Visiting The States? Have Your Passwords Ready


There’s been a lot of buzz about this on Twitter: if you’re visiting the States anytime soon, you might want to have your social media login credentials handy, as they might be requesting them at the border.

I find the whole thing rather contrived though as I use 2FA for everything, so they are welcome to my passwords – they can’t log in even with them.

Over 50 human rights and civil liberties groups, nearly 100 law professors and security experts, and lawmakers have launched a campaign against digital searches at the US border.

An open letter condemns recent comments by Homeland Security secretary John Kelly in which he proposed requiring selected non-citizens entering the US to provide the passwords to their social media accounts.

The letter has been signed by, among others, the American Civil Liberties Union, Center for Democracy & Technology, Consumer Technology Association, Electronic Frontier Foundation and Internet Society, as well as a wide range of law professors, internet engineers and security experts, including Bruce Schneier.

“Demanding passwords or other account credentials without cause will fail to increase the security of US citizens and is a direct assault on fundamental rights,” the letter argues.

It warns that the approach would not only invade people’s privacy – including those of US citizens – but also discourage travel to the United States as well as set a dangerous precedent that would likely see other countries institute similar entry requirements for US citizens.

“The first rule of online security is simple: Do not share your passwords,” the letter concludes. “No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.”


There are some good points made as well: with so many sites offering authentication and identity management based on Google and Facebook accounts, giving up access to those gives them the ability to access a LOT of sites and a huge amount of information about you.

The whole thing is rather draconian and Orwellian; sometimes, especially since 2016 turned out the way it did (Hello Brexit and President Trump), I feel like I’m living in 1984.

And this kind of stuff DOES not help.

The issue has also attracted the attention of Senator Ron Wyden (D-OR), who sent a letter to Secretary Kelly saying he was “alarmed” by reports of Americans being detained by border agents and being pressured into handing over their smartphone PINs.

“These reports are deeply troubling,” Wyden noted, “particularly in light of your recent comments suggesting that CBP [US Customs and Border Protection] might begin demanding social media passwords from visitors to the United States.”

He continues: “Circumventing the normal protections for such private information is simply unacceptable. There are well-established legal rules governing how law enforcement agencies may obtain data from social media companies and email providers” – rules that require warrants or court orders.

He then asks five questions of Kelly, digging into the legal authority that the Department of Homeland Security (DHS) feels it possesses to demand passwords and asks for stats on how often it has happened.

The whole thing makes travelling to the USA quite unattractive with border agents able to demand your phone PIN code and now your social media login details.

I hope it all goes away when some judge realises this is a HUGE violation of privacy and doesn’t actually make anything more secure.

Source: The Register

Posted in: Legal Issues, Privacy




2 Responses to Visiting The States? Have Your Passwords Ready

  1. sudon't March 20, 2017 at 7:35 pm #

    How do you figure two-factor auth is going to help? They’ll just click “send a text to my phone”, and when the text comes in, they’ll have your phone in hand. If they’ve decided to have a look at your social media, do you think they’ll leave you holding your phone? No, they’ll want your phone’s passcode as well.

    • Darknet March 23, 2017 at 2:13 am #

      Set the 2FA number to a feature phone in your check-in luggage. Or use a YubiKey (also not with you) etc.