Border agents have ample powers to look for people crossing borders, including their phones and laptops. But there are ways to protect data when crossing international borders if we understand technology and the law.
Crossing an international border is often a stressful experience. It becomes even more stressful if you are put aside for further checks. Edge searches, including telephone searches and searches on laptops, have become more common in recent years, particularly in the United States. There, searches for electronic devices have gone from 8,503 in 2015 to 30,200 in 2017. But the United States is not the only country where your device can be searched, seized or analyzed at the border. The United Kingdom, Canada and many states with even weaker privacy protections (Israel, Turkey, etc.) allow similar research.
But what if you do not want to give up the right to privacy and data security just because you travel? Even if the law does not make it easier for you to keep your data safe, that does not mean you have to make it easy for border guards too. This article explores issues related to data privacy at the border, including what border police can or can not do and measures that can be taken to minimize risks. Most of the information here concerns data protection at the US border because device searches are widespread, invasive and formalized in agency policy (and therefore easier to analyze). But many of the same principles apply to cross any international border.
In general, if you are a citizen of the country where you are trying to enter, you will not be denied access for refusing to allow agents to search your device. But your device can be taken and you can be held for hours or days. If you are not a citizen of the country you wish to enter, you may be denied access to refuse to search for a device.
Border police are authorized to search for your devices
US Customs and Protection Agents (CBPs) are responsible for enforcing immigration laws and preventing criminal entry. So far, the courts have ruled that it is allowed to search the devices for any reason or without reason. You may be flagged to search for a device because there is something wrong with your travel documents, your name is in an ordering force database, or you have simply been chosen for random searching.
There are two levels of research, based on the CBP policy on device searches. A basic search is a simple inspection of your data, including your apps, photos, chats and other files. An advanced search involves the use of external equipment to access files (including deleted data), copy data and analyze them. CBP agents must have a reasonable suspicion of a crime or violation, or a national security problem, and the supervisor's approval.
Agents can also "hold" the device for a "reasonable period of time" while extracting data, copying it, or attempting to break passwords or encryption.
How to protect your data at the border
You have to weigh the practical risks when you decide whether to resist the search for a device, because doing so risks aggravating the situation. For non-citizens, including permanent residents, the risks are greater: they could be denied entry. For citizens, you can not deny entry (in the vast majority of countries), but you can be held back, which is stressful and could mean the lack of connecting flight. You may even be forced to give up your device for days.
But if you decide to take steps to protect your data at the border, despite the risks, it requires some early planning. Below is a list of things to keep in mind when preparing for an international trip. The security measures you eventually decide to take will require you to weigh your risk tolerance against your desire to assert your right to privacy.
Be polite and do not lie
The most important thing to keep in mind when dealing with the forces of order is that they have the power to restrain you, to accuse you of a crime and even to physically submit you. Lying for the forces of order is a crime in most countries, so you need to avoid making false or misleading statements. Electronic Frontier Foundation (EFF) also advises you not to try technical tricks (such as using a second password that unlocks a fictitious user account, masking data, etc.) which could be considered liars. Be calm and polite, but assertive.
Delete apps and data from your device
The only safe way to protect data from a border agent is to delete it from your device. We recommend using the erasing software that completely deletes data so that it can not be restored later. Be sure to back up your data first using a secure cloud backup (or using an external storage device that does not travel with you).
In the United States, border agents are only allowed to access data on the device itself, not cloud data. Therefore, to avoid inadvertently accessing remote data, you need to ask you to set up your device in airplane mode (or they could do it yourself in some circumstances). However, many apps keep data cached in the clear. Therefore, you may wish to consider temporarily deleting these apps or deleting their data.
Note: Border agents may find it suspicious if you present them with a device without data or app on it. This, in turn, can give them the justification for confiscating your device, marking your name for future projections of borders or denying access to the country.
Turn off the device
Most devices use high security settings after being turned off, such as hard disk encryption or requesting a password to be unlocked instead of a fingerprint or face recognition. Turning off the device before arriving at border security will make data access more difficult if you decide not to provide them with the password.
The decision to give up your passwords
The CBP policy states that agents are allowed to request passwords for their device and for password-protected apps, and "travelers are forced" to help agents search for their devices. If you decline your request to give up your passwords, agents can confiscate your device to try to intrude or contact their lawyers to force them legally to provide them with their password. And you could be detained (if you're a citizen) or expelled from the country (if you're not).
If you are a lawyer, you can invoke the attorney-client privilege, which triggers a series of procedures to try and separate the privileged data from the rest of the search. Other people carrying sensitive data, such as journalists or doctors, can also notify officers because they have a special obligation to protect their data, but it may not work.
If the agents orderto give them your password, you may have no choice but to respect. But according to the American Bar Association, you should declare that you do not consent to the research, which may leave the door open for you to pursue the legal appeal in the future.
Encrypt your device
Typically, the password entered to unlock the device limits access to unencrypted data. This will not prevent border agents from accessing your data using forensic tools. The use of full disk encryption, however, can block access on the condition that they do not learn the decryption password.
Write down everything
If border agents try to search on your phone or laptop, you should write down everything you remember from the experience. Get their names, badge numbers and agencies. This information will be useful later if you decide to file a complaint or a case. The EFF can offer you assistance if you believe your rights have been violated.
Protect your ProtonMail account
If you are worried about border agents reading your ProtonMail emails, we recommend that you delete the ProtonMail app from your phone or tablet before you arrive at the checkpoint and disconnect from your account in the web browser. If you use ProtonMail Bridge, delete your folders containing ProtonMail emails. You can easily resynchronize them with your email client later.
Dealing with border agents is always stressful. Addressing them on your right to privacy can make the experience even more excruciating, not to mention inconvenient. At ProtonMail, we believe that your right to privacy should not be violated just because you are crossing a border. In our guide for journalists you can get more information on privacy and data security, which contains useful tips and links to other resources.
The ProtonMail team
Here you can get a secure e-mail account protected by ProtonMail.
We also provide a free VPN service to protect your privacy.
ProtonMail and ProtonVPN are financed by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!