In March, the United States required incoming flights from eight countries to restrict tablets and laptop computers from the passenger cabin, requiring they be stowed with checked luggage. There had been reports that this laptop ban would be extended to all flights from Europe to the U.S., but yesterday’s announcement from the United States Department of Homeland Security (DHS) put those worries to rest. Instead, DHS will impose new security requirements for international flights bound for the United States, and airlines have four months to comply, or face restrictions which could include bans on passenger electronics. The DHS announcement was short on specifics, and if the restrictions are implemented poorly they will result in confusion and inconvenience that will affect electronic devices and individual cybersecurity. Travelers can take measures to protect themselves.
The March laptop ban and yesterday’s announcement are spurred by the concern that terrorists will disguise a bomb within a laptop computer, bring it aboard a plane and detonate it in flight. Airline screening is relatively uniform and comprehensive within the U.S., but less so in some foreign countries, so the worry is that terrorists will take advantage of less careful security protocols.
The Electronics Bans
Yesterday’s announcement by DHS seems to mean there will not be blanket laptop bans, but there could be individualized restrictions on laptops and tablets based upon airline, airport, and country of origin. If certain airports fail to implement the new security measures properly, they may be required to ban laptops from the passenger compartment, or perhaps altogether from the flight. Passengers will have to decide whether to bring certain electronics or leave them behind, and there will be consequences to productivity and cybersecurity.
Banning certain electronics from the airplane passenger compartment is an inconvenience, but inconvenience might be warranted if it improved safety. However, the security benefit of the March ban seems limited, since it allowed devices to be placed into checked luggage. A bomb disguised as a laptop can explode whether it is in the cargo hold or the passenger compartment, and if it causes the plane to crash, the harm is the same. Notably, poorly made batteries can spontaneously combust, and even reputable manufacturers have installed defective batteries in their devices. A battery fire in flight is dangerous; in the passenger compartment it can be quickly detected and hopefully extinguished, but in the cargo hold that is less likely. Though the potential harm of a battery fire is less than that of a bomb, the probability of occurrence is higher. Thus, banning electronics from the passenger compartment but allowing them in the cargo hold seems unhelpful. Whatever the merits, this restriction has been in place and may continue, so travelers need to be cybersecure when they are forced to check electronic devices instead of carrying them on.
Banning certain electronics altogether—even in checked luggage—seems to eliminate more risks, yet it imposes a far greater inconvenience since most people rely on their laptops and tablets whether they are traveling for business or pleasure. Such a ban means passengers must leave the devices at home, or ship them by mail. Inevitably, travelers will arrive at the airport with their devices, only to be told they cannot bring them aboard. Many of us have had to throw out a beverage or perhaps toiletries prior to entering airport security—imagine being told that our laptop cannot come aboard. U.S. residents who travel abroad need to consider whether their devices can be brought back on the return trip.
Terrorists have long targeted airplanes, and we depend upon our government to protect us from threats like this. Proper risk management is about reviewing all the threats, probabilities, and potential harms, and then working to reduce the risks in a prioritized manner. Risk management cannot prevent every potential consequence, nor should it focus on one potential harm to the exclusion of others.
As we evaluate the merits of our government’s risk management on this issue, one thing to consider is the ability of terrorists—like other criminals—to improvise and adapt. If terrorists are trying to disguise bombs as laptops, it is because laptops are indispensable to many, and are a common carry-on. Placing undue restrictions on the transport of certain electronics prevents their use by travelers in flight and perhaps for the duration of the visit. Governments need to be thoughtful in how they respond to terrorist threats, since overreaction risks fulfilling the terrorist’s mission of increasing public fear, confusion, and inconvenience. Notably, terrorist threats are not limited to “hard” targets like airports and airlines; they extend to “soft” targets like public streets, shopping malls, movie theatres, and softball diamonds. We can devote considerable resources—and cause considerable disruption—by making our hard targets even harder, but that does not necessarily result in a worthwhile increase to our overall safety.
