Planning a trip abroad? The chances are you will be bringing your phone, an iPad, or your laptop. While your devices mean a lot to you, their contents are far more valuable. Think about what you keep on your phone or laptop: All your contacts. Passwords. Bank and investment account information. Medical documents. Private conversations. Web browsing histories. Social media postings. Emails. Pictures.
If you’re traveling for work, you could be carrying priceless business or marketing plans, formulas, presentations, or sensitive corporate information.
In short, practically all that matters to you, and everything anyone would need or want to know about you live in your pocket or briefcase.
What if someone took this? I’m not talking about a thief, although that’s bad enough. I’m describing someone every bit as violating, and there is little you can do to stop them: The United States Customs and Border Protection agency, or CBP.
When you return to the U.S. and go through Customs, a CBP agent can ask to look at your phone, tablet, laptop, even your camera. They can examine and share your account information and access password to your social media accounts, postings, and “friend” lists; electronic communications; e-commerce history; even your cloud storage files. This is especially true if you are visiting the United States from another country.
You read that correctly.
According to the Electronic Frontier Foundation (EFF), the U.S. government reported a five-fold increase in the number of electronic media searches by Customs agents at our borders, from 4,764 in 2015 to 23,877 in 2016. And glancing at news headlines about extreme vetting at our borders since February 2017, this number could grow astronomically.
Mind you, I am not writing to rant about the power of the U.S. federal government. CBP is tasked with a tremendous responsibility to protect the country. It’s not an easy job.
For this reason, federal courts have given CBP significant powers and latitude to search your belongings extensively without a warrant as you enter the United States by land, sea, or air, and the discretion to seize them for further inspection if they deem necessary.
In simple terms, the First, Fourth, and Fifth Amendment rights from unreasonable search and seizure often do not apply at our borders.
Stop and think about that.
Just how far can a Customs agent dig into your phone, tablet, or computer? What rights do you have? And how can you protect the data on your devices when going through a Customs inspection at our borders or airports? Below are some questions and answers.
What could a Customs agent do? Bad news: Despite the Fourth Amendment’s protections against unreasonable searches and seizures, based on federal statutes, regulations, and past court decisions, CBP officers can conduct a warrantless search of anything in your belongings without having probable cause (suspicion) that your or your belongings are involved in a crime.
This is true not just at airports and ports of entry, but also any location within 100 air miles of a U.S. boundary. CBP can also question you about your citizenship or immigration status and ask for documents proving your admissibility into the country.
But wait! There’s more!
According to EFF, with a supervisor’s approval, CBP officers can also seize your electronic devices or even make a copy of the information on them “for a brief, reasonable period to perform a thorough border search.”
Such seizures typically shouldn’t exceed five days, although officers can apply for extensions in up to one-week increments, according to CBP policy. If a review of the device and its contents does not turn up probable cause for seizing it, CBP says it will destroy the copied information and return the device to its owner.
You can’t win. Now for the bad news: A Customs agent can demand that you unlock your devices, provide your device passwords, or disclose your social media information. It’s a no-win dilemma. If you comply, it’s party time for Mr. Customs man. They can examine and copy any sensitive digital information they find. If you tell them to pound sand, the agents can seize your gear, subject you to additional questioning under hot lights, detain you, and basically make your life a living hell.
Why? Because they can.
Better call Saul. Mind you, if you are a U.S. citizen, a Customs agent can’t deny you admission back into to the country. But foreign visitors don’t enjoy the same rights. As I mentioned previously, if you are coming to the U.S. on a foreign passport, CBP can deny you entry into the United States, especially if you refuse to cooperate with their demands to inspect your devices. It is why carrying the name and contact number for an attorney is not a bad option.
Feeling reassured yet?
What are the limits to the CBP’s authority? Answer: Not much. The CBP’s blanket authority for warrantless, routine searches at a port of entry ends with invasive procedures (or what we like to call extreme vetting), such as a body cavity search. To do so, a CBP officer needs to have reasonable suspicion that you might be engaged in illegal activity, and not just that you are trying to enter the U.S.
However, if you are visiting the U.S. from abroad, or have either a foreign-sounding name or are from a country of origin considered suspicious, the recent headlines will give you little comfort.
Am I legally required to disclose the password to my electronic device or social media, if CBP asks for it? That’s still an unsettled question. Until it becomes clearer, CBP will continue to ask. Customs officers have the statutory authority “to demand the assistance of any person in making any arrest, search, or seizure authorized by any law enforced or administered by Customs officers, if such assistance may be necessary.”
That includes demanding that you unlock your phone or laptop, applications, reveal your passwords, and more.
Wait. You’re kidding, right? Isn’t this illegal? Aren’t we protected by the Fifth Amendment from divulging our passwords? For now, the courts have not rendered a final decision.
Even if you have court decisions on our side, CBP agents can still use their authority to lean on you to share your password information. How? Because they know you are in a hurry to catch your next flight and get home, or simply be allowed to enter the country. That’s usually all the leverage they need.
If you refuse to give up your passwords, a CBP officer can seize your electronic device for further inspection. Worse, they can hold you up from entering the country and take a deeper dive into your belongings. If you are visiting the U.S. from abroad, you could be turned away at the border. Or if you have a green card, you can be questioned and challenged about your legal status.
Not good. As in, you are totally screwed.
So, what can I do? How can I protect my digital information?
Before traveling in general, especially before you travel outside the U.S., plan ahead. Below are some tips and strategies you can follow:
- Consider which devices you absolutely need for your trip.
- Set a strong password and encrypt your electronic devices. However, you might still lose access to your devices for an undetermined period should Customs agents decide to seize and examine what’s inside.
Another option is to leave all your devices behind and carry a travel-only phone free of most personal information (or what I like to call a “burner” phone). However, even this approach carries risks.
“If you go to extreme measures to protect your data at the border, that itself may raise suspicion with border agents,” said to Sophia Cope, a staff attorney at the Electronic Frontier Foundation. “It’s so hard to tell what a single border agent is going to do.”
Protection starts before you leave. Less is more. Think hard about what digital information you absolutely don’t need on your trip and delete anything unnecessary. Before embarking on your trip abroad, back up everything on your electronic devices to a secure location. You can restore your devices to their original condition once you are home safely.
Lock and load. Set your device’s screen lock to the maximum protective setting. Protection options include:
- Locking your device automatically after a period of inactivity
- Requiring a password to unlock on start-up or awakening from sleep mode
- Disabling fingerprint lock protection
- Limiting the number of attempted password guesses before the device either permanently locks or erases its data
Encrypt your devices. Password protection is not enough. Give serious consideration to using full-disk encryption.
Important: Use passwords, not fingerprint locks. Yes, fingerprint locks are convenient and a highly effective protection if your phone or tablet are either lost or stolen. (Just ask the FBI. They hate it.) But contrary to what you might think, when it comes to Customs inspections, mobile device fingerprint locks such as Apple’s excellent Touch ID offer no legal protection. A Customs agent can demand that you unlock your device with your fingerprint. You have more legal leverage if a Customs agent demands that you give up your passwords than submitting your fingerprint.
Choose a Strong Password. Strong passwords are essential protection. If your device does not have special hardware to limit the number of password guess attempts, Customs agents can crack your encryption using a separate computer to try trillions of guesses very quickly. The EFF recommends not using a password based on a phrase that appears in a dictionary, one that could be predicted by rules (like changing certain letters into digits or punctuation marks), or any password shorter than about a dozen characters.
When it comes to strong passwords, the more characters, the merrier.
There are many ways to create long, unpredictable, yet memorable passwords. One trick is choosing a phrase made of several random words. You may then be able to make up a mental story or mnemonic about these words to help you remember them. The folks at EFF offer guides to creating passwords using a version of Arnold Reinhold’s “Diceware” technique, which you can find at:
- https://ssd.eff.org/en/module/animated-overview-how-make-super-secure- password-using-dice
There are other methods of making long, memorable passphrases based on sentences that you make up and then modify in some way. Using full sentences with spaces that are easy for you to remember are a nightmare for someone else to crack. But don’t pick a phrase that has been published anywhere, such as a sentence in a book or song lyric. Computers are smarter than you think.
