Slashdot Mirror
NZ Customs Wants Power To Require Passwords
First time accepted submitter Orange Roughy writes New Zealand customs are seeking powers to obtain passwords and encryption keys for travelers. Supposedly they will only act to obtain credentials if it was acting on 'some intelligence or observation of abnormal behaviour.' People who refuse to hand over credentials could face up to three months jail time. From the story: "Customs boss Carolyn Tremain has told MPs the department would only request travellers hand over passwords to their electronic devices if it had a reason to be suspicious about what was on them. The department unleashed a furore last week when it said in a discussion paper that it should be given unrestricted power to force people to divulge passwords to their smartphones and computers at the border. That would be without Customs officials having to show they had any grounds for suspicion."
Kills tourism to N.Z.
Even if the person is the biggest paedophile terrorist drug-dealer in the world, do you honestly believe that there would be evidence on his phone WHILE HE IS TRAVELLING?
I don't believe that Carolyn Tremain understands this "Internet" thing.
Easy workaround: dual-booted laptop, one partition with WindowsXP and weak password, full with celebrity porn, 9/11 conspiracy documents and spyware to keep them busy for a while. Fully encrypted Linux partition for everything else.
karma police: arrest this man, he talks in maths; he buzzes like a fridge, he's like a detuned radio. [radiohead]
A department such as customs, police, wellfare etc. will always ask for the maximum possible powers. It is a given. There can be no argument against the fact that a speed camera on every light pole will lower the amount of speeders (either by fear or getting them off the roads). The police therefore will ask for that.
The role of the legislative body is to control the power of the departments and offset their wants against the negative outcomes of those wants. *Customs* We want everyone's password *Legislature* No, but you can seize equipment and a password may be demanded by a judge.
The fact that they don't always get it right is a different issue.
Protip: whenever some government official says that they won't use their power for some purpose, you know that it will be used in exactly that way or for that purpose. Case in point, RIPA in the UK, which has been used (abused) in cases related to petty crime in exactly the way it was originally claimed it would not be used.
The real "Libtards" are the Libertarians!
for i in `seq 1 2160`; do echo "Hello, jail! It's hour $n."; done \
| gpg -a --symmetric --passphrase "$(dd if=/dev/urandom bs=1024 count=1)" > ~/important.txt
When in a foreign land, you follow the rules of that land. Intrinsic rights are and only can be given to those who fall under that state's jurisdiction. Until there are universally accepted and guaranteed by some global dominion people can not and should not expect the laws that they were raised under to respected in other jurisdictions.
Time is what keeps everything from happening all at once.
My dad was just in N.Z.
The first thing he did when he arrived was call me and asked me what we set his pin code for his tablet .... TO JAIL!
[New Zealand] Customs said its counterparts in Australia, Canada, the United States and Britain had equivalent powers, though the department has so far been unable to substantiate that.
Is that true? Does anyone know the current law in those countries? I think it is true in the U.K. where you can be jailed for not handing over passwords and/or encryption keys, but I don't know about Australia, Canada, or the U.S. Can anyone shed some light on this?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
People are stupid on average and would be daft enough to leave incriminating files on laptops and smart phones that's why customs needs an over-reaching power like this.
The problem is really is revealing a password that you use elsewhere. So change it before you go make it 1234 or password or some other trivial thing. Maybe put a fresh copy of windows on before you travel, or would that be suspicious in itself. Customs can give you a hard time already even your butt isn't secure.
New Zealand wouldn't be the first country to make failing to hand over encryption keys illegal, just make sure your laptop is clean and it isn't a problem. It's not like you can't download a file once you are past customs.
Blarney Quality Restaurant, Plants
And how many customs officials do they have on duty at AKL anyway? do they have time to go through all 300+ passengers phones/tablets/laptops?
And of course you could keep you sensitive data on a 64GB microSD card, easy enough to hide, and just have a card in the machine with your music and ebooks to keep you amused on the long flight. (its about 12 hrs from LAX)
Anyone with a brain that doesn't want to have their files read will stick it in a private "cloud" and access it remotely and securely anyway.
Hell, £100 NAS boxes have this functionality nowadays without any third-party storing the data. Or rent a VPS for the duration.
