Chapter 5
Traveling
Voyages across oceans and borders have long been recorded, as any genealogist who has spotted her grandfather’s name on a steamship passenger list can tell you. But modern technologies have given government agencies new and extensive means to monitor, record, and analyze our global movements. And the mini-computers in our pockets and embedded in our vehicles mean that even a trip to the corner store may not be an entirely private journey. Increasingly, we are inviting others along for the ride, whether we know it or not.
1. Smartphones
Smartphones have become more popular due to the release of devices that sell for less than $200, discounted by carriers who subsidize the price for users who sign up for wireless contracts. The devices are also popular because of downloadable apps that perform an impressive and ever-expanding array of tasks. Examples include consulting a traffic app on the commute to work, loading retail coupons, and streaming television programs.
The more consumers use their mobile devices for broader and deeper purposes, the greater the risk of exposing their personal information. Perhaps even more concerning, there is evidence to suggest that many apps collect information that isn’t actually needed to provide the service. Reports of popular apps collecting irrelevant information or transmitting data when devices are turned off has led to significant backlash.
The following are some tips on how to make your private information more secure:
• Use a password to protect access to your smartphone.
• Add a tracking service that enables the device to be wiped remotely because once the bad guys have the hardware, it’s very difficult to keep them out.
• Back up all the personal data on your device, including photos and email, then delete anything you don’t really need.
• Keep the number of apps to a minimum.
• Try to avoid giving apps unnecessary permissions. Remember, an app would never ask for permission unless it needed it, and at that point, you are in the best position to decide if you want to grant it. Check permissions during the life of the app.
• During installation, verify that the permissions being sought by the mobile applications match not only what the privacy policy says, but also what you would expect the app to require. Permissions within mobile apps access your device’s data and capabilities in order to run. These permissions could include location, identity, email, and contacts.
• Download apps from reputable sites such as Google Play, Apple, or Microsoft. Keep an eye open for dodgy-looking apps with names that are almost, but not quite, the ones you want.
• Check the developer’s privacy policy to see whether it tells you what personal information the app will be accessing, and how it may be used or disclosed. If you can’t locate the privacy policy, or any privacy information for that matter, consider whether it’s worth taking the risk of downloading the app. Many mobile applications lack the most basic and minimal building blocks for privacy protection.
• Keep your apps up to date and regularly delete the ones you no longer want or use. An out-of-date app can provide hackers the opening they crave to do their nasty work.
Though the explosion of apps makes identifying the most trendy a potentially perilous exercise, we will examine one — Snapchat — that has attracted attention due to both popularity and controversy. Part of the interest here is the crossover nature of some applications. Yes, it’s a phone-based application — an “app” — but, by its very nature, it is social media. These blurred lines can create entirely new security and privacy concerns.
Snapchat is a text, video and photo-based messaging application for mobile phones. Founded in 2012, the company is based in Venice, California.[1]
It boasts more than 100 million “daily active Snapchatters” and is growing. Users skew towards the young.
Snapchat’s “twist” is that the text, photos and videos you share disappear shortly after being viewed by the person at the other end who is usually a “friend.” The time period depends on the user. It can be one second, 10 seconds, or longer.
In addition to running on mobile phones, the app also lives on the iPad, Android tablets and iPod touch, which are often used by young children, a problem we’ll discuss a little later in this section.
According to the Silicon Valley, California-based organization ConnectSafely.org, Snapchat was developed as an “antidote” to the more traditional social networking services such as Facebook, where media that you post can live forever and people have to worry about their reputations. “Snapchat users feel like they don’t have to worry if they’re having a bad hair day or just want to make a silly face.”[2]
However, as with anything we share in cyberspace, there are risks. And this has been the case with Snapchat in both the United States and Canada. For example, an investigation by The Canadian Press discovered that third-party accounts were posting Snapchat pictures showing questionable behavior at universities.
“They are images of dormitory drug use, drunken debauchery and naked selfies — captured by self-destructing photo apps such as Snapchat.
“But social media images intended to be fleeting, and for a limited group of friends, are taking on a longer life and a much larger audience through unsanctioned accounts that collect posts from students and re-post them to anyone who subscribes.
