DAV EY WINDER
Travelling to the US? You may want to keep certain passwords at home. Davey explains how to do so without hiding anything from the authorities
Head to the United States and customs officers may demand to see your passwords. Davey explains how to comply without giving up all your information.
International travel presents a host of security issues that don’t apply at home. The long arm of the law can reach into places you didn’t realise abroad: your laptop and smartphone, for example, or possibly even your social media accounts – but more on that in a moment. Let’s stick with protecting your privacy and securing data on your devices to start.
In the past, I’ve recommended using a barebones Chromebook linked to a Google account established solely for travel purposes, and so not linking to any sensitive or truly personal data. I have, on occasions, even resorted to carrying a “burner phone” – which, again, doesn’t link to the real me or my business.
The trouble is, these measures aren’t so great if you need to actually do some work while away from home. Or even if you intend to keep in the social loop. Trying to maintain a balance between privacy, security and productivity is a battle that sometimes feels doomed to defeat. Especially when we read reports that border officials in countries such as the USA are, in some instances, searching devices and demanding encryption passwords upon entry. The “I forget” response doesn’t work, and will likely lead to an extended interview and a forensic search of your devices. But what if you could honestly comply with such a request, without handing over access to sensitive material?
Enter 1Password and its “Travel Mode” for users of the subscriptionbased versions of the password manager (note that it won’t work with standalone versions synced with Dropbox or iCloud). It works by deleting those vaults from your device that you haven’t flagged as being safe for travel. If you’re stopped for inspection, you can quite legitimately hand over your device; officials would only be able to see your travel vault. Not that they’d know that, since there’s no indication of the program being in Travel Mode, or of there being any other vaults. This is because there aren’t; they’ve actually been deleted from the device and can no longer be accessed from it. This includes your encryption keys, so even a forensic inspection wouldn’t be able to find any traces of them.
On reaching your destination hotel, you can turn off Travel Mode and gain access to your normal work passwords once again, but only by logging into your account via the web interface. Business users with the Pro version of 1Password Teams can use the system via a team administrator, who manages which vaults are safe for travel and activates the mode for individual team members.
It isn’t immediately obvious where the Travel Mode option is. You can’t access it from your device apps, only from the web interface. First, go to the dashboard and select a vault. Click on the pencil icon to edit and you can select whether or not the vault is deleted from your devices in Travel Mode. Once you’ve done that, go to the My Profile section from your account dropdown. From here you can access the Travel Mode toggle. When you next access the app on a device, assuming it’s connected to the internet, the non-travel vaults will be deleted along with their respective encryption keys.
Some would argue that deceiving border or law enforcement officials is a silly game – and to them I’d say that I’m not advocating deception, but a way to comply with the request to “search” your device for encryption passwords. Without a warrant, the official will have the right to search your devices but nothing else. In the same way that they have the right to search your suitcase but not your home or office without a court order.
The 1Password travel mode “fully and honestly” complies with the request to decrypt what’s on your device. Indeed, 1Password developer AgileBits states: “Travel Mode should not be used for purposes of deception or lack of cooperation. It’s about what you choose to have in your possession when you travel, and what you choose to not have in your possession.”
Travel Mode won’t provide a way of legally withholding your social media passwords should a border official demand them. Although this may sound like a far-fetched scenario, I wouldn’t be so sure in Trump’s America. It isn’t fake news that the US could soon start demanding such access for visitors from the UK under certain circumstances. The social media identity question has already been in play for a while, and it was under the Obama administration that it began for visitors from certain countries. This has been strengthened under Trump so that anyone applying
“Travel Mode deletes those vaults from your device that you haven’t flagged as being safe for travel”
for a visa to visit the US can be asked to provide all social media identities for the previous five years.
Former US Secretary for the Department of Homeland Security, John Kelly (now Chief of Staff), has also made it clear that he wants this “extreme vetting” for visitors from seven Muslim-majority countries. The usual anti-terrorism reasoning is being applied. Okay, so the “done nothing wrong, nothing to worry about” brigade will no doubt slap me for criticising this, but I will anyway – especially since another DHS spokesperson has indicated that countries participating in the visa waiver scheme, such as the UK, could also be scrutinised at the border in this way.
Why am I against this? I can answer with another question and answer: what’s the first rule of the password security club? Yep, don’t tell anyone your password. For what it’s worth I couldn’t tell you my Facebook, Twitter or LinkedIn password – they’re all stupidly long, at least 25 random and mixed characters, in fact. Like many others, I rely upon remembering one of these long text-string constructs that unlocks access to the others from an encrypted password vault.
Would I want to reveal that master password to law enforcement, enabling them to access not only my social media accounts but my bank accounts as well? No, I wouldn’t. Nor would I want to annoy the Department of Homeland Security and have my devices, and possibly orifices, forensically searched. Having a collection of work-related logins, plus my social media accounts, would be an uncomfortable but acceptable trade-off – enough to satisfy legal requirements while not exposing my entire digital world to a stranger.
