Protecting Your Data at the U.S. Border

The Trump administration, continuing a disturbing trend that started under the Obama administration, is moving ahead with its policy of "extreme vetting" of visitors and immigrants, including stepping up searches of mobile devices and online accounts at the border. Searches of mobile devices increased five-fold in 2016 vs. 2015, from 5,000 to 25,000, and February 2017 alone (just after Trump's inauguration) saw more searches than all of 2015 combined, per CBP stats released earlier this year.

While the number of searches are still a small fraction of total border traffic, policy changes, emboldened border agents who have significant leeway and discretion, and forensic technology that's getting faster and smarter will only drive these figures up. The writing is on the wall. Since search and seizure laws generally don't apply at the border, device searches are a convenient front door for governments to access your data; no need to serve a warrant to Facebook if you can just make someone give up their password.

To be clear, the searches have been happening to citizens and visitors alike. If you think this doesn't apply to you because you have a US passport, think again.

"I have nothing to hide."

If you're selected for secondary screening and asked to unlock your device, the agent doesn't stand in front of you and thumb through your email, looking for anything suspicious. Instead, your device leaves the room for some time, typically 30 minutes to an hour, during which forensic software captures, analyzes, and retains every bit of information on it.

cellebrite.jpg

Modern forensics tools, like the Cellebrite device shown above, can extract bit-for-bit every single piece of data on your unlocked smartphone in very little time; even, in some cases, data you've deleted. To a border agent armed with these tools, an unlocked phone is a gateway into your entire world. Everything you've ever written, everything anyone's written to you (or shared where you can see it), every photo you've taken, everywhere you've been, everyone you've talked to, everything you've Googled, everything you've looked at online, every account in your name potentially -- it's all exposed when you cough up your PIN or passwords.

Once extracted, your data is analyzed and linked to other existing data from other travelers or bought from third parties. You can see where this is going, and the possibilities are endless for how this information can be used in the future, as there are virtually no concrete rules on the books as to how this data is stored, who gets to see it, or how long it's kept.

Many people also use personal devices for work in some capacity, such as checking company email from a personal smartphone or using services like Dropbox to work on documents from home occasionally. Depending on your profession, a search of your personal device at the border could cause serious repercussions in your work life. If you're a doctor, you may inadvertently leak medical information pertaining to your patients. If you're a lawyer, you may be violating attorney-client privilege by having your files and communications copied and retained by the government. If you work in financial services, you may be exposing account information on your clients. In many cases you could end up having to disclose a breach to your clients -- an embarrassing, time-consuming, and potentially very expensive process.

On the off-chance you still think you have nothing to hide, consider this: what about your family or friends? Do they have anything to hide? Government systems are far from impenetrable, and we've seen that organizations like Wikileaks will indiscriminately publish reams of personal data on the internet without regard for relevance or public interest. Imagine this kind of data for millions of travelers getting dumped online and made searchable by anyone. That might have seemed far-fetched a decade ago; today, it's more when than if.

The steps you should take before you travel will depend on a variety of factors: where you work, where you're going, what your online habits are, and so on. The recommendations below are intended to get you closer to can't, and away from won't. Refusing a border agent's request to search your device is a poor choice, and so is lying. Focus on putting yourself in a position where you can't give access to something you don't have or know, and be prepared to explain why that's the case.

Disclaimer: I'm not a lawyer, so I can't give advice about your rights or what you should/should not do or say, but I can explain the technical side of this issue and provide general options that anyone can use. You accept full responsibility for using any of this information.

Use Burners

The most important step you can take has long been conventional wisdom for business travelers heading to places like China, where there's no expectation of digital privacy or security: use dedicated travel devices, or "burners", and leave your regular phone and laptop at home.

You have plenty of options for sourcing burner devices. Personally, I use an old MacBook Air and iPhone 5, both of which are a few generations old but still work fine for light use. Selecting a burner will depend on what you'll need to do while you're away, but you can likely cover all your bases with a budget of around $500. A few options:

  • An old iPhone/Android that's been neglected since you upgraded (you probably have one sitting in a drawer somewhere), or a refurbished model. Charge it up, update it, and contact your cellular carrier to ask about a pre-paid plan for voice and data that includes international roaming.
  • For most of my clients, their "work" while traveling consists almost entirely of email and maybe some occasional web app usage, such as Office 365 or Dropbox. If that describes you, iPads and Chromebooks are great options to replace your laptop while traveling. Refurbished iPads can be found for as little as $200 on Apple's clearance store, and can be paired with keyboard covers. Check out The Wirecutter's guide to Chromebooks too.
  • If you need a full-blown Windows PC while traveling, ask your company's IT department if they have any older models that have been cycled out of production and can be repurposed for limited use (it should run Windows 10 Pro and have a TPM chip, so it can be encrypted with BitLocker). Refurbished Microsoft Surface tablets are a good choice, too.

Encrypt, Sign Out, and Power Off

This actually applies to any devices you own, including your burners. Always enable full-disk encryption (screensaver/login passwords will not cut it):

Before going through customs (or really before any encounter with law enforcement in your day-to-day life), sign out of any apps or logged in sessions (i.e. completely clear your browser cookies and history) and power off your devices. Not sleep or standby -- completely shut them down, and power them back on only after you cross.

Enable Two-Factor Authentication (2FA) and Change Your Passwords

Again, this applies to your day-to-day life as well, not just in this context. Enabling two-factor authentication is the single most important step you can take to protect yourself against online fraud.

2FA is a process in which you log into an account using your usual credentials (username and password), but you're also prompted for a one-time-use "token", typically delivered by text message or iPhone/Android app. So even if someone has the right username and password combination, if they don't have physical possession of the phone or app that generates the token, they can't log in.

Virtually every name-brand online service out there offers 2FA for free. Here are a few the major ones:

If you're traveling with your burners and you've left your primary phone at home with your spouse or friend, and a border agent asks for your email password, you can disclose it without giving up access to the account, as the 2FA token will be sent to a device you don't have with you.

While setting up 2FA, you'll be asked for a recovery email (in case you lose your phone and can't get the token). Set this to an account not in your name, like a close friend or family member's email.

Also, your account passwords should be unique. Don't show up at the border and give up the password you use for everything, because it will be saved by the border agent and attached to your file for future use. Password management will be covered in a future post, but for now, start using 1Password to effortlessly keep track of your accounts and stop reusing the same password for everything.

Update 5/23: 1Password just announced 'Travel Mode', which is a perfect way to travel with only the credentials you need while maintaining strong security standards.

Stay Calm and Be Honest

If you're selected for secondary screening and asked to give up your PIN or passwords, the worst thing you can do is escalate the situation. Stay calm and be prepared to explain why you can't do what they're asking -- for example, that your company IT policies/professional obligations to clients or patients/etc forbid traveling internationally with sensitive data -- not that you won't.

If you've taken the necessary steps before you left home, it'll be much easier to get through an uncomfortable situation with your privacy intact.