“The accounts raise questions about child pornography, revenge porn and invasions of privacy, because people in the background of photos and videos featured in these rogue accounts may not have consented to the post being shown to a wider audience. These accounts have cropped up at least 26 universities and colleges across the country, according to an analysis by The Canadian Press.”[3]
Though Snapchat’s ephemeral images are only to be shared among friends, they may be given a longer shelf-life, allowing them to be distributed.
How is this done? Well, images and videos only meant to last a few seconds can actually be captured, either by a smartphone’s operating system that allows someone to capture what’s on the screen, by a third-party app that allows the capture of videos, or by another mobile device that simply records the videos.
As well, Snapchat has come under fire from the U.S. Federal Trade Commission which said that it “deceived consumers with promises about the disappearing nature of messages sent through the service.” The commission issued a news release to announce that Snapchat had dealt with its concerns, allowing the two sides to reach an agreement.[4]
On the same day that the commission issued its news release, Snapchat took to its blog to tell its side of the story in which it admitted no wrongdoing, and instead insisted that it merely needed to communicate its privacy policy more clearly.
“When we started building Snapchat, we were focused on developing a unique, fast, and fun way to communicate with photos. We learned a lot during those early days. One of the ways we learned was by making mistakes, acknowledging them, and fixing them.
“While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community. This morning we entered into a consent decree with the FTC that addresses concerns raised by the commission. Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications. And we continue to invest heavily in security and countermeasures to prevent abuse.
“We are devoted to promoting user privacy and giving Snapchatters control over how and with whom they communicate. That’s something we’ve always taken seriously, and always will.”[5]
There are lessons to be learned from these examples. Although the text messages, photos, and videos are only meant to be shared by a select few, they can live forever.
It is for this reason that the Office of the Privacy Commissioner of Canada has commissioned a study to examine ways teenagers between the ages of 12 to 16 use Snapchat.
“The research will shed light on the steps that youth take in making their decisions, the outside factors that influence their decisions, and whether demographic factors, such as age and gender, have an impact on their decision making process. The results will be useful for improving public and parent knowledge around privacy, creating educational interventions relating to privacy, and providing guidance to industry about best practices for handling young people’s content and data.”[6]
The research project is scheduled to be completed by the end of March 2017.
While there is a need for more study, organizations such as ConnectSafely.org provide basic tips for ensuring privacy:
1. Manage your settings: If you don’t want just anybody sending you photos or videos, make sure that you’re using the default setting to only accept incoming pictures from “My Friends.”
2. Screen capture is possible: It’s a good idea to remind teens to avoid sending embarrassing pictures and videos. Although Snapchat lets you know if your message has been opened and saved, there are instances when you may be in the dark. For example, you’ll never know if someone has used another mobile device camera or recorder to capture the image or photo that you’ve sent.
3. Don’t screen-capture without permission: If someone has shared a photo with you, ask if it’s OK if you save it.
4. Protect your password: Ensure that your password is strong and unique. Parents should remind their kids to avoid sharing passwords, even with people they consider to be their best friends.
5. Keeping it real:Though Snapchat doesn’t allow users to search for new friends, there are still ways to find people you don’t know by locating their Snapchat username on other services, and then adding them to your friends list.
6. Sexting concerns: Parents should worry about kids sending naked or sexually explicit pictures of themselves. It’s best to insist that teens never take or distribute images that could get them into trouble.
7. Block the user: If you’re receiving unwanted snaps, use the Snapchat settings that allow you to block certain individuals. Tap on the “menu” button, and then “My Friends.” Swipe across their name on Apple devices, or on Android phones, press and hold the person’s name. Finally, press “Edit,” and then “Block” or “Delete.”
8. Flag underage users: Anyone under 13 years of age is not supposed to be using Snapchat. If you’re concerned that this is the case, send an email to support@snapchat.com.
9. Report abuse: If a child is receiving inappropriate photos or videos, or is the victim of harassment, contact Snapchat at safety@snapchat.com.
10. Delete the account: If you are unhappy with Snapchat, delete the account by going to http://www.shapchat.com/a/deletion_request.pdf.
Popular instant messaging sites
• Snapchat: Image and short video messaging app in which the message is set to “expire” or vanish after being viewed. Users can draw on the image, add filters and text.
• WhatsApp: Cross-platform mobile messaging app.
• Facebook Messenger: Instant messaging app that allows you to send text, stickers, gifts. You’re also able to create group chats and video.
• Skype: Instant messaging and video calls.
• WeChat: Mobile text and voice messaging and calling app.
• Google Hangout: Text, video and voice messaging and calling app. Also offers an option to share photos, emojis and chat in groups.
• FaceTime: Video calling app for Apple devices.
• Viber: Instant messaging app. You can also share video and audio messages.
• BBM: Instant messaging app that allows non-Blackberry users to chat with others using BBM. Offers voice calling, photos and file sharing.
• LINE: Instant messaging for text, images, video and audio.
• Kik: Platform that allows users to share photos, videos and sketches.
2. In Your Vehicle
Your family vehicle is learning more about who’s behind the wheel — everything from where you like to shop to how hard you brake — as automakers roll out new tech-savvy features. Onboard navigation systems can tell where a vehicle is and where it has been. Electronic components stream data to computers that gauge driver behavior and the vehicle’s roadworthiness. Vehicles recognize drivers and adjust settings for them. Infotainment systems allow voice and data communications.
“With connectivity, cars are becoming highly efficient data harvesting machines,” says a 2015 study by the British Columbia Freedom of Information and Privacy Association (FIPA) on these developments.[7] Customer data generated by the connected vehicle is now seen as a major new source of revenue for marketers and advertisers, the study found. Some insurance companies are offering coverage that sets premiums based on driving patterns.
When tracked, combined, or linked with other available data, the information can reveal intensely private details of a person’s life, making it vulnerable to abuse by thieves, stalkers, and others with malicious intent, the study says.
It argues automakers have failed to comply with their obligations under privacy law when it comes to giving customers adequate information and choice about how their data is collected and used. The study recommends creation of data-protection regulations for the connected-vehicle and insurance industries, as well as involvement of privacy experts in the design stage of wired-vehicle research projects.
Vincent Gogolek, Executive Director of the BC association, believes the issue will be very important for the industry, government, and public. “There is still time to make choices and design systems that will protect privacy, but that window is closing quickly.” With vehicles collecting and even sharing more personal data, Canada’s privacy watchdog is quietly trying to ensure manufacturers, retailers, and insurance companies avoid bumps on the virtual highway.
The federal privacy commissioner’s office, which financially supported the BC study, is “actively following” the issues and has held discussions with industry players and provincial regulators, Valerie Lawton, a spokesperson for the commissioner, told The Canadian Press (CP).[8]
The Canadian Vehicle Manufacturers Association, which represents the country’s largest carmakers, initiated a meeting with the federal commissioner’s office in June 2015, say notes disclosed to CP under the Access to Information Act. Federal privacy officials saw it as an opportunity to get a better sense of the information collected by intelligent cars, what might be coming, and whether manufacturers were fully aware of their obligations, the notes indicate.
Legal and regulatory requirements are considered whenever carmakers look at introducing new technologies with privacy implications, said Mark Nantais, Manufacturers’ Association President.
“We’re fully compliant — and intend to be fully compliant — with the laws that are applicable,” Nantais said in an interview.
The internal notes from the privacy commissioner paint a futuristic scenario involving in-car advertising; for instance, a near-empty gas-tank sensor could project an advisory on the windshield offering the driver a discount at a nearby filling station.
Nantais, however, played down the notion wired cars produce a bounty of valuable information. “Is it myth or reality that the data actually exists? That’s a valid question,” he said. “Some people think that everything under the sun is available, and I don’t think that’s the case.”
A December 2013 report by the US Government Accountability Office examined the practices of ten companies (e.g., auto manufacturers, portable navigation device firms, and developers of map and navigation applications for mobile devices) that collected data to provide drivers with location-based services.
Some firms used this data to provide directions to drivers, advising them when and where to turn. Nine companies said they shared location data with others, such as traffic-information providers, in order to offer services, the report says. Two companies said they shared data stripped of personal information for other reasons, such as research, and this was “not always disclosed to consumers.”
“All 10 selected companies have taken steps consistent with some, but not all, industry-recommended privacy practices,” the report says. “In addition, the companies’ privacy practices were, in certain instances, unclear, which could make it difficult for consumers to understand the privacy risks that may exist.”[9]
The FIPA report notes that the United States lacks cross-sectoral data-protection legislation such as Canada’s private-sector privacy law. “Privacy law in the US is best characterized as a patchwork of sector-specific and issue-specific laws at both federal and state levels, leaving significant geographic and subject-matter gaps.”
