Want to Protect Your Data at the Border? Delete It
It’s getting harder and harder to enter the United States with your privacy intact. In the wake of President Trump’s executive orders on immigration, travelers have reported increasingly invasive stops by border agents. On January 30th, NASA scientist and US citizen Sidd Bikkannavar was coerced into unlocking his phone for Customs agents at the border, possibly exposing sensitive information. Homeland Security leaders are also considering more invasive requirements, like demanding social media passwords from travelers.
Legally, customs agents have the right to physically inspect items as they enter the country, part of the legal mandate for keeping contraband from crossing the border. In theory, they’re still subject to the Fourth Amendment prohibitions against unreasonable searches, but courts have found that the standard for reasonableness at the border is extremely low, so the prohibitions have little force. Customs agents still don’t have the right to compel passwords or access cloud services, and while they can hold devices for weeks or even months as they’re examined, modern device encryption typically prevents any data from being recovered. That legal vulnerability raises a troubling practical question: what can you do to protect your data as you enter the US?
Before you fly, delete
Because data is so vulnerable at the border, your best protection is to carry as little of it as possible. That means deleting sensitive files from your phone and computer before you get on the plane, since you can’t turn over information you don’t have. And even if you decide to give agents access, always unlock the device yourself rather than handing over the password, which could be used to decrypt the hard drive forensically to recover deleted files. (Device encryption will also help with this, which we’ll talk more about in the next section.)
The same logic applies to social media accounts. Uninstalling the Twitter and Facebook app from your phone makes it much harder for agents to read private messages sent through those services, and it’s another good measure to take before heading to the airport. That’s particularly true if you can plausibly claim to not remember the password, and have two-factor protections in place to prevent unverified logins. Customs agents will still be able to read the public-facing content, but they won’t be able to see anything they couldn’t get through Googling your name.
Cloud storage can also play a role, although it comes with certain drawbacks. Backing up phone data to the cloud (either through iCloud or Google Cloud) makes it easy to restore everything once you land. That means you can delete more upfront, and carry less data with you across the border. The drawback is that, if you’re under active investigation, police could access all that data through a court order. That process happens less often and comes with more oversight than border searches, so it’s hard to recommend for genuinely sensitive data — but if you’re worried about the CBP rather than the FBI, it could make your crossing a lot easier.
Should I unlock my phone?
The decision of whether or not to unlock your phone for CBP agents is a personal one, and ultimately depends on a variety of factors. Because border agents have the power to temporarily detain you without suspicion, many travelers see unlocking a device as the simplest way to get through questioning. In some cases, including Bikkannavar’s, travelers have been released after unlocking their phones. Still others have had that data used to justify an even more intensive inquiry. As a result, it’s difficult to craft a blanket rule for all cases.
“In terms of giving advice, it really depends on the goals travelers have and their tolerance for risk,” says the EFF’s Sophia Cope. “If you’re not a US citizen and you really want to get into the country, you’re probably going to figure out how you can comply as much as possible.”
Those that choose not to unlock their phones: know your rights. Border agents don’t have the power to prevent US citizens from entering the country, though they can detain you for hours, often long enough to miss a connecting flight. Non-citizens can face a harder path, as immigration agents can often deny entry for seemingly arbitrary reasons.
Crucially, you should make sure your devices are fully disk-encrypted. That’s true by default on iOS, and available on Android at Settings > Security > Encrypt Device. For laptops, it’s available through FileVault on macOS and in Settings for many Windows 10 machines. Border agents are authorized to hold devices for forensic analysis, but that’s less likely to happen if they realize up front that such analysis will be impossible, so be honest about the encryption you’re using.
If you do decide to unlock your devices: remember that you’re not out of the woods. Complying with the agents doesn’t necessarily mean being immediately released — and any investigation scans will be a lot more intrusive if you’ve already decrypted your device. Your data may also be copied and shared with other agencies, particularly the FBI.
“Understand that when you’re traveling, the government may potentially hold you for hours, and they may potentially confiscate your devices,” says Hassan Shibly, director of CAIR’s Florida branch. “That’s true whether you answer questions or not, or whether you unlock devices or not.”
Crucially, none of these measures involve deceiving border agents or actively destroying information after you’ve been stopped, since doing so could raise serious legal issues. It’s a crime to lie to a customs agent or take any action to obstruct their investigation. You can still refuse to answer questions on constitutional grounds or decline to turn over passwords, but more complicated measures like duress passwords could potentially get you held up on charges of obstructing justice.
“We very strongly urge people not to do anything that would be considered lying or misleading government agents,” says Cope. “You could be prosecuted for that.”
Report any violations
The most important measure might be one you take after you’re safely through customs: reporting any inappropriate behavior to advocacy organizations, who can use it to hold Customs and Immigration agents accountable. Questions about your political or religious beliefs are a violation of your first amendment rights, as are demands that you provide passwords. You may not be able to do much about it while you’re being detained, but descriptions of those experiences can be very useful to organizations like the ACLU and CAIR as they seek to hold border agents accountable, whether through lawsuits or reports to oversight mechanisms like the DHS inspector general.
CAIR says they’ve been overwhelmed with complaints in the weeks since Trump took office, but still believes most incidents go unflagged. “There’s a tremendous problem of underreporting,” says Shibly. “It’s important for us that we have the data. They can’t claim that there’s no problem when we have a record of complaints.” If you think your rights were violated by a border agent, you can report it to CAIR or a state ACLU affiliate, which will retain a record and forward it to the relevant agencies.
None of these solutions are perfect. Current law simply doesn’t provide very many rights at the border, and there’s no easy way around that. You may do everything right and still be held until you miss your flight because of a publicly accessible tweet that looks strange out of context. The problem can’t be solved by clever technology, but only through arduous political work that will take years to come through. In the meantime, the best you can do is get through the border with as much dignity intact as possible.