Date: 2017-02-22
Coalition Slams DHS Plans To Demand Social Media Passwords
from the isn't-that-a-cfaa-violation? dept
Starting last summer, we noted that the Department of Homeland Security had quietly tested the waters to expand the information it requested of travelers entering the United States, to "optionally" include social media handles. By December it was officially in place. And then, just days into the new administration, the idea was floated to expand this program even further to demand passwords to social media accounts.
In other words: that escalated quickly. We went from "hey, maybe we could ask people to volunteer what their social media profiles are" to "hey, let's demand all social media accounts, including passwords" in, like, six months.
In response, a ton of human rights and civil liberties organizations have posted an open letter condemning this dangerous plan.
This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while traveling, and would discourage travel for business, tourism, and journalism.
Demands from U.S. border officials for passwords to social media accounts will also set a precedent that may ultimately affect all travelers around the world. This demand is likely to be mirrored by foreign governments, which will demand passwords from U.S. citizens when they seek entry to foreign countries. This would compromise U.S. economic security, cybersecurity, and national security, as well as damage the U.S.’s relationships with foreign governments and their citizenry.
Policies to demand passwords as a condition of travel, as well as more general efforts to force individuals to disclose their online activity, including potentially years’ worth of private and public communications, create an intense chilling effect on individuals. Freedom of expression and press rights, access to information, rights of association, and religious liberty are all put at risk by these policies.
The first rule of online security is simple: Do not share your passwords. No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.
There are lots of reasons why the proposal is bad -- but the security one is probably the biggest. People should never share passwords with anyone, but most especially foreign governments who have no interest in protecting them. And the letter is accurate that this will just encourage other countries to do this back to Americans (and others) and create a massive security nightmare. And that doesn't even touch on the chilling effects created by such promised surveillance.
Of course, one hopes that this kind of insane policy will get people to recognize that passwords suck as a security system. At the very least, it should encourage people to use multifactor authentication that can't just be handed over to some random border control person demanding your passwords. But that's no excuse for DHS going down this path in the first place. It's a bad proposal that won't help DHS protect us, but will cause tremendous harm and create serious security problems.
Re:
Just killdisk your PCs/laptops and factory reset your phones before coming back to the United States. Any evidence you let Customs in a foreign country access your accounts will be gone. US Customs will never have any clue of what you did.
Re: Re:
Re:
"Left Hand, could you at least send a LETTER to Right Hand every so often?!"
So you've got one part of the government trying to make handing out passwords a felony, and another part talking about requiring those that wish to enter the country... hand over their passwords.
Brilliant.
Re: Re:
Re: Re:
I believe most T&A require you to not share your passwords (maybe the phrase "[company employees] will never ask you for your account information online" rings a bell).
Failing that, the CFAA criminalizes unauthorized access- which, unless you grant written permission, it would be trivial to argue that doing anything with said passwords would be unauthorized access.
But honestly, the commit-a-felony-to-gain-ingress part is probably intentional. Commit crimes for the group so you'll be less likely to turn away from the group.
While I understand your point and where you're coming from, I can't help but think the grinding wheels of bureaucracy would just require the multi-factor authentication code as "part of" the account password.
Re:
And you do not give them ALL of your accounts. Just give one or two, and leave the rest OFF your Customs declaration form.
Problem solved
Re:
Most people use the same email for all those accounts.
Re: Re:
Re: Re:
Re: Re: Re:
Re: Re: Re: Re:
Wiping your phone before going through Customs is highly recommended and very wise. When I go on road trips all over North America, I always wipe my phone with factory reset before crossing the border into either Canada or the United States.
Wiping your phone before going through Customs does not violate either Canadian or American law.
Re: Re: Re: Re:
As long as that VPN provider is not in the United States, it is not subject to American laws.
Re: Re: Re: Re: Re:
Jammerspro provides such anonymous encrypted systems, including an encrypted router that automatically routes through a VPN. You can connect to that through your phone's Wifi, and your phone provider will not have any records they can give you.
This router connects to your normal home or business broadband service, and can be used to anonymize Internet on any device that connects to it.
You just use this router with any VPN provider on the market, and any device that connects to it will go through the VPN, including your phone, leaving no internet connection history on your phone provider.
Also, a mobile provider outside the United States is NOT SUBJECT to United States laws, and cannot be compelled to hand information over to the US government.
Just do that, and then factory reset your phone before going through Customs, and CBP will never figure out what you are up to.
Re: Re: Re: Re: Re: Re:
All fine in theory. And for people who are comfortable with fairly advanced IT. But you've repeatedly talked about nulling your devices and using spurious online presences just to cross a border.
None of what you are suggesting is realistic for everyday people. The answer isn't to spend 110€ a month to avoid government sanctioned breaches of your security and privacy, it's to resist stupid laws. And in my case, not even contemplating entering the USA.
Also, a good idea, as I have said, is to killdisk your laptop and then reinstall Windows and all your programs, so the forensic examination of your laptop will get nothing.
A positive side to giving away your passwords
I see this as a win. It's all poisoned fruit. You can claim the DHS agent did it from that moment on.
Re: A positive side to giving away your passwords
Re: Re: A positive side to giving away your passwords
Once they have this power they will learn all the tricks, install backdoors, create lists of your contacts and start going after friends of yours or friends of your friends the next time we need to root out communists.