Still, at least 15 US states have already enacted laws that give the vehicle owner control over data — concerning such things as speed, braking, and air-bag deployment — recorded by embedded devices in the event of a crash.
The state laws require that manufacturers of automobiles equipped with data recorders disclose in the owner’s manual the recorder’s existence along with the type of data recorded, stored, or transmitted on the device, the FIPA report says. These laws designate the car’s owner as the owner of the recorder data and prohibit third-party access to the recorder without consent.
“Exceptions include release pursuant to a valid court order or search warrant, for research purposes or for diagnostic purposes such as servicing or repairing the vehicle,” the FIPA report notes. In addition, some states forbid insurance companies from requiring access to such data, or from penalizing customers because they refuse to allow access.
3. At the Border
In the post-9/11 era, crossing the border — once a fairly quick and painless process — has become more of a headache. Indeed, traveling almost anywhere in the world involves heightened scrutiny as officials demand, collect, and consult more information about people on the move.
Travelers who once breezed through the world’s longest undefended border, between Canada and the United States, now face stiffer identification requirements. Border-related security measures imposed by the two countries are deepening as they pursue a perimeter security pact that involves more information sharing.
Sylvie Ménard returned home to Montreal from a relaxing vacation in Mexico in 2009 to a most uncomfortable welcome: Canadian border agents made her strip to see if she had a pink tattoo on her buttocks after mixing her up with an alleged criminal.
The 43-year-old manager of a wine business had no history of trouble with the law. But after being questioned by an airport customs official she was pulled aside. Her luggage was tested for drug residue and her name was run through a computer. Next, a border officer read out her rights, handcuffed her, and led her to a cell.
“I was really stressed,” Ménard told The Canadian Press.[10]
As far as Ménard can tell, her name matched that of a suspected criminal with the same birth date. Police were called. Ménard says it felt like a bad dream and she was astounded when a female border officer asked her to expose her backside to look for the tattoo. The officer later made her disrobe again to check if one had been erased with a laser.
Police checks turned up a different description for the suspect. Ménard said a police officer suggested she change her name to avoid future confusion. “That was the solution.” Ménard says there must be an easier way to verify identity, given that she was carrying a passport, driver’s license, and health card.
A spokesperson for the Canada Border Services Agency said he could not discuss the case, but said false matches occur and such checks are necessary. “We can’t let someone enter the country unless we’re absolutely certain about [his or her] identity.”
As the Canadian privacy commissioner notes, land crossings and seaports — and especially airports — are different from most other public spaces. “On the street, you would be understandably upset if police randomly demanded to examine your identification or subject you to searches.”
3.1 Crossing into Canada
The commissioner’s office has prepared a helpful fact sheet (“Checking In: Your Privacy Rights at Airports and Border Crossings”) that we summarize here to explain more about what to expect at the border and steps to take if you feel your rights have been disrespected.[11]
What data is being collected? Under the 2011 Canada-US perimeter security initiative, the two countries agreed to set up coordinated systems to track entry and exit information from travelers. For the moment, the tracking system involves exchanging entry information collected from people at the land border so that data on place and time of entry to one country serves as a record of exit from the other.
The first two phases of the program have been limited to foreign nationals and permanent residents of Canada and the United States, but not to citizens of either country. The initiative was to be expanded by June 30, 2014, to include information-sharing on all travelers crossing the land border. In addition, Canada planned to begin collecting information on people leaving by plane, something the US already does, by requiring airlines to submit passenger manifest data for outbound international flights. Canadian officials have said work continues on the final phases, though no revised dates have been disclosed. The US has legislative authority to proceed, but Canada would need to pass a bill.
The Canada Border Services Agency plans to use the information to track the movement of suspected fugitives, child sex offenders, smugglers, and terrorists, as well as identify people who remain in Canada past visa-expiration dates and help determine when those slated for deportation have voluntarily left. The Canadian government also hopes the data will help federal agencies avoid paying hundreds of millions of dollars in social benefits now going to people who shouldn’t receive them due to absences from the country.[12]
The Canadian border agency uses the Advance Passenger Information/Passenger Name Record (API/PNR) program to gather personal information about people arriving in Canada, including name, birth date, gender, citizenship, travel document data, itinerary, address, ticket payment information, frequent flyer information, baggage details, and contact telephone numbers. The data is checked against watch lists and databases, and individuals deemed to pose a security risk could receive additional scrutiny upon arrival. The information is stored for three-and-a-half years and may be shared with other agencies, subject to legal restrictions.
The federal border agency uses the Integrated Customs Enforcement System to collect basic information — including purpose of travel and goods purchased abroad — about people crossing the Canada-US border at major airports, some highway crossings, and cruise ship ports. Computers crunch the data to pinpoint suspicious travel patterns, which could result in extra scrutiny at the border. The system also enables border services officers to create lookout flags for specific travelers or vehicles. Personal information is kept in the system for six years.
The Canada Border Services Agency administers more than 90 acts, regulations, and international agreements — which cover everything from immigration to plants and animals — giving officers authority to conduct secondary inspections.
As the privacy commissioner notes, the courts have typically recognized that people should have reduced expectations of privacy at border points — meaning rights guaranteed by the Charter of Rights and Freedoms are limited “by factors such as sovereignty, immigration control, taxation and security.”
Border officers can search through vehicles, baggage, and belongings including files, photos, and contacts on laptops and smartphones, all without a court-approved warrant. According to the border agency, an officer may do the following:[13]
• Ask you to provide detailed information about your plans while visiting the country, or the time you spent abroad.
• Make further inquiries, check records, or conduct research to verify your customs declaration.
• Confirm the guardianship of children traveling with you.
• Process the payment of duty and taxes.
• Conduct a visual examination of your pet or any animals traveling with you.
• Ask you to produce evidence of the money you have available to fund your visit to Canada.
• Request that you produce receipts to account for expenses you incurred or purchases made abroad.
• Count your cash or travelers’ checks, in your presence.
It’s possible to request a copy of your personal API/PNR data. You may ask that a notation be added to the file should any information be inaccurate (see Resources). Contact the border agency’s recourse directorate to dispute any decision or search (cbsa-asfc.gc.ca/recourse-recours/menu-eng.html).
3.2 Crossing into the United States
In the United States, Customs and Border Protection and Immigration and Customs Enforcement (agencies of the Department of Homeland Security) have powers much like those of their Canadian counterparts to scrutinize travelers and goods crossing the border.
Upon entering the US, you almost certainly will be interviewed by a Customs and Border Protection agent who will collect your customs declaration. Immigration and Customs Enforcement investigates possible violations of laws and regulations.
As Homeland Security’s former Chief Privacy Officer, Mary Ellen Callahan, has noted, the US Supreme Court and Congress have long held that there is no expectation of privacy for materials and goods carried over the US border, regardless of one’s status in the United States.[14]
Homeland Security’s Callahan recognized the sensitivity of searches of electronic devices in issuing a privacy impact assessment spelling out how such inspections should be conducted to fulfill the department’s mission while respecting the rights of travelers.[15] Callahan also tried to reassure travelers by putting the issue in perspective, noting that between October 1, 2008, and August 11, 2009, Customs and Border Protection encountered more than 221 million travelers at US ports of entry.
“Approximately 1,000 laptop searches were performed in these instances — or roughly one laptop search for every 442 jumbo jets full of 500 passengers each. The vast majority of these searches were as simple as asking the traveler to power on the device to show that it is what it purports to be.”
Even so, there is plenty of advice for travelers wary of crossing the border with electronic files they wish to remain private — particularly given the ubiquity of smartphones and other portable devices that hold a wealth of information. The Electronic Frontier Foundation, devoted to defending digital rights, has produced “Defending Privacy at the US Border: A Guide for Travelers Carrying Digital Devices” that offers detailed tips on shielding data.
“For doctors, lawyers, and many business professionals, these border searches can compromise the privacy of sensitive professional information, including trade secrets, attorney-client and doctor-patient communications, research and business strategies, some of which a traveler has legal and contractual obligations to protect,” the guide says. “For the rest of us, searches that can reach our personal correspondence, health information, and financial records are reasonably viewed as an affront to privacy and dignity and inconsistent with the values of a free society.”
One option is to travel with an alternate smartphone and laptop that contain no sensitive data and can be wiped clean upon returning home. Or you can buy a separate laptop hard drive, install a fresh operating system on it, and use it in your computer while on the road, the Foundation’s guide suggests.
