by Geoff Duncan
Many travelers have had the experience of showing documents and answering questions while crossing an international border. But these days most of us carry smartphones, tablets, and computers that can contain or access tremendous portions of our daily lives.
Sure, some data is innocuous, like snapshots of yesterday’s lunch or last week’s sports scores. But some of it can be deeply sensitive, including banking and financial information, medical histories, dossiers of our friends and acquaintances, private conversations — even records of where we have been.
As tensions rise over border and immigration issues (think walls, immigration bans, and terror threats), and as we become more dependent on our devices, demands to examine the contents of digital devices are becoming more common at the U.S. border and other border crossings around the world.
What would you do if a border agent wanted you to unlock your device? Or if they demanded passwords to your social media, email, or banking services?
If these questions give you even a moment’s pause, it’s best to give some thought to crossing into the United States before you actually get there.
What Can Border Agents Do? — Contrary to some popular opinion, the U.S. Constitution does apply at U.S. border crossings, so U.S. citizens have rights of free speech and association, freedom from unreasonable searches and seizures, and freedom from forced self-incrimination.
However, U.S. border agents also have broader powers than U.S. police officers, including the ability to conduct warrantless searches of vehicles, luggage, and other possessions. Put another way: in the United States a police officer can’t pull you over, then search and disassemble your car unless they have probable cause and a warrant approved by a judge. However, a border officer can, no warrant needed.
U.S. border agents have these extended capabilities because courts have held the government’s interest in maintaining border integrity is more important than an individual’s privacy. In legal terms, these extended searches are considered “routine,” and are meant to enable border agents to enforce trade and import laws, to prevent dangerous people from entering the country, and to ensure entrants are authorized and properly documented.
It’s absolutely within a border agent’s purview to inspect the physical aspects of any device you are carrying, whether that is a phone, tablet, laptop, camera, or any other digital gear. This includes not just inspecting its case and controls, but also removing batteries, memory, storage, and other components.
Moreover, Customs and Border Protection (CBP) directives grant border agents the authority to examine any information “encountered” on devices. That can mean flipping through pictures on your digital camera, and (if the device is unlocked) swiping through your phone and its apps, and poking around your computer.
Many travelers are perfectly OK with this. For instance, if a border agent wants to flip through my terrible pictures (Look, a blurry thumb!) or the massive list of blocked numbers on my iPhone, I don’t particularly care: I’m nowhere near as dependent on devices as many people, and I don’t really use social media.
But my computer often contains encrypted, confidential data belonging to my clients. If border agents wanted to look through that, I might have a legal obligation to refuse. Plenty of people — especially folks like doctors, attorneys, and journalists — would be very uncomfortable with border agents flipping through patient records, correspondence, photos, financial information, and more.
Turn Off, Turn Down, or Turn a Blind Eye? — So, if you don’t want U.S. border agents going through your devices, the solution might seem easy: lock them or turn them off! That way, border agents won’t “encounter” any information during their inspections, right?
That’s true. But now imagine a border agent asks you to activate or unlock the device, or provide a code or password to do so? It’s surprisingly common. Maybe the agent wants your Facebook or Twitter password so they can examine everything about your social media presence, not just what’s public. Maybe they want your passwords to WhatsApp, iCloud, Dropbox, or your bank. Maybe these aren’t requests: maybe they’re orders.
Now things get tricky.
- If you agree, border agents can scrutinize and copy your information.
- If you refuse, border agents can seize your devices and even detain you. The CBP cannot refuse to let a U.S. citizen into the country; however, they don’t have to make it easy, quick, or pleasant. The CBP can refuse entry to both foreign nationals and lawful permanent residents. All of this increases pressure to comply.
- If you lie to border agents — “Uh, I forgot my password! That’s not my phone!” — you’ve committed a crime carrying a prison sentence of up to five years.
Requests, Orders, and Consent — You can refuse to disclose passwords or unlock devices. The border agent might say “OK,” and move on to the next part of their inspection. Or, the agent may insist, perhaps suggesting that unlocking devices is in your best interest. If you unlock a device, that may constitute legal consent to being searched. With consent, border agents may search nearly any aspect of a person or their property.
If you refuse a request, border agents can escalate to an order. Agents are sometimes ambiguous about the distinction between a request and an order because implicit consent to a request gives them better legal footing. If in doubt, ask.
You can refuse an order to disclose passwords or unlock or activate devices, but border agents can seize your devices. How long can you go without your phone, computer, and the information they contain? Can you afford to replace them? Agents can also escalate the engagement to include additional officials or even detain you.
Once border agents have a device, they can copy its contents and share the data with other agencies or third parties for interpretation or forensic analysis. If the device is not unlocked, they may attempt to copy and store its data anyway, even if it’s encrypted. After all, if the government gets a password (or has/finds/buys a loophole or flaw in the software protecting the data), they may be able to decrypt it anyway. Same with any encrypted data on an unlocked device.
How long can the government hold on to data or devices? Generally, the CBP is supposed to destroy copies of data and return seized devices within five days, but retention of both can be extended almost indefinitely. Additional data about travelers and searches entered into a system called TECS — formerly known as the Treasury Enforcement Communications System — can be retained as long as 75 years. This may include passwords and other credentials revealed to disclosed agents.
