This section encompasses considerations on whether there are decent alternatives to full disk encryption for protecting data in a border scenario; findings about data deletion beyond recovery; and data protection on devices other than PCs.
Now, I’m traveling from the United States, because I live in the United States. So when I am on this trip, I’ll be going home to the U.S. And I personally am concerned about border searches and taking precautions against them. According to the statistics that the American Civil Liberties Union obtained from the government under the Freedom of Information Act about how frequently border searches of electronic devices occur, it came out to about 300 per month, which is very few in terms of the number of people who enter the United States. That data was for October 2008 to June 2010 time period.
So on the one hand, searches of electronic devices (you know, intrusively looking through what people have on their computers) are actually extraordinarily rare as a proportion of travelers. At the same time, I personally know three people to whom this has happened, and so it feels like a very concrete and real possibility to me. I feel that it’s not random, and it feels like a real thing to me because I know these three people who had this happen to them, in some cases on multiple occasions, not just once.
So I’m interested in experimenting with precautions that I can take. I’m gonna talk about the approach that I’ve chosen to try on this particular trip to the Nethrelands. I use Ubuntu, so I have full disk encryption using LUKS, and LUKS has a concept of key slots. So you have the ability to have up to eight different passphrases, any one of which is valid, to decrypt your hard drive. So what you can do is as follows: I got my original passphrase, and it can generate a totally random and non-memorable thing, and then add that thing as an additional passphrase in a secondary key slot. And then there are two different key slots, each of which has an independent passphrase. Then, if I have some way to have or get the non-memorable one at home where I’m returning to, or to my destination in the U.S., then, skipping a few details about LUKS trying to prevent you from locking yourself out of your own computer even if you wanted to, you can kill the original slot that contains your original passphrase, and then you no longer know the passphrase to decrypt your drive.
I’ve actually done that on this trip, I have a passphrase that I left at home in the United States that I don’t know and can’t remember, and when I’m going to cross the border, before doing so I’m going to kill the key slot on my laptop that contains the passphrase that I know. When I return home, I have access to another passphrase that will be valid, but I won’t have it at the time that I’m crossing the border. So that was actually relatively easy to set up, it’s an interesting possibility. I’ve tried other encryption possibilities, other approaches at other times.
Is it possible that you could be compelled by a judge to turn over that password to decrypt? Well, one distinction is that the judge compelling you to do something requires you to be implicated in an actual criminal investigation. I don’t mean that you have to be the suspect, there has to actually be a specific criminal investigation about a specific crime in order for the judge to compel evidence to be turned over within the U.S. And this is different from the situation at the border, where they can ask me just because they feel like it, just because I happen to be crossing the border. So it’s absolutely correct that by having my passphrase written down I have lesser legal protection than I ordinarily would at home in the U.S., in the sense that any Fifth Amendment right that I might have no longer applies to prevent me from turning over that piece of paper.
On the other hand, compared to the border where no suspicion and no reason whatsoever is necessary, I still have relatively greater protection.
Marcia Hofmann speaking: Yes, I agree. And I think the key to this is – remember that I said that the Fifth Amendment right applies in a situation where they are trying to compel something from your mind, so that’s kind of the key there. If they happen to know that Seth had written down his password and they wanted to obtain a warrant to seize it, then that wouldn’t be a Fifth Amendment issue, but rather a Fourth Amendment issue, and in theory they could do that.
Seth Schoen speaking: So there’s this great design called “Keypad”. I don’t know if any of you have read this paper “Keypad: An Auditing File System for Theft-Prone Devices” from the University of Washington. I really admire this design, unfortunately they have not released their code, so I’m actually quite interested in re-implementing it. This is an alternative way, among other things, of not knowing your password. And it also provides a lot of advantages if your device is lost or stolen, not just at the border but at any time. Strangely enough, this is sort of like a digital rights management system, except that the person whose computer it is ultimately does have access to the keys. They ultimately can decrypt, and they ultimately can export files from the system. But every time they want to access a file, they have to request a decryption key for that file from a server. Under normal circumstances, where the person is in possession of their device, the server will automatically grant the decryption key and allow the person to read their files. But under exceptional circumstances, such as if the device has been lost, or perhaps if the person is currently crossing the border, the server could be programmed not to grant those keys, and therefore the device would be unable to read those files.
