High security standards, elevated surveillance create tension for business.
With the recent legislation granting customs officials the power to seize electronic devices and compel users to unlock those devices businesses should become acutely aware that we have laws that are effectively at odds with each other.
On one hand, we must comply with requests for authorities to view and copy data from our laptops and on the other, privacy laws dictate that we must keep any personally identifiable information away from prying eyes.
This recent video from Nathan Hague brought these thoughts into sharp focus.
Nathan mis-identified the “malware” but that is about it. Everything else should be raising flags.
Normally I have no problem with surveillance while ensuring private information stays that way, but we are introducing an unknown into the equation which is the systems and procedures surrounding information collected by the border force. Without details on how this collected data is handled and stored how can anyone feel sure that the data that is supposed to be under their protection will stay that way with a third party now holding a potentially complete copy of all information on your laptop or phone?
What also has me concerned is how can we be sure the equipment used to extract data is clear of malware or virii? How does this compromise our digital hygiene?
Because businesses and individuals responsible for keeping information safe we have to start adopting behaviours reserved for security professionals including the limiting of data retained on a device and regarding the electronics you travel with as expendable.
The first part is data minimisation. When travelling with a device ensure it has as little as possible in the way of data, software or other methods that could reveal more information including passwords that could unlock more information.
Instead, rely on cloud services, webmail and remote-control systems allowing you to use a device as a tool to control a computer at home or office. By using these services, you can ensure that the information you are meant to keep safe stays that way. Your device simply becomes a clean way to access your valuable data where it should be back in your home or office under lock and key.
The second part is managing compromises that might spread or have long term repercussions for you, your business, customers and suppliers. Our digital hygiene is compromised the second an unknown party accesses our devices. How can we be sure that our device will not get infected? It could be malware that has been on the surveillance equipment for weeks or months. It could have been picked up from the last device scanned.
Anyone concerned about malware and virii will know exactly what to do. Decommission and destroy.
A potentially compromised device should not be trusted until it has been proven otherwise and with the prevalence of malware, rootkits, keyloggers and surveillance tools the risk for disaster is high so if your device is ever accessed without your supervision you should consider wiping it or better still simply destroying it.
With the wide range of affordable laptops and mobile phones it is not hard or prohibitively expensive to have a travel kit that you can “burn” or destroy should it ever leave your side.
Simply run these devices with as little as possible on them and be prepared to dump them as soon as you are suspicious of their state.
I know this seems paranoid but knowing the state of play with malware and data privacy it has come to the point where we have to start taking notice.