arbitrary electronic search & seizure + canadian border = ok

Following the judgement and policy confirming that US customs can conduct searches without suspicion, some of my colleagues in the trade group at McCarthy have published an e-Alert that describes Canadian authorities’ approach to searches of electronic devices at the Canadian border:

CBSA has yet to publish a report detailing its policy on border searches of electronic devices. That said, the CBSA has stated that its examination authority under the Customs Act extends to electronic storage devices. Other sources of information also suggest that they, like their American counterparts, do not accord electronic devices special status at the border. For example, the Canadian Customs Act broadly defines “goods” to include “any document in any form”, suggesting no special treatment for electronic documents. Canadian case law also supports this interpretation. In a 2008 Ontario Court of Justice decision, the Court stated that it saw no intrinsic difference between a computer search and a detailed examination of the contents of one’s suitcase.

2. Searches Without Suspicion

Given their characterization as ordinary goods, it follows that a border official can search travelers’ electronic goods even in the absence of suspicion regarding the traveler or the electronic device.

The article also provides some background on the situation with the US, confidentiality regarding information obtained from such searches, ability to detain electronic devices for further inspections, privileged information, and some thoughts on how to protect your information.

If you cross the border frequently with sensitive business information, it is well worth a read, as is my previous post on the US policy.

arbitrary electronic search & seizure + us border = ok

I imagine its not much of a surprise given the current environment in the states (as well as, to some extent, similar past rulings in the US). Wired reports arbitrary searches of electronics are OK:

Federal agents at the border do not need any reason to search through travelers’ laptops, cell phones or digital cameras for evidence of crimes, a federal appeals court ruled Monday, extending the government’s power to look through belongings like suitcases at the border to electronics.

Needless to say, consideration should be given to taking some steps to protect confidential or sensitive records that you would not want to be seized. And no, I don’t mean nudie pictures or the like, but things such as confidential information of your business, or that of third parties who have entrusted you with confidential information, or personal information. That being said, Wired also made this observation:

The 9th’s ruling did not, however, clarify whether a traveler has to help the government search his computer, by providing the login information, or what would happen when the government decided to search a laptop with encrypted data on the drive. The defendant in the case can appeal the decision to the U.S. Supreme Court, but the Court is unlikely to take up an issue that two separate appeals courts have agreed upon.

Alternatively, better to leave all sensitive data at the office and, if required, connect through a VPN, retrieve, then erase before crossing.

Well, at least we can thank our stars that the ruling doesn’t apply to “highly intrusive searches of the person”. Yet.

Update: The EFF has published an article on possible ways to minimize the risk of laptop searches. They point out that encryption might not be all that handy:

If, however, you don’t respond to CBP’s demands, the agency does have the authority to search, detain, and even prohibit you from entering the county. CBP has more authority to turn non-citizens away than it does to exclude U.S. persons from entering the country, but we don’t know how the agents are allowed to use this authority to execute searches or get access to password protected information. CBP also has the authority to seize your property at the border. Agents cannot seize anything they like (for example, your wedding ring), but we do not know what standards agents are told to follow to determine whether they can and should take your laptop but let you by.

Elaborating on my suggested approach, they point out the following:

Another option is to bring a clean laptop and get the information you need over the internet once you arrive at your destination, send your work product back, and then delete the data before returning to the United States. Historically, the Foreign Intelligence Surveillance Act (FISA) generally prohibited warrantless interception of this information exchange. However, the Protect America Act amended FISA so that surveillance of people reasonably believed to be located outside the United States no longer requires a warrant. Your email or telnet session can now be intercepted without a warrant. If all you are concerned about is keeping border agents from rummaging through your revealing vacation photos, you may not care. If you are dealing with trade secrets or confidential client data, an encrypted VPN is a better solution.

Anyway, worth a read if you do cross the border with sensitive information.

Another update: More advice from Bruce Schneier on how to deal with customs (both in the US and elsewhere) and also safeguard sensitive information. I particularly like this suggestion (which he offers after also suggesting the VPN approach that I mentioned above) though it does require a little white lie:

If you can’t [use a clean laptop and download via secure VPN], consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it’s easy to lose something that small. Slip it in your pocket, and it’s likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: “I don’t know what’s on there. My boss told me to give it to the head of the New York office.” If you’ve chosen a strong encryption password, you won’t care if he confiscates it.

Further update: US customs, presumably emboldened by the court’s decision, have published their official policy (PDF) describing arbitrary search. The good news is that the reaction, at least in some corners, is somewhat less than favourable. From a recent article in the Washington Post:

“The policies . . . are truly alarming,” said Sen. Russell Feingold (D-Wis.), who is probing the government’s border search practices. He said he intends to introduce legislation soon that would require reasonable suspicion for border searches, as well as prohibit profiling on race, religion or national origin.

There’s also some description of what the good folks at Customs would do, including treatment of privileged materials, etc. If you frequently travel to the US with sensitive business materials, you would do well to review the policy. I may post a summary at some point…

Also, another less than enthusiastic op-ed piece in USA Today.

the internet: how not to learn to commit crimes

A story in the the Daily Record. The phrase “the thing speaks for itself” (which is one of those handy latin phrases I learned in law school but almost never use, except of course in blog posts – res ipsa loquitur, for you latinphiles out there…) seems to be appropriate for this:

At exactly 5:45:34 on April 18, 2004 a computer taken from the office of the attorney of Melanie McGuire, did a search on the words “How To Commit Murder.”

That same day searches on Google and MSN search engines, were conducted on such topics as `instant poisons,` `undetectable poisons,’ ‘fatal digoxin doses,’ and gun laws in New Jersey and Pennsylvania.

Ten days later, according to allegations by the state of New Jersey, McGuire murdered her husband, William T. McGuire, at their Woodbridge apartment, using a gun obtained in Pennsylvania, one day after obtaining a prescription for a sedative known as the “date rape” drug.

As a married man, it also makes me wonder what exactly is it about divorce that is really so bad that people resort to the apparently more preferable alternative of brutally murdering their spouses (as I delicately knock on wood…).

Via Slashdot.

silly lawsuit of the week

OK. Short version of the story in InformationWeek: Woman puts up a website. She puts a “webwrap” agreement at the bottom – i.e. basically a contract that says if you use the site then you agree to the contract. Still some question as to whether such a mechanism is binding, but anyway…

So the Internet Archive of course comes along and indexes her site. Which apparently is a violation of the webwrap. So she sues, representing herself, I believe. The court throws out everything on a preliminary motion by IA except for the breach of contract.

InformationWork observes that “Her suit asserts that the Internet Archive’s programmatic visitation of her site constitutes acceptance of her terms, despite the obvious inability of a Web crawler to understand those terms and the absence of a robots.txt file to warn crawlers away.” (my emphasis). They then conclude with this statement:

If a notice such as Shell’s is ultimately construed to represent just such a “meaningful opportunity” to an illiterate computer, the opt-out era on the Net may have to change. Sites that rely on automated content gathering like the Internet Archive, not to mention Google, will have to convince publishers to opt in before indexing or otherwise capturing their content. Either that or they’ll have to teach their Web spiders how to read contracts.

(my emphasis).

They already have – sort of. It’s called robots.txt – the thing referred to above. For those of you who haven’t heard of this, its a little file that you put on the top level of your site and which is the equivalent of a “no soliciation” sign on your door. Its been around for at least a decade (probably longer) and most (if not all) search engines

From the Internet Archive’s FAQ:

How can I remove my site’s pages from the Wayback Machine?

The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine.

Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy.

You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us at info at archive dot org.

standardized methods of communications – privacy policies, etc. – more. Question is, will people be required to use it, or simply disregard and act dumb?

Fair Use and the DMCA

An article in Wired News with the dramatic title of “Lawmakers Tout DMCA Killer” describes the most recent attempt to: (a) water down the protections afforded to content owners by the DMCA; (b) ensure the preservation of fair use rights on the part of users. As is usual, each side has its own rhetoric to describe what is happening, so in fairness I took the liberty of offering to readers of this blog the two alternative descriptions above. The nub:

The Boucher and Doolittle bill (.pdf), called the Fair Use Act of 2007, would free consumers to circumvent digital locks on media under six special circumstances.