You can use the US Freedom of Information Act to see if the Homeland Security agencies have files about you. US citizens and lawful permanent residents can use the Privacy Act. Contact Customs and Border Protection about a concern or complaint. You can file a civil rights complaint against Customs and Border Protection or Immigration and Customs Enforcement with the Department of Homeland Security. (See Resources for links.)
If you have been repeatedly referred to secondary screening, or suspect your name is on a watch list, you may want to contact Homeland Security’s Traveler Redress Inquiry Program.
4. At the Airport
Six-year-old Syed Adam Ahmed just wanted to go to a hockey game. Adam’s father, Sulemaan Ahmed, tweeted a photo from Toronto’s international airport that appeared to show the boy’s name with a “DHP” or “deemed high profile” label and instructions on how to proceed before allowing the youngster to check in. They were trying to board an Air Canada flight December 31, 2015, to Boston to see the NHL Winter Classic.[16]
Tales of other children with the same sorts of travel challenges soon emerged. Adam’s mother, Cajee, has become an unofficial liaison with the Liberal government on behalf of many families.
“When they saw this in the media, they contacted us,” said Cajee. “Because I guess they were surprised and happy to know they were not the only ones.”
It’s still unclear what’s going on, but Public Safety Minister Ralph Goodale promised to look at the Canadian no-fly regime, known as the Passenger Protect Program, as part of a broader national-security review. Under the program, the public safety minister establishes a list of people about whom there are reasonable grounds to suspect they will:
• engage or attempt to engage in an act that would threaten transportation security; or
• travel by air to commit certain terrorism offenses, such as participating in or contributing to terrorist activities.
The minister must review these listing decisions at least every 90 days. The criteria for inclusion on the list were recently broadened beyond those who simply posed an “immediate threat” to aviation security.
The name, birth date, and gender of each listed person are provided to airlines so they can check the information against those taking flights originating from, destined for, or flying within Canada.
Air carriers must cross-reference the list with all passengers who appear to be 18 years of age or older before issuing them a boarding pass.[17] If there is a match, the airline must confirm the person’s identity and inform Transport Canada.
In the event of a positive match, the public safety minister may then direct the airline to take action to prevent the individual from carrying out the prohibited activities outlined above. It might mean telling the carrier to forbid the person from boarding a plane or demanding that he or she undergo additional screening.
If you are denied boarding due to presence on the Canadian no-fly list, you will be given written notice confirming so. You then have 60 days to challenge the decision to the Passenger Protect Recourse Office.
Only one person is publicly known to have been prevented from boarding a plane due to being on the Canadian no-fly list. Hani Al Telbani of Longueuil, Quebec, was denied a seat on an Air Canada flight from Montreal to Riyadh, Saudi Arabia, via London, on June 4, 2008. Within days, the master’s student in information system security at Concordia University applied to the federal Office of Reconsideration (the appeal body at the time) and filed suit in the Federal Court, alleging the no-fly program breached guarantees under the Charter of Rights and Freedoms. A 2008 report commissioned by the appeal office said Telbani should never have been barred from the flight.
Canada followed the lead of the United States in establishing the list in 2007. The American no-fly roster — believed to be much larger than the Canadian one — has been heavily criticized by civil libertarians.
Ottawa insisted a Canadian version was necessary to guard against terrorists and others out to cause serious trouble aboard aircraft. Critics called it a violation of human rights with no guarantee of increased safety.
In announcing his review of the program, Goodale reminded airlines there is no need to check people younger than 18 against the no-fly list.
Complicating matters is the fact Air Canada, the country’s largest airline, is known to use US aviation security lists, though it refuses to discuss the practice. This could account for many of the hassles Canadians, including youngsters, experience at the airport.
We do know that the US Transportation Security Administration’s Secure Flight program allows for collection of the name, gender, and birth date of the some five million Canadians who cross American airspace each year en route to destinations such as the Caribbean, Mexico, and South America — even if their planes don’t touch American soil. The US agency runs the names against security lists.
