Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Protecting confidential information while travelling to the US
12 points by tartieret 3 days ago | hide | past | favorite | 10 comments
I am the CTO of a small Canadian company, we build energy management and process optimization platforms for industrial clients. Many of our clients are large US companies, and some of our employees travel to clients' sites for implementation or consulting work. As a result, they have to cross the border with their company phone and laptop.

In recent news, a French researcher traveling to a conference in Texas had his laptop seized by the US authorities, for reasons that are not well explained. It seems that the number of similar cases has increased at the US border.

If a company laptop was ceased by the US customs, this will objectively represent a security breach and threaten the confidentiality of our clients' data. Consultants have to have a local copy of some dataset (like production data, energy related info... ) from facilities to perform analysis on their computer.

I am considering issuing a warning to all our employees about this, but I am wondering if some of you have recommendations regarding this: - technical measures to limit our exposure. We use encrypted disks, can the border officer force you to provide the password / encryption key? - legal measures to protect the confidentiality of data from US-based companies. Can the federal government seized confidential data from US-based companies just because it crosses the border?

Thanks for your help!






If you do not provide Border Patrol with access to whatever they want, you do not get to enter the country. You have zero rights at a US port of entry.

The best solution is what many US companies do for employees traveling to China -- a burner laptop & phone with no data on it.

Provide some form of remote access to services, such as webmail.

A two second google search will give you the answers you seek about what the CBP can do - https://www.cbp.gov/travel/cbp-search-authority/border-searc...

reply


This is the answer - burner laptop and phone you can lose without repercussions.

From my extensive research reading spy novels this would be something they do entering a high risk environment. If you absolutely have to have the data onsite at client meetings and don't want to use the cloud, then separate the data from the laptop. Maybe go old school with a USB stick. Make the USB stick look like a charger. Or pack a bag of 100 USB sticks with your company logo on them as chatchkes but one of them has the data.

I have to imagine if they are going to seize a laptop they probably aren't going to let you in anyhow.

reply


American here. Most of the country by population is considered a border zone where you have very limited rights against federal searches: https://www.aclu.org/know-your-rights/border-zone

As a foreigner, our government will arbitrarily detain and search you as you wish and you will have no recourse, especially with this administration.

It doesn't really matter what the laws are on paper. Your employees aren't going to resist interrogation and fight to defend some vague law on behalf of your clients when they're being questioned by big armed dudes and threatened with indefinite detention. The government will get its way.

Buy some separate Chromebooks for travel, with no local data saved and no logins saved, and loan them out to employees when they travel. Have them memorize a password and make sure it gets changed when they get back.

Better yet, don't even come here right now. The civilized world should be boycotting US businesses (or at least travel to the US) until and unless we get our shit in order. Make a Zoom call. It's not worth getting your employees traumatized.

reply


I’ve had a laptop taken and held in Saudi nearly 22 years ago. It’s scary. Didn’t have all the cloud tech we got now

The other advice here is good, encrypt remote/ cloud storage, don’t be logged into anything I guess.

reply


You need a consultation with a suitable security organisation and to have a C-level meeting to determine what category of messaging to your clients about this your legal team needs to draft. Treat it as if the worst-case scenario is true and all data that crosses the border will be cloned and forwarded to both competitors and phishing organizations, as if your employees are travelling to Myanmar.

The worst-case expectation for the U.S. is unlikely and emotionally fraught but as a CTO you have to consider your responsibilities. Not following advice like this doesn't just expose you to the one-in-a-million risk that the US will be that crazy, it exposes you to the one-in-ten risk that the Carney administration appeals to voters by introducing new laws in less than two years that make your company retroactively liable for "risking potential damages" to your clients, without a high burden of proof.

reply


There are many places in which you can hide a 2TB micro sd card...

reply


Are bodily orifices covered by the 4th amendment?

reply


Travel with minimal electronics, buy everything here, sync data securely over the internet.

Should be the default when traveling to "sketchy" places.

reply


Azure virtual desktop and a factory fresh laptop image?

reply


they can (or could).

if this is really within your threat model i suggest treating travel to the US much like travel to any other foreign hostile nation.

there’s plenty of articles written and some probably that apply better for canadians (written from the perspective of your own security agency)

basic advice like take a burner laptop and leave sensitive information at home.

here’s the aussie one.(1)

Good luck.

(1) https://www.smartraveller.gov.au/before-you-go/staying-safe/...

reply




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: