Digital Privacy at the Border with 1Password and DEVONthink


For whatever reason, people think of my country as progressive. A recent change to customs law might go some way to challenging that. Customs agents in New Zealand now have the power to demand security information including passwords, PIN numbers or biometric access to digital devices. They call it a ‘digital strip search’. If New Zealand has long been thought of as pioneering, I’m embarrassed to list this among our firsts. Assurances from customs that the threshold for search is high make no difference; the fact remains that the law exists. [1] What follows are some suggestions for apps and services that can help protect your digital privacy at the border.

First, note this is not legal advice, and I am not qualified to offer any. I am also basing this upon New Zealand customs law, which only covers the search of physical devices, and does not compel anybody to provide access to cloud services. [2] To state the obvious, you would do well to know the laws that govern your border crossings, no matter where you travel. For the U.S., you could do worse than familiarise yourself with the recommendations from the civil liberties group, the Electronic Frontier Foundation.

Digital Strip Search, an Apt Phrase

Most academics have cause to travel often, and many carry sensitive information with them of one kind or another. My own work might be considered seditious in some parts of the world, [3] and I know plenty of academics and even grad students working under embargo, simply because that is how universities operate. To say nothing of our actual ‘private’ lives: iPhones with photos of family, personal messages, journal entries, medical information and so on. The phrase ‘digital strip search’ is apt; being subjected to such an invasion of privacy would make anyone feel naked. If you would rather not put yourself through such an ordeal, [4] there are steps you can take to protect yourself.

Apps and Services to Manage Digital Privacy

This assumes you are traveling with iOS devices and not a Mac. That is not to say this cannot be done with a Mac, just that the entire process is more involved for Mac users. The principles still apply. If you’re travelling with a laptop, you could do worse than follow the advice of Bruce Schneier. Either way, it is getting to the point where traveling with as little tech as possible is the right way to go, even if it is impractical. And what gear you do travel with should be kept as clean as possible. Time willing, I may come back to the idea of travelling with a Mac.

1Password

 

1Password's Cloud Vaults provide security and convenience for border crossing

I cannot bang the 1Password drum loud enough. In my experience it is the best password manager available. It actually includes a feature called Travel Mode, designed for this situation. There is a school of thought, however, to suggest it is a nice idea that is a bit misguided in practice. Whether or not you decide to use it, it is a nice option to have.  Although it's not obvious that travel vaults are missing, that the feature exists is not a secret, so I do understand the argument.

At the same time, if you have a subscription to 1Password, the cloud vaults provide a better option by making it possible to remove the app entirely and download everything at the other end. This way you are not setting a flag that advertises you are ‘hiding’ something. It does mean holding on to an extra piece of information, as you will need the encryption key as well as your password to set it all up again. See below for places you might put that.

Secure Private Data with DEVONthink’s Strong Encryption

I have written about using DEVONthink for this purpose. DEVONthink goes beyond being outstanding software for managing data by including strong AES 256-bit encryption. Again, you hold the keys, which means anything you put inside a DEVONthink database can be locked behind first-class encryption. DEVONthink can store practically any kind of data or document, making it ideal for this scenario. Syncing is easy to set up with your choice of providers, including iCloud Drive.

DEVONthink's iOS app can help maintain privacy with its strong encryption and flexible syncing

Among DEVONthink’s strengths is its ability to compartmentalise data in different ways. Whether you do that by group, or you set up a separate database for the documents, it can give you granular control over what you sync and when. It will even let you use multiple cloud services simultaneously, as it syncs each database separately.

You can work out for yourself how best to set this up, but my preference would be to set up a special database and download it to my device when I need it. That way I can be deliberate about what data I need, and organise it accordingly. I can also avoid using excess data.

Boxcryptor and Sync.com

If you have no use for DEVONthink, you might consider using encrypted cloud storage. If you're serious about privacy, using Dropbox or iCloud is not enough. In the past I have happily endorsed Sync.com for approximating the convenience of Dropbox while offering much better security with end-to-end encryption. I still hold that service in high regard, especially now the app has better integration with the iOS Files app. They offer 5Gb of storage for free, which should be plenty for this scenario.

If you prefer the flexibility of sticking with your existing cloud storage service, then take a look at Boxcryptor. It is free to use if you only need to secure one service, but you will need a paid account to encrypt file names, so bear that in mind when naming your files.

A Method for Digital Privacy at the Border

Once you have handed over your passcode, or consented to unlock your device with TouchID or FaceID, anything on it is fair game. Many apps provide an extra security layer, but the passcode is all that is needed to change the enrolled finger or face and get beyond most of them. The safest approach is to have nothing on your device. Set up these apps before you leave, and remove everything from your device. Myself, I would even set up a different iCloud account altogether.

Before you leave

Back everything up, obviously. Now do it again. Don't rely on iCloud backup alone. Ideally you will have at least a secondary location. I use iMazing for this, and all my backups are included in my Time Machine Off-site clone, and my Backblaze continuous cloud backup. Incidentally, if you use Backblaze you have another means for client-side encrypted storage. You can retrieve anything you need to on demand from your Backblaze locker. The way I figure, that even leaves me room to make the kind of screw ups that come with having attention madness.

If you're an iOS-only user, I would seriously consider investing in some external storage to add a secondary backup. The SanDisk iXpand Drives tend to be the best, not only for the drive quality but because they include software to handle the backup.

Once you are backed up, set up a new iCloud account. Note, your devices can be logged into more than one account for different services. For example, you can log into the App Store with one iCloud account, and use a different one for Photos, iCloud Drive and so on.

When you Arrive

This should be obvious. Either download the necessary apps to your alternate iCloud account, or log back into your ordinary account and do the same. This is time consuming and annoying — and it will cost you data — but consider the alternatives. In this part of the world, it now means a choice between being digitally naked or a NZ$5000 on the spot fine for refusing access. Considering how you will maintain your digital privacy at the border is no longer optional.

Photo by Matt Artz on Unsplash

  1. New Zealand customs have form that should make anyone wary
  2. Anyone with eyes can see how stupid this makes the law, so stupid it hurts.
  3. Posting this probably doesn’t aid my cause
  4. And you don’t have a spare $5000 to throw at the problem

1Password X: A look at the future of 1Password in the browser | AgileBits Blog

While we are on this particular train: Agile Bits have done a lot for user security, and with the release of their new browser-based app, they are doing more. The 1Password X browser app will also allow Linux and Chrome OS users to get in on the act. It's not something that I need personally, but I can see how this will be useful. They write:

“Wouldn’t it be cool if 1Password could do X?” is a question we often ask ourselves. The values for X are always changing, but some ideas come up again and again. Wouldn’t it be cool if…

• When you log in to a site, 1Password is right there on the page ready to fill?

• You could use 1Password without downloading the app?

• Linux users and Chrome OS users could join in on the fun?

Now 1Password can do all these and more. We call it 1Password X, and it’s our brand new, full-featured experience that runs entirely in your browser. It’s super easy to set up, deploy, and use. It works everywhere Chrome works, including Linux and Chrome OS. And it’s a re-imagination of how 1Password works on the web.

1Password 7 Adds Face ID Support, ‘Quick Copy’ Feature for Faster Copy & Paste – MacStories

MacStories have a write-up of the latest big update to 1Password. There is enough hype everywhere for the iPhone X. I’ll happily stay away from that. It does, however, mean we have a slew of app updates on the way. I wrote about my preference for 1Password not too long ago, but already that post is starting to look dated. The improvements to the user experience keep coming. The new Quick Copy feature is a good example of the attention to detail from Agile Bits. They seem intent on eliminating the little annoyances and friction that prevent users from using certain security features. They even tidy up interactions where third-party apps haven’t bothered to implement the system extension.

From MacStories:

First up is Quick Copy, a feature aimed at speeding up the process of filling secure information in apps that do not integrate with 1Password's action extension. Quick Copy is designed for those times when you're switching back and forth between an app and 1Password: when you copy a field in 1Password, exit the app, then return to it to copy another field, the field after the one you previously copied is automatically placed in the clipboard. For instance, if you copy your username, close 1Password, then open it again, the password field is automatically copied; if you copy your account's password, the one-time authentication code (the field displayed after the password one) will be copied instead.

The Necessity of using a Password Manager


Have I been Pwned

If you ever need to convince somebody to use a password manager, try playing them The Russian Passenger on Reply All. The episode covers a service called Have I Been Pwned, which keeps a record of known data breaches that users can search to see if their credentials have ever been exposed. Try searching the email addresses of friends, family and colleagues on the site. It won't take you long to find somebody you know.