Secure Flight uses this basic biographic data about travelers to try to identify both low-risk and high-risk passengers before they arrive at the airport through cross-referencing. The program then issues screening instructions to airlines, categorizing passengers —
• who are eligible for expedited screening,
• who will receive standard screening,
• on the Selectee List and therefore designated for enhanced screening, and
• on the US No-Fly List or Centers for Disease Control and Prevention Do Not Board List, and therefore ineligible to fly. (The No-Fly List is a subset of a database maintained by the Federal Bureau of Investigation’s Terrorist Screening Center.)
Travelers, including non-Americans, who experience screening-related or inspection difficulties can pursue a remedy through the Department of Homeland Security’s Traveler Redress Inquiry Program.
Moreover, in March 2016, Canada and the US agreed to set up a Redress Working Group to help resolve errors of identity on no-fly lists. In a statement, Canada said the new processes would help expedite processing of complaints and streamline security-list removal procedures. In addition, Canada and the US will routinely share their respective no-fly lists as part of a joint effort to identify threats.
Air travelers worldwide have become used to the pre-boarding ritual of placing items in trays, lifting one’s arms, and even removing footwear for security screeners.
The US Transportation Security Administration and Canadian Air Transport Security Authority have generally similar screening procedures involving walk-through metal detectors, physical searches, full-body scanners, and explosive-trace detection.
You might undergo additional screening due to random selection because you tripped a detector alarm, or the fact you must avoid the detector because of a pacemaker or other such device.
In addition to a visual search under accessories such as scarves, the screening officer may also carry out a “pat down” to check for concealed objects. You can ask that a pat down take place in a private area and that an officer of the same gender wears gloves during the procedure. A second officer is also supposed to be present.
In airports equipped with millimeter-wave full-body scanners, you may choose this option or a physical search if required to undergo additional screening. However, in a small number of cases US screeners will require a full-body scan. The scanners, which detect weapons and explosives not caught by metal detectors, generate a stick-figure image of the passenger rather than a detailed outline. It can alert screeners to an area of the body requiring additional search.
If your checked baggage is opened and inspected, a notice to that effect will be placed inside.
The United States and Canada have also embraced similar advanced data-crunching techniques to try to pinpoint potentially dangerous travelers. The Canada Border Services Agency has ushered in scenario-based targeting (already used by the US) as part of Canada’s commitment to cooperate with Washington under the 2011 continental security pact known as the Beyond the Border initiative.
Commercial airlines are legally bound to provide Canada’s border agency with specific information about passengers flying to Canada, including name, birth date, citizenship, seat number, and other details. The border agency has long used the information to assess people for risk, allowing officials to zero in on those with high scores for additional attention upon landing. The new scenario-based scheme uses elaborate number-crunching, or Big Data analytics, to reveal patterns in the information provided by air carriers — a method the border agency considers more efficient and accurate.
Privacy Commissioner Daniel Therrien is pressing the border agency to explain the program’s rationale and build in safeguards to protect individual liberties. Travelers may be targeted if they fit the general attributes of a group due to traits they cannot change such as age, gender, nationality, birthplace, and racial or ethnic origin, he warns.
In his recently released annual report, Therrien said, “it could allow the operator to, for example, search for all males aged between the ages of 18–20 who are Egyptian nationals and who have visited both Paris and New York.”[18]
The border agency says scenarios are “a generic set of indicators” that flow from analysis of intelligence, enforcement, trends, and other information to identify passengers who “may pose a higher risk” due to concerns about national security, smuggling of contraband such as drugs, or illicit migration. This could mean additional scrutiny for some travelers when their plane touches down in Canada.
You can take action by doing the following (links are provided in the Resources at the end of this book):
• Contact the Department of Homeland Security Traveler Redress Inquiry Program.
• File a complaint with the US Transportation Security Administration (TSA).
• Make an application to the Passenger Protect Recourse Office (Public Safety Canada).
• File a complaint with the Canadian Air Transport Security Authority (CATSA).
• File a complaint regarding damage or lost items because of a CATSA search.
5. Staying Secure On the Move
Phones, tablets, and laptops are popular targets for both physical and data theft, warns Public Safety Canada,[19] the counterpart of US Homeland Security. “These devices offer a centralized source of information, both personal and professional, about you and the organization for which you work or represent.”
Here are some useful tips from Public Safety on avoiding cyber-theft on the road.
Before you go:
• Protect all your devices with strong passwords or passcodes Do not use the same code on more than one device. (See the earlier section on Passwords in Chapter 4.)
