NZ Customs Wants Power To Require Passwords
First time accepted submitter Orange Roughy writes New Zealand customs are seeking powers to obtain passwords and encryption keys for travelers. Supposedly they will only act to obtain credentials if it was acting on 'some intelligence or observation of abnormal behaviour.' People who refuse to hand over credentials could face up to three months jail time. From the story: "Customs boss Carolyn Tremain has told MPs the department would only request travellers hand over passwords to their electronic devices if it had a reason to be suspicious about what was on them. The department unleashed a furore last week when it said in a discussion paper that it should be given unrestricted power to force people to divulge passwords to their smartphones and computers at the border. That would be without Customs officials having to show they had any grounds for suspicion."
Kills tourism to N.Z.
Enjoy your new, democratic Mordor rulers.
Even if the person is the biggest paedophile terrorist drug-dealer in the world, do you honestly believe that there would be evidence on his phone WHILE HE IS TRAVELLING?
I don't believe that Carolyn Tremain understands this "Internet" thing.
Easy workaround: dual-booted laptop, one partition with WindowsXP and weak password, full with celebrity porn, 9/11 conspiracy documents and spyware to keep them busy for a while. Fully encrypted Linux partition for everything else.
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
A department such as customs, police, welfare etc. will always ask for the maximum possible powers. It is a given. There can be no argument against the fact that a speed camera on every light pole will lower the amount of speeders (either by fear or getting them off the roads). The police therefore will ask for that.
The role of the legislative body is to control the power of the departments and offset their wants against the negative outcomes of those wants. *Customs* We want everyone's password *Legislature* No, but you can seize equipment and a password may be demanded by a judge.
The fact that they don't always get it right is a different issue.
This probably is proof that they cannot decrypt some communications and want access to phone calls and messages.
What we need is an OS that keeps everything encrypted in the cloud, and that has multiple users for perfect deniability. At customs you log into the NSA friendly user.
Protip: whenever some government official says that they won't use their power for some purpose, you know that it will be used in exactly that way or for that purpose. Case in point, RIPA in the UK, which has been used (abused) in cases related to petty crime in exactly the way it was originally claimed it would not be used.
The real "Libtards" are the Libertarians!
The ring bearer say?
for i in `seq 1 2160`; do echo "Hello, jail! It's hour $i."; done \
| gpg -a --symmetric --passphrase "$(dd if=/dev/urandom bs=1024 count=1)" > ~/important.txt
When in a foreign land, you follow the rules of that land. Intrinsic rights are and only can be given to those who fall under that state's jurisdiction. Until they are universally accepted and guaranteed by some global dominion, people cannot and should not expect the laws that they were raised under to be respected in other jurisdictions.
Time is what keeps everything from happening all at once.
My dad was just in N.Z.
The first thing he did when he arrived was call me and asked me what we set his pin code for his tablet .... TO JAIL!
On Android you can have more than one login. Simply log out of your main session and log in to the new one. Make sure to not make it return to the log-in screen if the screen goes dark; that way it's permanently on the new login. Add in a few apps and whatnot to it so that it's not too suspiciously "empty".
If asked about it, just say it's your kid/wife/friend or whoever else's session for when they use the phone and you don't have the password for obvious reasons. But let's face it, customs officials aren't the brightest, they probably won't even notice it.
[New Zealand] Customs said its counterparts in Australia, Canada, the United States and Britain had equivalent powers, though the department has so far been unable to substantiate that.
Is that true? Does anyone know the current law in those countries? I think it is true in the U.K. where you can be jailed for not handing over passwords and/or encryption keys, but I don't know about Australia, Canada, or the U.S. Can anyone shed some light on this?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
People are stupid on average and would be daft enough to leave incriminating files on laptops and smart phones; that's why customs needs an over-reaching power like this.
The problem really is revealing a password that you use elsewhere. So change it before you go; make it 1234 or password or some other trivial thing. Maybe put a fresh copy of Windows on before you travel, or would that be suspicious in itself? Customs can give you a hard time already; even your butt isn't secure.
New Zealand wouldn't be the first country to make failing to hand over encryption keys illegal, just make sure your laptop is clean and it isn't a problem. It's not like you can't download a file once you are past customs.
Blarney Quality Restaurant, Plants
zig heil
Anyone with a brain that doesn't want to have their files read will stick it in a private "cloud" and access it remotely and securely anyway.
Hell, £100 NAS boxes have this functionality nowadays without any third-party storing the data. Or rent a VPS for the duration.
The problem I have with laws like this is that you ONLY catch the stupid people anyway. If they are going through customs with a laptop full of "how to beat customs" documents, then they get what they deserve and shouldn't be that professional.