A good password manager is easy to use, and simple to learn, and yet convincing people to use one can be difficult. My sense is that most people either don’t realise how insecure their recycled credentials are, or they think ‘that will never happen to me, I have nothing worth stealing’. I can only hope that wouldn’t apply to experienced researchers and academics, but students too need to be aware of how vulnerable university networks are. There are numerous reasons for hackers to target universities, gaining access to thousands of usernames and passwords chief among them. Because of all this, I believe it is critical for anyone working within the walls of a university – virtual or otherwise – to have a secure means for managing their credentials. To my mind, a password manager is the best solution – it is certainly the easiest.

Which Password Manager?

As for which password manager, for sheer user-friendliness, ease of use, and excellent design, I still feel that 1Password is the best choice for most people. It actually has the Pwned functionality inside the app itself. A lot has been written lately about changes to 1Password. The concern from security experts has to do with the company’s move to a subscription service, and in turn the service itself being moved to a priority cloud-based architecture. The concerns are not around the business model, but with certain technical decisions; specifically with where the default user vaults are stored, i.e. on the Agile Bits encrypted servers. It should go without saying that the vaults are mega-encrypted, so worthless to anyone without the user’s key, but to end the debate there drastically oversimplifies the matter.

I’m not going to dive any further into the debate itself, as I believe a lot of what is doing the rounds is based on a combination of misunderstanding, miscommunication, and the wants and needs of edge-case users who aren’t representative of most people. Moreover, some people seem to be conflating the Mac and Windows versions, and the functionality under debate remains very much a part of 1Password. I would argue that regardless of the validity of concerns around cloud storage, 1Password is still the best password manager for most people. In fact, some of the features that make it so are only available because of the cloud-based architecture. My take is this:

  • The vast majority of people are ludicrously vulnerable at the moment, simply because they have next to nothing in place to manage their online security. For most people, not only are obscure security threats not a huge concern, but there is much more to be gained by using a password manager than maintaining the status quo.
  • In the absence of a clever password scheme – which, let’s face it, most people will never use – even if you do generate strong passwords, you still need an absolutely unique one for every site and service you use. Most people who have taken this half measure are using paper notebooks, or some form of plain text or spreadsheet to store the credentials. Ironically, this is a half measure that will make you doubly vulnerable.
  • A Password manager does all the work once you get used to using it. Not only have I found 1Password to have the best user experience in this regard, anybody I have ever got to use it in earnest has taken to it immediately. The browser extension on the Mac, and iOS Safari automatically generates and stores credentials for new registrations, and automatically populates forms and logins. It can also populate payment forms with one click, making it even more useful than Safari’s own Auto-Fill features.
  • Take travelling researchers: with the new 1Password travel mode one can remove the entire app from a device and then reinstate it once any overly officious border police have done with their perusal of any given device.
  • There are further benefits to having secure information in such a vault if you were ever to lose your mobile device and other valuables. I use 1Password to store my bank cards and encrypted copies of documents.
  • 1Password’s subscription model is one of the more advantageous memberships of its kind. The Families plan gives you 5 licenses for US$5 a month. You can manage vaults for your less technically inclined, younger or older family members. It also means shared vaults for credentials you all need access to, Netflix anybody?
  • The concerns around the cloud-storage model are moot for anyone wanting to sync a password vault and doing it via Dropbox.
  • I could go on, but I fear I have lost enough of you already.
1Password is the most user-friendly password manager I have used.

Perhaps Agile Bits could have handled this situation better than they have, but to be clear, they are keeping intact the functionality that security boffins most value, i.e. local vaults. Unfortunately, it seems people will seize upon anything to reinforce their own reluctance to address their security issues. So controversy like this tends to feed the fear and doubt. My concern is that people use something other than recycling passwords, becoming so blasé about resetting them that they become easy targets for phishing attacks. Attacks that nowadays can easily include the capture of two-factor authentication. A password manager mitigates most of the risks. And without labouring the point, using one will provide a huge improvement to most people’s security.

Other Options

LastPass – I have been a user of LastPass in the past. I have never found it to be as user-friendly as 1Password, but it has a lot of fans. The biggest selling point is its free tier, which is a good start for anyone balking at paying for security – and the upgrade price is only US$12 a year. You will need to upgrade to use things like two-factor authentication and device syncing.

Dashlane – I prefer the user interface of Dashlane to LastPass. It has a similar ‘freemium’ model, with similar limitations before upgrading.