Librarians would be allowed to bypass DRM technology to update or preserve their collections. Journalists, researchers and educators could do the same in pursuit of their work. Everyday consumers would get to “transmit work over a home or personal network” so long as movies, music and other personal media didn’t find their way on to the internet for distribution.

And then of course on the other side:

“The suggestion that fair use and technological innovation is endangered is ignoring reality,” said MPAA spokeswoman Gayle Osterberg. “This is addressing a problem that doesn’t exist.”

Osterberg pointed to a study the U.S. Copyright Office conducts every three years to determine whether fair use is being adversely affected. “The balance that Congress built into the DMCA is working.” The danger, Osterberg said, is in attempting to “enshrine exemptions” to copyright law.

To suggest that content owners have the right to be paid for their work is, for me, a  no-brainer. That being said, I wonder whether the DMCA and increasingly more complex and invasive DRM schemes will ultimately backfire – sure they protect the content, but they sure as heck are a pain in the ass – just my personal take on it. For example, I’d love to buy digital music, but having experienced the controls that iTunes imposes and suddenly having all my tracks disappear, I just don’t bother with it now. Not to mention the incredible hoops one needs to go through to display, say, Blu-ray on a computer – at least in its original, non-downgraded resolution – why bother with all of that at all?

I wonder whether this is, in a way, history repeating itself in a way. I am old enough to remember the early days of software protection – virtually every high-end game or application used fairly sophisticated techniques (like writing non-standard tracks on floppies in between standard tracks) in attempting to prevent piracy. Granted, these have never gone away altogether, particularly for super high end software that needs dongles and and the like, and of course recently there has been a resurgence in the levels of protection that have been layered on in Windows, but after the initial, almost universal lockdown of software long ago, there came a period where it seemed many (if not most) software developers just stopped using such measures.  At least that’s what seemed to happen. I’m not quite sure why, but I wonder if this same pattern will repeat with content rather than software. I suspect not. But hey, you never know.

In the meantime, off I go, reluctantly, in the cold, cold winter, to the nearest record shop to buy music the old fashioned way…


Wikiality – Part III

Bit of an elaboration on a previous post on the use of Wikipedia in judgements. I cited part of a New York Times article, which had in turn quoted from a letter to the editor from Professor Kenneth Ryesky. The portion cited by the NYT article suggested that Ryesky was quite opposed to the idea, which wasn’t really the case. He was kind enough to exchange some thoughts via e-mail:

In his New York Times article of 29 January 2007, Noam Cohen quoted a sentence (the last sentence) from my Letter to the Editor published in the New York Law Journal on 18 January 2007. You obviously read Mr. Cohen’s article, but it is not clear whether you read the original Letter to the Editor from which the sentence was quoted.

Which exemplifies the point that Wikipedia, for all of its usefulness, is not a primary source of information, and therefore should be used with great care in the judicial process, just as Mr. Cohen’s article was not a primary source of information.

Contrary to the impression you may have gotten from Mr. Cohen’s New York Times article of 29 January, I am not per se against the use of Wikipedia. For the record, I myself have occasion to make use of it in my research (though I almost always go and find the primary sources to which Wikipedia directs me), and find it to be a valuable tool. But in research, as in any other activity, one must use the appropriate tool for the job; using a sledge hammer to tighten a little screw on the motherboard of my computer just won’t work.

Wikipedia and its equivalents present challenges to the legal system. I am quite confident that, after some trial and error, the legal system will acclimate itself to Wikipedia, just as it has to other text and information media innovations over the past quarter-century.

Needless to say, quite a different tone than the excerpt in the NYT article. Thanks for the clarification, Professor Ryesky.

Thoughts on Quantum Computing

Interesting article in Wired News where they interview David Deutsch who they refer to as the Father of Quantum Computing. He has a kind of low key but interesting take on the recent demonstration of a real, live 16 qubit quantum computer by D-Wave, a Canadian company based out of Vancouver.