This is much worse if you understand security theory than you may think.
Re: Re: Re: A positive side to giving away your passwords
Then you just go and make a new facebook account, and DHS/CBP will not be able to get back on to.
Re: Re: Re: Re: A positive side to giving away your passwords
If you suspend your facebook, all you (or anyone) needs to do to re-activate it is to login to it.
Re: Re: Re: Re: Re: A positive side to giving away your passwords
Is this a new feature? I swear that 12 months ago there wasn't that ability.
Re: Re: Re: A positive side to giving away your passwords
Just create a new Email address, then create "dummy" accounts for facebook, twitter, etc, and give the passwords for those to DHS/CBP and put those on your Customs form instead of your REAL accounts. CBP/DHS will never be the wiser.
Re: Re: Re: Re: A positive side to giving away your passwords
Rather than finagling your way around stupid ridiculous laws and regulations, why not point out to your stupid ass government how they are being stupid ..... oh wait, because that will get you tossed in jail. And now they want to asset forfeiture your ass for "participating" in a "riot" if anyone suffers damaged property from protesters - even if they were just standing there ... idk, maybe reporting on it and stuff.
Yeah, I want the guys who steal underwear for no apparent reason looking through my email and chat or what have you.
Re:
Shall I or not?
At the moment I’m planning an extended vacation in the US for this summer. That means I first book a flight and hope we don’t get rejected by ESTA for whatever obscure reason. Then I book flights, hotels and cars in the US. And then I arrive at the immigration counter … with me comes my family with the usual assortment of phones and tablets and probably our complete digital trail.
So, how much do I fake in advance and hope it fits together? How good an actor am I and what’s to expect from my co-actors?
What’s at risk? Just a good time for the family and a lot of money? Or more?
Why should we go through all that hassle? Canada seems to be a nice and interesting place, too. Maybe Costa Rica. Maybe … I’m sure there are many places, where we’re welcome.
Is this still chilling or already quite cold?
Re: Shall I or not?
Yeah, I'd avoid the US if at all possible for the foreseeable future. Look at the sights online if you really want to, but do not try to come here in person, spend that money in some other country that will appreciate it more.
Re: Re: Shall I or not?
It's not ideal, but what with this, the TSA, Trump's new immigration policies, banning teachers from the UK, I'm seriously considering a boat off the Georgian coast. Maybe a cruise from Bermuda or the Bahamas.
Re: Shall I or not?
There's your mistake right there.
This ought to end well....
DHS Agent: "Hand over your Facebook password."
Visitor: "I don't have a Facebook account."
DHS Agent: "I don't believe you."
Visitor: "Sorry."
DHS Agent: "Look, it's well-established that one can be jailed indefinitely if they won't hand over a password we think they have."
Visitor: "But I..."
DHS Agent: "And that's American citizens. You're not, so we can ship you to a third country for torture. We've done it before. A guy transiting New York on his way home to Canada, just to check on vague suspicions."
DHS Agent: "Hand it over, and no dummy accounts. We'd better see lots of activity and friends on that account. We'll be examining your friends too."
Announcer (Facebook commercial): And that is just one reason why everyone should be on Facebook. Get your mandatory account today!
Well, that gives a standard defense for copyright infringement
"Dozens of border agents."
Case dismissed.
What people don't seem to understand in all of the privacy discussions around handing over passwords is that passwords are not just something you use for _reading_ private account details. They are a handle to _tampering_ with a person's identity. They will naturally _massively_ be used for planting evidence.
The CIA will be able to invent whole child pornography rings for people they don't like and plant all the evidence for it without using any hacking tool.
This really beats slipping a satchel in someone's pocket.
Re: Well, that gives a standard defense for copyright infringement
Re: Well, that gives a standard defense for copyright infringement
Re: Well, that gives a standard defense for copyright infringement
It's even worse.
https://xkcd.com/792/
In essence, in modern times where we can have hundreds of passwords to access all kinds of things, there are people who use the same password and remember it, and there are people who use different passwords and use a password manager; paper even.
If US.gov have some of your passwords or even one, they have an opportunity to expand.
I only signed up for Facebook because some websites require it for commentary.
Re:
What about them? They are the best for figuring out your political leanings. And this makes it possible to correct your comments if they are unsuitable for someone entering the Land of the Free and the Home of the Brave.
You don't need to thank us, we'll do it ourselves.
Re:
No Excuse?!
No excuse except terrorism, pedophilia, drugs, crime, Muslims, and Hitler! If we forget these basic, never-ending wars, the government might lose our willingness to pay the taxes they levy and might lose our support for the outrages they commit in our names with our money.
I now feel a little un-American that I don't use Facebook.
I'm sure they'll do their "best" to secure this information.
So we have DHS compiling a massive database of userids and passwords for e-mail and social media accounts. That's not a high-value target at all. Given virtually no government agency has managed to receive a passing mark for securing their systems it's only a matter of time (and probably not a lot of time) before at least one organisation (hackers, foreign gov't, et al) gets their hands on it.
I expect you'd see lower distribution if you wrote your userid & password on a bathroom wall.
Re: I'm sure they'll do their "best" to secure this information.
