Bringing privacy to the Border

[Wilhelm]

The right time to start protecting your digital privacy is before your trip, when you are at home or work and have more time and greater access to information and people who can help you get set up properly.

Please be aware, however, that taking some precautions may attract unwanted attention and scrutiny, even if the precautions otherwise succeed in protecting your information. For example, if detected by a border agent, the fact that you wiped your hard drive may prompt the agent to ask why you did so. Even traveling without devices or data that most travelers typically have could attract suspicion and questions.

One more caveat: in what follows we touch on the technology of privacy protection at a high level. If you would like further information on this topic (such as the challenge of secure deletion), please see Part 3.

Talk to Your Employer
For work-owned devices and those that contain work-related information, talk to your employer about data security before traveling. Some employers have policies and procedures that can help protect both travelers and sensitive data, including from threats beyond searches at the border. CBP agents may be more sympathetic to travelers who truthfully state that the traveler does not have access to data or was prohibited by their employer from granting anyone access to it.

Minimize the Data That You Carry Across the Border
The simplest and most reliable precaution against border searches is to reduce the amount of information that you carry across the border.

Leave Your Devices at Home or Work
If you can leave electronic devices at home or work (or, in some cases, send them separately through the mail6), border agents cannot examine them as part of your entry into the country.

Use a Temporary Device
If you can obtain a device just for travel, you can avoid loading information on it that you do not need for your trip. Many businesses have adopted some form of this approach, both because of border search risks and because of theft and hacking risks that may be heightened during travel. Individuals can do the same.

Mobile phones that use the GSM standard (ubiquitous in most countries) let you switch a SIM card from one phone to another, so you can choose to keep your phone number while using a temporary travel phone. Depending on your priorities, a Chromebook can make a particularly good travel laptop when traveling somewhere with decent Internet access. Several models are available for under $200 as of this writing; they focus on storing most information online and using Google’s cloud services. Chromebooks minimize the data stored on the device itself and are particularly easy to clear or reset.

Shift Content From Devices to Cloud Services
If you move information from your device to cloud services, you can minimize what you will actually have in your possession as you cross the border.

This can be a good approach, but we offer three cautions.

First, storing data in the cloud carries its own risks. For example, border agents and other government officials may try to search your cloud data without your knowledge by dealing directly with the service provider. The good news: such demands are typically subject to greater legal safeguards than a border search.7

Second, border agents may ask you specifically about online accounts. If proposals being floated as of this writing are adopted, they may even ask some travelers for usernames and passwords in order to access the data themselves. Depending on your risk factors, the consequences of saying no can be significant.

Third, it can be difficult to thoroughly delete data from your devices. Even when you think you have “moved” data to the cloud, some of it could still actually be present on your devices. If agents seize your device and subject it to a forensic examination,8 they may recover significant amounts of incompletely deleted data.

Delete Information From Your Devices
If you know you will not need certain information during a trip, you can delete it before crossing the border. If you want to remove all of your data, you can use third-party software or, sometimes, built-in options to “wipe” or “factory reset” a device to a blank or pristine state where no user data is readily accessible. However, border agents may find it suspicious if they realize that you have deleted some or all of your data before crossing the border.

In addition, it can be difficult to delete information securely in a way that leaves no traces. Please see Part 3 for more information on securely wiping your device.

Use Private Browsing Mode
Most browsers offer a private browsing mode. In this mode, the web browser avoids saving browsing history to the hard drive at all. Files are also not saved to the disk cache and so the forensic footprint of things you do online is reduced.9

Private browsing mode is not a way of clearing your browsing history after-the-fact. And clearing your browsing history may still leave the information vulnerable to forensic recovery by CBP officials. Rather, to get this benefit, you have to regularly use private browsing mode whenever you browse the web.

Digital Cameras
Border agents may demand to look through the photos or videos on your cameras or phones. Most cameras do not come with encryption, so there are no convenient technical means that would prevent this kind of inspection.

If you do not want border agents to see your photos or videos, the simplest approach is to delete them or move them to a secured laptop or cloud storage. You should be aware that forensic examination can typically recover deleted photos, unless the storage media has been securely wiped.

Protect What You Carry Over the Border
Whether or not you plan to cooperate with border agents’ demands, you should take two basic precautions: make backups and use encryption. Backups prevent your data from being lost if your device is seized, stolen, or broken—risks that are significantly heightened during international travel. Encryption prevents others from accessing your data in certain scenarios. Even if you are prepared to unlock your devices or provide the passwords, using encryption still prevents your devices from being searched or examined without your knowledge.

Backup Your Data
Travelers should always have backups of their data. Your need to access the backup during your trip may vary, so depending on your situation, you may want to leave a backup at home or at work as a fallback option, or you may want an online backup that can be accessed during your travel. Backups are especially important for password managers as they grant you access to your online accounts. You can make backups of a phone or tablet onto a computer (often over a USB, Thunderbolt, or Firewire cable). You can make backups of a computer onto an external hard drive, or sometimes other media like DVD-R or a home or office file server.

In places with fast Internet access, online backups have become the most popular option for backing up all kinds of devices. They are discussed in Part 3.

Encrypt Your Data
Encryption is an important technology to protect all kinds of data from unauthorized access in all kinds of circumstances. We focus here on encryption of stored data on devices (rather than end-to-end encryption of communications). More details are included in Part 3, including encryption tools that may be available for your device.

People often decide to “set a password” on their device in order to protect their data. This intuition is right, but the details matter significantly. Not all ways of “setting a password” provide the same kind of protection, and many do not involve any encryption at all. For strong data protection, you need to ensure that your password will actually encrypt the hard drive content, rather than only controlling access to the device.

A screen-lock password or user account password is enforced by the operating system code and only controls access to the device. The operating system is configured to ask for the password and will not allow access unless the right one is provided. But the data is still simply present on the hard drive in unencrypted form. Forensic tools can easily bypass such passwords and access the unencrypted hard drive content. CBP, ICE, and other federal law enforcement agencies have staff with training and access to these tools.

By contrast, a password used for storage encryption uses mathematical techniques to scramble the data on the hard drive so it is unintelligible without the right cryptographic key. This mathematical protection works independently of the operating system software. A different device or software program cannot just decide to allow access, because no device or software program can make any sense of the data without the right key.

Fortunately, modern phone, tablet, and computer systems usually come with comparatively easy-to-use “full-disk” storage encryption features that can encrypt the full contents of the device with a password that will be required when the device is first powered on. Using these tools is the most fundamental security precaution for travelers who have sensitive information on their devices and are concerned about losing control of them—not just at a border crossing, but at any point during a trip.

Use Strong Passwords
Strong passwords are critical for encryption. A border agent once accessed a traveler’s digital devices by correctly guessing that the traveler used her birthday as her password.10 Even a random password that’s too short or predictable could be easy for someone to crack by machine, allowing them to decrypt data on a seized device. So you should create a password that is long and unpredictable—but also memorable. One approach is a phrase made of several words randomly selected by a computer or by rolling dice. More information about strong passwords is in Part 3.

Power Off Your Devices
We recommend that you power off all of your devices before you arrive at a border checkpoint. This will resist a variety of high-tech attacks against encryption that only work when a device is already powered on. For some mobile devices, powering off also resets the device to a higher-security state that requires a password to unlock, which may not be true in day-to-day use.

Do Not Rely Solely on Biometric Keys
Many phones and tablets, and some laptops, can be locked with a biometric feature like a fingerprint. While this can be a convenient security precaution, it may not offer the same security and legal benefits as a password that you memorize. Before arriving at the border, make sure that your device requires a password to decrypt, and that your device has been powered off.

Traveling Without Knowledge of Your Passwords
You can arrange not to know information necessary to decrypt your device, including your password. If so, you cannot be compelled to divulge that information. This would provide the highest possible level of protection for devices that you carry across the border. Also, it may provide a disincentive to agents to try to force you to reveal what you do not know. However, it may also cause agents to escalate if they find it suspicious that you are carrying a device you cannot “unlock.”

If you take this approach, you have a few options. For example, you could generate a new random password that is too long for you to remember, change your password to the new one, and then give this password to someone else, send it via a different channel, or store it online where you can only retrieve it once you have Internet access. A variation on this idea is to tell it to a lawyer, so that nobody can retrieve it without getting your lawyer involved.

