SaltyNZ: Predictably, the Herald simply spouts whatever the minister wanted to be published, without even asking the most obvious of questions, such as, 'How many searches were attempted in the last 5 years? How many of those searches required passwords? How many password requests were refused? How many investigations failed due to a password request being refused?'

I suspect the answer to the last question is 'None'.

Edit: accidentally a word.

There is a second layer to this. if the bill requires a password to access a device, does it also specify passwords to access encrypted materials, or if there are encrypted materials encrypted with public key, can they then make the end user ( the recipient) cough up the private key required to unlock it - which then leads to horrendous amounts of other issues.

If you are holding encrypted email on your laptop, e.g you use my public key to send me an email, then you have no way of unencrypting said email - so who is liable and how much pressure can be bought to bear on the holder of the private key. This then further auses issues as that private key isn't just the key to unlock one document but is the master key for all emails etc.

I know people are stupid. I mean how stupid do you have to be to see signs saying we will kill you if you bring drugs into our country, and then bring drugs in ( e.g. Indonesia ) and end up dead. So people will carry illegal goods, no matter what the danger or price, but you would still have to be stupid to put illegal information onto your laptop and carry it through customs knowing they will make you cough up the password, especially  considering cloud services , emails, etc.

Also the other issue is training. Now I'm sure every customs officer will recognise porn when they see it but how many would know an atomic bomb from a bio weapon or cyber warefare code to bring down systems? Other than looking for flesh voloured jpegs, what else would they honestly have time to scan for other than taking it offlin.e If they did take it offline - where is the protection of privacy, IP, commercial sensitivity?

I shudder to think what might happen - and to echo the person above - truancy? Seriously? times relaly have changed since I was at school.

Ummm @nunz this thread is over a year old. That news item is wayyyy out of date. Just a heads up 😉 

Elpie:

 

Ummm @nunz this thread is over a year old. That news item is wayyyy out of date. Just a heads up 😉 

 

doesn't mean it shouldn't be revisited ... :)

SaltyNZ: Predictably, the Herald simply spouts whatever the minister wanted to be published, without even asking the most obvious of questions, such as, 'How many searches were attempted in the last 5 years? How many of those searches required passwords? How many password requests were refused? How many investigations failed due to a password request being refused?'

I suspect the answer to the last question is 'None'.

Edit: accidentally a word.

Myself, my wife and my extended family have done a fair bit of travelling in the past 5 years, never even been looked at (Well we get searched occasionally etc as part of routine and random security checks), but not related to electronic devices. 

And the moral of the story is simply don't store any really dodgy or sensitive data on a device on your person.

DarthKermit:

 

And the moral of the story is simply don't store any really dodgy or sensitive data on a device on your person.

 

Yes, they've missed the boat entirely on this one. The illicit material will simply be stored on a cloud based service, not associated with any device that they happen to be carrying at the time.

If this had been enacted 10-20 years ago, it might have been much more effective.

Well this is going to be fun for anyone with a security clearance

Does anybody know what happened to this legislation.

How is plausible deniability dealt with? i.e. I am carrying a flash drive with a 50GB file of audio static (seemingly random data), and customs demands the decryption key for it?

What happens if the traveler is using a second or third factor authentication system, and only holds a portion of the decryption key? (or alleges they do not hold the full key)

What happens if the traveler gives a "Kill switch" code instead of the decryption code, and the data is irrevocably destroyed (assuming customs didn't bother to first clone the device)?

What happens if the traveler keeps getting the code wrong on a system with an expedentially increasing wait time before subsequent attempts?

What happens if the traveler "forgets" the key.

Or claims they never knew the Key (i.e. I got a really sweet deal on this used hard disk overseas and plan to format it, and use it when I get home).

What if the traveler simply refuses (i.e. states they will be charged with espionage in their home country if they disclose the key to a foreign government).

A harsh penalty for the above people seems pretty unfair, yet for any significantly illegal activity the penalty for not disclosing the key will need to exceed that of the illegal activity.

I think these kinds of things are dreamt up by people who don't understand what they are legislating. Encrypt dirty data, upload to cloud, breeze past Customs, download with Tor and decrypt. Why even bother trying to physically bring it in?

In the 1960s when helmet laws for motorcyclists were being debated in some American states, one state legislator actually seriously suggested making training wheels mandatory! I see this as something similar.

Scott3:

 

Does anybody know what happened to this legislation.

 

 

 

I don't where it went. I think it's still under review. But if our government is like every other government that has passed a similar law, claiming you 'forgot' will simply result in you being shown Her Majesty's finest hospitality for the convenience of your speedier remembering. 'I don't know' has never been an excuse under the law (quite reasonably).

I imagine it will simply be an extra line in the customs catechism: 'Did you pack your own bags? Do you know the contents of your bags? Are you carrying anything for anyone else? Did you copy all your own data? Do you know the contents of all your data devices? Are you carrying data for anyone else?'

Slightly off topic; but I've had personal spreadsheet and word processing files, etc, that I've genuinely forgotten the passwords to. Nothing particularly sensitive in them and they didn't have strong encryption.