This article originally appeared in TidBITS on 2017-04-14 at 11:13 a.m.
The permanent URL for this article is: http://tidbits.com/article/17173
Include images: Off

Getting Your Devices and Data Over the U.S. Border

by Geoff Duncan

Many travelers have had the experience of showing documents and answering questions while crossing an international border. But these days most of us carry smartphones, tablets, and computers that can contain or access tremendous portions of our daily lives.

Sure, some data is innocuous, like snapshots of yesterday’s lunch or last week’s sports scores. But some of it can be deeply sensitive, including banking and financial information, medical histories, dossiers of our friends and acquaintances, private conversations — even records of where we have been.

As tensions rise over border and immigration issues (think walls, immigration bans, and terror threats), and as we become more dependent on our devices, demands to examine the contents of digital devices are becoming more common at the U.S. border and other border crossings around the world.

What would you do if a border agent wanted you to unlock your device? Or if they demanded passwords to your social media, email, or banking services?

If these questions give you even a moment’s pause, it’s best to give some thought to crossing into the United States before you actually get there.

What Can Border Agents Do? -- Contrary to some popular opinion, the U.S. Constitution does apply at U.S. border crossings, so U.S. citizens have rights of free speech and association, freedom from unreasonable searches and seizures, and freedom from forced self-incrimination.

However, U.S. border agents also have broader powers than U.S. police officers, including the ability to conduct warrantless searches of vehicles, luggage, and other possessions. Put another way: in the United States a police officer can’t pull you over, then search and disassemble your car unless they have probable cause and a warrant approved by a judge. However, a border officer can, no warrant needed.

U.S. border agents have these extended capabilities because courts have held the government’s interest in maintaining border integrity is more important than an individual’s privacy. In legal terms, these extended searches are considered “routine,” and are meant to enable border agents to enforce trade and import laws, to prevent dangerous people from entering the country, and to ensure entrants are authorized and properly documented.

It’s absolutely within a border agent’s purview to inspect the physical aspects of any device you are carrying, whether that is a phone, tablet, laptop, camera, or any other digital gear. This includes not just inspecting its case and controls, but also removing batteries, memory, storage, and other components.

Moreover, Customs and Border Protection (CBP) directives grant border agents the authority to examine any information “encountered” on devices [1]. That can mean flipping through pictures on your digital camera, and (if the device is unlocked) swiping through your phone and its apps, and poking around your computer.

Many travelers are perfectly OK with this. For instance, if a border agent wants to flip through my terrible pictures (Look, a blurry thumb!) or the massive list of blocked numbers on my iPhone, I don’t particularly care: I’m nowhere near as dependent on devices as many people, and I don’t really use social media.

But my computer often contains encrypted, confidential data belonging to my clients. If border agents wanted to look through that, I might have a legal obligation to refuse. Plenty of people — especially folks like doctors, attorneys, and journalists — would be very uncomfortable with border agents flipping through patient records, correspondence, photos, financial information, and more.

Turn Off, Turn Down, or Turn a Blind Eye? -- So, if you don’t want U.S. border agents going through your devices, the solution might seem easy: lock them or turn them off! That way, border agents won’t “encounter” any information during their inspections, right?

That’s true. But now imagine a border agent asks you to activate or unlock the device, or provide a code or password to do so? It’s surprisingly common. Maybe the agent wants your Facebook or Twitter password so they can examine everything about your social media presence, not just what’s public. Maybe they want your passwords to WhatsApp, iCloud, Dropbox, or your bank. Maybe these aren’t requests: maybe they’re orders.

Now things get tricky.

Requests, Orders, and Consent -- You can refuse to disclose passwords or unlock devices. The border agent might say “OK,” and move on to the next part of their inspection. Or, the agent may insist, perhaps suggesting that unlocking devices is in your best interest. If you unlock a device, that may constitute legal consent to being searched. With consent, border agents may search nearly any aspect of a person or their property.

If you refuse a request, border agents can escalate to an order. Agents are sometimes ambiguous about the distinction between a request and an order because implicit consent to a request gives them better legal footing. If in doubt, ask.

You can refuse an order to disclose passwords or unlock or activate devices, but border agents can seize your devices. How long can you go without your phone, computer, and the information they contain? Can you afford to replace them? Agents can also escalate the engagement to include additional officials or even detain you.

