What to Do If the Laptop Ban Goes Global – Backchannel
Computing on the road may be about to get more complicated, expensive, and risky. For this you can thank people who want to blow airplanes out of the sky — and US officials who see genuine danger and/or an opportunity to engage in “just shut up and do as you’re told” security theater.
But when people like Homeland Security head John Kelly sound ready to drastically restrict travelers’ use of electronics in plane cabins — expanding a limited ban that’s already in place — we need to move into planning mode, not just worrying mode. If you’re among those who travel with a laptop, tablet, or digital camera, get ready for a huge mess.
I’m not going to get into the ban’s logic, or lack of it. As always, we’re not being told what specific threat (if any) the government is responding to — though if history is any lesson, officials prefer to overreact rather than take the chance that they will be blamed for something that goes wrong later on. Security theater has been the rule since 2001, with occasional positive tweaks but not enough real change.
So what should you do in the event of a wider ban on cabin electronics? I asked some security experts for advice. “There is no good advice,” says one of them, Bruce Schneier. “It’s just crazy. Truly crazy.”
But some options for travelers may be a bit less bad than others.
Let’s start, first, with the assumption that the government won’t impose an outright ban of laptops and larger electronics on all flights — in carry-ons and checked luggage — to and from the United States. (If it did, the ban would almost certainly be extended to all domestic flights, as well.) That would be a recipe for havoc on an epic scale. So as long as electronics can still be stowed in checked luggage, which is more than bad enough, the priority will be to discourage tampering and mitigate the risks associated with theft.
For people who carry sensitive information — business or personal — allowing electronics out of their control is simply a non-starter. Many business people, security-minded journalists, and political activists, among others, don’t leave their devices to the mercy of third parties.
Yet many of us do leave data in the hands of trusted (more than not) third parties, and that’s going to be one of the expanding workarounds in our no-can-carry world. That is, we can travel with bare-bones operating system setups, with as little personal or business data as possible (preferably none at all) on the laptop’s internal disk drive. When we arrive and get back online, we can work mostly in browsers and retrieve what we need from cloud storage for the specific applications that have to run “locally” on the PC.
Even if you never have to check your laptop, you can and should improve your security. For example, you should absolutely, positively encrypt your hard disk. Make sure your phone and tablet are encrypted, as well. A virtual private network (VPN) is essential when you’re on any wifi network or even a wired network that isn’t your own or your company’s. (There’s lots of useful information about all this online; start with the Electronic Frontier Foundation’s “Seven Steps to Digital Security” and “Digital Privacy at the US Border: Protecting the Data On Your Devices and In the Cloud.”)
If you are determined to run native applications (other than a browser) on a PC that you will have to put into checked luggage, there are ways to do it relatively safely. One is to use an external drive. You can “clone” the hard disk from your laptop to an external drive you carry with you on the plane — this is easier with a Mac than with Windows, which pretty much requires you to license a new copy — and you can then later start up the computer from the external drive. Or you can carry with you only what you’ll absolutely need.
I use the Ubuntu operating system (a flavor of GNU/Linux), and this simplifies creating a special travel setup. In preparation for international hassles, I’ve put a copy of my OS and essential data files on an encrypted USB thumb drive, which holds 256 gigabytes of data and costs about $70 on Amazon. I’m also using a different computer than normal: an older ThinkPad that I would have sold but which now will get new life as the computer equivalent of a burner phone. I think of it now as my “international travel computer.” If I’ve forgotten to load some specific files, and I have them backed up in the cloud, I can always go there.
I run that machine from the USB drive rather than use the ThinkPad’s internal drive, which has nothing on it at all. It’s a bit unwieldy with the thumb drive sticking out the side. (If I’m sitting in a conference audience, for example, I have to be careful that the person next to me doesn’t hit it by accident.) And the data-transfer speed of even a relatively fast USB 3.0 thumb drive lags what an internal disk can do. (I’m going to try this with a USB-C external SSD drive as well, which will be faster.) But it does work.
