Random Thoughts

[nullius]

I have a habit that may upset some people:  I overwrite new disks with a pseudorandom bitstream.  Then, when I use a disk for data, I encrypt it in such a manner that there is no visible, unencrypted structure to the disk:  No header, no unencrypted metadata.  (How?  Magic—don’t ask!)

As a result, my house is filled with random-looking disks that may or may not contain decryptable data.  Some are hooked up to machines, and probably have data—if, that is, they are not hot spares.  The ones not hooked up to machines may be backup disks, or decommissioned disks, or new disks that I have never used.  All of these disks are indistinguishable from each other, to anybody who is not me.  To me, the disks are identified by serial number in a file that is stored encrypted.  (Don’t ask.  Security by obscurity is a part of defence-in-depth, except within the quite narrow purview of Kerckhoffs’ Principle.)

Occasionally, it has happened that a disk was lost or stolen.  I never worried too much about this.

The presence in my house of all these random-looking disks has oft tempted me with an interesting thought experiment:  What would happen, if I were to attempt passing the United States border with one of my disks?  A disk with encrypted data would be interesting.  A new, unused disk would be more interesting.

Don’t Be Stupid

I generally contemn the concept of “civil disobedience”.  That’s just a way for “TPTB” to induce potential troublemakers to paint targets on their own backs.  You don’t win by incurring to yourself avoidable trouble for nothing.  You win by making “TPTB” powerless over you:  By keeping your privacy, appearing mostly harmless, and secretly doing whatever you wanted to do anyway.  Open defiance gets you marked for life, when you are young and idealistic; and this limits your freedom of action in the future, when you otherwise may actually have become dangerous.  The system works out neatly for itself.  Make the system irrelevant.

That being said, for anyone who already has trouble at the U.S. border and doesn’t mind a bit more of it, my aforestated “thought experiment” suggests some amusing hijinks.

Say you buy a 12 TB hard disk for about 300 units of depreciating funny-money (“United States Dollars”), and pack it in your bag looking random.  Is it a new disk that you just freshened up with a pseudorandom bitstream?  Or is it packed with juicy data that you so happen to have encrypted?

Have fun explaining to the border police that you don’t remember.  But what if, seriously, you don’t remember?  I have lost data this way—long ago, before I devised better schemes for keeping my metadata straight.  I have stared at a disk, trying to remember whether or not I ever wrote any actual data to it.  Cypherpunks have a tough lot in life.

The scenario also presents some interesting philosophical questions.  Say you have a disk written with juicy unencrypted data:  Julian Assange’s secret diaries, Satoshi Nakamoto’s private keys, and your multi-terabyte pr0n collection (which is what the border police are most personally interested in seeing).  Now, you decide to destroy this disk with a cryptographic erasure:  You encrypt all the data in-place, then irretrievably destroy the key.  At the U.S. border, what is the legally proper answer to the question of the disk’s contents?

• “Pseudorandom data.”  This is strictly true.  You are not lying to the American police, which would be a “crime”.  But this introduces in turn another question:  What if the program you used to irretrievably destroy the encryption key was buggy, and you later discover that you had inadvertently retained the key all along?  Data remanence is a big problem, you know.
• “Encrypted data that I can’t decrypt.”  This is also true.  But you can be extraordinarily rendered and then beaten with a $5 wrench until They are satisfied that you are not lying—or until you’re dead.
• “Schrödinger’s Cat’s data.”  Amusing—until my caricature of the secret police decides to amuse themselves by locking you in a box with a gun triggered by a Geiger counter, etc., such that they can write up your status as “unknown and unknowable”.

It would be fantastically stupid to test these answers empirically.  At best, you would probably lose a disk worth 300 units of depreciating funny-money.

Supreme Confusion

Modern (or postmodern) laws are a game, invented to amuse people who have sufficient firepower to enforce the rules of their game.  Arbiters of those rules are called lawyers.

This question is for the lawyers:

What are the legalities attendant passing of the United States border with a disk full of pseudorandom data?

The problem with allowing passage of large amounts of pseudorandom data is that nobody can prove it isn’t encrypted data.  Note that there can here be no question of the burden of proof:  The question cannot be proved at all.  —Or rather, it could only be proved that the disk’s owner is lying, if the disk’s owner is lying, by decrypting the data.  If the disk’s owner is telling the truth, it cannot be proved that he is telling the truth.