How to Protect Your Data — If for any reason you don’t want to be put in the position of disclosing your entire digital life to U.S. border agents, you need to plan ahead. If you’re already in line at a border crossing and suddenly decide you want to protect your data, it’s too late.
First, assess your risks, perhaps by making a list of potential problems if your devices were seized or information on them was accessed (and potentially copied and shared) by border officials. For instance, if you rely on your iPhone to manage your boarding passes, lodging, and car rentals — or perhaps use Apple Pay while traveling — having your phone seized by border agents could present a major problem for the rest of your trip.
Worse, if you’re a physician traveling with patient records, an attorney with confidential documents, or a journalist with sensitive information, having the government leaf through your data could represent a huge professional and ethical problem.
Honestly, for most people, the risk analysis stops here. Even people who are tremendously reliant on their smartphones, devices, and social media rarely do anything sensitive. Sure, we might not want border agents reading text messages to our friends and relatives, but it’s not really a privacy disaster if they flip through selfies or uncover a group chat planning a surprise party for the grandparents.
However, if you feel the risks are significant — perhaps you’re party to a high-profile lawsuit, planning a divorce, work with classified information, have data on your device that is legal but perhaps controversial, or have legitimate worries about your status in the current political climate — you can take some steps to protect your data.
- Take fewer (or no) devices. You can’t be asked to unlock something you don’t have. A colleague who travels regularly between Japan and the United States has stopped carrying any devices at all. Another who does a similar commute from Sweden uses a travel-only phone.
- Use device encryption. iOS devices have had on-device encryption for most of your data enabled by default for years. On Macs, this means enabling whole disk encryption via FileVault, which has been available since 2011 (for assistance, see “Take Control of FileVault”).Then, turn your devices off. A device that’s merely asleep or locked is considerably more vulnerable to having its security compromised than an encrypted device that is fully shut down. This is probably the strongest (and easiest) thing most travelers can do to protect their data — as long as you’re using strong passwords and passcodes (for details, see “Take Control of Your Passwords, Second Edition.”) Do not rely on biometric security like fingerprint readers.
- Consider migrating some of your data to the cloud. In many cases, there’s no reason you need to carry your data with you on your devices: you can simply upload it to a cloud service — whether iCloud, Dropbox, or some other provider — then delete the data from your device, and re-sync with the cloud provider once you reach your destination. The process might take some time (or involve expensive data roaming charges), but it eliminates the need to physically transport your data over the border.There are two main potential problems with this approach. The first is that deleted data on a device can often be recovered via forensic analysis. Just because you delete an item from a device doesn’t mean it can’t be recovered by an expert. Second, border agents may just demand passwords to your cloud accounts. (Remember, lying to border agents is a crime.)
- Don’t know your passwords. This is perhaps the trickiest option — and takes the most planning — but an attorney I’ve worked with occasionally over the years uses it. When he has had to travel with sensitive information recently, he has encrypted it with a strong password that is too long to remember, and then sent that password in an encrypted note to his own attorney. The result is that if he is asked to unlock the encrypted data, he can truthfully reply that he does not have the password. Further, if officials demand he retrieve the note that could reveal the password, it would be protected by attorney-client privilege.You could use a similar approach to passwords used to unlock devices, email, social media accounts, banking information, and more. But doing so requires a great deal of effort and almost certainly needs a trusted third party. (And if that third party makes a mistake, you may lose access to your accounts altogether.) Moreover, border agents may regard it as highly suspicious if a traveler doesn’t know the passwords to their own accounts or devices — and that may increase the likelihood of greater scrutiny or an escalated encounter.
If Your Devices or Information Are Taken… — If border agents seize your devices, politely insist on a property receipt. If you feel you are being mistreated by border agents or your rights are being violated, politely ask for their names, badge numbers, and agencies of the officers you encounter. Do not be rude, aggressive, or belligerent: it will never work in your favor. Also do not physically interfere with border agents: they can respond with physical force.
Want To Know More? — This article is just an overview of some issues involved with crossing the United States border with your personal data. Furthermore, I am not a lawyer, so this article should not be construed as legal advice!
Fortunately, there are more-extensive guides to these topics written by real lawyers. If this topic is of particular interest to you, I recommend them highly:
- The American Civil Liberties Union has published a detailed outline of issues surrounding border searches of devices and data. They also offer information on all manner of border crossing issues.
- The Electronic Frontier Foundation recently published a guide to Digital Privacy at the U.S. Border, available both on the Web and as a printable PDF.
Plus, many of the legal issues surrounding what border agents may and may not search on devices at the U.S. border are still poorly defined, with cases still working their way through courts, and members of Congress introducing potential legislation that would require a warrant before searching digital devices.
The situation is complicated and getting more so all the time. But if you’re at all concerned about the privacy of your data while crossing the U.S. border, it’s best to be prepared before you show your passport or identification.
Will these device searches cause you to change your behavior when traveling? Let us know in our informal Twitter poll, which is open until 25 April 2017. So far, the overwhelming majority have said, yes, it will cause them to act differently.