These approaches are probably most useful to people whose highest priority is protecting their information: while you cannot be forced to unlock a device, border agents may still seize the device or escalate the situation. Again, not knowing your password is very unusual and agents may find it suspicious or difficult to believe. If you choose this approach, you may wish to have some information to substantiate the fact that you really don’t know your password, and recognize that this may still not satisfy the agents.

Do Not Try to Hide Data on Your Devices
Some people have proposed technical means of hiding data on a device so that it is not apparent to a border agent. For example, a “hidden volume” feature may make different data appear depending on which password is entered. Other possible techniques may make searches harder or less fruitful, make data available under some conditions but not others, make data self-delete, or make it less apparent where data is kept, who can access it, or what its nature is.

We appreciate and respect technologists’ efforts to find ways to help travelers protect their data. However, we recommend against using methods that may be, or even appear to be, calculated to deceive or mislead border agents about what data is present on a device. There is a significant risk that border agents could view deliberately hiding data from them as illegal. Lying to border agents can be a serious crime, and the agents may take a very broad view of what constitutes lying.11 We urge travelers to take that risk very seriously.

If you are reluctant to have the government review what you post on social media, you can change your social media privacy settings (at least temporarily) to make your posts not viewable by the general public.

On your devices, you should consider logging out of browsers and apps that give you access to online content, and removing saved login credentials. This may help prevent border agents from reviewing browser and app information that may be cached in your device. You could also temporarily uninstall mobile apps, and clear browser history, so that it is not immediately apparent which online services you use.12

Note that while certain messaging apps provide end-to-end encryption, if a border agent has access to your app, they will be able to see your cached messages in plain text within the app itself.

When You Are at the Border
The hardest part of protecting your privacy at the border is deciding how to respond if a border agent demands that you help them invade your digital privacy.

If you are a U.S. citizen, border agents cannot stop you from entering the country, even if you refuse to unlock your device, provide your device password, or disclose your social media information. However, agents may escalate the encounter if you refuse. For example, agents may seize your devices, ask you intrusive questions, search your bags more intensively, or increase by many hours the length of detention. If you are a lawful permanent resident, agents may raise complicated questions about your continued status as a resident. If you are a foreign visitor, agents may deny you entry.

Unjustified escalation may violate the law and, as discussed in the next section, you may have some recourse after you exit. However, some travelers may want to avoid any risk of escalation if they can.

What to Expect
When you arrive at the border, agents may seek access to your device by demanding that you type in your password, tell them your password, or (if you use a fingerprint key) press your finger to the sensor. This will give the agents access to information you store on your device. Border agents may also ask you to disclose your social media identifiers, which would allow them to scrutinize your public social media content, even if they do not have access to your devices. If proposals being floated as of this writing are adopted, border agents may ask for your social media login credentials (usernames and passwords), which would allow them to scrutinize your private social media content.

Basic Rules for Everyone
First, decide how you will respond to border agents’ demands before you arrive at the border. Make this decision holistically, in light of your unique risk assessment factors, along with all of the other before-you-arrive decisions discussed above.

Second, stay calm and respectful. Staying calm will help you make better decisions. Also, if you get emotional or disrespectful, some agents may escalate the encounter. CBP, in turn, pledges to treat travelers with “courtesy, dignity and respect.”13

Third, do not lie to a border agent. It is a crime to make a false statement to a law enforcement official who is asking you questions as part of their job.14

Fourth, do not physically interfere with a border agent. This includes complying with demands to open your luggage or hand over your digital devices. Border agents may legally inspect the physical aspects of a device—for example, the battery compartment or inside a case—to ensure that it does not contain contraband such as drugs or explosives.15 If you do physically interfere, border agents may respond with physical force.

Fifth, if you have any problems, try to document the names, badge numbers, and agencies of the officers you interact with at the border. If you decide later to file a complaint about the way the officers treated you, it will be easier to do so if you know who they were. Also, if officers seize your digital devices, politely demand a property receipt (Customs Form 6051D).

Try to Avoid Implicit “Consent”
Law enforcement officials often try to persuade civilians to consent to searches. Once the civilian consents, it can be harder to challenge the search in court.