For the passwords you use inside your device (as opposed to your device’s master password), a password protection app such as 1Password, Dashlane, or mSecure, is a smart idea. Use unique passwords for every different app and account on your devices, and make sure they are strong and long. Not only can a well-encrypted password application protect against intrusion, many of the best apps can also generate long and complicated passwords. I highly recommend investing in one.
Pick a password you won’t forget. Encrypting your device carries one risk: Nobody, including the computer’s manufacturer, will be able to retrieve your master password if you forget it. You. Will. Be. Permanently. Locked. Out. Remember that. If you must, secure a copy of the master password with a trusted friend or loved one back home. You’ve been warned.
Turn off your devices. Before you walk up to the Customs desk, be sure to shut down your devices. Don’t just put your devices to sleep or in hibernate mode. Turn them OFF. Why? The experts at EFF explain that a complete shut-down helps resist high-tech attacks against device encryption that could extract the secret key or bypass the screen lock on a powered-on device.
Factory reset your tablet or phone. Many devices have a removable memory card, like an SD card, which is used to store photos and other information. Factory reset often does not erase the portable memory card, so you should remove and wipe it separately, or swap it out for a new, blank memory card.
The EFF suggests that if your device offers an account-based cloud sync feature like Apple’s iCloud, you may be able to sync your device before crossing the border, then factory reset it. You can then re-associate the device with your account and re-sync it after crossing the border. That makes for some extra dance steps, but it’s worth it. Make sure that the sync includes all the data that you care about so that you do not lose anything important. The folks at EFF do caution that re-syncing the device may take a long time and require downloading a lot of data. You will need a good internet connection too.
Mail it home. Another workaround is to travel with an external portable hard drive, SSD, USB flash drive, or SD card. Instead of storing your data on your laptop, tablet or phone, use the external drive. Then, before you travel to the United States, ship the device to your home or destination address. That does not guarantee that U.S. Customs can’t or won’t open a FedEx package, but it’s a lot less likely. This is especially important if you plan to travel on business.
Keep it in the cloud. If you need to access important information as you travel, consider backing it up with a cloud storage service. While Dropbox, Google, or Microsoft are popular personal options, if you are really security conscious, consider a company like SpiderOak, which offers highly secure, encrypted storage. If you are traveling abroad on business, talk with your company’s IT and information security administrators about protecting access to their email and data servers when returning to the U.S.
Pro tip: Don’t keep a cloud service app on your device. That’s a rookie mistake because a Customs agent will dig deeper. Instead, access a cloud storage service using a web browser in incognito (private or stealth) mode to prevent an agent from even knowing that you have an account with that company. Be sure to memorize your user ID and password, and don’t store those on your device.
Play dumb. If a Customs agent demands that you disclose your Facebook or Twitter profile name, or especially any cloud storage services you might use, smile, shrug your shoulders, and don’t admit to using them.
Granted, a persistent Customs agent could easily troll Facebook to see if your name comes up. If you worry about controversial things you post might land you in trouble with Customs, keep multiple social media accounts. Only post G-rated adorable kitten and puppy videos with accounts linked to your name, and your more political posts under a nom de plume account.
Cloud services are something you will want to keep a state secret. Leave no telltale breadcrumbs on your device that you even use a cloud service, and don’t admit to this if you get questioned. Customs can’t inspect what they can’t find.
Use Global Entry. While this is no guarantee that a Customs agent won’t pull you aside to inspect your devices, enrolling in the CBP’s Global Entry program can often get you waved through without a second glance. The reason: If you are approved for Global Entry, you will already have been vetted carefully and awarded a Trusted Traveler designation. That and a long line of travelers waiting for Customs can work in your favor. If getting expedited Customs processing isn’t reason enough, increasing the odds that your electronic devices don’t get inspected should be a motivation to spend the time and money to have Global Entry. I highly recommend it.
After your trip. If you feel that Customs agents violated your rights by searching or seizing your digital devices or online accounts, contact EFF at email@example.com. Also, write down everything that happened as soon as possible. The folks at EFF are an excellent resource, and their website has a wealth of useful information. Security expert Brian Krebs has an excellent website filled with articles that can make you a smarter traveler.
This is not a fun topic. I offer no guarantees. But an ounce of preparation is worth a pound of cure. No matter what, don’t let the thought of a Customs inspection dissuade you from traveling international travel. The rewards are simply too great.