DHS Secretary Says Agency Is Planning On Demanding Foreigners' Social Media Account Passwords
from the processing-the-fuck-out-of-immigrants-and-visitors dept
Last summer, the DHS started asking visitors to the US to supply their social media handles. It was all on a strictly voluntary basis, of course. But that doesn’t mean some immigrants and visa seekers didn’t do exactly as they were asked, either due to a language barrier or figuring that turning down this request might harm their chances of entering the country.
Six months later, the DHS made it more official, unofficially. An “optional” section in the DHS’s online visa application process asked for account info for multiple social media platforms, including (strangely) Github and JustPasteIt. Again, officials assured everyone this was optional and the information was to be used to assess the threat levels of incoming foreigners. Again, the DHS probably harvested a fair amount of information despite the optional nature of the request. Like any cop asking if you’d “mind if they look around the car a little bit,” the request carried unspoken threats that things might be a bit more difficult if the request was denied.
Now, news comes that the DHS is planning on going even further. Say goodbye to optional social media account disclosure. The DHS wants to be inside travelers’ [social media accounts], according to this report from Federal Computer Week.
John Kelly, the new secretary of the Department of Homeland Security, testified that foreign travelers coming to the United States could be required to give up social media passwords to border officials as a condition of entry.
“We want to say, for instance, which websites do you visit, and give us your passwords, so we can see what they do on the internet,” he said at a Feb. 7 House Homeland Security hearing, his first congressional hearing since his Senate confirmation. “If they don’t want to give us that information, they don’t come in.”
Thanks, Trump. Kelly noted that the recent, not-even-fully-legal-yet travel ban has given the DHS the perfect excuse to start behaving in a more totalitarian fashion.
[H]e added that President Donald Trump’s freeze on entry to the U.S. by citizens of seven countries, “is giving us an opportunity… to get more serious than we have been about how we look at people coming into the United States.”
Perhaps this will be deployed the way the DHS’s other attempts to peer into travelers’ social media accounts have been: made “optional,” with the implicit threat that rejecting the agency’s advances will result in zero forward progress beyond the nation’s borders.
DHS Secretary Kelly isn’t much for implicit threats. He prefers his threats (at least those he makes) to be explicit.
[I]f they truly want to come into America, then they’ll cooperate. If not, you know, next in line.
Kelly also shouldered some of the blame for the disastrous travel ban rollout. In a too-little, far-too-late mea culpa, Kelly suggested it might have been better to consult with Congress first. Kelly did not offer further details as to whether this would have just been a token gesture or whether the administration could have been talked out of the unpopular, possibly-illegal travel ban by legislators.
Fifteen years ago, a terrorist attack was exploited to expand government power — especially in the intelligence and law enforcement arenas. Fifteen years later, fear-mongering politicians and officials are still dining out on that attack, selling fear and buying government power real estate while using War on Terror eminent domain “orders” to carve holes in civil liberties. The Trump Administration has already made it clear it won’t extend any of our rights to citizens of other nations. The president’s new DHS head is right on top of ensuring visitors and immigrants are welcomed with maximum intrusiveness.
Filed Under: cbp, dhs, john kelly, passwords, privacy, social media
Comments on “DHS Secretary Says Agency Is Planning On Demanding Foreigners' Social Media Account Passwords”
Travelling to the US, Tip #01: Don't.
As if people really needed another reason to never visit the US if it can at all be avoided.
Look at pictures of the scenery, monuments and parks online, contact people via email, phone or even gorram snail mail, but never, ever come to the country in person if it’s even remotely possible to avoid doing so.
Re: Travelling to the US, Tip #01: Don't.
I was in the States in December 2002, and the news on the telly there was that air travellers shouldn’t lock their luggage so that the TSA could open it up and inspect it. They had a mouthpiece saying “security”, and “terror”, and that the TSA were free to force locks open if they wanted to. The TSA. Airport “security”. Some of the biggest tea-leafs on the planet, contemptuous of other human beings. With a license to rummage through women’s underwear…
So because of that, and the groping, I haven’t been back since. And that’s a shame, because I used to like the place…
Re: Re: Travelling to the US, Tip #01: Don't.
Since then the TSA came up with TSA-Approved locks that they had master keys for. It provided an excellent lesson in government-ordered back doors.
The TSA released close-up photos of the TSA master keys, in turn published in the Washington Post, letting anyone duplicate them. Those without locksmith skills can download the design for a 3D printer.
It soon became common for belongings to disappear from "locked" luggage. Meanwhile, TSA agents would still tear apart and destroy luggage…
Techdirt: TSA Agents Outwitted By Cory Doctorow’s Unlocked, ‘TSA-Safe’ Suitcase
Re: Re: Re: Travelling to the US, Tip #01: Don't.
I don’t lock my luggage anymore, for US domestic travel at least.
“Sorry officer, no idea what that might be. I didn’t put it in there, and I didn’t leave it alone until I handed it to the airline agent. How many people did you say handled my bag before you found it?”
I also don’t check anything of any value, but then, I never have.
Re: Re: Re: Travelling to the US, Tip #01: Don't.