Sometimes law enforcement officials achieve so-called “consent” by being vague about whether they are asking or ordering a civilian to do something. You can try to dispel this ambiguity by inquiring whether border agents are asking you or ordering you to unlock your device, provide your device password, or disclose your social media information. If an agent says it is a request only, you might politely but firmly decline to comply with the request.

What Could Happen When You Comply With an Order
If you do comply with an order to unlock your device, provide your device password, or disclose your social media information, several things may occur.

Border agents may scrutinize all of the content stored in your device, manually or with powerful forensic software.
Border agents may copy and store all of this content for their later use.16
If you later bring a legal challenge to the search of your device, the government may defend its actions by saying you consented to the search.
If You Comply With an Order, Should You State That It Is Under Protest?
If you elect to comply with a border agent’s order to unlock your device, provide your password, or disclose your social media information, you can inform the agent that you are complying under protest and that you do not consent. If you later assert a legal challenge, this may help you defeat the government’s claim that you consented to the search.

What Could Happen if You Refuse to Comply With an Order?
If you refuse to comply with an order to unlock your device, provide your password, or disclose your social media information, several things may occur.

The border agent may escalate the encounter.
Border agents may seize your devices. Then CBP and ICE agents may attempt to access your digital data without your assistance. Even if they cannot decrypt your devices, they may be able to copy the encrypted contents of your devices. If they later obtain your passwords, or find vulnerabilities in the encryption, they may be able to decrypt their copies. The government’s scrutiny of your devices may take months. During this time, you may need to purchase replacement devices, and you will not have access to the information on the devices.
You may be flagged for heightened screening whenever you cross the U.S. border in the future.
The border agent may let you pass through without further interference.
Should You Attempt to Persuade the Agents to Withdraw Their Order?
Some travelers may attempt to avoid this no-win dilemma by trying to persuade the border agent to withdraw their demand to unlock a device, provide a device password, or disclose social media information. For example, the traveler may object that the information is especially sensitive, such as attorney-client correspondence or journalistic sources. Likewise, the traveler may object that the devices belong to their employer, and that the agent should speak to their employer’s lawyers if they want to search the devices.

This tactic may work for some travelers. But it carries risks. For example, it may induce a conversation with the agent about the contents of your device, which carries the risk that you will make statements against your interests.

After You Leave the Border
If you believe that border agents violated your digital rights at the border, please contact EFF at [email protected].

Make a Record of What Happened
If you are unhappy with how border agents treated you, then you should write down everything you remember about the event as soon as you can. This may help you later if you choose to challenge the agents’ actions. You should also try to identify witnesses.

You may also want to ask the government for its written records about you and your encounter at the border. Anyone can do this with the Freedom of Information Act.17 U.S. citizens and legal permanent residents also can do this with the Privacy Act.18

The CBP and ICE websites for records requests are:

https://www.cbp.gov/site-policy-notices/foia
https://www.ice.gov/foia/request
Change Your Passwords and Login Credentials
If you gave your device passwords or account login credentials to a border agent, then the government has continuing power over your digital information. For example, there are reports that CBP agents store device passwords for use the next time a traveler crosses the border.19 If you aren’t comfortable with that continuing power, you should change your passwords and credentials.

Government Offices That May Help You
You may wish to file a complaint with, or seek help from, the government. However, you would benefit from speaking with a lawyer before doing so, especially if it is possible that you will file a lawsuit about your experience at the border.

You can file a complaint with CBP:
https://help.cbp.gov/app/forms/complaint

You can file a complaint with DHS’s Office of Civil Rights and Civil Liberties:
https://www.dhs.gov/file-civil-rights-complaint

If border agents have repeatedly referred you to secondary screening over the course of several international trips, and you think you may be on a government watchlist or misidentified as someone else who is listed, you can seek help from DHS’s Traveler Redress Inquiry Program (TRIP):
https://www.dhs.gov/dhs-trip

In this section we address the legal framework that allows, and limits, border searches and seizures. The law in this area is evolving and adapting, imperfectly, to technological changes, creating uncertainty for travelers and government agents alike. EFF is fighting in the courts and in legislatures to resolve that uncertainty and ensure that travelers can count on strong protections for their digital rights at the border.20

This primer provides general information only. When in doubt, you should consult with a lawyer.

