Data tends to move from place to place. That’s kind of the point. But when it does travel, sometimes the government wants to take a peek. Any government. A recent case out of Canada demonstrates that not letting the government take a peek can land you in jail. And that’s bad for CISOs trying to manage corporate data and keep it private and secure.
It’s pretty cold in Quebec this time of year. Much warmer in the Dominican Republic. When Alain Philippon returned from his trip to the island of Dominica, he was greeted by the Canadian Border Services when he arrived at Halifax Stanfield International Airport on March 2. In addition to a tan, and probably a horrible pair of Bermuda shorts, Philippon had his cell phone with him.
The Border Services officer demanded not only that Philippon give over the phone to be examined, but also that Philippon unlock the phone so that the Border Services agent could rummage through Philippon’s emails, tweets, Facebook postings, photos, videos, linked accounts, Dropbox, Google Drive documents, GPS history, love letters, Internet cache, remote access apps and just about everything.
Philippon was arrested. The Border Services politely (this is Canada, after all) arrested him for violation of section 153.1 (b) of the Customs Act for hindering or preventing border officers from performing their role under the act. The statute provides that:
153.1 No person shall, physically or otherwise, do or attempt to do any of the following:
(a) interfere with or molest an officer doing anything that the officer is authorized to do under this Act; or
(b) hinder or prevent an officer from doing anything that the officer is authorized to do under this Act.
Under the act, the officer is authorized to inspect “goods” entering the country. So Philippon “hindered” the Border agent from inspecting the items. Border agents are also authorized to ask questions. By not answering them, has a person “hindered” the ability of the officer to ask the questions?
It’s a strange theory. It means that wearing bulky clothing, which is hard to inspect, “hinders” the officer’s inspection, and therefore is a crime. It can mean that if putting your shampoo into a Ziploc bag, or putting one of those silly little locks on your luggage, slows down the process of inspection, you can be arrested.
But worse, the government is taking the position that not actively cooperating constitutes “hinder[ing]” an authorized act.
I thought Canada was a friendly country.
But more important is the fact that our friends up north (like their counterparts down south) are treating a cell phone, an iPad or a computer just like any other kind of good to be inspected, picked apart, pried on and spied on.
If you are a CISO of a company, that attitude is a problem. Every time an employee travels – whether it is on vacation to the Dominican Republic or a business trip to Bruges – their corporate computers, phones, or other devices are subject to “inspection.” That means on the way into any other country, and on the way back into the country of origin. And there’s little limit on the authority of Border agents to “inspect.” This means they can copy passwords, image drives, and give the inspected data to other agencies or departments. This is true because you have a “diminished expectation of privacy” at the border.
Of course, you can always take the Fifth. Or, in Canada (with the exchange rate and everything) you can plead the Eleventh. That is Section 11(c) of the Canadian Charter of Rights and Freedoms, which provides:
11. Any person charged with an offence has the right
(c) not to be compelled to be a witness in proceedings against that person in respect of the offence;
If you can successfully argue that the act of entering a password or decrypting the data on the phone constitutes a testimonial compulsion, then you might be able to say that you have no obligation to decrypt or unlock the phone. US Courts are split on this issue for entry to the US, some saying people must decrypt, and others saying that the 5th Amendment provides an out. As far as I can tell, Canadian Courts haven’t addressed the issue, but I don’t speak French. Or Canadian. Something about a hat trick, I think.
The same rationale has been applied in the UK where, in 2014, a man named Syed Hussain was arrested by border officials under the theory that his refusal to decrypt the contents of a thumb drive was a crime because the subject had potentially hampered a border investigation. He was sentenced to five years in jail for not telling the police his password.
In the US there have been a number of cases questioning whether the government can, consistent with the Fifth Amendment, compel a person to decrypt the contents of an electronic device – either at the border or otherwise.
So, for example, in the child pornography case of United States v. Pearson (2006), the government attempted to get Pearson to decrypt certain files they alleged were child porn, and he alleged were attorney work product (the laptop belonged to Pearson’s father, an attorney). The case was mooted when Pearson pled guilty.
In In re Boucher (2009), another child porn case, the defendant entered the US at the Vermont border, and refused to decrypt the contents of his laptop. The court forced him to provide a decrypted copy of his hard drive.
In United States v. Kirschner (2010) on the other hand, the Court held that forcing Kirschner to give the government his password would violate the Fifth Amendment, and in Commonwealth v. Hurst (2011) the government tried to get Hurst to decrypt the contents of his cell phone (he eventually pled guilty). In United States v. Doe (2012) the Court held that production of a decryption key implicated the Fifth Amendment and could not be compelled, and in United States v. Fricosu (2012) the court ordered a defendant to provide a decrypted version of files on her hard drive.
It’s one thing to be held in contempt by a court for not producing a password or decryption key in response to a court order. It’s another thing to make not “cooperating” with the police by not providing passwords a separate crime – obstruction of justice.
This presents a real problem for CISOs of companies that have sensitive information on laptops, cell phones or other devices, and who have employees who travel from place to place. At every border, the employee runs the risk of having some officer demand that he or she produce the corporate device for “examination” which can include copying and retaining copies of this information and sharing it with any agencies it deems relevant.
This includes the authority (with approval) to copy and share copyrighted materials, confidential trade secrets, medical records, and even privileged records like journalist records and attorney client privileged materials. It is important to note that the border officials may search and copy this material “with or without individualized suspicion” – meaning that they can do this to anyone at the border. Oh, and the border extends 50 miles from any border (including airports).
So would YOU as a CISO allow your employees to take sensitive information with them (even encrypted) on phones, tablets or laptops? What would you tell employees to do when travelling?
A few tips:
1) Take as little information as necessary. We are all pack rats. We keep every email and document. Great when we need it. Not great when someone else wants it.
2) Encrypt. Whole disk encryption of the drive, biometric AND other encryption of data. If there is really sensitive stuff, have a two key system so the employee doesn’t even HAVE the ability to access the data without “corporate” approval.
3) Offload the data? Maybe. Consider keeping the data safe at home, with the employee merely having the ability to access the data. Double edged sword here, both legally and technically. From a technical perspective, this would require an employee who needs data to log into a server and retrieve it – frequently over an insecure data connection provided by some foreign intelligence agency, and subject to a “man in the middle” attack. It also means that a court might conclude that the entire contents of the network are being “imported” or “exported” when the employee crosses the border.
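The two-key idea in tip 2, sketched as an added example (not from the original article): the data-encryption key is split so the device carries only a salt and a check value, the employee knows a passphrase, and the second half stays with corporate until it approves release. The function names, PBKDF2 parameters and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32          # 256-bit data-encryption key (DEK)
PBKDF2_ITERS = 600_000  # assumed work factor for the passphrase half


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _employee_share(passphrase: str, salt: bytes) -> bytes:
    # The employee's half is derived from a passphrase and never stored.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERS, dklen=KEY_LEN)


def _check_value(dek: bytes) -> bytes:
    # Lets the device detect a wrong passphrase or wrong corporate share.
    return hmac.new(dek, b"dek-check", hashlib.sha256).digest()


def provision(passphrase: str):
    """Create a DEK and split it 2-of-2.

    Returns (dek, device_record, corporate_share). Only device_record
    travels with the laptop or phone; corporate_share stays at home.
    """
    dek = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    corporate_share = _xor(dek, _employee_share(passphrase, salt))
    device_record = {"salt": salt, "check": _check_value(dek)}
    return dek, device_record, corporate_share


def unlock(passphrase: str, device_record: dict, corporate_share):
    """Recombine both halves; return the DEK, or None if either is wrong."""
    if corporate_share is None:   # corporate has not approved release
        return None
    candidate = _xor(_employee_share(passphrase, device_record["salt"]),
                     corporate_share)
    if hmac.compare_digest(_check_value(candidate), device_record["check"]):
        return candidate
    return None
```

Because the DEK is random and the corporate half is the DEK XORed with the passphrase-derived half, the passphrase plus the device record reveal nothing about the key until corporate supplies its share.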
What instructions do YOU give your employees when they are asked to decrypt or provide devices that contain sensitive corporate data? Does providing such data to a border patrol officer or a highway cop constitute a “breach” of such data under data breach disclosure laws? (Probably not, as it’s not “unauthorized.”)
The real problem here is volume and sensitivity. A laptop, tablet or smartphone isn’t a briefcase. As the Supreme Court noted when it required warrants to search cell phones “incident to a lawful arrest,”
… a cell phone collects in one place many distinct types of information—an address, a note, a prescription, a bank statement, a video—that reveal much more in combination than any isolated record. Second, a cell phone’s capacity allows even just one type of information to convey far more than previously possible.
The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet. Third, the data on a phone can date back to the purchase of the phone, or even earlier. A person might carry in his pocket a slip of paper reminding him to call Mr. Jones; he would not carry a record of all his communications with Mr. Jones for the past several months, as would routinely be kept on a phone.
… Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cell phone, with all that it contains, who is the exception. … A decade ago police officers searching an arrestee might have occasionally stumbled across a highly personal item such as a diary. … Today, by contrast, it is no exaggeration to say that many of the more than 90% of American adults who own a cell phone keep on their person a digital record of nearly every aspect of their lives—from the mundane to the intimate.
Not just intimate information, but sensitive corporate information. Best advice: if an employee is detained at the border and asked to decrypt a device (or provide a password to a device) containing sensitive personal information, have the employee provide the phone number of the security officer or someone in the General Counsel’s office. Cause you really don’t want to be woken up at 4AM!