Recently I started thinking of warmer climates and getting a little more sun this time of year. In fact maybe a trip south of the border would be nice. Suffering from these thoughts I contemplated taking my laptop with me. Yes I admit it, I’m a geek. I like to bring some sort of technology when I travel whether it’s a smart phone, an mp3 player or a laptop. I find myself suffering separation anxiety if I don’t have some gadget to keep me busy. One thing led to another and then I recalled reading an article about changes to US Department of Homeland Security (DHS) border policies.
It seems the United States border agents have authority to search, detain and make copies of any computing device or storage media capable of being read by a computing device, whether the traveler is present or not. In spite of many Canadians thinking they have some sort of expectation to privacy and an inherent right to travel south to find some sun. When it comes to DHS, they don’t. Lately, air travelers into the US were not permitted carry-on luggage. This meant your computer had to be checked in and was at that time, available for agents to examine and image. Never mind those who travel with copied movies and music and may be in violation of US copyright laws, what about those who’s laptop contains private data such as personal medical records or communications that may be sensitive in nature such as client solicitor privilege material. If you were one of those travelers, you may not have been present when the device was examined and may not know whether your data was copied. What about theft of your luggage contents? Airports are prime locations known for this type of theft. It makes me wonder, do frequent business travellers have a strategy for such occurrences?
Canadians are traveling further abroad for business. If you travel to other parts of the world, what are the chances you might lose control of sensitive company documents? Now I agree that not everyone will have their laptop examined or stolen but the potential is real. If your business relies upon sensitive material being kept private, what are you doing to accomplish that? Do you know the laws of the country you are about to visit? Do you have any expectation of privacy when it comes to your data and a foreign government? A recent article in the UK (Times on Line) refers to MI5 warnings to prominent business people that foreign governments have turned their spying interests towards business secrets. They are targeting your data. Who is looking at your laptop in your hotel room while you are downstairs at dinner?
Fortunately there are tools and methods that can be implemented which will safeguard your sensitive data. For example, there is encryption software that will make your files or drives unreadable without the proper pass phrase. Some of these are free and very effective.
Another strategy might be to employ encryption on a folder containing your sensitive data, and upload that to a cloud computing storage area such as Google Docs or Windows Live SkyDrive. They offer large amounts of storage, available via your Web browser for free. Some permit files as large as 50mb in size. You upload your encrypted file to one of these services and travel with a laptop which contains non-sensitive data. When you reach your destination, you can download your files for use. When you are done with these files, upload them back to the cloud storage. If your company has a server to store sensitive documents, you can substitute the cloud storage with a secure network connection to the server.
Other things to be concerned about are cached Web browser files, Internet history files, deleted and temporary files. Did you know that your Internet History includes not only the Web locations you visited but also the local files on your computer that were accessed? These type files can reside within the active files on your drive or in deleted material in the unallocated space. They can also reside in Swap files and Random Access Memory (RAM). In some cases data has been recovered from RAM, hours or days after the machine was powered off, something thought not possible a short while back. RAM can contain passwords used for encryption, Web based email and much more. So what to do? In my way of thinking, a couple of options come to mind. Have a laptop used exclusively for travel. Once it has been setup, make a complete disk image of the drive and save the image. Before each trip out of country, restore the original image to the drive, making sure you opt to over write all of the drive. That way you have a new clean system every time you travel. Make sure you are not saving sensitive data to the laptop drive. Remember the encrypted cloud storage.
Alternatively, have a second hard disk used for travel. Before you leave home, replace the laptop drive with the travel drive, a clean new install (from an original drive image) on the travel drive each time. You could use wiping tools, however they tend to vary in their ability to over-write all the areas of concern and tend to do so very slowly, so be prepared to spend a lot of time wiping.
Obviously there are many other solutions beyond this. No matter what you settle on, make sure you consult a subject matter expert and that you revisit the topic often as technology has a tendency to change rapidly. The result is what was safe and secure today, might not be tomorrow. And remember, carry-on baggage rules can change in a hurry, which may cost you more than separation anxiety. Happy traveling.
Sensitive Data and International Travel
February 12th, 2010
Excellent post. Keep writing. Thanks.
I like this site and saw it on Bing search. I thought your thoughts on
Sensitive Data and International Travel | EFS e-Forensic Services Inc. are right on. Thanks for writing about this and looking forward to reading more on your site.