How to legally cross a US (or other) border without surrendering your data and passwords

The combination of 2014's Supreme Court decision not to hear Cotterman (where the 9th Circuit held that the data on your devices was subject to suspicionless border-searches, and suggested that you simply not bring any data you don't want stored and shared by US government agencies with you when you cross the border) and Trump's announcement that people entering the USA will be required to give border officers their social media passwords means that a wealth of sensitive data on our devices and in the cloud is now liable to search and retention when we cross into the USA.

On Wired, Andy Greenberg assembles some best-guess advice on the legal and technical strategies you can deploy to maintain the privacy of your sensitive data, based on techniques that security-conscious travelers have arrived at for crossing into authoritarian countries like China and Russia.

The most obvious step is to not carry your data across the border with you in the first place: get a second laptop and phone, load them with a minimal data-set, log out of any services you won't need on your trip and don't bring the passwords for them (or a password locker that accesses them) with you, and delete all logs of cloud-based chat services. I use POP mail, which means that I don't keep any mail on a server or in a cloud, so I could leave all my mail archives at home, inaccessible to me and everyone else while I'm outside of the USA or at the border.

Call your lawyer (or a trusted friend with your lawyer's number) before you cross the border, then call them again when you're released; if they don't hear from you, they can take steps to ensure that you have crossed successfully, or send help if you need it.

One thing Greenberg misses is the necessity of completing a US Customs and Immigration Service Form G-28 before you cross the border. This form authorizes an attorney to visit you if you are detained at the border, but it has to be completed and signed in advance of your crossing. It also should be printed on green paper. The current version of the form expires in 2018, so you can complete it now, file it with your attorney or friend, and leave it until next year.

Remove any fingerprint-based authentication before you cross and replace it with PINs. Greenberg's experts recommend using very strong passwords/PINs to lock your devices. I plan on a different strategy: before my next crossing, I'll change all of these passwords/PINs to 0000 or aaaaaaaa, so that I can easily convey them to US border officials and they can quickly verify that I have no sensitive data on any of my devices. Once I have successfully crossed, I'll change these authentication tokens back to strong versions.

Another thing missing from this advice (possibly because it's viewed as obvious, but I think it bears stating): never, ever lie to border officials. Lots of privacy tools include "plausible deniability" partitions and similar ruses to allow you to log in to what appears to be all the data on your device, but using these to attempt to deceive border guards is radioactively illegal and fantastically stupid. I have never -- and will never -- lie or shade the truth with border officials, because the penalties for lying at the border are generally significantly worse than whatever you're trying to keep to yourself. In the wake of Cotterman, and in the current authoritarian climate, the way to keep a government from using a border-crossing as a basis for acquiring your sensitive data without a warrant is to make sure that you do not possess, and cannot access, your data at a border.

Better than telling customs officials that you won’t offer access to your accounts, says security researcher and forensics expert Jonathan Zdziarski, is to tell them you can’t. One somewhat extreme method he suggests is to set up two-factor authentication for your sensitive accounts, so that accessing them requires entering not only a password but a code sent to your phone via text message. Then, before you cross the border, make sure you don’t have the SIM card that allows you—or customs officials—to receive that text message, essentially denying yourself the ability to cooperate with agents even if you wanted to. Zdziarski suggests mailing yourself the SIM card, or destroying it and then recovering the accounts with backup codes you leave at home (for American residents) or keep in an encrypted account online. “If you ditch your SIM before you approach the border, you can give them any password you want and they won’t be able to get access,” Zdziarski says. He cautions, however, that he’s never tested that know-nothing strategy in the face of angry CBP agents.

Those more involved subversion techniques, warns University of California at Davis law professor Elizabeth Joh, also create the risk that you’ll also arouse more suspicion, making CBP agents all the more likely to detain you or deny entrance to the country. But she has no better answer. “There’s not that much you can do when you cross the border in terms of the government’s power,” she admits.

A Guide to Getting Past Customs With Your Digital Privacy Intact [Andy Greenberg/Wired]

Notable Replies

  1. Enkita says:

    I'm never going to visit the US again - I can't afford the insurance - but I doubt I would be let in based on social media postings. I don't use FB, I don't use Twitter - how do I persuade an official of the absence of something?
    And it seems to take so little to arouse suspicion. At one time I was visiting NY roughly every 4-6 weeks and travelling very light - I could keep spare clothes etc. at the office. Every single time I was getting tested for drugs. White guy in business suit with overnight bag and laptop. Every single time nothing found and stony faced official returned bag without a word. I guess somehow I got on a list.

  2. Having travelled the world, in some fairly sketchy and/or police statey type places, I've learnt a few lessons. The most important one is that you have to have something to give them. For example, if you choose to walk thru a slum in the back end of a third world city, say Mogadishu or Detroit, it is a good idea to carry an old wallet with some expired ID in it (for verisimilitude) and a small amount of money (usually the minimum amount needed to score some drugs). You get mugged, you hand it over, the mugger goes away happy and you go away alive.

    Similarly when crossing a border and dealing with the government thieves, you have to have something to give them. Hence my old laptop. Runs Windows, uses Explorer with a judicious amount of malware. Has a Facebook account that friends various family members and innocuous friends (none with say Arabic names, none not residing in North America). It links to a Hotmail/Outlook email account, in my own name, with a lot of spam and cruft in it. Terrible passwords on both, which I am slightly reluctant to share with the border officer but of course do. I browse (carefully) on it once or twice a week, a bit more often before I travel, mostly visiting very mainstream news and entertainment sites for the vacant. And of course a bit of pretty vanilla porn surfing for the logs (this is a pretty important piece of verisimilitude). There is nothing that might seem sophisticated to a dumbass border officer. I am the very image of an unsophisticated computer user, much like themselves. I gave them something, they are happy and I am not a suspicious person. And it is all 100% legit, I did not tell a lie, and thanks to the powers of the internet it is not difficult to access things I need or want once I am safely through.

    Only a moron attempts to cross a police state (like the US) border with either an obvious secret, or nothing embarrassing at all. Don't fight or resist, and have something to give them. Just like with a mugger.

  3. How about just setting your password to 2444666668888888? If they ask, you just say "my password is one two three four five six seven eight" and if they can't figure it out, fuck em!

    Seriously though, I don't care what the ruling has been, I will never give my password up. I don't believe that the US constitution allows authorities that access to the property and papers of a US citizen, ever. I'd go to jail for that principle.

  4. I respect the principle, but bear in mind that non-compliance may prove to be extremely taxing.

  5. This is some fucking Soviet Russia papers-please bullshit.