Our country should balance the potential benefits and costs of these measures, and consider that restrictions imposed by the U.S. could be followed by reciprocal restrictions from other countries. We do not know the details of the threats, and second-guessing policy decisions does not change the circumstances, so let’s focus on minimizing their consequences.
Cybersecurity starts with our computing devices, and is affected any time we relinquish physical control of a smartphone, tablet, or laptop. Placing a laptop or tablet with checked luggage, or sending it by mail, means giving up possession, whether for hours or days. Placing electronics in luggage instead of carrying them with us increases the risks of loss or theft, which creates dual concerns: losing access to devices and data, and the possibility that someone else will steal data.
Consider how you would be inconvenienced if you were to lose access to your device or data, and whether you could restore your data. Would you have trouble accessing your cloud-stored data, such as emails, contacts, calendar, and documents? You should back up your data regularly, and store the backup in a secure location.
Consider how your data would be put at risk if a spy or thief were to get access to your device. Our devices don’t just hold data; they access data stored on the cloud. Poorly secured computing devices allow casual thieves to review and steal your data, and even well-secured devices can be compromised by governments or cybercriminals. Make sure your devices require a password or other authentication method (e.g. fingerprint) to access their contents, and don’t use weak passwords like “password” or “123456.” If you store—or access—sensitive information on a portable electronic device, the device should be fully encrypted, such as with Microsoft’s BitLocker, Apple OS X’s FileVault, or the default encryption enabled on Apple’s iOS. Don’t bring—or have access to—data that you don’t need. Cloud accounts should be secured with strong passwords and two-factor authentication.
Following the March passenger compartment laptop ban imposed on certain countries, some airlines tried to alleviate the inconvenience by providing passengers with a loaner laptop or tablet for use during the flight. Travelers who must leave their laptops at home will be tempted to use borrowed electronic devices when they arrive at their destination. Any borrowed or shared computing device presents cybersecurity risks, whether the device belongs to the airline, hotel, friend, or employer. Any activity on a computer leaves traces, and the owner or a subsequent user can find clues about what the prior users were doing. Computers might have monitoring software installed that tracks everything the user does, every password entered, and all data accessed. Data and privacy are at risk, and travelers should not use loaner devices to perform confidential work, access confidential documents, or access cloud accounts. Before and after using a loaner device, the user should try to protect their privacy by using “private” or “incognito” web browser windows, and clearing the internet history and cache. Consider avoiding the loaners, and use your smartphone instead, perhaps getting a keyboard for it instead of using the touchscreen.
In the airport, plane, hotel, or anywhere there is public Wi-Fi, the data sent and received is visible to others, including the network provider and others using the network. Think twice before connecting since your cybersecurity—and mental health—may be better served by remaining disconnected for that limited period of time. When connected, use encrypted communications, such as through a virtual private network (VPN) and by visiting websites that use HTTPS rather than HTTP (as most websites and email providers do). You can be hacked through the Wi-Fi network, so disconnect when you are done using it by turning off your Wi-Fi adapter or putting your device in airplane mode.
Your privacy and cybersecurity are always at risk, and you need to decide whether and how to mitigate the risks. Travel increases the risks, and potential laptop restrictions further intensify them. Further, some countries target travelers for espionage, and some countries may even conduct an electronic search of your devices at the border. For example, the protections of the Fourth Amendment may not apply at U.S. ports of entry. Normally, law enforcement must obtain a search warrant from a judge prior to searching the contents of an electronic device, but at ports of entry, an electronic search without a warrant may be legally permissible.
Don’t travel with devices, data, or cloud access that you don’t need. Ensure your stowed or shipped computing devices have strong passwords, consider full disk encryption, and regularly back up your data and store those backups securely. If devices are stowed or shipped, consider sealing them in an envelope or package so that you can tell if they have been accessed. Finally, purchase replacement batteries from reliable manufacturers and vendors, since the risk of fire is not worth saving a few dollars.
Public safety and personal freedom, privacy, and cybersecurity are closely interrelated and the debate will continue. Individually, we need to assess the personal risks we face in the context of evolving threats and travel restrictions, and choose appropriate measures that protect our privacy and cybersecurity.