What you're doing, though, is doing NOTHING to stop an actual, determined guy with half a brain from doing whatever he wants.
Spend less on junk like this, and just get more passengers a five minute interview to find suspicious people, or spend five minutes longer on checking the faces, passport lists, etc.
The real issue is if they store those credentials. Providing credentials to customs for an inspection is somewhat legal. Storing the passenger info + credentials is a NO.
Slashdot, fix the reply notifications... You won't get away with it...
...fly in your underpants. Even better - A chastity belt. For hire before you board. Enjoy your flight!
A government strong enough to give you everything you want, is also strong enough to take away everything you have.
In Soviet Washington the swamp drains you.
You want to bring some document to someone IN NZ, ask him to send you his PUBLIC key.
You want to be able to bring some document OUT OF NZ, keep your PUBLIC key on your computer.
And have NO PRIVATE KEY with you...
When asked to decrypt, you're just mathematically unable to do so... And any computer expert will be able to confirm what you say.
If enough people take that way, they'll eventually understand that it's futile to require passwords.
I'm not allowed to share the password of my company owned laptop. If I travel to New Zealand on business travel and I am requested to share my password, I will have the choice of either getting fired for violating company information security rules, or it lands me in prison for 3 months.
Stop thinking about stupid workarounds and just put an end to this fucking nonsense.
Dang. How will I enter the password into the electrical outlet every time I want to turn on a table lamp? Electricity theft must be a real big problem over there.
Cisco are proud partners with the NSA through NIST (as are Symantec, McAfee, Microsoft). Which is why Kaspersky release the best NSA malware analysis:
http://www.nist.gov/itl/csd/nccoe-041513.cfm
Cisco's dead drop will simply identify the best routers to bug for the NSA. The company is telling Cisco that these routers are critical, hence these are the ones to bug.
This encryption keys thing looks like it's an attempt to remove the right to privacy. Since encryption is the one way left we have to ensure privacy, this would remove the right to that. It's then only a small step before the right to export data across the internet encrypted is likewise removed, since it's basically the same thing.
They're trying to attack Mega the same way, with PayPal claiming it's because they use 'encryption'. Demonizing encryption.
There's no such law in NZ, they want it, but NZ signed up to the basic human rights laws, so privacy is the law there.
And this is not about foreigners vs locals. NZ customs wants the right to grab all passwords and encrypted data for New Zealand people too.
If you recall the scandal because New Zealand's spy agency broke the law and spied on New Zealanders. MegaUpload is suing them, but now they're trying to seize Dotcom's money to prevent that:
http://www.reuters.com/article/2013/03/07/us-newzealand-megaupload-spying-idUSBRE92604320130307
"The GCSB was found to have spied on Dotcom in the run-up to the 2012 raid, prompting an apology from the prime minister...Dotcom is a German national but with residency in New Zealand, which made it illegal to spy on him."
So GCSB would tell customs who to search, but they seem to be breaking the NZ domestic spying laws, acting against their own country.
Dear terrorists, don't give us your password, then you'll go to jail 3 Months instead of 130 years.
Sit in jail for three months. That way you both make a political statement and get paid for it.
Easy, just create a default boot partition with nothing on it and boot the encrypted bomb-making partition when you are in your hotel room.
I listened to a NZ Tech podcast the other day, they weren't too fussed about it, nor am I.
In NZ we still trust our authorities instead of living in fear of them.
Customs can read your diary or open your locked suitcase, so why not?
Guilty until proven innocent.
So what's the maximum length of a Linux password anyway? ;-)
Give it to them! Neatly printed out on 5 pages. Double-sided. In 4pt font. For a dummy account. On a dummy OS.
There is always a slippery slope to these things. Police and security services say they require extraordinary powers that will only be used in very limited and extraordinary circumstances, of course claiming "Just because we have these powers doesn't mean we will use them." But then after a while they become standard tools because... well... "We have these powers so we may as well use them." For example, extraordinary powers that US customs have at the border now is interpreted to mean "within a hundred miles of a border." So with a quick modification of some terms (and governments do love their own definitions of these things) at the border could wind up meaning something very different than what is normally understood.
Governments shitting themselves in fear is just pathetic. And hilarious! The plain and simple fact is all you do is encrypt everything, move everything to the cloud, format the device securely/wipe it before international travel, travel, then redownload all your shit once you arrive at your destination. Repeat the process before leaving. A great time to do this would be before going to sleep. Also change your passwords each time so when they demand you unlock your device before you go through customs, your password is something like, FuckGovernmentSnooping1234, so they can watch you type this in, and know you're giving them a giant middle finger.