Once border agents have a device, they can copy its contents and share the data with other agencies or third parties for interpretation or forensic analysis. If the device is not unlocked, they may attempt to copy and store its data anyway, even if it’s encrypted. After all, if the government gets a password (or has/finds/buys a loophole or flaw in the software protecting the data), they may be able to decrypt it anyway. Same with any encrypted data on an unlocked device.

How long can the government hold on to data or devices? Generally, the CBP is supposed to destroy copies of data and return seized devices within five days, but retention of both can be extended almost indefinitely. Additional data about travelers and searches entered into a system called TECS — formerly known as the Treasury Enforcement Communications System — can be retained as long as 75 years [3]. This may include passwords and other credentials [4] revealed to disclosed agents.

How to Protect Your Data -- If for any reason you don’t want to be put in the position of disclosing your entire digital life to U.S. border agents, you need to plan ahead. If you’re already in line at a border crossing and suddenly decide you want to protect your data, it’s too late.

First, assess your risks, perhaps by making a list of potential problems if your devices were seized or information on them was accessed (and potentially copied and shared) by border officials. For instance, if you rely on your iPhone to manage your boarding passes, lodging, and car rentals — or perhaps use Apple Pay while traveling — having your phone seized by border agents could present a major problem for the rest of your trip.

Worse, if you’re a physician traveling with patient records, an attorney with confidential documents, or a journalist with sensitive information, having the government leaf through your data could represent a huge professional and ethical problem.

Honestly, for most people, the risk analysis stops here. Even people who are tremendously reliant on their smartphones, devices, and social media rarely do anything sensitive. Sure, we might not want border agents reading text messages to our friends and relatives, but it’s not really a privacy disaster if they flip through selfies or uncover a group chat planning a surprise party for the grandparents.

However, if you feel the risks are significant — perhaps you’re party to a high-profile lawsuit, planning a divorce, work with classified information, have data on your device that is legal but perhaps controversial, or have legitimate worries about your status in the current political climate — you can take some steps to protect your data.

If Your Devices or Information Are Taken… -- If border agents seize your devices, politely insist on a property receipt. If you feel you are being mistreated by border agents or your rights are being violated, politely ask for their names, badge numbers, and agencies of the officers you encounter. Do not be rude, aggressive, or belligerent: it will never work in your favor. Also do not physically interfere with border agents: they can respond with physical force.

Want To Know More? -- This article is just an overview of some issues involved with crossing the United States border with your personal data. Furthermore, I am not a lawyer, so this article should not be construed as legal advice!

Fortunately, there are more-extensive guides to these topics written by real lawyers. If this topic is of particular interest to you, I recommend them highly:

Plus, many of the legal issues surrounding what border agents may and may not search on devices at the U.S. border are still poorly defined, with cases still working their way through courts, and members of Congress introducing potential legislation [10] that would require a warrant before searching digital devices.

The situation is complicated and getting more so all the time. But if you’re at all concerned about the privacy of your data while crossing the U.S. border, it’s best to be prepared before you show your passport or identification.

Will these device searches cause you to change your behavior when traveling? Let us know in our informal Twitter poll [11], which is open until 25 April 2017. So far, the overwhelming majority have said, yes, it will cause them to act differently.

[1]: https://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdf
[2]: https://www.law.cornell.edu/uscode/text/18/1001
[3]: https://www.federalregister.gov/documents/2008/12/19/E8-29807/privacy-act-of-1974-us-customs-and-border-protection-011-tecs-system-of-records-notice
[4]: https://www.theatlantic.com/technology/archive/2017/02/border-agents-personal-information/517962/
[5]: http://tid.bl.it/tco-filevault-tidbits
[6]: http://tid.bl.it/tco-passwords-tidbits
[7]: https://www.aclu.org/blog/free-future/can-border-agents-search-your-electronic-devices-its-complicated
[8]: https://www.aclu.org/know-your-rights/what-do-when-encountering-law-enforcement-airports-and-other-ports-entry-us
[9]: https://www.eff.org/wp/digital-privacy-us-border-2017
[10]: https://www.wyden.senate.gov/download/?id=9CDE0A37-24DD-4D05-B199-C7E160CAA088
[11]: https://twitter.com/TidBITS/status/854736282249035776