How to protect your phone or computer when crossing borders

Border agents have broad powers to search people crossing borders, including their phones and laptops.But there are ways to protect your data when crossing international borders if you understand the technology and the law.

Crossing an international border is often a stressful experience. It becomes all the more stressful if you are pulled aside for further inspection. Border searches, including phone searches and laptop searches, have become more common in recent years, particularly in the United States. There, electronic device searches rose from 8,503 in 2015 to 30,200 in 2017. But the US isn’t the only country where your device can be searched, seized, or analyzed at the border. The UK, Canada, and plenty of states with even weaker privacy protections (Israel, Turkey, etc.) allow similar searches.

But what if you don’t want to forfeit your right to privacy and data security just because you travel? While the law doesn’t make it easy for you to keep your data safe, that doesn’t mean you have to make it easy for the border guards, either. This article explores the issues surrounding data privacy at the border, including what border police can and can’t do, and the steps you can take to minimize your risks. Most of the information here relates to protecting your data at the US border because device searches there are widespread, invasive, and formalized in agency policy (and therefore easier to analyze). But many of the same principles apply to crossing any international border.

Broadly speaking, if you are a citizen of the country you are trying to enter, you will not be denied entry for refusing to let agents search your device. But your device can be taken, and you can be detained for hours or days. If you are not a citizen of the country you want to enter, you can be denied entry for refusing a device search.

Border police are allowed to search your devices

US Customs and Border Protection (CBP) agents are responsible for enforcing immigration laws and preventing the entry of criminals. Courts have so far ruled that they are allowed to search your devices for any reason or no reason at all. You might get flagged for a device search because there is something wrong with your travel documents, your name is in a law enforcement database, or you were simply chosen for random search.

There are two levels of search, according to the CBP policy on device searches. A basic search is a simple inspection of your data, including your apps, photos, chats, and other files. An advanced search involves using external equipment to access files (including deleted data), copy data, and analyze it. CBP agents need to have reasonable suspicion of a crime or violation, or a national security concern and supervisor approval.

Agents can also “detain” your device for a “reasonable period of time” while they extract your data, copy it, or attempt to break your passwords or encryption.

How to protect your data at the border

You must weigh the practical risks when deciding whether to resist a device search because doing so risks escalating the situation. For non-citizens, including permanent residents, the risks are greater: You could be denied entry. For citizens, you cannot be denied entry (in the vast majority of countries), but you can be detained, which is stressful and could mean missing your connecting flight. You may also be forced to give up your device for days.

But if you decide to take measures to protect your data at the border, despite the risks, it requires a bit of planning in advance. Below is a list of things to keep in mind when preparing for an international trip. The security measures you ultimately decide to take will require you to weigh your risk tolerance against your desire to enforce your right to privacy.

Be polite and do not lie

The most important thing to keep in mind when dealing with law enforcement is that they have the power to detain you, charge you with a crime, and even physically subdue you. Lying to law enforcement agents is a crime in most countries, so you should avoid making any false or misleading statements. The Electronic Frontier Foundation (EFF) also recommends that you do not try any technical tricks (such as using a second password that unlocks a dummy user account, disguising data, etc.) that could be seen as lying. Be calm and polite, but assertive.

Delete apps and data from your device

The only sure way to protect data from a border agent is to delete it from your device. We recommend using erasing software that completely wipes data so that it cannot be recovered later. Be sure to back up your data first using a secure cloud backup (or using an external storage device that is not traveling with you).

In the US, border agents are only allowed to access data on the device itself, not cloud data. Therefore, to avoid inadvertently accessing remote data, they are required to ask you to set your device to airplane mode (or they may do it themselves in some circumstances). However, many apps retain cached data in cleartext. So you may want to consider temporarily deleting these apps or clearing their data.

Note: border agents may find it suspicious if you present them with a device with no data or apps on it. This, in turn, may give them justification to confiscate your device, flag your name for future border screenings, or deny you entry to the country.

