I am the CTO of a small Canadian company, we build energy management and process optimization platforms for industrial clients. Many of our clients are large US companies, and some of our employees travel to clients' sites for implementation or consulting work. As a result, they have to cross the border with their company phone and laptop.
In recent news, a French researcher traveling to a conference in Texas had his laptop seized by the US authorities, for reasons that are not well explained. It seems that the number of similar cases has increased at the US border.
If a company laptop was ceased by the US customs, this will objectively represent a security breach and threaten the confidentiality of our clients' data. Consultants have to have a local copy of some dataset (like production data, energy related info... ) from facilities to perform analysis on their computer.
I am considering issuing a warning to all our employees about this, but I am wondering if some of you have recommendations regarding this: - technical measures to limit our exposure. We use encrypted disks, can the border officer force you to provide the password / encryption key? - legal measures to protect the confidentiality of data from US-based companies. Can the federal government seized confidential data from US-based companies just because it crosses the border?
Thanks for your help!
If you do not provide Border Patrol with access to whatever they want, you do not get to enter the country. You have zero rights at a US port of entry.
The best solution is what many US companies do for employees traveling to China -- a burner laptop & phone with no data on it.
Provide some form of remote access to services, such as webmail.
A two second google search will give you the answers you seek about what the CBP can do - https://www.cbp.gov/travel/cbp-search-authority/border-searc...
This is the answer - burner laptop and phone you can lose without repercussions.
From my extensive research reading spy novels this would be something they do entering a high risk environment. If you absolutely have to have the data onsite at client meetings and don't want to use the cloud, then separate the data from the laptop. Maybe go old school with a USB stick. Make the USB stick look like a charger. Or pack a bag of 100 USB sticks with your company logo on them as chatchkes but one of them has the data.
I have to imagine if they are going to seize a laptop they probably aren't going to let you in anyhow.
American here. Most of the country by population is considered a border zone where you have very limited rights against federal searches: https://www.aclu.org/know-your-rights/border-zone
As a foreigner, our government will arbitrarily detain and search you as you wish and you will have no recourse, especially with this administration.
It doesn't really matter what the laws are on paper. Your employees aren't going to resist interrogation and fight to defend some vague law on behalf of your clients when they're being questioned by big armed dudes and threatened with indefinite detention. The government will get its way.
Buy some separate Chromebooks for travel, with no local data saved and no logins saved, and loan them out to employees when they travel. Have them memorize a password and make sure it gets changed when they get back.
Better yet, don't even come here right now. The civilized world should be boycotting US businesses (or at least travel to the US) until and unless we get our shit in order. Make a Zoom call. It's not worth getting your employees traumatized.
I’ve had a laptop taken and held in Saudi nearly 22 years ago. It’s scary. Didn’t have all the cloud tech we got now
The other advice here is good, encrypt remote/ cloud storage, don’t be logged into anything I guess.
You need a consultation with a suitable security organisation and to have a C-level meeting to determine what category of messaging to your clients about this your legal team needs to draft. Treat it as if the worst-case scenario is true and all data that crosses the border will be cloned and forwarded to both competitors and phishing organizations, as if your employees are travelling to Myanmar.
The worst-case expectation for the U.S. is unlikely and emotionally fraught but as a CTO you have to consider your responsibilities. Not following advice like this doesn't just expose you to the one-in-a-million risk that the US will be that crazy, it exposes you to the one-in-ten risk that the Carney administration appeals to voters by introducing new laws in less than two years that make your company retroactively liable for "risking potential damages" to your clients, without a high burden of proof.
Travel with minimal electronics, buy everything here, sync data securely over the internet.
Should be the default when traveling to "sketchy" places.
they can (or could).
if this is really within your threat model i suggest treating travel to the US much like travel to any other foreign hostile nation.
there’s plenty of articles written and some probably that apply better for canadians (written from the perspective of your own security agency)
basic advice like take a burner laptop and leave sensitive information at home.
here’s the aussie one.(1)
Good luck.
(1) https://www.smartraveller.gov.au/before-you-go/staying-safe/...