The problem I have with laws like this is that you ONLY catch the stupid people anyway. If they are going through customs with a laptop full of "how to beat customs" documents, then they get what they deserve and shouldn't be that professional.
What you're doing, though, is doing NOTHING to stop an actual, determined guy with half a brain from doing whatever he wants.
Spend less on junk like this, and just get more passengers a five minute interview to find suspicious people, or spend fives minutes longer on checking the faces, passport lists, etc.
The real issue is if they store those credentials. Providing credentials to the custom for an inspection is somewhat legal. Storing the passenger info + credentials is a NO.
Slashdot, fix the reply notifications... You won't get away with it...
A government strong enough to give you everything you want, is also strong enough to take away everything you have.
In Soviet Washington the swamp drains you.
and just have a card in the machine with your music and ebooks to keep you amused on the long flight. (its about 12 hrs from LAX)
Hopefully, all your music is legal and your ebook titles don't sound suspicious.
And how many customs officials do they have on duty at AKL anyway? do they have time to go through all 300+ passengers phones/tablets/laptops?
This can be fully automated. In the UK, I recall they recorded the entire hard drive of your laptop. They said this was a measure against pedophiles, although this policy seems to only have affected a couple of reporters as far as I can tell. They never did this to me when I entered the UK.
This is in contrast with France.
At least, the French make a copy of your hard drive when you don't know they're doing it. Waiting until you've left your hotel room, or waiting until you've fallen asleep, is much less obtrusive.
You want to bring some document to someone IN NZ, ask him to send you his PUBLIC key.
You want to be able to bring some document OUT OF NZ, keep your PUBLIC key on your computer.
And have NO PRIVATE KEY with you...
When asked to decrypt, you're just mathematically unable to do so... And any computer expert will be able to confirm what you say.
If enough people take that way, they'll eventually understand that it's futile to require password.
There's no such law in NZ, they want it, but NZ signed up to the basic human rights laws, so privacy is the law there.
And this is not about foreigners vs locals. NZ customs wants the right to grab all passwords and encrypted data for New Zealand people too.
If you recall the scandal because New Zealand's spy agency broke the law and spied on New Zealanders. MegaUpload is suing them, but now they're trying to seize Dot Coms money to prevent that:
http://www.reuters.com/article/2013/03/07/us-newzealand-megaupload-spying-idUSBRE92604320130307
"The GCSB was found to have spied on Dotcom in the run-up to the 2012 raid, prompting an apology from the prime minister...Dotcom is a German national but with residency in New Zealand, which made it illegal to spy on him."
So GCSB would tell customs who to search, but they seem to be breaking the NZ domestic spying laws, acting against their own country.
Easy, just create a default boot partition with nothing on it and boot the encrypted bomb-making partition when you are in your hotel room.
With all the dozens of different Linux/BSD/Unix variants, and the different window systems they have, as a full time IT worker, I'd have a hard time working out what was what on them all. Good luck to the rent-a-goon at customs when I pull out my FreeNAS box with VMware hypervisor with an Ubuntu guest with Xmonad windowing system with an AES encrypted partition that's mounted by cryptsetup based bash script.
Alas, there is no good open source password manager with built-in plausible deniability. All variants of keepass reject the idea, shifting it somewhere else and there is no good solution for Android. The best solution would be a database of X password databases (big X, a hundred or more), with only one database being encrypted and other slots filled with junk, and everything must be overwrittend during any save operation. If password manager does that by default (i.e. you don't tick special option to enable) then you might have one password db, two or several. Or 1024. Nobody can tell. And if you gave away password to innocent db with your small subset of passwords there is no way to prove that you ever had some other db inside your storage. That's going to satisfy any customs and any british judge, unless they ban such software completely.
Never, ever travel to any Commonwealth country again. Not that the US of A is that far behind but each day that passes just brings more revolting news from these supposed "freedom loving" countries.
How hard would it be to build an application for mobile or computer that would allow a special doomsday password, that would wipe personal data, or any selected directories, while appearing to log in normally? You would be complying with a request to supply a password, but it would be the action of the Bund agent himself which destroyed the data, not yours.
They belong to my employer. And I would violate the terms of my employment if I reveal them.