The Law of Border Searches and Seizures
As a general principle, government agents at the U.S. border enjoy more power than police officers working in the American interior. Most of the time, border agents exercise these powers on travelers arriving in the United States, but they sometimes apply them to travelers leaving the United States as well.

However, the U.S. border is not a Constitution-free zone. The powers of border agents are tempered by our Fourth Amendment right to digital privacy, our First Amendment rights to speak and associate privately and to gather the news, our Fifth Amendment right to freedom from self-incrimination, and our Fourteenth Amendment right to freedom from discrimination.

The Fourth Amendment at the Border: Digital Privacy
The Default Constitutional Privacy Rule
The Fourth Amendment to the U.S. Constitution is the primary protector of individual privacy against government intrusion. The Fourth Amendment prohibits “unreasonable” searches and seizures by the government.21 The default rule to ensure that a search or seizure is reasonable is that law enforcement officials must first obtain a “probable cause” warrant.22 This means that the officer must present preliminary evidence to a judge that shows that the thing to be searched or seized likely contains evidence of illegal activity.

The Border Search Exception
The Supreme Court has interpreted the Fourth Amendment to include a “border search exception” to the standard warrant and probable cause requirements. The Court has held that the government has an interest in protecting the “integrity of the border”23 by enforcing the immigration and customs laws.24

For “routine” searches, such as those of luggage and other common possessions presented at the border, the Supreme Court concluded that this specific governmental interest outweighs an individual’s privacy interests. The Court presumes that warrantless and suspicionless border searches are critical to:

Ensuring that travelers entering the U.S. have proper authorization and documentation;
Enforcing the laws regulating the importation of goods into the U.S., including duty requirements;
Preventing the entry of harmful people (e.g., terrorists) and harmful items (i.e., contraband) such as weapons, drugs, and infested agricultural products.25
In sum, the border search exception provides that “routine” searches at the border do not require a warrant or any individualized suspicion that the thing to be searched contains evidence of illegal activity.26

The Exception to the Exception: “Non-Routine” Searches
The Supreme Court has also recognized that not all border searches are “routine.” Some of them are “highly intrusive” and impact the “dignity and privacy interests” of individuals,27 or are carried out in a “particularly offensive manner.”28 At minimum, such non-routine border searches require that border agents have some level of individualized suspicion about the traveler.

“Individualized suspicion” is a legal term that means that the border agent has a factual reason to believe a specific person is involved in criminal activity.

Thus, for example, the Supreme Court held that disassembling a gas tank is “routine” and so a warrantless and suspicionless search is permitted.29 However, detaining a traveler until they have defecated to see if they are smuggling drugs in their digestive tract is a “non-routine” search that requires “reasonable suspicion” that the traveler is a drug mule.30 Likewise, lower courts have held that body cavity searches and strip searches are “non-routine” and also require reasonable suspicion.31

Border Searches of Digital Devices
Given that digital devices like smartphones and laptops contain highly personal information, are border searches of digital devices “routine?" There is some legal uncertainty at the moment, but we believe the final answer is no.

In U.S. v. Cotterman (2013), the U.S. Court of Appeals for the Ninth Circuit held that border agents need reasonable suspicion of illegal activity (at least within the authority of border agents to investigate) before they could conduct a forensic search, aided by sophisticated software, of the defendant’s laptop. Unfortunately, the court also held that a manual search of a digital device is “routine” and so a warrantless and suspicionless search is “reasonable” under the Fourth Amendment.32

One year later, however, in Riley v. California (2014), the Supreme Court held that the police had to obtain a probable cause warrant to search the cell phone of an individual under arrest. The police had argued that the warrantless and suspicionless cell phone search was permissible as a “search incident to arrest,” the same way it would be possible for the police to search the pockets or wallet of an arrestee for drugs or weapons. In short, the police invoked an exception to the Fourth Amendment similar to the border search exception. Rejecting that argument, the Court held that “a warrant is generally required before such a search, even when a cell phone is seized incident to arrest.”33

No appellate court has yet applied the Riley decision in the border context, but the Supreme Court itself has recognized that the search-incident-to-arrest exception invoked by the government in Riley is similar to the border search exception.34 Thus, we believe that all border searches of digital devices should require a probable cause warrant.