And you know, national security would be totally destroyed by the Four Horsemen of the Cryptocalypse if you just let people walk across the border with 12TB of encrypted pr0n in a package the size of a small paperback book.

However, the government would look silly for prohibiting or harassing travellers who carry what are, in substantial essence, empty disks.  Seriously.  This is a real problem.  Upon purchase, I immediately overwrite every new hard disk I buy with a pseudorandom bitstream, starting at sector 0 and ending at the final sector, inclusive.  I have been doing this for about two decades.  If I were to travel to the U.S. (LOL), I may want to take a new disk with me.

Someone terrifically stupid needs to be a guinea pig (“test case”) for this, such that the question may be properly decided by the United States Supreme Court.

[suchmoon]

I've crossed the border many times with copious amounts of storage, encrypted most of the time (albeit overtly), and never once was asked what's in it. Does that actually happen (I mean to people who are not wearing funny hats and/or large amounts of facial hair)? Or should I assume that the agencies can read it without my help anyway so it doesn't matter?

In any case, unless you're already suspected of something serious, the worst case scenario is probably your drive ending up in a trash bin, which you called the "best" case. The border is not as scary as you're making it sound. Millions of people cross it without any issues and you have to try really hard to get into trouble. I bet that even if you told the CBP agent on the Ambassador Bridge that you have a mysterious Schrödinger drive you'd be told to get lost and not hold up traffic.

Welcome back

[nullius]

I've crossed the border many times with copious amounts of storage, encrypted most of the time (albeit overtly), and never once was asked what's in it....  The border is not as scary as you're making it sound.

You have caught me in a rare case of speaking from abject ignorance, i.e. based on what I have read in almost^* 2^40 articles in the mainstream media.  I also did deliberately exaggerate at certain points, as hinted by such phrases as “my caricature of the secret police”; but overall, I was discussing what I thought to be a significant problem.

If I misfired, I stand corrected.  With a decade’s worth of perennially circulating stories about travellers being coerced to open their devices, log into social media accounts, and so forth, is it really that easy to stroll across the border with terabytes of encrypted data pseudorandom bits?

I wouldn’t know:  I am reliably told that TSA security-(porno-)theatre gives travellers the choice between being photographed effectually nude, and being groped.  Although I have no objection to either in pleasant company, I find TSA personnel decidedly displeasing; and if I refuse KYC on privacy grounds, you may imagine my opinion of how intimately the TSA peremptorily demands to “Know [Their] ‘Customers’”.  Thus, I have not crossed the American border in many years.

(* For a value of “almost” consistent with a tiny bit of hyperbole.)

Or should I assume that the agencies can read it without my help anyway so it doesn't matter?

Do you let any electronic devices (including bare disks) out of your physical control and observation?

I doubt that remote data-grabbers are anything but movie magic.  However, devices outside your control or observation (e.g., in checked baggage) could be bugged to facilitate future remote penetration; and nonvolatile storage media of any kind can be trivially copied (well, that’s why we encrypt!).  To be clear, I am just thinking aloud in terms of capabilities.  I have no idea if either practice is done at the U.S. border, or if so, how common that would be.

Welcome back

Thanks.  But on account of your questioning of my potentially erroneous information, I am so hurt and offended that I plan to complain to your ISP about your harassment and cyberbullying, then boycott the Bitcoin Forum forever.  Well, that’s the way of the internets nowadays.  I am completely sincere:  You know how it is, with sarcasm running out of money to pay for your sig; it stopped paying me, too.

[UNOE]

Interesting stuff.

The chances of the border police asking what's on your disk are probably around 1 in a million. At best.
Main duty of the border police is taxing the items you've brought from other countries.

[NeuroticFish]

Magic—don’t ask!

I think that there may be a problem here.
If you encrypt everything around you that means that you may have something to hide. And for some this would be enough. Because no matter what "magic" you use, the 5$ wrench has a good chance to crack it.
(The only way to get away is if you make them believe there's nothing there, but that will work maximum once.)

[PrimeNumber7]

The chances of your electronic device being searched at the boarder is low. In 2018, only about 33k people had their devices searched out of hundreds of millions of people entering the country.

The answer to your question is fairly simple, and does not matter which type of disk you are trying to cross the border with (and you do not allow CBP to see unencrypted data). (if the CBP attempts to search the disk)If you are a US citizen, you will eventually be allowed to enter the country, although you may first be detained. If you are not a US citizen or permanent resident, you will probably not be allowed to enter the country. CBP may make an image of the disk to try to decrypt it off site or possibly at a later time (for example if weaknesses of a particular encryption algorithm is discovered in the future). There is no law against carrying encrypted data across the border, and no requirement that you disclose any decryption keys.

