The Register's guide to protecting your data when visiting the US

Summary: You're (mostly) screwed without preparation

Be prepared!

The key to protecting your data when crossing any border is practicing self-defense against surveillance before your trip, Adam Schwartz, senior staff attorney with the EFF's civil liberties team, told El Reg.

Before your trip, work out exactly what you will need for that time period, and bring no more than that. It's now commonplace for businesses to issue clean mobile phones and laptops to staff traveling overseas, and you're advised to do so by the US and UK government when visiting places like China.

Any device that can handle it needs to have full-disk encryption and a strong password. Disable any fingerprint reader and/or wipe the fingerprint pattern recognition files, since a peculiarity of the American Constitution makes fingerprints a lousy security mechanism.

Under the Fifth Amendment, no person can be "compelled in any criminal case to be a witness against himself." Court cases have decided that this means that passwords, because they are in your head, are covered by this. Fingerprints are physical evidence and are not, so you can be compelled to press your digit onto your handheld to unlock it, but not type in your long passcode.

On the encryption side of things, always make sure you power down encrypted devices before you get to the border. Some devices won't fully encrypt the contents of its storage when put in sleep or hibernation mode.

As for phones, it's a good idea to take all apps off the device. If you do give up your password to unlock a device when asked, and you still have software installed and logged into accounts, an agent can just click or tap on your apps to gain full access to your social media and other work or cloud services with no extra security checks. If you do leave your apps on, and hand over access, don't think changing your passwords later will be any protection – it'll be too late by then.

"What you may not realize is that a forensics tool is capable of imaging potentially your entire life from a single access to your account," writes security expert Jonathan Zdziarski in an excellent blog post on the matter.

"Whether it's old iPhone backups sitting on iCloud that can date back years, or your entire Facebook or Skype message history, once an API is wired into a forensics tool, that one moment in time exposes all of your historical data to the border agent."

Also never, ever try to bring pirated content in from overseas. It goes without saying that piracy is bad, and CBP can search devices for ripped material. If they find pirated content on them, you might have your details passed on to the relevant law enforcement office for followup.

"The border search justification is to detect contraband," Schwartz explained. "But the tragedy is that the courts have given the government an inch and they are taking a mile. If they find something suspicious while conducting general investigations, they may pass it on."

So in short, don't bring any data or software or hardware into the country you don't want to surrender to border officials. Bring a clean empty phone, bring a clean empty laptop, and log in your accounts once you're safely through and well past the immigration checkpoint. And use long passwords and passphrases with storage encryption just in case you're stopped at any point after.

If you're worried that carrying an empty phone or hard drive looks suspicious, scatter a few harmless apps and files on them. Make sure you're logged out of your personal accounts. Log into decoy Instagram, Twitter and Gmail accounts that you use purely for travel, in case the worst comes to worst and you're forced to unlock your device.

The golden rule – don't be an idiot

Border patrol work is a thankless but essential job. In 30 years of traveling to and from America, I've found the vast majority of staff to be pleasant and competent, with some epically bad exceptions that were thankfully few and far between.

If you go into a meeting with CBP and are immediately hostile, you can expect things to take a long time. Go in shouting, "Am I being detained?" and you very likely will be, and it won't be pleasant. We're not talking lubricant and a shoulder-length glove unpleasant, but enough to ruin your trip.

When you're being interviewed, be polite and consistent – be aware that anything you say can be recorded and put on file. Lying to a CBP officer almost certainly will turn around and bite you on the ass.

"I never recommend lying to a border agent, no matter what country you're in. Misdirection is also a far better alternative to securing your data," said Zdziarski.

"If, by happenstance, you've set up your security so that you cannot access what they need yourself, this in my opinion is far better than simply telling someone that you don't have a social media account. 'My Twitter account only works from my home computer' is an honest and accurate response, and much better than getting caught in a lie later on about not having a social media account."

Above all, don't panic. If you appear vaguely Middle Eastern or have a Middle Eastern name, expect some questioning at the border, and prepare your devices for seizure.

It pains me to say it, but if you're white, have an English-sounding name, and have no stamps from the Middle East in your passport, you're unlikely to have problems. However, that may not last.

"The drift of federal policy for years has been toward more and more invasion of privacy," Schwartz said. "Since Trump's Executive Order on border issues we've seen a very sharp spike in the quantity and quality of intrusion for international travelers." ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021