Even better would be for someone to come up with a fake login with a duress username and password, that would make it impossible to see the actual files on the device, maybe about 20 gigs for such a partition, that would lock the machine so that you had to do something special to reunlock the ACTUAL account on the device. Actually... that might not be that hard to do...
Or, use something else creative, such as suckmyd1cksnoops, or eatmyshitb1tches so they know there's no point checking the device, it'll be completely blank.
Of course, this could be just what they want you to do, if they've compromised the security of the encryption you use, as the NSA and other organizations like that seem to have done. Or just don't go to countries like that with repressive jackbooted thug regimes who insist on being able to spy on you.
This global civilization is backsliding towards the dark-ages in ways that make conceiving a child today tantamount to child-ABUSE. You might think things are improving because some places let queers pretend to marry each other, (sure, you're "married..." enjoy. Yes, we all respect your "love".) but while everyone's fighting these meaningless battles over trivialities, the monied interests are tightening their death-grip on power all around the world. Your privacy doesn't really exist anymore, which means FREEDOM doesn't really exist anymore, if indeed, it ever did, since if you can't think or talk as you like, you can't organize to resist the take-over of previously pseudo-democracies by thugs who want to lord over everyone else for their own benefit, a sort of neo-feudalism that's taking hold, and one of the last symptoms is "security" being locked down, since that also locks dissent down.
In short, y'all fucked.
With all the dozens of different Linux/BSD/Unix variants, and the different window systems they have, as a full time IT worker, I'd have a hard time working out what was what on them all. Good luck to the rent-a-goon at customs when I pull out my FreeNAS box with VMware hypervisor with an Ubuntu guest with Xmonad windowing system with an AES encrypted partition that's mounted by cryptsetup based bash script.
Alas, there is no good open source password manager with built-in plausible deniability. All variants of KeePass reject the idea, shifting it somewhere else, and there is no good solution for Android. The best solution would be a database of X password databases (big X, a hundred or more), with only one database being encrypted and other slots filled with junk, and everything must be overwritten during any save operation. If the password manager does that by default (i.e. you don't tick a special option to enable it) then you might have one password db, two or several. Or 1024. Nobody can tell. And if you gave away the password to an innocent db with your small subset of passwords there is no way to prove that you ever had some other db inside your storage. That's going to satisfy any customs and any British judge, unless they ban such software completely.
This would mean that if I get a crypto-locker virus, instead of having to pay the lockers their $1000 or whatever the price is of the day, then all I have to do is fly to NZ and they'd HAVE to give me the keys for free or be jailed! Woohoo!!
Never, ever travel to any Commonwealth country again. Not that the US of A is that far behind but each day that passes just brings more revolting news from these supposed "freedom loving" countries.
How hard would it be to build an application for mobile or computer that would allow a special doomsday password, that would wipe personal data, or any selected directories, while appearing to log in normally? You would be complying with a request to supply a password, but it would be the action of the Bund agent himself which destroyed the data, not yours.
So I give them a password that "works." More fool them.
This action shows that while they may mean well, they have NO FUCKING IDEA HOW THE INTERNET WORKS.
The NZ Gov't is wasting their money on this shit. They aren't alone, but that doesn't make them any smarter, they're just one more mis-informed entity thinking they can legislate the world.
Can we make a password manager with location awareness that can't be opened within a kilometer of known customs checkpoints? What are they going to do then, outlaw password managers?
They belong to my employer. And I would violate the terms of my employment if I reveal them.
I wonder if NZ could do much if corporations applied pressure to them. NZ's GDP and Apple's revenue number is nearly the same at $183B (in USD).
“Common sense is not so common.” — Voltaire
Alternative theory: I choose not to travel to somewhere where such mall cops have any authority, or where border authorities like to throw their weight around.
There are more places in the world that I would like to see than I will ever be able to in one lifetime. I choose to visit those where I feel welcome, and they get my tourism revenue in return.
There are more clients in the world than my company will ever be able to do business with. I choose to work with those in places where doing business is easy, and those places get more business and probably more tax revenues in return.
Of course there are some people who realistically need to travel to certain places, though I don't think it's nearly as many as the apologists tend to claim and I think the number is coming down as more convenient and much cheaper long-distance communications technology improves. And of course there are some people who are willing to put up with a lot because they really want to visit a certain place. But not everyone who travels is in these categories, and by making travel unpleasant and making a country unwelcoming, in the long run those places will lose out on the rest of the visitors they might have had.
