Security policies

To date, users with access to sensitive data have been advised to avoid making it available at an ACBPS officer's whim by travelling with a 'clean' device, with no local data stored on it.
That advice remains sound as long as the sensitive data stays behind a corporate firewall. If a user instead uploads data to a public cloud service for access while on the road, recent revelations about cloud service providers' complicity in PRISM suggest the data is no more private there than it would be on the device itself.
A superior layer of protection is to provision high-risk executives with a clean (empty) laptop, from which they access data held behind the corporate firewall over a VPN protected by two-factor authentication. Access to data from smartphones can meanwhile be protected with an MDM/MAM solution that requires a password before email or other corporate applications and data can be opened.
But here is where the situation gets tricky.
ACBPS officers have asked travellers for device pass-codes and for the passwords to email accounts on their smartphones. The Customs Act can be read as granting them the authority to do so.
Under the Customs Act, the definition of data held in a computer includes:
(a) data held in any removable data storage device for the time being held in a computer; or
(b) data held in a data storage device on a computer network of which the computer forms a part.
This raises a dilemma for corporate IT, because it is unclear where the threshold of "reasonable" cooperation with an ACBPS officer lies.
If a person entering Australia is compelled (under threat of fines and imprisonment) to cooperate with officials when asked for the lock code to their smartphone or the password to the email application on it, are they equally obliged by law to hand over the authentication keys, passwords and second-factor tokens for VPN connections that reach directly into other corporate systems?
I have repeatedly asked the ACBPS for clarity on the issue, and have been told:
“The ACBPS does not speculate on the application of legislation at the border in hypothetical situations. If individuals are concerned about how legislation is applied, they are entitled to seek independent legal advice.”
Without any such clarity, CSOs and IT administrators should assume that every smartphone or laptop provisioned to a travelling executive gives the ACBPS the same level of access to corporate systems that the executive has, should a Customs officer deem such access necessary. A clean device only limits exposure if the credentials needed to reach data behind the firewall are not carried along with it; a VPN password and a second-factor token on the same phone can be demanded just as the lock code can.
At the border, no proof of an offence is required before access to data is demanded.
And for those readers who assume 'it shouldn't matter if you've got nothing to hide', consider:
- Nation states routinely act in the interests of corporations. Do those corporations compete with yours?
- Nation states spy on trade delegations as routinely as they do on suspected terrorists. Are you negotiating large and complex deals or mergers and acquisitions?
- Nation states are themselves routinely actors in corporate espionage. What could a nation state gain from access to your corporate data?