Late last month, I opened an e-mail from my friend in Paris, and the first thing I saw was
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1
PGP is encryption software that's been around since 1991. When I asked him why he was using it, he told me his company had been talking to the CIA for a while about its technology and he'd just gotten used to encrypting all his e-mail.
I started writing about all things encryption before 1991, when the development of PGP first made public the conflict between my right to privacy and government's right to intercept criminal communication. It's been hammer and tongs between the encryption/privacy community and the government ever since.
Still, I can count on zero hands the times I've actually encrypted an e-mail or a file. I don't know exactly why. It seems like it's never been easy enough to do to make it practical. Plus it's not as if I'm carrying around state secrets on my MacBook.
But I'm beginning to think there's another good reason not to encrypt. On Friday, I saw a post on Dave Farber's Interesting People list that gave me that sick, déjà vu feeling. It was a post from Ohio State University law professor Peter Swire -- a copy of his testimony to the Senate Judiciary Subcommittee on the Constitution, called "No, You Can't Search My Laptop." Swire was responding to recently disclosed policies from the Department of Homeland Security that allow agents to confiscate, copy and examine the contents of anyone's laptop as they cross a border, whether or not they are suspected of breaking a law.
The Washington Post ran a story the same day. Here's the lead:
Federal agents may take a traveler's laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.
Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.
Holy crap.
Swire notes that agents at the border are going further than just taking image copies of people's hard drives. They're actually demanding passwords and encryption keys so they can examine the contents.
Of course, they promise to destroy the copies and the keys as soon as they're done -- as long as they don't find anything illegal, like a downloaded song you didn't pay for -- so no security worries there, right? There's no such thing as a crooked customs or Border Patrol agent.
This gives government agents access to information they would never get by opening up your suitcase. In addition to e-mail, spreadsheets, documents and personal financial information like credit card receipts and photos, nowadays they can also listen to your stored Skype calls and voice mails.
Not to mention that just having encrypted data on your hard drive causes suspicion, or at least throws down the gauntlet. If you were looking for illegal stuff and you ran into a file that looked like this,
qANQR1DBwU4D/TlT68XXuiUQCADfj2o4b4aFYBcWumA7hR1Wvz9rbv2BR6WbEUsy ZBIEFtjyqCd96qF38sp9IQiJIKlNaZfx2GLRWikPZwchUXxB+AA5+lqsG/ELBvRa c9XefaYpbbAZ6z6LkOQ+eE0XASe7aEEPfdxvZZT37dVyiyxuBBRYNLN8Bphdr2zv z/9Ak4/OLnLiJRk05/2UNE5Z0a+3lcvITMmfGajvRhkXqocavPOKiin3hv7+Vx88
wouldn't you immediately need to know what it said? It could be a conspiracy! It could be a list of child pornographers! It could be a copyrighted magazine article! It could be a bootleg Led Zepplin video!
Urgh.
So I figure the best solution is to encode your files rather than encrypt them, so that you could hide your stuff in plain sight. If agents don't know something is encrypted and it looks innocuous, they won't compel you to give them the key. "Here's your laptop, ma'am. Sorry for the inconvenience."
This idea made me think of steganography, an alternative to PGP-style encryption. While the message -- "PERSHING SAILS FROM NY JUNE 1" -- might look like the gibberish above when encrypted, the same message, coded with a form of steganography that uses the first letter of each word, would read,
PRESIDENT'S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW. STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY.
(Thanks to Gary Kessler's steganography site for quick access to examples.)
But traditional steganography won't work for laptop travelers who aren't trying to move one or two short secret messages. Most of us just don't want some random government agent to be able to make a copy of our entire electronic brain every time we cross a border.
What I want is something that automatically takes all my files and recodes them, so that they look and read like something else entirely -- like Proust, maybe, or better yet, Kafka.
I want "Hey, Amy, when are you coming to pick up Season 7 of Buffy?" to read,
"Someone must have been telling lies about Josef K., he knew he had done nothing wrong but, one morning, he was arrested."
That would be sweet. And there are oceans of public domain text ripe for the codin', thanks to Project Gutenberg ...
But, alas, no such program exists. And even if it did, that does not solve our problems today. Unfortunately, the solution to the present insanity may be not to move our data across borders at all.
The very sensible Mark Seiden, a legendary computer security expert who is now at Yahoo, told me that stego is "not a good thesis" for protecting laptops.
His suggestion? "Leave everything on a server, encrypted." That way you don't have to carry it across the border, and as long as you know you'll have a network connection, you can get to it once you get where you're going. This protects travelers not only from overzealous customs agents, but makes losing a laptop or having it stolen a mere inconvenience, rather than a security nightmare.
Because apparently we are living in Josef K.'s world now, where criminals and customs agents are just different versions of the same thing.
Shares