Author: Andy Greenberg. Andy Greenberg Security
Nick Veasey/Getty Images
When Ryan Lackey travels to a country like Russia or China, he takes certain precautions: Instead of his usual gear, the Seattle-based security researcher and founder of a stealth security startup brings a locked-down Chromebook and an iPhone SE that’s set up to sync with a separate, non-sensitive Apple account. He wipes both before every trip, and loads only the minimum data he’ll need. Lackey goes so far as to keep separate travel sets for each country, so that he can forensically analyze the devices when he gets home to check for signs of each country’s tampering.
Now, Lackey says, the countries that warrant that paranoid approach to travel might include not just Russia and China, but the United States, too—if not for Americans like him, than for anyone with a foreign passport who might come under the increasingly draconian and unpredictable scrutiny of the US Customs and Border Protection agency. “All of this applies to America more than it has in the past,” says Lackey. “If I thought I were likely to be a targeted person, I would go through this same level of protection.”
In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts. And newly sworn-in Department of Homeland Security Secretary John Kelly told Congress earlier this week that the agency is considering requiring foreign travelers from seven Muslim-majority countries to hand over their social media passwords or be refused entry.
“Requesting passwords is just beyond the pale,” says Wessler. He points out that the practice doesn’t just affect individual travelers, but everyone they’ve communicated with, potentially reducing the overall trust and security of social media in general. “If this were to go forward, it would risk really wreaking havoc with tourism and business travel to the US. What traveler is going to want to lay bare every intimate detail of their social media history, exposing years of their lives?”
In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.
As those intrusions become more common and aggressive in the Trump era, WIRED has assembled the following advice from legal and security experts to preserve your digital privacy while crossing American borders. But take all of these strategies with caution: Given CBP’s unpredictable and in many areas undocumented practices, none of the experts WIRED spoke to claimed to have a privacy panacea for the American border.
Lock Down Devices
If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.
Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too, since it requires a PIN rather than a fingerprint when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with a finger instead of a PIN—a real concern given that green card holders are required to offer their fingerprints with every border crossing.
Keep Passwords Secret
This is the tricky part. American citizens can’t be deported for refusing to give up an encryption or social media password, says the ACLU’s Wessler. That means if you stand your ground and don’t reveal passwords or PINs, you may be detained and your devices confiscated—even sent off to a forensic facility—but you’ll eventually get through with your privacy far more intact than if you divulge secrets. “They can seize your device, even for months while they try to break into it,” says Wessler. “But you’re going to get home.”
Be warned, however, that denying customs officials access can at the very least lead to hours of uncertain detention in a bleak, windowless CBP office. And for visa and even green card holders, the right to enter the US is far less clear. “If they truly want to come into America, then they’ll cooperate,” DHS secretary Kelly told Congress last Tuesday. “If not, you know, next in line.” If the DHS does adopt that hardline policy of privacy invasion, it could leave non-citizens without easy answers.
Before going into customs, alert a lawyer or a loved one who can contact a lawyer, and contact them again when you get out. If you are detained, you may not be able to access your devices or otherwise have the opportunity to reach the outside world. And in the worst case scenario of a lengthy detention, you’ll want someone advocating for your release and legal representation.
Make a Travel Kit
For the most vulnerable travelers, the best way to keeping customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.
Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.
Deny Yourself Access
Better than telling customs officials that you won’t offer access to your accounts, says security researcher and forensics expert Jonathan Zdziarski, is to tell them you can’t. One somewhat extreme method he suggests is to set up two-factor authentication for your sensitive accounts, so that accessing them requires entering not only a password but a code sent to your phone via text message. Then, before you cross the border, make sure you don’t have the SIM card that allows you—or customs officials—to receive that text message, essentially denying yourself the ability to cooperate with agents even if you wanted to. Zdziarski suggests mailing yourself the SIM card, or destroying it and then recovering the accounts with backup codes you leave at home (for American residents) or keep in an encrypted account online. “If you ditch your SIM before you approach the border, you can give them any password you want and they won’t be able to get access,” Zdziarski says. He cautions, however, that he’s never tested that know-nothing strategy in the face of angry CBP agents.
Those more involved subversion techniques, warns University of California at Davis law professor Elizabeth Joh, also create the risk that you’ll also arouse more suspicion, making CBP agents all the more likely to detain you or deny entrance to the country. But she has no better answer. “There’s not that much you can do when you cross the border in terms of the government’s power,” she admits.
‘There’s still no good set of protections for a portal into your private life.’ Elizabeth Joh, UC-Davis Law Professor
In fact, the issue of privacy rights for digital devices at the border remains troublingly unsettled, Joh says. While the Supreme Court decision in Riley vs. California in 2014 declared warrantless searches of devices at the time of arrest unconstitutional, no case has set such a precedent for the American border—much less for non-Americans seeking those same privacy rights.
Until such a precedent is set, that border zone will remain in a kind of legal limbo. The government has the power to open bags crossing into its territory or even dismantle cars to search for contraband, she points out. “What does that mean in an age when people bring their digital devices across borders? The Supreme Court hasn’t spoken to that issue,” Joh says. “The real problem here is there’s still no good set of protections for a portal into your private life.”