My regular laptop is fully encrypted, so if it’s stolen no one should be able to get my data. But I’ve spent a lot of time customizing it — adding software plus upgrading the memory and disk drive. It wouldn’t be cheap or simple to replace. I’m not going to even try prepping it for the new world order.
I assume corporate business travelers will get help from their IT departments. Larger companies should consider giving their employees personalized external USB/SSD drives and loaner laptops when they arrive at destinations. Keep in mind that if you work for an enterprise that is big enough or invests seriously in data security, rolling your own solution as I’ve done may raise alarms at headquarters. Check with the IT folks first.
You might also get a Chromebook for international travel. Chromebooks run Google’s Chrome operating system and keep pretty much all data in Google’s cloud. So you could carry a bare Chromebook through a border, go online, and retrieve the information you need. You have to completely trust Google with this method.
These are not cheap fixes. Thumb and low-capacity external drives are relatively inexpensive, but the time involved in setting up bootable drives with needed software and data (and making sure it all works) isn’t trivial if you do it yourself. It took me a couple of hours, but I cloned the result and now have a full backup of the travel drive. Chromebooks are more expensive. The cheapest I’ve seen is $179, but a Chromebook I’d consider using for serious work costs well above that. Yet for many people it’s a much easier solution.
Apart from immediate costs, these procedures don’t necessarily prevent some third party from tampering with the baggage-checked computer hardware itself. If I have to check mine, I’ll pack it in bubble wrap and tape, and do some other things to make it evident if someone has tampered with the machine. A third party with enough time and expertise could probably overcome those precautions, it’s true, but there’s a limit to paranoia.
Or the hardware itself could be stolen outright. Airlines currently instruct you not to leave valuables in your checked luggage. Theft by airport, airline, and security personnel isn’t all that common, but it does happen. And keep in mind that US carriers are responsible only for about $1,500 in losses for your checked luggage on international flights, according to the Department of Transportation. Better to only risk a burner laptop than a more expensive device chock full of your personal data.
The damage and theft risks are identical with other too-big-to-carry-on electronics. One more possible cost: Your home and/or business insurance may well need to be updated.
Airlines and airports should be installing — right now — systems designed to make all this less troublesome, and less risky. Emirates, one of the airlines hit by the earlier ban on incoming flights from certain airports in the Middle East, lets passengers keep their electronics in carry-on bags until they reach the gate, where airline personnel pack the gear carefully into boxes that are sealed and, after the flight, reunited with owners. Even this will make people who are concerned about data security nervous, but it’s better than other alternatives I’ve seen.
Airlines and airports also need to dramatically boost security to deter theft or other malfeasance on the ground. Video cameras should record everything in every place where airline, airport, and security personnel ever touch passengers’ gear, and the videos should automatically be available to passengers in the event of damage or theft, or even suspected tampering. All these measures, current and projected, add up to more costs for airlines. That means higher ticket prices for you and me.
None of the above even begins to count the cost of not being able to get work done on a flight. Nor does it reflect the huge annoyance — and waste of valuable time — in having to check luggage instead of carrying it on the plane. I try never to check luggage on business trips.
Bottom line: If and when this ban takes effect, my fairly frequent international travel is going to become considerably less convenient, more disruptive for my work, and much riskier for my privacy. It’s also likely to become considerably less frequent, and the travel industry is in a well-deserved panic over people who are thinking that way.
If there’s a genuine threat, so be it. But this administration hasn’t begun to earn public trust, given its record of lying and authoritarian statements and actions.
Ultimately, one hopes, better detection gear will mitigate any actual risks. Until then, given the certain backlash from the travel industry and business travelers, Bruce Schneier figures that all this will lead to a new category of “trusted travelers” who are allowed to carry their electronics onto planes.
Maybe so. In the meantime, international travelers should get ready for a giant mess.