Go to Top

Consider Leaving Sensitive Data At Home

When crossing an international border, most of us know that we may have to declare certain items we are carrying with us or open our bags if asked to do so.

Increasingly, however, travelers run the risk of being asked to open their entire digital lives to scrutiny as well. And that trend seems to be spreading.

Since the Obama administration, U.S. Customs and Border Protection agents have occasionally asked – or, according to travelers’ reports, demanded – to inspect not only the exterior of laptops, smartphones or other mobile devices, but to rifle through their contents as well. Such searches require no warrant, or even probable cause. The government has justified this invasive practice as a necessity for fighting terrorism and other forms of crime. Then-Department of Homeland Security Secretary John Kelly said in 2017 that such searches were no different than a bag search at a port of entry. “Generally speaking, it’s done for a reason,” he added.

Most people, however, can easily imagine why full access to a mobile device or laptop is substantially more invasive than a bag search. Most of us live a great deal of our lives online, and a CBP agent could theoretically view anything from an intimate email between romantic partners to the extent of a user’s social media activity to personal financial or medical information in the course of such a search. And while most people protect their devices with a password, encryption or both, border agents often demand that customers unlock their electronics to facilitate such intrusive searches.

Instead of correcting the previous administration’s overreach, the Trump administration seems determined to double down on the practice. Border agents inspected more than 30,000 phones and other devices in 2017; while this is a miniscule number in terms of overall travelers, it is nearly a 60 percent increase over the number of such searches in 2016. Kirstjen Nielsen, Kelly’s successor as secretary of Homeland Security, explained an updated CBP directive on this policy to the Senate in a January hearing. The new directive established criteria for certain practices, such as downloading documents stored in the cloud, but Nielsen confirmed that agents still did not need probable cause to demand a password.

The United States is not alone in this practice. Canadian border agents, too, have asked travelers to provide access to password-protected devices. As Robert Currie, director of Dalhousie University’s Law and Technology Institute, told the National Post, the Supreme Court of Canada has upheld the importance of privacy for electronic devices in a variety of cases, but these decisions have not yet been reconciled with the idea that privacy rights are all but suspended at border crossings. In New Zealand, a law that came into effect on Oct. 1 makes explicit that customs officers need only reasonable cause to make a full search of a mobile device, including compelling the device’s owner to provide a PIN or password. Those who refused can be fined.

At home, Americans are protected by the Fourth and Fifth Amendments, which respectively shield us from unreasonable search and seizure and from self-incrimination. The extent to which the Fifth Amendment protects citizens from having to give passwords to law enforcement is still subject to debate in a variety of contexts. But the direction our government and others have moved in this area seems to suggest that any expectation of such protections should be abandoned any time you wish to cross a national border.

We are not yet at the point, as New Zealand is, where people who refuse to hand over passwords or encryption fees face legal penalties in the form of fines. But CBP agents have broad powers to make life difficult for people who don’t cooperate. They can detain you for long stretches of time, interrogate you, or confiscate your device for days (or longer). If you are not a U.S. citizen, they can deny you entry to the country. Such tactics, or the prospect of them, may intimidate many people into simply giving in.

The calculus can be more complex for certain travelers. Consider Sidd Bikkannavar, an American who works for NASA’s Jet Propulsion Laboratory and is a member of the CBP’s Global Entry program, which offers low-risk travelers expedited customs processing. In early 2017, Bikkannavar was pulled aside by CBP officers on his return from a trip to Chile. The agents told Bikkannavar to hand over his phone and give up the passcode, and were unmoved by his explanation that he wasn’t allowed to do so because the device contained sensitive data for a U.S. agency. In the face of CBP persistence, Bikkannavar ultimately gave in. As soon as he returned home, he took the device to Jet Propulsion Lab’s IT department. He told The Verge that the lab’s cybersecurity team was, understandably, unhappy about the security breach. He also said that the CBP agents he spoke to would not tell him why he was chosen for extra scrutiny.

Not all of us are NASA engineers, but many of us carry sensitive professional data on our devices, including lawyers, journalists, psychotherapists and other medical professionals, just to name a few examples. In other words, it is not only the individual user’s privacy that may be violated when a CBP agent demands access.

We can hope that the courts will eventually rein in such overreach, at least in the United States. But as such invasions become more common, international travelers will need to take steps to protect their digital privacy.

Ryan Lackey, a computer security professional, told Wired in 2017 that he has long taken such precautions when visiting countries like Russia or China. These include taking separate devices connected to nonsensitive online accounts. Lackey loads the minimum data he will need for the trip, wiping everything else before he travels. He suggested that, with the CBP’s current aggressive stance, travelers who often cross the U.S. border or who feel they might be targeted for special scrutiny may want to consider taking similar precautions on trips to or from the United States. Some companies, too, issue travel-specific devices to their staff to keep proprietary data safe.

If you don’t travel frequently enough to make separate devices practical, you can still take steps such as making sure your device is encrypted and completely powering down your devices before entering customs. You may also want to log out of apps such as social media or financial management programs, so that someone with your phone’s passcode does not automatically have access to those accounts. But know that such steps are no guarantee that you will not face pressure from an agent regardless. Some security experts offer more extreme methods, such as setting up two-factor authentication and not carrying the SIM card necessary to receive the code, which makes it logistically impossible to give an agent access to your device. I doubt most travelers will go so far.

When securing your phone, don’t overlook your laptop or tablet devices, either. Many of us travel with more than one piece of equipment that holds the keys to our digital kingdoms.

Finally, if you do end up giving your password to a customs agent, don’t forget to change it promptly once you get home. While the CBP cannot keep any files or data it copied from your device longer than a week without probable cause, the agency can hang on to passwords to facilitate future searches.

Individual travelers, for now, will have to pick their battles when deciding whether to give in to demands for their passwords and sensitive digital information. Many people may not find the consequences worth refusing. But that does not mean this overreach is justified in the long run.

, , , , , , , , ,