I listened to some of Leo’s TWiT today, the show with Kevin Mitnick when he talked about his recent experiences at the US boarder.
The points I’ll discuss below, become pretty serious in terms of crossing any board and especially entering the US post 9/11, for employee’s with company issue laptops who frequently travel on business.
There were two points raised in the conversation on TWiT 163 that struck a chord with me, the first was that you can encrypt data on your PC an refuse to provide the password. This was in the context of material protected by NDA’s.
The second point was of material stored on your PC and the question you get asked "is this your machine?" and the ownership or responsibility of the material on the machine.
So in terms of NDA’s, I have material protected by non-disclosure agreements on my machine and as discussed in the TWiT show, is that if I had to hand over my machine to a customs agent without protecting the data, I could be sued for not protecting the information under the NDA. I don’t think that the NDA’s I’ve signed have an out that I can disclose the information without the threat of legal action if asked by a customs or any other agent of the state.
So I think I need to check out what the NDA’s I’ve signed say and what the companies policy is in crossing boarders with that information on the hard drive.
With the second point, my concern here is that with a work laptop, you can’t 100% guarantee what is on your machine, you just can’t. Your machine sit’s on a corporate LAN, that could have files dropped onto your machine if your firewall isn’t on. Files could also be pushed to your machine from the IT department, not that they would of course, but what if someone wanted to do something malicious. There’s also the sync that some machines do with network drives for backups, someone could have accidentally synced files to a network drive that you sync too and subsequently get transferred across to your machine without your knowledge.
All this means that you can’t be 100% sure what’s on your work laptop, you don’t own it and you can’t control it, so should you say, when asked that questions "is this machine yours?" - "no it’s a machine supplied to me by my employer and I do not have control over the all of the files on it due to my employers IT policy".
I think these are two questions that I need to check my my employer before I cross another boarder, what’s our position on disclosing NDA information to law enforcement agencies and the IT policy for protecting data and recommended response to the question of device ownership, the moral of the story is know your companies policy before traveling and after, having your machine confiscated for 90 days could hamper your productivity.
What’s your position, do you encrypt all the data, remove it from your hard drive and then put a copy in the cloud, how do you deal with crossing the boarder?