Laptop and Cell Phone Data Searched at Airport

Updated: November 22, 2010

Marlinspike is not known to be the subject of any criminal investigation, nor does he appear to be an immediate threat to national security.

Nonetheless, he was recently detained at JFK International Airport upon returning from an overseas conference, and the cause seems to be an interest in searching his electronic devices.

US Customs agents requested that Marlinspike provide the passwords needed to access encrypted data on his laptop and two cell phones, but he refused. After being detained for five hours, the equipment was returned and he was released.

From his interview with CNET:

"I have no idea what's going on, why this is happening to me. From the questions I've had to field it seems like this is part of some larger fishing expedition. There is someone somewhere who wants access to something on my laptop or my phone and they can't just come and ask me for it. And they can't get a warrant without suspicion. So, they wait for me to travel internationally because at the border they can do anything they want."

Marlinspike first discovered he was on a Federal watch-list several months ago when both he and airline staff were unable to print out his boarding pass. The airline staff informed him they needed to notify the Department of Homeland Security of his travel plans.

Exactly why he is on the watch-list is not known. Marlinspike is noted for exposing critical vulnerabilities in the verification of digital certificates. White hat hackers are largely misunderstood, and revealing exploitable flaws in information systems does not make one popular with everyone concerned.

For those unfamiliar with the term, white hats are somewhat equivalent to consumer product safety advocates - think along the lines of Ralph Nader and the end of the Corvair. Trouble maker to some, hero to others. Whatever your opinion, security was the intention.

Regardless of the fact that he may be on a Federal watch-list, Marlinspike had not been arrested, Mirandized, or charged with any offense. So, does the fact that he was returning from abroad mean that he has forfeited his Constitutional rights?

Security is one matter, and if he was suspected of posing an immediate threat to the safety and welfare of other travelers, then a thorough search for some kind of weapon or device is appropriate. Same thing for if he was suspected of smuggling, or breaking the law.

But does the mere fact that a US citizen travels overseas and seeks to return home give authorities carte blanche to search anything and everything irrespective of any specific purpose? Is the border a Constitutional no man's land?

If he had supplied the requested passwords, could Customs have seized the data even if it did not indicate that any laws were being broken, or if it did not present evidence of any immediate threat to security?

This incident brings several other questions to mind, such as whether the Customs agents have the authority to make copies of the data on Marlinspike's hard drive and SIM cards and retain it.

From his interview with Wired:

"I can't trust any of these devices now. They could have modified the hardware or installed new keyboard firmware."

The TSA has received great deal of attention lately regarding the uses of low radiation x-ray scanners and the enhanced physical pat-downs that have been repeatedly described as "gropings" by those that have had the displeasure of undergoing one, and the nation is in an uproar.

At least most people can ultimately understand that the purpose of these invasive searches is to save lives.

The prospect of having our confidential computer and phone data scrutinized simply because we wish to re-neter the country is going to go be even less popular, and it seems to be in direct conflict with both the spirit and the letter of the law as outlined in the Fourth Amendment, which plainly indicates:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Related Categories
Featured Research
  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more