[eddie13]

At the U.S. border, what is the legally proper answer to the question of the disk’s contents?

How about.. "I do not consent to this search and will exercise my right to remain silent."  ... .. .. . "Am I being detained?"
That might not work if you aren't a US citizen though trying to enter the US..

I don't see how information on a disk matters all that much when you can simply remember all of your Bitcoins across any boarder, such as memorizing your seed, or store your encrypted data anywhere on the internet and remember the decryption password/application across the boarder with you..

If you are from the US then encryption is legal and you have rights.. If you aren't a US citizen then encryption might not even be legal for you, and you don't have constitutional rights like a citizen does, so they probably have laws allowing them to do about whatever they want with you..

Someone terrifically stupid needs to be a guinea pig (“test case”) for this, such that the question may be properly decided by the United States Supreme Court.

How much does this gig pay?

[PrimeNumber7]

At the U.S. border, what is the legally proper answer to the question of the disk’s contents?

How about.. "I do not consent to this search and will exercise my right to remain silent."  ... .. .. . "Am I being detained?"
That might not work if you aren't a US citizen though trying to enter the US..

The government does not need probable cause, nor a warrant to have the legal authority to search you if you are crossing the border, even if you are a US citizen. As a practical matter, you will probably not get searched unless the government has a reason to believe you are doing something you shouldn't be doing.

If you are from the US then encryption is legal and you have rights.. If you aren't a US citizen then encryption might not even be legal for you, and you don't have constitutional rights like a citizen does, so they probably have laws allowing them to do about whatever they want with you..

Most rights granted by the constitution apply to both citizens and non-citizens.

[franky1]

people are not just randomly asked to have their hard drives searched. usually a red flag has to come up.
there needs to be a reasonable reason

typical red flags are people who pop up as unemployed, but enter a country. questions already arise as to who they funded the ticket.
next is the concern of them possibly trying to get work. but not getting a work visa. thus trying to evade certain things.

next is someone who's travel history is a bit suspicious. even the clothes they wear. for instance a smart suit (interview suit) but declaring they are travelling just for pleasure
even just getting a one way ticket brings up questions of when they are leaving

99.999% of people are just allowed to walk on passed whether they are holding laptops and stuff. but when someone coming in 'just for vacation' turns up in a suit carrying enough electronics for a whole office.. then yea expect a red flag

i was stopped in an airport. al that occured was they spotted my deodorant can. threw it in the trashcan and told me to continue with my journey. i forgot it wasnt 'travel size'

too many people worry and think that they are going to end up having a cavity search just for bringing in normal daily use stuff.. the reality is that unless you have been flagged for something obviously rule breaking or of concern of a potential rule break, yo wont be bothered

[bitserve]

I always get nervous when crossing the US border, probably unjustified, but knowing they can ruin my travel without needing any real excuse makes me somewhat uneasy tbh.

But the reality is that, most of the time, they are not that strict as they seem.

I remember one time, coming back from Defcon I had my handbag filled with all sorts of very suspicious items and purchases.

After passing the handbag scanner one agent comes to me and ask me if I have a computer in the bag. I very convinced say no, thinking to myself "I am not stupid, I know I have to put the laptop separately and out the handbag". He asks me again, and again I say "NO".

He then goes and make me open it.

Well... first thing that pops up is a red bull can that I planned to drink before boarding but somehow had forgotten about. Then just under it, a repurposed desktop mini PC I also had forgotten was one of the stupid things I had bought at Defcon. Also the badge (which was somewhat suspicious in itself - google defcon 20 badge and you'll see what I mean), and an assortment of items including a rubber ducky, a couple throwing star lan taps, heaps of sd cards and usb flash, and even a wifi pineapple!

At that precise moment I thought that couldn't end well...

And what did it happen? He just shrugged it off, threw the red bull can in the trashcan, ran one of those test drugs stripe on the contents (cannot blame him, lol), put the mini pc on the scanner to check I wasn't hidding anything inside and just let me go.

Did I have my laptop searched? No
Was I questioned about the strange looking computer I "tried to smuggle" in my handbag? No
Did he question me about ANYTHING? No

He just seemed a bit bothered because my stupidity had made him work extra, but that's all.

