July 20, 2017

Engineering around social media border searches

The latest news is that the U.S. Department of Homeland Security is considering a requirement, while passing through a border checkpoint, to inspect a prospective visitor’s “online presence”. That means immigration officials would require users to divulge their passwords to Facebook and other such services, which the agent might then inspect, right there, at the border crossing. This raises a variety of concerns, from its chilling impact on freedom of speech to its being an unreasonable search or seizure, never mind whether an airport border agent has the necessary training to make such judgments, much less the time to do it while hundreds of people are waiting in line to get through.

Rather than conduct a serious legal analysis, however, I want to talk about technical countermeasures. What might Facebook or other such services do to help defend their users as they pass a border crossing?

Fake accounts. It’s certainly feasible today to create multiple accounts for yourself, giving up the password to a fake account rather than your real account. Most users would find this unnecessarily cumbersome, and the last thing Facebook or anybody else wants is to have a bunch of fake accounts running around. It’s already a concern when somebody tries to borrow a real person’s identity to create a fake account and “friend” their actual friends.

Duress passwords. Years ago, my home alarm system had the option to have two separate PINs. One of them would disable the alarm as normal. The other would sound a silent alarm, summoning the police immediately while making it seem like I disabled the alarm. Let’s say Facebook supported something similar. You enter the duress password, then Facebook locks out your account or switches to your fake account, as above.

Temporary lockouts. If you know you’re about to go through a border crossing, you could give a duress password, as above, or you could arrange an account lockout in advance. You might, for example, designate ten trusted friends, where any five must declare that the lockout is over. Absent those declarations, your account would remain locked, and there would be no means for you to be coerced into giving access to your own account.

Temporary sanitization. Absent any action from Facebook, the best advice today for somebody about to go through a border crossing is to sanitize their account before going through. That means attempting to second-guess what border agents are looking for and delete it in advance. Facebook might assist this by providing search features to allow users to temporarily drop friends, temporarily delete comments or posts with keywords in them, etc. As with the temporary lockouts, temporary sanitization would need to have a restoration process that could be delegated to trusted friends. Once you give the all-clear, everything comes back again.
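A small model of the duress-password, temporary-lockout and trusted-friend restoration ideas above, added here as an example and not part of the original post. The Account class, its method names and the k-of-n “declare” semantics are my assumptions about how a service might implement these features; the point to notice is that the duress login answers exactly like any other locked account while the signal is recorded only server-side, and that the owner has no way to reverse the lockout alone.

```python
import hashlib
import hmac
import secrets

def _derive(password: str, salt: bytes) -> bytes:
    # Slow hash so a leaked verifier cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical account with a duress password and k-of-n trustee unlock."""
    def __init__(self, real_pw, duress_pw, trustees, threshold):
        if real_pw == duress_pw:
            raise ValueError("duress password must differ from the real one")
        self.salt = secrets.token_bytes(16)
        self.real = _derive(real_pw, self.salt)
        self.duress = _derive(duress_pw, self.salt)
        self.trustees = set(trustees)   # e.g. ten friends ...
        self.threshold = threshold      # ... any five of whom must declare the all-clear
        self.locked = False
        self.unlock_votes = set()
        self.duress_events = 0  # server-side only; never shown to whoever is logging in

    def lock(self):
        # Pre-arranged lockout before travel; only the trustees can reverse it.
        self.locked = True
        self.unlock_votes.clear()

    def login(self, password: str) -> str:
        candidate = _derive(password, self.salt)
        if hmac.compare_digest(candidate, self.duress):
            # Silent alarm: record the signal, lock, and answer like any locked account.
            self.duress_events += 1
            self.lock()
            return "locked"
        if self.locked:
            return "locked"
        if hmac.compare_digest(candidate, self.real):
            return "ok"
        return "denied"

    def vote_unlock(self, trustee: str) -> bool:
        # A trustee declares the lockout over; repeat votes from one trustee do not stack.
        if trustee not in self.trustees:
            return False
        self.unlock_votes.add(trustee)
        if len(self.unlock_votes) >= self.threshold:
            self.locked = False
            self.unlock_votes.clear()
        return True
```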

User defense in bulk. Every time a user, going through a border crossing, exercises a duress password, that’s an unambiguous signal to Facebook. Even absent such signals, Facebook would observe highly unusual login behavior coming from those specific browsers and IP addresses. Facebook could simply deny access to its services from government IP address blocks. While it’s entirely possible for the government to circumvent this, whether using Tor or whatever else, there’s no reason that Facebook needs to be complicit in the process.

So is there a reasonable alternative?

While it’s technically feasible for the government to require that Facebook give it full “backdoor” access to each and every account so it can render threat judgments in advance, this would constitute the most unreasonable search and seizure in the history of that phrase. Furthermore, if and when it became common knowledge that such unreasonable seizures were commonplace, that would be the end of the company. Facebook users have an expectation of privacy and will switch to other services if Facebook cannot protect them.

Wouldn’t it be nice if there was some less invasive way to support the government’s desire for “extreme vetting”? Can we protect ordinary users’ privacy while still enabling the government to intercept people who intend harm to our country? We certainly must assume that an actual bona fide terrorist is going to have no trouble creating a completely clean online persona to use while crossing a border. They can invent wholesome friends with healthy children sharing silly videos of cute kittens. While we don’t know too much about our existing vetting strategies to distinguish tourists from terrorists, we have to assume that the process involves the accumulation of signals and human intelligence, and other painstaking efforts by professional investigators to protect our country from harm. It’s entirely possible that they’re already doing a good job.

Comments

  1. I’m not sure the lockout solutions work. They might just refuse to let you in to the country until you show them an unlocked account.

    What if you don’t even have a Facebook account? Would they believe you? Would having social media accounts become a requirement for entering the country?

    • Dan Wallach says:

      All perfectly reasonable questions. I do have several friends who pointedly don’t have Facebook accounts.

  2. Another option: Consider all parts of all your social media accounts as though they were completely open to the public, and use them accordingly.

    That’s probably a good practice even if you’re not planning to cross any borders. The notion that anything you upload to any online service is somehow “private” is dangerously misleading.

    • Dan Wallach says:

      Perhaps you keep your Facebook page carefully groomed, but what about your friends (or your “friends” who you don’t really know all that well)? Would you vouch that none of your “friends” have posted things for which you could be guilty by association?

  3. Grimmtooth says:

    Additional sanitation suggestion (and easier): delete social media apps from your mobile devices before crossing the border. Reinstallation is just a few button presses away when you’re clear.

    • Chilly8 says:

      If you are going to do that, you might want to use an app that can overwrite all the data on your phone, and then do a factory data reset, to make sure the forensic tools will not see anything.

  4. Julian Bond says:

    Two factor auth gets interesting. Especially when it relies on a roaming phone number that can receive texts during trans-continental travel. Have you got all the required devices with you, and do they all work at this particular border crossing?

  5. To read twitter, technical countermeasures will at best lead to delay, at worst refused entry.

    As far as “enemies” crossing the border, I’m not sure where to set the vigilance knob. Lots of the baddies fit the Mr Evil mold, not the Dr Evil mold — thus, the shoe bomber, underpants bomber, butt bomber, and various failed attacks around the world; arguably we can let them in (in fact, they cleared security in place at the time) because they get caught by other measures (caught by other passengers on an airplane is still caught) or (butt bomber) fail to detonate their bomb effectively. More recently, there’s “help, help, I’ve inexplicably got ricin all over my hands!” in Georgia.

    At the same time, some succeed — but there’s nothing in border crossing data that would have led to their detection — Pulse Nightclub shooter was a natural-born US citizen, Tim McVeigh was a natural-born US citizen, one of the two San Bernardino shooters was a natural-born US citizen.

    And of course, none of this makes sense if we treat all people and all deaths equally. Bed and bath falls both kill more people than terrorists, cars kill 10x more pedestrians by crashing into them, 100x more of their own drivers in crashes, and cause 1000x more early deaths (according to thousands-large health studies) by luring people away from the exercise that they need.

  6. What are the implications of using a password manager?

    I don’t know my social network passwords. They’re stored on 1Password. Should 1Password have a temporary lockout mechanism? What does it mean to give the authorities a password that also opens my bank and email accounts?

  7. Wendy M. Grossman says:

    I suspect that “they” are really not as interested in the contents of what you’ve posted to your account (unless something quickly shows you’ve told a lie) as they are in the social graph; in any case, sanitizing your account won’t help if someone on your friends list is connected to someone that raises a red flag (whether the reason is good or bad). How many of us really know everyone on our list of contacts? And that’s where fake accounts will expose themselves very quickly – because it takes a lot of effort to create a plausible-looking set of friends for a fake account.

    I’m wondering why none of the social media companies have stepped up to point out that sharing your password with a third party like that contravenes the terms of service. In the Facebook ToS it’s section 4, item 8: “You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.”

    There’s a real and serious concern regarding abuse here. Obviously, anyone who does give their password at the border should change it immediately afterwards, but that isn’t always easy to do (on your phone? in the baggage claim?) and it’s easily forgotten in the stress of travel. Although I guess it does create plausible deniability: “I don’t know, officer, I gave my password to US immigration last year, and ever since there’s been strange stuff appearing on my account that I didn’t post.”

    wg