Low key insofar as he doesn’t seem particularly enthused about the potential of quantum computers, other than perhaps their ability to be used to simulate quantum systems and of course encryption:

Deutsch: It’s not anywhere near as big a revolution as, say, the internet, or the introduction of computers in the first place. The practical application, from a ordinary consumer’s point of view, are just quantitative.

One field that will be revolutionized is cryptography. All, or nearly all, existing cryptographic systems will be rendered insecure, and even retrospectively insecure, in that messages sent today, if somebody keeps them, will be possible to decipher … with a quantum computer as soon as one is built.

Most fields won’t be revolutionized in that way.

Fortunately, the already existing technology of quantum cryptography is not only more secure than any existing classical system, but it’s invulnerable to attack by a quantum computer. Anyone who cares sufficiently much about security ought to be instituting quantum cryptography wherever it’s technically feasible.

Apart from that, as I said, mathematical operations will become easier. Algorithmic search is the most important one, I think. Computers will become a little bit faster, especially in certain applications. Simulating quantum systems will become important because quantum technology will become important generally, in the form of nanotechnology.

(my emphasis). Interesting thought about being retrospectively insecure. Particularly given spy agencies have, in the past, been sufficiently bold to transmit encoded messages on easily accessible shortwave frequencies.

I imagine the spook shops already have their purchase orders in for quantum crypto stuff (or have developed it already internally). Was a bit surprised by the statement above regarding existing technology for quantum computing. I had heard of some demos a while back, but didn’t realize that there are actually several companies offering quantum cryptography products.

Virtual Diplomacy

Short one as its getting late. Interesting piece on how Sweden is setting up an embassy in Second Life. As most of you know, Second Life is a MMORPG – a virtual world of sorts where people can control computer generated images of people in a virtual world.

That being said, somewhat less exciting than first blush, as the new virtual Swedish embassy will only provide information on visas, immigration, etc. Perhaps not surprising – I mean, its not like you should be able to get a real-world passport through the use of your virtual character. Nor, God forbid, do I hope they’re introducing the bureaucracy of passports to travel through virtual countries….

D-Wave’s Quantum Computing Demo

As I mentioned earlier, there was a Canadian company that announced it would demonstrate a working quantum computer this week. And demonstrate they did. Yesterday. In California. Then they released this press release, which is frustratingly short on details.

There was some other minor press coverage, including a short article in Scientific American. The nub:

For the demonstration, he says D-Wave operators remotely controlled the quantum computer, housed in Burnaby, British Columbia, from a laptop in California. The quantum computer was given three problems to solve: searching for molecular structures that match a target molecule, creating a complicated seating plan, and filling in Sudoku puzzles.

But experts say the announcement may be a bit – er – premature. Even if the computer were to work as advertised, it still would be nearly 1,000 times too small to solve problems that stump ordinary computers. Moreover, researchers do not know whether it will work at bigger sizes.

A similar tone was in most other articles that didn’t parrot the press release – namely, that the demo was not very impressive. That part is rather unfortunate, although not wholly unexpected – the company did indicate (somewhere) that this was intended to be a proof of concept to gain interest.

So I guess at least for the foreseeable future, the cryptography industry will still be around.

A Real Quantum Computer – This Week!

Sorry, been off sick. One very quick entry from Techworld, about a BC company, D-Wave, that will be debuting a real Quantum computer this week!!

Twenty years before most scientists expected it, a commercial company has announceda quantum computer that promises to massively speed up searches and optimisation calculations.

D-Wave of British Columbia has promised to demonstrate a quantum computer next Tuesday, that can carry out 64,000 calculations simultaneously (in parallel “universes”), thanks to a new technique which rethinks the already-uncanny world of quantum computing. But the academic world is taking a wait-and-see approach.

If it turns out to be true, this will be revolutionary news. I mean, truly revolutionary. If it works, well, say goodbye to most of the cryptography industry, as a quantum computer should easily be able to defeat the most sophisticated encryption methods currently known by simple brute strength. Amongst other things. This is nearly unlimited computing power in a box. Stunning. Assuming, of course, it actually works.