So, even in the (very) rare case someone is questioned about the contents of an encrypted disk... It is just that, a hard disk wiped out with random data, that is all.

There's no need to overcomplicate it with additional explanations that could maybe get you in further problems.

Not consenting to a search, refusing to answer any questions, or trying to state your right for privacy over your self admitted encrypted disk is probably asking for unnecessary trouble.

I am sure every lawyer would tell you it is in your best interest to, at least, give the appearance of cooperating instead of trying to be an ass over your rights no matter how right you really are.

[suchmoon]

If I misfired, I stand corrected.  With a decade’s worth of perennially circulating stories about travellers being coerced to open their devices, log into social media accounts, and so forth, is it really that easy to stroll across the border with terabytes of encrypted data pseudorandom bits?

Which border?

Southern border - being white and/or holding the right passport makes the process easier but as long as you have the right paperwork and dogs don't smell anything you won't be bothered too much.

Northern border - same thing just faster and easier. As I said, I doubt that even mentioning an encrypted drive would elicit anything more than a chuckle and a wave-through. I'm not gonna test it though

Airports - probably your idea of the border, based on your comments about perv-scanners (which are not unique to the US and are not applied on arrival). Some controls might be tougher there but unless you're on some terrorism watch list they're not gonna ask about a hard drive. So the question really is - what have you done to end up on the terrorism watch list?

After passing the handbag scanner one agent comes to me and ask me if I have a computer in the bag.

But that was TSA, right? Not CBP?

TSA only cares if you're carrying a bomb, a knife, or a bottle of Coke. They couldn't tell a hard drive from a dildo. CBP are the ones that you don't notice on departure and they ask stupid questions on arrival ("where you're going?" "how long is your stay?" "look at the camera").

BTW some airports have automated kiosks you answer stupid questions on a touch screen and just show a receipt to an agent (again, if you have the right passport / green card / visa waiver / etc).

[DireWolfM14]

Quite an interesting discussion, but I'm surprised no one has mentioned the obvious;  As an American, my data is protected from unwarranted search and seizure by the 4th amendment, and as far as I know the Bill of Rights applies to everybody in the US, not just citizens.  Unless you've been placed on a watch-list, or provided some other "just cause" to be searched, I don't think anyone would blink an eye over a hard drive or a USB stick.

I rarely leave the country, but interestingly enough, I did travel to Thailand for a vacation last March.  I took my work laptop so I could support my company if they needed me for something, and in order to avoid huge downloads using slow hotel wifi, and even slower company VPN, I prepared an encrypted USB stick with my project files.  Nothing crazy, some CAD files and product specs for some new products we're making.  Some of the information qualifies as trade secrets, and since it's new products that haven't been released it was worth keeping the information secret.  Which is why I didn't want it on the laptop's drive, in case it got jacked.  I kept the USB stick in my pocket the whole time, and never even thought to disclose to TSA or customs that it was encrypted.

I had a layover in Taiwan on both legs of the trip, went through four customs checks, and never had anyone ask me what was on the disk.

It's also worth noting that my name probably draws attention (when airlines are concerned) and I do have copious amounts of facial hair.  I don't wear funny hats, so maybe that's why I was able to get away with it.

[LoyceMobile]

How about.. "I do not consent to this search and will exercise my right to remain silent."  ... .. .. . "Am I being detained?"
That might not work if you aren't a US citizen though trying to enter the US..

I reserve being a smart ass for my home country, where I know the rules and know my rights. Especially after a very long flight, when I'm just tired and want to go home, I easily get annoyed with bureaucracy.

In any other country though, I am all "yes sir", "thank you sir" to anybody. When in doubt, I'm just extremely polite.
This has worked for me so far, and of course it helps I don't have anything to hide. I've declared an apple into several countries, just to be sure I won't get fined for it.

[Lauda]

How about.. "I do not consent to this search and will exercise my right to remain silent."  ... .. .. . "Am I being detained?"
That might not work if you aren't a US citizen though trying to enter the US..

Most rights granted by the constitution apply to both citizens and non-citizens.

It was my understanding as well that the US Constitution protects even non-citizens, thus they should have no right to do anything to you that they otherwise wouldn't to a US citizen. However, the US seems to be quite aligned with what I would consider an abusive police state. I'm quite sure depending on the circumstances, that they'd attempt to get it from you in one way of another. They might even let you inside the country and then later knock at the door wherever it is you're staying at.
Maybe it is time to expand it.