Strangely, the fix for that is to pack a gun:
https://lifehacker.com/5448014/pack-a-gun-to-protect-valuables-from-airline-theft-or-loss
I don’t understand how this is enforceable.
“Give us your facebook password.”
“What’s facing-book?”
“We looked up your name on facebook and found this account right here”
“That’s not mine.”
What are they going to do? Just assume you’re lying and deny you entry? Now having social media accounts is also a requirement for entry into the United States?
Re: Re:
Imagine the fun if, like me, you use a password manager. Here you go,
*4ecD$#hcBf@~eld,(MF@^tq[$94Dp
And, as we all know, the favorite Twitter handle for these people is @RadicalMuslimTerrorist.
But in the .gov defense, which I’ve worked in, and despite this being an incredibly stupid policy, every so often you find someone who goes full-retard on social-media under their real name. It really does happen.
Re: Re: Re:
I wonder if Facebook allows the use of unprintable characters (like ) in their passwords?
Re: Re: Re: Re:
heh. Like “space”.
Re: Re:
It doesn’t have to make sense. In fact, it’s better for the authorities if their requirements are illogical. Like all border harassment, this shit is completely subjective, and ambiguous “rules” only cause the traveler to be the one who suffers. He/she is already presumed guilty.
Re: How long does that take to do?
Can they check all of them? How long would that even take? Does a person specialized in doing this check these accounts or some robot? How do you check some of these if you can’t speak/read a foreign language?
Tumblr? Whatsapp? Snapchat? Twitter? Instagram? Viber? Sina Weibo? QQ? QZone? Line? Facebook? Google+?
Now not to mention it is only too long before they try to expand what defines a “social media” website.
Youtube? Pinterest? Flickr? LinkedIn? Kik? Tinder? Skype? Any other Dating website.
The rabbit hole is endless, ever changing, and they will only keep moving the goal posts as far as they think they can to get access to more and more.
Re: Re: How long does that take to do?
That part’s easy. Feed it to Google Translate. If it doesn’t come back looking squeaky clean, assume it’s bad and treat them like they refused to give you the password at all.
As an optional shortcut, if it’s Arabic, don’t even bother with Google Translate and skip straight to assuming it’s bad. After all, terrorists speak Arabic.
Re: Re: Re: How long does that take to do?
Hand over your password, and the NSA will do a backup and translate much faster than Google can do a translate.
Re: Re: Re:2 How long does that take to do?
ever heard of att secure rooms?
For pushing a smaller government, it sure is getting bigger (along with the federal deficit to follow).
Re: Re:
Alternative government
Fair's fair
America leads by example. I think other countries should follow by also asking for social media account names and passwords, but just from Americans, especially politicians.
Re: Fair's fair
Trump should lead by example and publicly post the password to his twitter account.
Re: Re: Fair's fair
But then someone would post all sorts of garbage to it that would embarrass the Presidency and the country. We can’t have that.
/s
Re: Re: Re: Fair's fair
Too late.
Re: Re: Fair's fair
To be fair, Sean Spicer has done that three or four times already.
Dear Social Media Platforms:
Time to Implement a “Read Only” duress password, that will allow the required access _but not_ allow posting, binding of applications and services, etc to the account.
Think of it as a Valet Key for your social media account.
Re: Dear Social Media Platforms:
No, this is a terrible idea. The point is that they should not have access to private accounts, and be able to snoop through messaging history, etc, period.
If you give them this kind of concession, they’ll only come back demanding more.
Re: Re: Dear Social Media Platforms:
No, they shouldn’t have access.
But they’re going to. So now’s a good time to start planning for it to happen.
Re: Re: Re: Dear Social Media Platforms:
Better just to implement a “dummy data” password for your devices, something that appears to unlock it and opens to a useless collection of games, cat pictures, a few innocuous phone contacts, and a fake calendar or such.
Re: Dear Social Media Platforms:
It would have to be a key to a separate dummy account.
Re: Dear Social Media Platforms:
Giving that “valet” password to DHS I’m sure would get you permanently banned.
Re: Dear Social Media Platforms:
The point of a duress password is to protect your data and to provide deniability. Allowing the “required” access defeats the point.
Easy path to arresting people
This feels less like they want access to social accounts for security purposes and more of an easy avenue to make an arrestable offense.
Obstruction of justice, lying to a federal official, whatever they want. All they have to do is find a single social account you did not tell them about (sign up for that Github account five years ago and never use it? You better remember those login details) and you will be loaded with charges against you.
99% of folks they likely will never ask this information. But the few who do? Makes it really easy for them to either deny entry or arrest them.
I am curious on the legal boundaries of this. For example – if you manage the social accounts for your business, can they demand your passwords for that too?
If you manage your passwords using a password manager, can they demand access to that password manager? If they can, does that then allow them access to all of the logins stored on that manager?
If you store your logins on your phone, do they now have full access to your phone unencrypted?
If they find something critical of America but still protected by the 1st amendment, if they deny you entry because of that is that illegal?
How does this work with accounts held by minors?
If you delete the social media app from your phone so they can’t get access through your phone, but do provide them the login details, is that obstruction by making it more difficult for them to view your details?