• Minimize the data contained on your device. Only include information that you will need for your travel.
• To avoid losing valuable information, back up all important files and store them in a separate location.
• Some devices have an option that will erase all data if the password is repeatedly entered incorrectly. Enable this option so that if you lose the device, that’s all you’ll lose.
• Update any software and security patches.
• Do some research on the laws and regulations of the country you plan to visit, as you are subject to the laws governing intellectual property, digital information, censorship, and encrypted data in that country. As we have discussed, sensitive business information on your devices may be subject to search at border crossings.
While abroad:
• Do not let your devices out of your sight.
• Avoid charging your phone or device by plugging it into a computer or other device that you do not control. Malicious software could be transferred when your device is connected. Plug directly into a wall socket instead.
• Turn your Bluetooth off when you’re not using it. Some devices allow for automatic connection, meaning other Bluetooth networks can connect to your device without authorization.
• Turn off your devices completely when not in use. Don’t allow them to be in “sleep” mode.
• Be aware that Wi-Fi hotspots are common targets for identity thieves. These networks may be unsecure and accessible to anyone. Unless you are using a secure Web page, you should never send or receive private information when using public Wi-Fi. When available, use a hard-wired connection.
• If you plan on using Wi-Fi provided by your hotel, ask what security measures are taken to protect the guests’ information.
• Free Internet access points are sometimes established for malicious or deceitful purposes. These Internet access points are purposely named to imitate trusted access points. For example, a hotel may have established an access point called HotelABC Internet. A malicious individual may set up a misleading or deceptive access point in the vicinity of that hotel called SecureHotelABC Internet. This access point may even have better signal strength than the legitimate one. You should confirm with your hotel the name of any Internet connection it provides.
• Be careful about broadcasting your travel plans. For example, avoid posting updates and photos that reveal your whereabouts on social media sites.
On your return home:
• Reset credentials for access to your device and all accounts, including personal accounts (even if not accessed while abroad) that have similar usernames and/or passwords. These may include banking, social networking and webmail accounts.
If you are traveling outside North America on government or corporate business, there are special precautions you should consider. Canada’s main spy agency, the Canadian Security Intelligence Service, produced a guide for senior personnel warning of the dangers from state agents out to pilfer confidential files.
A copy of the 2012 CSIS publication, Far from home: A travel security guide for government officials, was obtained by The Canadian Press under the Access to Information Act.
Among the spy service’s advice:
• Information you provide on a visa application form could be used to assess your worthiness as a target, meaning only necessary details should be provided. For example, some countries will request passport numbers of family members, even if they are not traveling with you.
• Travel with an alternate telecommunications device that contains no sensitive data and can be wiped clean when you return home. You do not want to take abroad a device packed with emails, contacts and documents.
• Conceal baggage tags and assume luggage will be searched in transit.
• Any details given to airline or border control agents may be collected by the host country — or shared with other countries.
• Border searches may entail copying of documents, including those on a laptop or smartphone.
• Classified documents are best kept on one’s person or in secure storage at your country’s embassy.
• While some might think foreign spies are after only big-ticket quarry like fighter jet plans, they might simply covet a government agency’s personnel organization chart.
• Know that in many countries you will be subject to physical surveillance.
• Never talk shop or volunteer information in front of taxi drivers, waiters and bartenders, who could be intelligence officers or informants. Every little bit of information can be useful to a competitor.
• Be wary of gifts such as digital memory keys that can give someone remote access to a computer once plugged in.
• Foreign agents may employ the relatively subtle technique of eliciting information through random conversation, perhaps appealing to one’s ego or emphasizing mutual interests.
• Some travelers have returned to their hotel rooms to find people searching their belongings or conducting unnecessary maintenance activities. Intrusions are frequently accomplished with the co-operation of hotel staff.
• Beware the “honey trap” — sexual seduction as a means of blackmail through the secret recording of an intimate encounter. There are also reports of individuals who have suspected they were drugged and who awoke to find that their hotel room had been searched, smartphone stolen and secret business documents missing.
• In some countries the threat of kidnapping is significant, as many groups depend on such activities to fund their operations. Consequently, you may want to look for signs of hostile reconnaissance, as well as to vary your routines and the routes you take to and from your hotel and place of work.