Anyway, these researchers from the University of Washington implemented this. They’re particularly interested in benefits for people like doctors who have a lot of sensitive information and obligations to tell people if that information is lost or stolen. And in this way, they can say, well, if the device is lost they can turn off the key server and say – no further accesses to the files on that device will succeed. It’s also potentially relevant in a border context, so I would love to re-implement this, and I think Google should do the same thing in Chrome OS, and I think it’s very feasible to implemented exactly this kind of things in Chrome OS.
In general, we can get into these concepts about mandatory access control, and in a sense about digital rights management, even though in this case it’s really for the protection of the end user and not to ultimately limit their ability to use files in the way that they want to – by implementing systems where physically possessing the device is not the only thing that you need in order to have access to read the files on the device. So I think there are a lot of possibilities for that.
I just wanted to say briefly that it’s relatively hard to delete stuff, and forensics is relatively effective. There are a lot of examples of that. You may know about Simson Garfinkel’s experiment with a bunch of used hard drives. He went and looked at what was on these used hard drives that had been decommissioned, and he found that very often people had attempted to delete the things on the hard drive before selling it and had not succeeded because they had used their ordinary Delete command, or they had used their ordinary Format command, and they did a high-level Format or a high-level Delete, and it didn’t overwrite the blocks actually containing the data. And so very often deleting things doesn’t work, and file systems are getting more advanced, so even “secure delete” may not actually overwrite the blocks with data. This is a frustrating problem.
Researchers who have looked at this generally say that the main answer is full disk encryption, because we really don’t know if we have some kind of log structured file system, whether the blocks that actually contain your data have been cleared when you erased things.
Also, wear leveling on flash drives is hilarious because the device actually writes your data somewhere unpredictable that you don’t know, on the physical device. And it doesn’t guarantee that overwriting the same block will actually overwrite that same block, because it says something like: “You surely don’t want to write to the same place on the drive multiple times”.
I think even Gutmann says that Gutmann’s advice about multiple-pass overwriting is obsolete. Single-pass overwrite is probably enough and has the advantage that you might actually do it, whereas you might not wait around for 35 overwrites. This is safer than securely deleting a file because the structure of the file system doesn’t matter.
Researchers from the University of Washington published this forensics paper where they say that people who are using partial volume encryption, not full disk encryption, often have leakage, where their operating system or their applications leave traces of the data from the encrypted volume outside of the encrypted volume. A really simple familiar example is that a word processor like Microsoft Word may auto-save, so you might have a TrueCrypt volume and you might have all of these things inside the TrueCrypt volume, and then edit them in a word processor – and it might auto-save outside of the TrueCrypt volume, and then erase the auto-save file; but the auto-save file can be undeleted. So this is a strong argument for preferring full disk encryption where possible. We don’t really have applications and operating systems that do this kind of secure compartmentalization very well on PCs.
Mobile devices are even worse because forensics on mobile devices is awesome, and counterforensics on mobile devices is horrible. Most mobile devices that you might get have no full disk encryption option; of course there are exceptions to that. Most mobile devices have no secure erase option – if they don’t come with one, it’s often quite difficult to add it yourself, especially if you have a device that doesn’t give you root access.
Law enforcement and all kinds of forensics professionals have extremely powerful forensic tools that are extremely automated, that work on mobile devices. They can often just plug the device into a bay – and have the entire contents of the device come up on their PC immediately. So mobile devices are rough.
Cameras are also kind of electronic devices that could be subject to search. And like your mobile phone, they generally won’t have a secure delete option. In fact, there are lots of funny stories about how, if you erase a photo on a camera and if you then put your compact flash disk into a PC, it’s generally just deleted on a FAT file system, so you can run an ordinary Undelete program on the compact flash disk, and undelete the photo. That’s a common case. So if you had compact flash or SD cards that you wanted to clear, you might want to actually put them into a PC and actually overwrite every block, rather than just doing the Delete photos in the camera.