We are all Alain Philippon

Posted on March 6, 2015
Tags: privacy legal Canada law

Tim Lavoie

As described in this CBC story, a Quebec man by the name of Alain Philippon has been charged with not handing over his smart phone password when entering Canada. The story goes on to describe how border officers have differing rules from those of regular law enforcement, where probable cause and search-and-seizure go hand in hand.

The problem is that inspection for the purpose of applying duties or looking for safety-validation stickers is worlds away from allowing them to review every piece of information you own. Finance, health, everyone you exchange email with, pictures of your loved ones. Once you provide unrestricted access to your device, these people have it all, forever. Once you have unlocked the device, there is nothing saying that they only have a moment to rummage through your digital underwear drawer.

Their argument is that “it hasn’t been tested in court yet, so we can do as we please.” In effect, everyone should be their own Alain when unreasonable demands are put forth, as it is up to ordinary citizens to ensure that sufficient challenge is provided. Yes, it’ll have personal legal costs, but the government will pay attention when each and every search demand costs them thousands as well. With sufficient court review and associated backlash, the law can be improved.

Fundamentally, it is not our job to make theirs easier, especially when their job has apparently morphed into deep inspection of our data. So besides saying “Non!”, what can you do?

  • Full device encryption is a colossal PITA, but not for you. Performance, convenience and low cost mean that you can protect your data from accidental or malicious use if you lose personal control over the device. Apple’s iOS has moved in this direction, and Google has made noise there too (with some backsliding). Laptops are a solved problem too, with options for Mac, Windows, Linux, and *BSD. This protection is just as useful if someone steals the device, or it’s forgotten in a cab. You can, and should, do this for removable storage such as USB drives as well.

  • Consider not carrying significant data at all. If you are going to “voluntarily engage with a border” as they say, take a minimal device with you, and access whatever you need from home over a secure, encrypted connection. VPNs, SSH and Tor are your friends here. Look at using the Tails live-CD or USB Linux distro, which if installed also allows for encrypted storage of the subset of the data you think you’ll need to have with you. Make it a low-cost device you won’t miss too much if border agents get pushy.

  • Keep your encrypted devices powered all the way off when going through any sort of security-interaction checkpoint. Not sleep mode, nor suspend to disk, which keeps a copy of memory (and crypto keys) more available than if it’s shut right down.
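
One way to check the first and third points on a Linux laptop before travelling, as an added example that is not part of the original post: the script reads the JSON printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` and lists every mounted filesystem or active swap area that does not sit inside an encrypted (dm-crypt) volume. The sample input and the function name `unencrypted_mounts` are constructed for illustration.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# (not from a real machine): root is inside LUKS, /boot, swap and a USB stick are not.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]},
    {"name": "sda3", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/media/usb"}
  ]}
]}
"""


def unencrypted_mounts(lsblk_json):
    """Return (device, mountpoint) pairs in use that are not inside a dm-crypt volume."""
    findings = []

    def walk(node, under_crypt):
        # A node is protected if it is a dm-crypt mapping or descends from one
        # (this also covers LVM volumes created inside an encrypted container).
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt:
            findings.append((node["name"], mountpoint))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return findings


if __name__ == "__main__":
    for name, mountpoint in unencrypted_mounts(SAMPLE_LSBLK):
        # lsblk reports active swap with the pseudo-mountpoint "[SWAP]".
        note = " (a hibernation image written here is readable)" if mountpoint == "[SWAP]" else ""
        print(f"{name} mounted at {mountpoint} is not encrypted{note}")
```

An unencrypted `/boot` is common on Linux installs; unencrypted swap is the one to fix, since suspend to disk writes memory contents there.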