I wonder if NZ could do much if corporations applied pressure to them. NZ's GDP and Apple's revenue number is nearly the same at $183B (in USD).
“Common sense is not so common.” — Voltaire
Alternative theory: I choose not to travel to somewhere where such mall cops have any authority, or where border authorities like to throw their weight around.
There are more places in the world that I would like to see than I will ever be able to in one lifetime. I choose to visit those where I feel welcome, and they get my tourism revenue in return.
There are more clients in the world than my company will ever be able to do business with. I choose to work with those in places where doing business is easy, and those places get more business and probably more tax revenues in return.
Of course there are some people who realistically need to travel to certain places, though I don't think it's nearly as many as the apologists tend to claim and I think the number is coming down as more convenient and much cheaper long-distance communications technology improves. And of course there are some people who are willing to put up with a lot because they really want to visit a certain place. But not everyone who travels is in these categories, and by making travel unpleasant and making a country unwelcoming, in the long run those places will lose out on the rest of the visitors they might have had.
I recently travelled from the UK to another country in Europe, and chose to go by train. It was significantly more expensive than flying with a budget airline, and of course the travel time itself was significantly longer. But it was so much more pleasant in all other respects than all the hassle that comes with flying these days that I did it anyway.
The thing I most noticed was that although I was going through several different countries, once I was out of the UK and into the Schengen Area I just got on a train to go from place to place and the fact that it was international was no big deal. And you know what? No-one died in a horrific terrorist incident on the train. The criminal underworld has not taken over half of Europe. They don't seem to have any worse problems with contraband and black markets and illegal immigrants than we have at home. I doubt anyone was sneaking state secrets (or a dodgy rip of the latest movie) out of the country in a USB stick hidden in their handbag. And at no point on the journey did I feel threatened or unsafe because of the lack of overt security.
In fact, the only times I felt threatened and unsafe on the entire trip were going out of and back into my own country, and that's because we're doing it wrong. But it was still far less unpleasant than flying and all that goes with it these days.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Maybe I am way off base here, but I thought that when a person flies to another country,the traveler isn't considered to be in the country before clearing customs. If travelers do not get through the customs checks, they are prevented from entering the country. If this is the case, how can a person that has not cleared customs be sent to a New Zealand jail for 3 months for breaking NZ laws when they are not in NZ?
and I won't be travelling to New Zealand, thanks.
if this is supposed to be a new economy, how come they still want my old fashioned money?
What for, exactly?
I mean, passwords protect data.
Is customs afraid of data?
Is there some dangerous piece of information that must be stopped from entering the country?
If your police force is afraid of people keeping secrets, then your police force needs to be disbanded.
Instead, the department would only use the power if it was acting on "some intelligence or observation of abnormal behaviour", she said
And that 'intelligence' or 'observation' will be totally classified (you know, because of national security and stuff), so there will be no way to verify if there was actually a valid reason to break into your iPhone. But don't worry, we won't abuse this new power.
For non-citizens and others without an automatic right to entry, the penalty for disobeying directives from customs agents for those violating "border-only" rules (i.e. not rules that apply inside the country such as assaulting a government official) should be denial of entry.
For citizens and others with an automatic right to entry, the person should be given a choice: Voluntarily go back and come back another time when they are willing to obey the rules, or be arrested/cited for violating whatever law they broke.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It is more complicated than that.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
before entering the country, create dummy profile or carry a not-so-smart device.
She's a lawyer.
I can neither confirm nor deny, that I may, or may not have never won an argument.
XML is a known as a key material required to create SMD: Software of Mass Destruction
Comment removed based on user account deletion
In practice, the meaning of "Godwin's law" has grown from the original "later posts to threads about social topics invite more comparisons to the NSDAP" to "he who makes such a comparison loses the argument". Mike Godwin wrote about being surprised about how this law took root in popular culture: "I wanted folks who glibly compared someone else to Hitler or to Nazis to think a bit harder about the Holocaust."
But in the case of rape or murder, well, that will end family ties for a few decades.
For this purpose, would you consider "rape" to include sexual contact between an 18-year-old and a 17-year-old when the 17-year-old has presented fake ID? Or are you in the "save it for marriage to avoid accidental molestation convictions" camp?