Securing my data for international travel

By Regus Patoff, Anonymous Person

I have a complicated international trip coming up, and I want to protect my private information from border officials. Abroad or in the US, border officials can and do abuse their discretionary power to interrogate travelers, seize electronic devices, demand passwords, and generally inquire into matters unrelated to border safety. This post summarizes my plan. Later I’ll let you know how it went.

 

I’m hard to find online

I started preparing by making my Twitter account anonymous and taking down my personal blog. Now I don’t pop up in Google, so I’m protected from a casual search on my name. It took a full year for my name to fade off of Google, so start this in advance if you want to do it.

I’m not a “target”

I am not important enough to need to worry about state security agencies, and this post isn’t for people who are. . I just want to provide zero information to border guards. All they need to know is that I’m not carrying weapons on a flight, and beyond that, in matters of my heart and mind, they can piss off. My border crossings double as resistance to the erosion of my legal and human rights.

I carry a lot of electronic equipment with me when I travel, though no more that what a typical business traveler might. Basically, a phone, a tablet, and a laptop, though no laptop on this trip . I’m leaving behind many computer services that I need to stay in touch with:

  • A computer server providing websites for myself and others, and also DNS. I need administrative access to that even when traveling.
  • Hidden Tor services that I host.
  • Other various backup services hosted by a major cloud services provider.
  • My personal email hosted by another cloud services provider.
  • A backup email provider, a big one, just in case.
  • My private cloud that I host, full of information that I like to have available all the time and on any device, but which I don’t want to trust to a vendor.

Devices I’m taking along

These are the devices I’ll be carrying:

  • An Android phone (cell and Wi-Fi connectivity, with an add-on SD-card for storage). Serves as a phone, of course, but also as a music player.
  • An Android tablet (Wi-Fi connectivity, with an add-on SD-card for storage). This, with an accessory keyboard and mouse, serves as a full-service computer substitute, an ebook reader, and a mapping+navigation device.

Why Android?

I know that iOS devices are regarded as more secure by the extremely careful and/or extremely threatened. I’m not an Android expert who can improvise my own iOS-equivalent security. However, I am not trying to defend myself against intelligence services at the border, I’m just trying to beat border guards. Stock Android with encryption will work. I prefer Android because I like to tinker, so that’s what I’m taking. Loyal iOS users reading this will have no trouble translating its suggestions into the language of their favorite mobile platform.

I’m also carrying a philosophy

Don’t be a hostage to your stuff. My travel devices are cheap and/or old enough to make losing them to government seizure acceptable. It’s the data that matters.

Sensitive data

My data protection strategy is to keep my sensitive data in the cloud where I can access it when it is safe to do so. My sensitive data in this case includes:

  • Contacts
  • Email
  • Calendar
  • Bookmarks
  • Browser history
  • Passwords
  • Cryptographic keys
  • Photographs

Backups

I’ll be keeping data of this sort in the cloud (private or public) and accessing them through secure connections (HTTPS, SSH) or by secure synchronization services (Android sync, Google Drive, Mozilla sync). I also store configuration profiles for important applications (for example, email) so I don’t have to remember them. I have made several layers of backups for everything, in several locations, including my private cloud and a virtual machine I pay a cloud services provider for. If the sync services fail or I lose my devices, I’ll be able to access my important data from any Internet-connected computer.

Passwords

Passwords are a problem. I use around one hundred strong, random passwords for various websites and services, which means I have to use a password manager to keep track of them. I don’t care much for the hosted password management services, so I run my own and sync its database through my private cloud. My Android devices automatically sync up with my password database.

However, to be truly independent of particular devices and safe from government seizure, I need to carry a few strong but unforgettable passwords in my head. I use one to access my private cloud, where everything important is stored. I have another memorized password for my password database, which is itself encrypted, and one more for my backup email account. In general, the correct-battery-horse-staple (https://xkcd.com/936/) method of password building is the way to go for these master, memorized passwords.

Non-sensitive data

In addition to the sensitive data, I’ll be carrying some relatively bulky, non-sensitive stuff:

  • Music files
  • Map files
  • Ebooks

I’ll keep this data on the external MicroSD cards in each device, unencrypted. I’ll avoid carrying anything controversial. These things are already backed up at home, but are too bulky to sync if I lose them. Worst case scenario, I can’t listen to LCD Soundsystem on the funicular. It’s something of a technical trick, though, to keep sensitive data from being saved to those cards by the ever-helpful Android operating system.

My pilot protocol

Putting all this together, here is my planned device security protocol for before and after entering a country:

  1. Before: Factory reset the devices. Do not begin device setup.[Non-random thought: Will border officials be annoyed to find a factory-reset device? I imagine the Israelis would be annoyed, or the authorities in Urumqi. An alternative would be to set up a false/alternative identity on the device, which would take planning and time. A secondary and very uninteresting Google account would do the trick. However, DO NOT GET CAUGHT LYING TO THE AUTHORITIES. When I was living in {oppressive regime}, I planned my lies very carefully and kept them effectively unfalsifiable.]
  2. After border crossing, set up the devices using Google account credentials.
  3. Choose option to restore from a cloud backup, including apps.
  4. Finish setup, and when prompted, have the device restore all apps.
  5. Retrieve email configuration from the cloud.
  6. Set up SSH keys.
  7. Re-sync browser bookmarks.
  8. Rebuild the home screen, which in my experience is not restored.

Coming soon: How this worked in a “liberal democracy” with draconian security measures, and in an “undemocratic regime” with the same.

 

One Reply to “Securing my data for international travel”

  1. Hello.

    I am curious about which password management service you are using and how/where you host it.
    Do you maintain your own private cloud that you back up on a paid corporate platform, vice versa, or some other combination of services?
    I had just launched my own self-hosted cloud service and have been curious yet cautious about moving away from LastPass to a cloud hosted option for password management.

Leave a Reply

Your email address will not be published.