International travellers might know US. Customs and Border Protection (CBP) can scroll through your phone in a “random search”.
But new details paint a picture of broad and messy data collection that puts your privacy at risk.
Data copied from devices at entry points into the US – including airports and border crossings – gets saved for 15 years in a database searchable by thousands of CBP employees without a warrant, The Washington Post’s Drew Harwell reported this week.
The data includes contacts, call logs, messages and photos from phones, tablets and computers, according to CBP. It could also contain social media posts, medical and financial information, or internet browsing history, according to a report from the New York think tank Brennan Center for Justice.
Senator Ron Wyden (Oregon.) wrote a September 15 letter asking the commissioner of the CBP to stop allowing “indiscriminate rifling through Americans’ private records without suspicion of a crime”.
It was unclear to what extent federal agents could use the copied data because there were few meaningful safeguards, said Saira Hussain, a staff attorney at the privacy rights non-profit Electronic Frontier Foundation.
Hussain has argued in court that CBP’s current data collection practices violated Americans’ constitutional protections. Based on her interviews with search subjects, agents often profiled people from Muslim or Muslim-adjacent communities, she said, but the searches impacted people from “all walks of American life”.
“You don’t have to have committed a felony to want to keep some parts of your life private from meddling government agents,” said Nathan Freed Wessler, the deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union.
“That could be medical diagnoses, mental health struggles, romantic associations, information about our children, you name it.”
A CBP spokesperson said the agency searched devices “in accordance with statutory and regulatory authorities” and that its guidelines made sure each search was “exercised judiciously, responsibly, and consistent with the public trust”.
Not keen on potentially opening your contacts, call logs and messages to thousands of government-employed strangers? Here’s what you can do before hitting customs:
Weigh your risk
Unlike other law enforcement, border authorities don’t need a warrant to search your device. They may conduct a basic search – in which they scroll through your device inspecting texts, photos or anything else they can easily access – even if they don’t suspect you of wrongdoing.
But if an agent suspects you pose a “national security concern,” they can run an advanced search using a digital forensics tool to copy the data from your device.
How you prepare to cross the border with your devices depends on what risks you’re willing to tolerate, said Nathan Freed Wessler, the deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union.
If you’re more worried about agents rifling through your messages and photos in a basic search, removing files from your device would do the trick. If you’re a political dissident, human rights activist, journalist or anyone else looking to avoid government surveillance or overreach, your focus will probably be preventing agents from accessing your device at all.
Know your rights
If you’re an American citizen, you can refuse to unlock your devices for CBP agents and still enter the country. (This might not be clear from the information sheet agents are supposed to give you during the search, which says the process is “mandatory.”)
If you decline to co-operate, CBP can hold onto your device. It says detention generally shouldn’t last longer than five days, but Hussain said she had spoken to people who didn’t get their devices back for months.
Non-citizens, meanwhile, aren’t guaranteed entry if they decline to unlock their devices.
Travel with few devices and turn them off beforehand
The fewer devices you travel with, the fewer opportunities for searches, Wessler said. Consider adopting a separate phone or laptop for travelling, without sensitive data saved.
Power down devices before going through customs. This guards against advanced search tools that might bypass the screen lock on devices left powered on, according to EFF.
Encrypt your data
Encrypted data gets scrambled into a format unreadable to people who don’t have the code – in this case, a password. iOS, Android, Windows and MacOS all come with built-in full device-encryption options.
Most contemporary smartphones are encrypted by default (make sure you lock your device).
Set a strong password
The quickest methods to unlock your device – such as face ID or a weak passcode – are also the least secure. If you decline to unlock your device for a search, CBP might try to unlock it themselves, Wessler said.
A strong password, with both letters and numbers, or a passcode with at least six digits will make this harder.
Turn on airplane mode
CBP guidelines instruct agents to review only the data that’s stored on your device itself – not all the information apps like Facebook and Gmail send to the cloud. If you consent to a search, flipping your device into airplane mode will limit the inspection to what’s saved or cached.
You might choose to move your data to a cloud storage provider – such as iCloud, Google or Microsoft OneDrive – and then wipe or factory reset your device. This would protect your data from a basic visual search.
But be aware: Most methods of file deletion left traces a forensic search would uncover. Furthermore, walking through customs with a blank device could arouse suspicion and make you more likely to become a target, Hussain said.
Hide sensitive data
If you’ve got sensitive photos, messages or other data easily visible on your device, move it somewhere private, such as a hidden or password-protected folder. (I’m begging you not to accidentally show nudes to a customs agent – or anyone else. Here’s how to hide them.)
Consider where you enter the country
Different states have different laws governing what CBP can inspect at US entry points. In Arizona, for example, CBP can search devices without a warrant only if they’re looking for specific digital contraband. If you want to protect your privacy, it might be worth flying into a state with more stringent boundaries for CBP.
The Washington Post