I recently travelled from the UK to another country in Europe, and chose to go by train. It was significantly more expensive than flying with a budget airline, and of course the travel time itself was significantly longer. But it was so much more pleasant in all other respects than all the hassle that comes with flying these days that I did it anyway.
The thing I most noticed was that although I was going through several different countries, once I was out of the UK and into the Schengen Area I just got on a train to go from place to place and the fact that it was international was no big deal. And you know what? No-one died in a horrific terrorist incident on the train. The criminal underworld has not taken over half of Europe. They don't seem to have any worse problems with contraband and black markets and illegal immigrants than we have at home. I doubt anyone was sneaking state secrets (or a dodgy rip of the latest movie) out of the country in a USB stick hidden in their handbag. And at no point on the journey did I feel threatened or unsafe because of the lack of overt security.
In fact, the only times I felt threatened and unsafe on the entire trip were going out of and back into my own country, and that's because we're doing it wrong. But it was still far less unpleasant than flying and all that goes with it these days.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Maybe I am way off base here, but I thought that when a person flies to another country, the traveler isn't considered to be in the country before clearing customs. If travelers do not get through the customs checks, they are prevented from entering the country. If this is the case, how can a person that has not cleared customs be sent to a New Zealand jail for 3 months for breaking NZ laws when they are not in NZ?
and I won't be travelling to New Zealand, thanks.
if this is supposed to be a new economy, how come they still want my old fashioned money?
http://www.cbc.ca/news/canada/nova-scotia/quebec-resident-alain-philippon-to-fight-charge-for-not-giving-up-phone-password-at-airport-1.2982236
What for, exactly?
I mean, passwords protect data.
Is customs afraid of data?
Is there some dangerous piece of information that must be stopped from entering the country?
If your police force is afraid of people keeping secrets, then your police force needs to be disbanded.
Instead, the department would only use the power if it was acting on "some intelligence or observation of abnormal behaviour", she said.
And that 'intelligence' or 'observation' will be totally classified (you know, because of national security and stuff), so there will be no way to verify if there was actually a valid reason to break into your iPhone. But don't worry, we won't abuse this new power.
For non-citizens and others without an automatic right to entry, the penalty for disobeying directives from customs agents for those violating "border-only" rules (i.e. not rules that apply inside the country such as assaulting a government official) should be denial of entry.
For citizens and others with an automatic right to entry, the person should be given a choice: Voluntarily go back and come back another time when they are willing to obey the rules, or be arrested/cited for violating whatever law they broke.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I hope I don't have to travel to my company's Auckland office, then. We work with banking data, and it would be a violation of various US government regulations for me to allow unrestricted access to my laptop.
My personal laptop, on the other hand, I have it dual-boot, set to automatically boot in to TAILS, with Windows camouflage on. It takes direct action to have it boot in to my "daily use" OS. So if I were ever asked to boot it, I'd just power it on and hand it over. (Oh, I have a password on TAILS, it's just one I don't use anywhere else, for anything, so I will happily "give them the password.")
Of course, my primary OS partition is encrypted, and is *NOT* mounted when booted to TAILS.
RE: ... they should be traveling on a diplomatic passport. (Which my ex-wife does all the time...)
Wow, that must have been a hell of a divorce decree.
before entering the country, create dummy profile or carry a not-so-smart device.
And what are they going to do with OSes that are not in English? Windows in Russian or Swahili? Linux in Finnish or German? I bet they don't have the necessary keys on the keyboard for inserting the damn password words with interesting characters like õ or ä ...
New Zealand customs are seeking powers to obtain passwords and encryption keys for travelers. Supposedly they will only act to obtain credentials if it was acting on 'some intelligence or observation of abnormal behaviour.' People who refuse to hand over credentials could face up to three months jail time.
I would go for this, provided that if I unlock my device and nothing illegal is found the customs agent demanding access goes to prison for six months without pay, Oh, and there has to be consulate IT representatives there taking video of the examination to make sure nothing is "planted".
In practice, the meaning of "Godwin's law" has grown from the original "later posts to threads about social topics invite more comparisons to the NSDAP" to "he who makes such a comparison loses the argument". Mike Godwin wrote about being surprised about how this law took root in popular culture: "I wanted folks who glibly compared someone else to Hitler or to Nazis to think a bit harder about the Holocaust."
But in the case of rape or murder, well, that will end family ties for a few decades.
For this purpose, would you consider "rape" to include sexual contact between an 18-year-old and a 17-year-old when the 17-year-old has presented fake ID? Or are you in the "save it for marriage to avoid accidental molestation convictions" camp?