On Fri, Mar 31, 2017 at 11:59:49AM -0500, Paul Wouters wrote: > I don't know when I will be refused entry for not handing out > passwords or pins. This is worth noting on an equal basis with the question of whether travelers will be refused entry or only permitted entry after considerable delays, interrogation, and abuse. There is at this moment no articulated, consistent, and uniform policy in place specifying: - who will be asked for passwords - why they'll be asked - who will do the asking - under what circumstances they'll be asked - what the ramifications of refusal are - what the ramifications of not remembering them are - what the ramifications of agreement are - what use will be made of them - what use will be made of any data they provide access to - if they'll be retained - if the data they provide access to will be retained - if they'll be shared with other US agencies - if they'll be shared with other non-US agencies - if computing devices will be confiscated - if computing devices will be searched - if computing devices will be returned - if the contents of computing devices will be copied - who will have access to that data - what use will be made of that data - if that data will be retained - if that data will be shared with US agencies - if that data will be shared with non-US agencies - what auditing controls (if any) exist to prevent mis-use - when any retained passwords/data will be destroyed (if ever) - etc. Moreover, the ad hoc policies that are in place are used very inconsistently -- at the personal whims of those enforcing them -- and are subject to change not only without advance notice, but without any notice of any kind. Because of this, asking anyone to come to the US at this time is equivalent to asking them to incur unknown but possibly very large privacy and security risks, as well the financial risk of losing any/all computing devices they bring with them. ---rsk