[bitserve]

But that was TSA, right? Not CBP?

TSA only cares if you're carrying a bomb, a knife, or a bottle of Coke. They couldn't tell a hard drive from a dildo. CBP are the ones that you don't notice on departure and they ask stupid questions on arrival ("where you're going?" "how long is your stay?" "look at the camera").

BTW some airports have automated kiosks you answer stupid questions on a touch screen and just show a receipt to an agent (again, if you have the right passport / green card / visa waiver / etc).

Yup, I think it was TSA. I have never seen those CBP's do anything else than asking stupid questions like you say, except one that literally trolled me big time (a hilarious anecdote, but probably offtopic).

Anyway... I think the best advice is to just try to cooperate and never, ever, self-admit anything (such as if a headerless hard disk is encrypted or not) you know they could not really prove in a court. More so if we are talking about the US and you are not a citizen, don't dominate the language, and don't know all the rules such as LoyceV said.

Also... It is understandable they don't really care about data (or any digital goods) being "smuggled" into/out of the country in encrypted hard disks. It is not as if there were any difficulty in transferring that same data via other means (ie. Internet). And we are already in 2020, where everyone and their grandmother do have encrypted data and it is almost (if not more) as suspicious having a fully plaintext hard disk.

[paxmao]

...

The chances of the border police asking what's on your disk are probably around 1 in a million. At best.
...

I cross borders many times a year. I am "randomly selected for a in-depth search" 1 of every 3. Welcome to my world.

[Kavelj22]

Crossing new borders with personal stuff is not a privacy matter because if there is a reasonable suspicion, then individuals can be searched in the interest of public safety. This can be affirmed by a proper law like the fourth amendment in usa, but the case is quite different in other countries. Individuals crossing border from Syria or Lybie, for exemple, are regurely subject of suspicion as police have to check every details/stuff provided by them and i can't blame.

[malevolent]

Don’t Be Stupid

I generally contemn the concept of “civil disobedience”.  That’s just a way for “TPTB” to induce potential troublemakers to paint targets on their own backs.  You don’t win by incurring to yourself avoidable trouble for nothing.  You win by making “TPTB” powerless over you:  By keeping your privacy, appearing mostly harmless, and secretly doing whatever you wanted to do anyway.  Open defiance gets you marked for life, when you are young and idealistic; and this limits your freedom of action in the future, when you otherwise may actually have become dangerous.  The system works out neatly for itself.  Make the system irrelevant.

There are many cases where civil disobedience proved to be successful, without people willing to risk their comfortable ways of life authoritarians are more likely to push harder as they know they will face no resistance. OTOH, in the event of a violent revolution troublemakers will need safe houses owned or operated by people who don't stand out.

[franky1]

civil disobediance needs to have many factors involved for success

for instance just doing a march along a non-important road with 500 different placards wanting 500 different changes wont get success.

organising it to affect the politicians would, organising a structured single message works. actually having a penalty for the politicians if they dont listen works

for instance threatening to not vote for a particular political party and threatening scheduled strikes on a regular occurrence while having petitions signed to prove the extent of the threats strength has alot more power than just some street procession/walk around

[UNOE]

The chances of your electronic device being searched at the boarder is low. In 2018, only about 33k people had their devices searched out of hundreds of millions of people entering the country.

The answer to your question is fairly simple, and does not matter which type of disk you are trying to cross the border with (and you do not allow CBP to see unencrypted data). (if the CBP attempts to search the disk)If you are a US citizen, you will eventually be allowed to enter the country, although you may first be detained. If you are not a US citizen or permanent resident, you will probably not be allowed to enter the country. CBP may make an image of the disk to try to decrypt it off site or possibly at a later time (for example if weaknesses of a particular encryption algorithm is discovered in the future). There is no law against carrying encrypted data across the border, and no requirement that you disclose any decryption keys.

That's a lot higher than I thought!

If you aren't a US citizen then encryption might not even be legal for you

A law that says non-citizens aren't allowed to use encryption doesn't exist.

...

The chances of the border police asking what's on your disk are probably around 1 in a million. At best.
...

I cross borders many times a year. I am "randomly selected for a in-depth search" 1 of every 3. Welcome to my world.

But they don't check the content of your disk?
Those are still high numbers!
Are you on some sort of list? o.o