If you use your social accounts to login to other services, do they then get access to those other services?
If an account was set up for you (think the parents who make a Facebook account for their child before they become of age to manage one on their own), and you have no access to that account at all, are you still responsible for those details?
Are they trying to discourage all forms of immigration and travel?
Re: Re:
I won’t be setting foot in the USA for the foreseeable future. I take my holidays right here in the UK and have a fine old time. Last year we went to the Isle of Man (there’s more to see and do there so we will be going back); we’re going to Edinburgh this year. We’ve got to do York at some point…
Yet the US tourist industry is placing ads on UK TV inviting us to come and see the wonders of California, Florida, etc. I’d love to visit those places — gotta see the Grand Canyon for myself — but not while this horrible situation continues.
The thing is, Trump’s base isn’t urban or in touristy areas, it’s in Flyover Country. If the cities and resorts lose business, it’s no skin off their noses. I doubt that a drop in overseas visitor revenues will force a change in policy. :/
Isn’t the sharing of passwords a violation of every website’s Terms of Service? And isn’t that (at least in the eyes of the DOJ) a violation of CFAA, and a felony? So every non-citizen who visits the USA will be required to commit a felony before they will be admitted?
The CFAA doesn’t seem to grant an exemption for this kind of activity, so any government agent who logs in to another person’s account violates that website’s TOS, and they also commit a felony? Wonderful.
Re: Re:
You know that’s true and if argued effectively could get the whole thing stricken.
Re: Re:
Unless of course that is intentional. They’re going to deny all foreigners entry because the foreigners committed a felony offence and hence have a criminal record.
Sharing your credentials is a terms of service violation with Facebook and Twitter. Doing so could open you up to prosecution under the CFAA. The government should not be able to demand you commit a crime.
Twitter and Facebook should alter their terms of service to make the government’s use of credentials obtained through coercion (and without a warrant) a TOS violation. They should also start blacklisting blocks of IPs known to be used by government agencies.
Did Facebook just unofficially become mandatory for visitors?
I don’t have Facebook or Twitter accounts. If I were a teen or young adult, would they believe me? Or would they accuse me of lying and ban me from entering?
facepalm
Has the US government gone completely bonkers?
Re: facepalm
More and more evidence points to that, yes.
Re: facepalm
Well, only a few of them are completely insane while many more are borderline.
Two-factor authentication
For pretty much everything I use, my password is no longer enough to get into my stuff. For ongoing access, they’d need to clone my phone and also bypass fraud prevention on the sites which stops unrecognized devices from using the account.
So what is the implementation plan here? Asking you to fill a form with usernames and passwords will not work. Clone your phone? Wait while you log into each site and show them what’s there?
Re: Two-factor authentication
The assumption is that they also take your device too. Or force you to disable two-factor while they do their investigation.
Re: Two-factor authentication
“So what is the implementation plan here?”
ICE Agent: “Thank you sir, now please log in and authorize the USG terror-detector app to access your account, Ok, we’re good to go. Thank you, and have a nice day.”
Is this shit required for getting out too? 🙂
Re: Re:
Americans need a passport when they cross into Canada. Not because Canada requires it, but because the US requires it for them to return. The US now has agreements with Canada and other countries whereby if an American travels from there to a 3rd country, the US is notified.
The US already requires foreigners – and returning Americans – to allow their cell phones to be imaged at the border if requested.
So. If the US makes password demands, cell phone scans and social media scans mandatory for foreigners entering the country, the best bet is that it would do the same for returning Americans. And it would sign agreements with other countries to do the same to Americans at their borders, with the information returned to the US government.
I'm certain this will work...
…because every actual terrorist — who is willing to shoot people or blow them up or stab them or set them on fire — will be perfectly honest when dealing with DHS personnel.
So when foreigners traveling to the US all cancel their social media accounts, can Facebook sue the US government under Corporate Sovereignty laws?
Re: Re:
That would be hilarious!
Sadly, what will actually happen is that a handful of people decide not to travel to the US at all, a majority will sheepishly agree to hand over their details, and the actual terrorists make innocent dummy accounts while plotting elsewhere.
Re: Re:
Facebook is like Hotel California: you can check out any time but you can never leave.
What happens to people, like myself, who don’t use any social media at all? Do we become a threat because of that? What secrets could we be potentially hiding?
This is utter insanity.
Re: Re:
They say ‘I don’t believe you, hand over your passwords or you’re not getting in’ and deny you entry into the country. Have fun finding a flight back on the spot.
Re: Re:
Fascism is the victory of instinct over reason. Animal over man.
Sounds remarkably like he just told them what they wanted to hear to get them off the topic. How many other presidents keep those types of promises? Not many you say? Let me know when your pet-peeve actually *does* something with regard to this. Everything else is speculation (and you know it).
Re: Re:
Who told who what about what? I have no idea what you are trying to convey.
The link in the article for “mind if they look around the car a little bit” is broken. Specifically, it got pasted twice.
There May Be Ways ...
… to take appropriate (plausibly-deniable) countermeasures …
Nice Police State.