FAKE REVIEWS!
Sorry for the Trumpesque headline, and for once you can believe it since there are plenty of fake reviews out there. Once upon an age ago, I used to review tech stuff for a variety of print and online publications – until both stopped paying anything like enough to cover the amount of time it takes to do properly. So I gave up and decided to focus my time on other, more financially rewarding, endeavours.
That said, I missed the actual process of reviewing an item. It’s the same reason why I enjoy writing about IT; there’s always something new to get your head around. I guess the boundary between research and consultancy, writing and reviewing is very thin indeed. Which is why I started writing “proper” reviews of the things I bought from Amazon.
I do this for free, and obviously my review style must be appreciated by enough folk that I’m currently ranked in the top 200 reviewers on Amazon. The downside of such a ranking is the number of requests I receive from dodgy vendors wanting to buy positive reviews for their products.
This used to be the norm, of course, and the number of reviews that were quite obviously the result of getting an item for free became ridiculous. It devalued the review system so much that eventually Amazon introduced community guidelines that prohibited such things.
Slowly but surely, the community moderators and, one assumes, an algorithm are working through the millions of reviews in the Amazon archive and removing any that aren’t from a verified purchaser. This is because the dodgy vendors would issue promotional codes to reviewers that meant they got the item for free.
I receive at least one or two offers from these folk every day. The scam works to circumvent the Amazon rules and get that verified purchaser label by offering to refund your purchase costs by PayPal once a positive review has been posted. I forward all these emails to Amazon to deal with. I’ve been receiving these offers through Facebook messages and even LinkedIn recently. I guess the vendors of cheap Chinese crap are desperate to get positive reviews and do research to track down how to get hold of target reviewers.
The trouble is this still leaves potential purchasers in a position of not knowing whether any given review is genuine. Sure, the “wisdom of crowds” effect kicks in, whereby given time and traffic the cream rises to the top and the brown stuff gets flushed to the bottom. It doesn’t help when there are only one or two reviews of an item new to the market. There are solutions out there, such as Fakespot ( fakespot.com). This online service has, at the time of writing, analysed some 627 million Amazon reviews for authenticity.
I tested Fakespot by feeding in a couple of products I’ve reviewed. The first, a travel wash bag, has only three reviews in total. I was suspicious of two of these. Fakespot confirmed my suspicions since it reckoned 66% of the reviews were suspect. The one that I was most wary of even got picked out with the “reviewer” being tagged as unreliable since there was a correlation with other fake reviewers’ profile data and language.
Next I thought I’d try a strap for my Gear S3 Frontier smartwatch, with which I was so unimpressed that I sent it straight back for a refund and gave it a two-star rating. My review is currently the top review of the product and states it has “cheap and nasty, quick-release pins that are slower than a pig in flippers swimming through porridge to use...” Yet, of the 58 reviews, 51 are either four or five stars. So what did Fakespot think? Again, it seemed to confirm my suspicions as it returned a D rating, suggesting 50% of the reviews were of low quality. Furthermore, it goes on to state that
“I receive numerous requests from dodgy vendors wanting to buy positive reviews for their products”
“our engine detects that in general the reviewers have a suspiciously positive sentiment” and “our engine has profiled the reviewer patterns and has determined that there may be deception involved”.
Overall, then, I’m pretty impressed with the Fakespot service. It seemed to agree with me on most of the items that I fed into it. There was the odd hiccup, but I guess that’s to be expected. Of course, you might say that if I thought that reviews were dubious then why do I need an algorithm to confirm it? And you have a point, but in my opinion it’s a useful tool in the purchaser’s armoury. It’s free to use (for the web-based engine; a monthly fee applies if you want to use the Chrome plugin that presents a rating as you browse) and pretty accurate. That it can reveal known, or very likely, dishonest reviewers is a bonus.
The best bit, though, is that it offers an “adjusted review rating” alongside the official Amazon one. So in the case of that watch strap, it went from a four-and-a-half-star review down to a two-star one.
A reader writes…
Martin Buck got in touch to say that his daughter-in-law was recently in Barcelona and had her iPhone 6 stolen from a restaurant table in the late evening. “Since it was password protected, she wasn’t too concerned and reported the loss to her network service provider the next morning when she was able to borrow a phone. They did all the usual stuff and told her not to worry. However, the following month, she got a bill from them for €1,700.
“It seems that gangs steal phones to order [and] if they can’t get into them, they pop out the SIM and put it in another phone, which is then used to call a premium number (which they own) outside of the EU – in this case, Morocco.”
SIM cards are highly valued by criminal types, more so than the handset itself. So how can you protect yourself from the same happening to you? The answer is embarrassingly simple: just enable the SIM lock feature in your handset to secure it.