Protecting your password privacy when crossing borders

I’m a big fan of password managers. In my opinion, it’s probably the easiest and most effective thing you can do to secure your devices and digital stuff. I’m also a big fan of 1Password for a number of reasons. It’s technically awesome, easy to use and like me, it’s Canadian!

But inevitably, whenever I mention using a password manager I get the question or snide comment, “isn’t that just making it easier for hackers because they only need to steal 1 password to get access to all of your stuff?”

And while yes, this is technically true, it sure beats whatever you’re doing now like reusing the same password over and over again for everything. This response generally abruptly ends any password management argument with a shrug, guilty look or outright confession from the other guy.

So yes, while using 1Password on my iPhone and iPad does keep my passwords protected, highly encrypted and secure, I’m still carrying around the master key to my online life (which is of course, long, strong and unique) with me everywhere I go. This generally isn’t a problem because if one of my devices happens to be lost or stolen, it’s likely more secure in the hands of a criminal with a password manager installed then without and I have the ability to remotely wipe it anyway.

Where this security paradigm breaks down, however, is when crossing a border

Numerous countries throughout the world are now not only asking travelers to turn on their devices to prove they are what they appear to be but also to hand over and unlock them for inspection.

Doing so certainly allows a border guard a great deal of access to things like email, text messages, and pictures but also browsing history, private OneNote and Evernote Documents, files shared via OneDrive, Google Drive or DropBox and even corporate data that is the property of your employer.

If you stop and think about what’s actually on your phone… it’s really a lot of information that you don’t necessarily need to be carrying with you all the time. And it’s all packed into one convenient little 5-ounce device.

So, what’s your legal requirement to hand over access to your smartphone or tablet?

Who knows. Certainly not me. I’m not a lawyer. Every country has their own legal system and legal requirements and not all border officials are simply going to have a quick look for security purposes either. If your device leaves your sight for more than 10 minutes there’s a good chance it’s been imaged, i.e. completely copied, or that some form of spyware has been installed and enabled and potentially all of your other online services can now be compromised via access to all your stored passwords.

So what’s a high-tech-mobile traveler to do?

I always advise when traveling to foreign countries to check into their technology legal requirements, such as, is encryption on your iPhone allowed? What about a VPN? In some countries setting a pin-code on your iPhone which encrypts the data is illegal. Same with using an encrypted VPN app.

For the busy business traveller, or tourist on a whirlwind multi-national cruise that can’t be without their iPhone, etc., this means either accepting the risk and doing nothing, constantly making changes to your devices to balance personal privacy with the legal requirements of the country you’re visiting, having multiple devices or using burner phones, or in effect breaking the law of the land (whether intentionally or not).

Part of this problem is solved with travel mode

While much like initially setting up a password manager, it can take a bit of work, but the benefits thereafter are all about convenience and peace of mind which makes the initial struggles worth it.

With 1Password travel mode, a user can designate certain “vaults”, basically a collection of passwords, as “safe for travel”.

When travel mode is activated from the web, everything that isn’t marked as “safe for travel” is completely removed from your devices. This means that there will be no non-safe for travel password data to be searched. Also, because most password manager users use randomly generated passwords such as h*7?L,.6v@L4m[7Dw7B?67?$7$8ty2 (or even longer and more complex if you’d like… which I do), even if you are requested to provide a password for an application you not only can’t provide it because it’s no longer stored on the device, but unless you are an elephant or have a photographic memory, there’s no chance you can possibly remember it.

Once you are back in a location where you feel it’s safe to fully restore all of your password vaults, you can do so by simply deactivating travel mode and syncing your device back to normal.

Did I mention I’m not a lawyer?

Being cyber-smart like this in no way guarantees that you won’t be deported for non-compliance with border inspection rules. That’s a layer 8 issue that can’t be fixed by technology.

What travel mode does provide is flexibility for users. It also wouldn’t hurt to additionally delete apps like DropBox or any others of concern so that not only are the passwords not accessible but also there is no need to be asked to open an unlock an application that doesn’t exist on the device in the first place.

While the downside of all of this is that it takes a bit of effort on the part of the user to pro-actively manage their privacy and security, and it limits some access to data while traveling… this is the kind of thing everyone should really be doing anyway. Besides, for those who really do care about these things, the slight inconvenience shouldn’t be that big of a deal.

IT teams need to be thinking about this too!

Employers using the Team version of 1Password will also be able to setup and control access to travel safe vaults on behalf of their employees taking the responsibility out of the hands of users. This can also greatly compliment other mobile device management technologies, as well as compliment policies and procedures for traveling workers and executives in particular.

In conclusion…

Travel mode is just simply another great reason why you should be using a password manager and think about what data you carry with you when you leave the country and the potential consequences associated with where you’re taking it too.

You can find 1Password online here, and get more information about travel mode on the AgileBits blog. I’d also invite you to check out the rest of the security tools and services I personally use or recommend in my Cyber Security Tool Box.

Leave a Reply