Your advice to mail ahead your secure computer is not good. Mailed electronics are just as susceptible to search, if not more so, as what you keep with you.

I think the reality we have to grapple with, regardless of rights violated, is that if you want to cross a nation border, it's best to assume that all nations involved will end up with a copy of all the data (hopefully encrypted) you move across that border. In the face of that scenario, how do we proceed?

Unless you are under an active investigation, the chances of your mailed laptop or phone being intercepted and searched are far, far less than if they are on your person at the border.

Still, if you are paranoid enough you can mitigate the danger of your data falling into unsecured hands (at the border or by mail intercept) by using an encrypted shadow volume:

https://www.veracrypt.fr/en/Hidden%20Volume.html

> the chances of your mailed laptop or phone being intercepted and searched are far, far less than if they are on your person at the border

Isn't "mailing a laptop" now counted as sending dangerous goods, due to the battery?[0]

If so, the chances of it being subject to interception and/or search might well be far higher than someone just carrying a laptop in hand luggage across an international border.

[0] https://www.dhl.com/en/express/shipping/shipping_advice/lith...

How do you think the manufacturer ships them, one by one, to the purchasers?

I've just had a look on my favourite parcel shipping site and found this wording in their terms:

> RESTRICTED ITEMS The following items are deemed unsuitable for shipment by our services, and are therefore restricted. Any of these items being sent may result in surcharges, delays or confiscation by authorities where appropriate. No damage cover is available with these items:

> [a long list of stuff, including laptops]

So, who here would be happy to ship their laptop internationally without damage cover?

It's much easier for a policeman to demand the password to decrypt data when he has you in custody at customs than when it is searched by the mailman.

You're confusing "not perfect" with "not good". There's an old saying: when outrunning a bear, you don't have to be the fastest guy, you just have to be faster than the slowest guy.

> It's much easier for a policeman to demand the password to decrypt data when he has you in custody at customs than when it is searched by the mailman.

is that really true? I would expect that they can just perform hardware tampering when you're not present when searching in mailed items, but given that customs might use racial profiling to target you at airport, you may be better off mailing the computer securely, such as using tamper-proof or tamper-evident stickers/bags.

Dragnet demanding your password at the border is something we know they do - there are loads of witnesses saying they were asked for passwords at borders. Dragnet hardware tampering of electronics in the mail is not something we know they do.

I've only seen two articles claiming evidence of physical tampering - like a hoax about Dell from 2005 [1] and Bloomberg's dodgy story about spy chips from last year [2] - neither of which seems truthy, and neither of which involved mail interdiction.

(Of course, it's widely suspected mailed hardware can be tampered with, but most of the claims/speculation I've read has been about targeted tampering, not dragnet)

[1] https://www.snopes.com/fact-check/keyboard-loggers/ [2] https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-w...

>I would expect that they can just perform hardware tampering when you're not present

On what legal authority?

The border search exemption is about searching, not tampering.

The issue is more that border agents are taking advantage of a law written before the age of computers to use powers the founders probably never intended.

I seriously doubt that there's any legal basis to bug a computer just because it was shipped internationally.

So if the threat model is being asked for your password, not being present when the device crosses is a good mitigation.

(If you've done enough bad things they government is targeting you specifically, YMMV)

> Unless you are under an active investigation, the chances of your mailed laptop or phone being intercepted and searched are far, far less than if they are on your person at the border.

Inbound international mail is also subject to search by customs, that doesn't just happen to stuff the owner carries across the border.

Just send it like most other things in this situation are sent: in pieces.

> most secure way ... encrypt the laptop and phone and ship to your destination via standard shipping services

Absolutely not. Any time your hardware is physically out of your control is a time when someone could install a hardware keylogger or replace your ethernet card with one that exfiltrates data or whatever.

The most secure option is to travel with an encrypted hdd/phone on you with no way to decrypt them, and separately acquire the private key (e.g. via shipping a secure hardware token which is made to be tamper resistant to a trusted friend at your destination).

If the devices leave your control for more than a few minutes, consider the hardware compromised and never unlock them again.

Laptops simply are not made to be highly resistant to an attacker with physical access, whereas hardware keys are, so it's not a good idea to ship them.

If you do ship them, you'll have to do a physical examination for suspicious hardware at your destination, (as you presumably did when you first received them if you're that paranoid), and it's damn hard to find a good lab for that in some countries.

Your advice is good as a way that's secure for most people's threat models, but it is a far cry from being the most secure solution, and I'd argue it's much less secure than simply carrying them with you.

Carry a computer with encrypted data but don't use it; remove the hard drive to copy the data to another computer in order to decrypt the data with the separate key. Discard the old hard drive and old computer afterward.

Do not use a single key; require several keys that are with different people, combined only in the way that you know how. Ensure the people are present to notice if the police try to come in.

By paraphrasing my comment as you did, you avoided the point I was making. What I proposed is the easiest and most secure way for a normal traveler not already under suspicion to avoid losing/exposing potential client and employer data to a foreign government during a border confiscation. By no means is it 100% foolproof and I never claimed it was. As I said elsewhere in the thread, if you're already the subject of an investigation your mailed package will be intercepted, but that's an entirely different conversation.

In short, the scope of my comment was avoiding a border seizure during travel, not 100% securing your devices from being compromised, which is an impossible goal short of just not using any devices, period.

> This action can be flagged as suspicious as well, triggering a deeper investigation into the traveler.

More and more people are probably doing this so this is going to stop being suspicious.

>This action can be flagged as suspicious as well, triggering a deeper investigation into the traveler.

Whenever I travel internationally on business and need a laptop, I'm required by company policy to bring a laptop freshly wiped by IT instead of my normal laptop.

That's sensible. So is this becoming the norm?