In both the Cotterman and Riley cases, courts stressed the significant privacy interests in all the data modern digital devices contain—call logs, emails, text messages, voicemails, browsing history, calendar entries, contact lists, shopping lists, personal notes, photos and videos, geolocation logs, and other personal files. Digital devices typically cover many years of information and include the most intimidate details of a person’s life. The Supreme Court in Riley rejected the notion that cell phones are the same as physical items: “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon” just because both are “ways of getting from point A to point B.”35

Both courts also raised special concerns about the government accessing cloud content via digital devices. The Ninth Circuit in Cotterman stated:

With the ubiquity of cloud computing, the government’s reach into private data becomes even more problematic. In the “cloud,” a user’s data, including the same kind of highly sensitive data one would have in “papers” at home, is held on remote servers rather than on the device itself. The digital device is a conduit to retrieving information from the cloud, akin to the key to a safe deposit box. Notably, although the virtual “safe deposit box” does not itself cross the border, it may appear as a seamless part of the digital device when presented at the border.36
Similarly, the Supreme Court in Riley stated that using the search incident to arrest exception to justify searching files stored in the cloud “would be like finding a key in a suspect’s pocket and arguing that it allowed law enforcement to unlock and search a house.”37

Therefore, to the extent that border searches of digital devices access cloud data, the privacy interests are even more significant. Given these interests, the border search exception should not apply.38

Interior Checkpoints
Border agents may establish permanent checkpoints on roads that are miles away from the international border, where agents may stop motorists for brief questioning, even in the absence of any individualized suspicion.39 However, border agents at these checkpoints cannot search a car without probable cause.40 Likewise, border agents at these checkpoints should not be able to search a digital device without probable cause.

The First Amendment at the Border: Freedom to Privately Speak, Associate, Acquire Information, and Gather News
When border agents scrutinize the massive volume of sensitive information in our digital devices, they infringe on our First Amendment rights in at least four distinct ways.

First, border searches of digital devices may intrude on the First Amendment right to speak anonymously. This includes the right to use a pseudonymous social media handle.41 Border agents will unmask anonymous speakers by linking the passport-verified identities of travelers to pseudonyms revealed through device searches or disclosure of social media handles.

Second, border searches of digital devices may disclose private membership in expressive associations, like being part of a political group or social club. The First Amendment protects the right to join together with other people to advance a shared message.42 This includes the right to privately participate in an expressive association, for example, in an advocacy organization with a private membership list.43

Third, border searches of digital devices may reveal the private decisions that travelers make to acquire expressive materials, such as books and movies. The First Amendment protects the right to receive information,44 and to do so without telling the government what we are reading and watching.45

Fourth, border searches of digital devices may disclose confidential journalistic sources and work product. This burdens the First Amendment right to freedom of the press, specifically the ability to maintain the integrity and independence of the newsgathering process. The Supreme Court has said that journalists are not “without constitutional rights with respect to the gathering of news or in safeguarding their sources.”46

To protect these First Amendment interests, border agents should be required to get a warrant supported by probable cause before searching digital devices. Indeed, when police officers demand records from booksellers, for example, about the purchases of individual customers, courts have held that an ordinary probable cause warrant is not enough. Instead, the First Amendment requires police to additionally show a compelling need, the exhaustion of less restrictive investigative methods, and a substantial nexus between the information sought and the investigation.47 Obviously, a device search is far more intrusive of First Amendment rights than disclosure of what books a person buys at a single bookseller.

The reason for this protection is simple: government snooping will chill and deter First Amendment activity. Rather than risk border agent examination, many people will refrain from anonymous speech, from private membership in political groups, or from downloading certain reading material. This is especially true for people who belong to unpopular groups, who espouse unpopular opinions, or who read unpopular books. Likewise, confidential sources who provide invaluable information to the public about government or corporate malfeasance may refrain from whistleblowing if they fear journalists cannot protect their identities during border crossings.

Unfortunately some courts have rejected First Amendment challenges to border searches of digital devices.48 Given the increasing amount of sensitive information easily accessible on and through our devices, and the increasing frequency and intensity of border searches of this information, we hope that other courts will rule differently in the future.