Turn off your device

Most devices use elevated security settings after being powered off, such as encrypting the hard disk or requiring a password to unlock rather than a fingerprint or face recognition. Turning off your device before arriving at border security will make it more difficult for them to access your data if you decide not to give them your password.

The decision to give up your passwords

CBP policy states that agents are allowed to request passwords for your device and for password-protected apps, and “travelers are obligated” to help the agents search their devices. If you decline their request to give up your passwords, agents are allowed to confiscate the device to try to break their way in or to contact their lawyers to legally compel you to give them your password. And you may be detained (if you are a citizen) or expelled from the country (if you are not).

If you are a lawyer, you may invoke attorney-client privilege, which triggers a series of procedures to try to segregate privileged data from the rest of the search. Others carrying sensitive data, such as journalists or doctors, may also notify officers why they have a special obligation to protect their data, but it may not work.

If the agents orderyou to give them your passwords, you may be left with no option but to comply. But according to the American Bar Association, you should state that you do not consent to the search, which can leave the door open for you to pursue legal recourse later.

Encrypt your device

Typically, the password you enter to unlock your device only restricts access to your unencrypted data. This will not prevent border agents from accessing your data using forensic tools. Using full disk encryption, however, can block access so long as they don’t learn your decryption password.

Write down everything

If border agents try to search your phone or laptop, you should write down everything you can remember about the experience. Get their names, badge numbers, and agencies. This information will be useful later if you decide to file a complaint or a lawsuit. The EFF can offer you assistance if you feel your rights were violated.

Securing your ProtonMail account

If you’re concerned about border agents reading your ProtonMail emails, we recommend deleting the ProtonMail app from your phone or tablet before you arrive at the checkpoint and logging out of your account in the web browser. If you use ProtonMail Bridge, delete your folders containing ProtonMail emails. You can easily re-sync them with your mail client later.

Conclusion

Dealing with border agents is always stressful. Confronting them over your right to privacy can make the experience even more harrowing, not to mention inconvenient. At ProtonMail, we believe your right to privacy should not be infringed just because you are crossing a border. You can learn more about data privacy and security in our guide for journalists, which contains useful tips and links to other resources.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

About the Author

Ben Wolford

A journalist by training, Ben has reported and covered stories around the world. In 2014, he founded a magazine, Latterly, devoted to international reporting on human rights. He joined ProtonMail to help lead the fight for data privacy.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

7 comments on “How to protect your phone or computer when crossing borders

  • There is another option: send your phone by postal mail to your destination ahead of time.

    Take out your simcard (if possible) and put it in a throw away phone, that way you can still text and call during travel.

    Don’t forget to encrypt the phone you’re mailing.

    Reply
  • Is there a general consensus about travelling with a device that has had the decryption keys deleted?

    Will they destroy the data if they can’t access it?

    Reply
  • Future thoughts… ProtonOS! I’d love to have a security minded phone that made it easy to cross borders, to travel, knowing that there’s nothing on my phone when it’s powered up that I need to worry about Customs agents rooting around in uninvited.

    Reply
  • Oh really?
    Your phonny gives you additional user accounts as option so if you don’t like state sponsored thugs watching your wife’s pics or reading love letters you’ve sending her – just delete the sensitive one temporarily (hope you keep your data remotely in sync – home NAS, NSA cloud or so ;))
    Carrying laptop or such is more tricky : doubt if you are so paranoic to keep whole system inside matroska on hidden partition microSD but veracrypt gives such possibility (there’s something for Android as well) but the official account trick should work as long as you don’t mention the hidden, encrypted partition inside hidden system partition to them nasty guys – grub can’t see it so why would they?
    It’s trivial, nasty solution to the trivial and nasty problem, can’t believe some “civilized” countrys force ppl in such situation, certainly expected more from protonmail “experts”.

    Reply
  • Guys for those people that are using an android based phone that has the reliability of a root access you build the operating system first root it stick on the apps and based on what you intend to do with the phone giving the many options available on android buy a piece of software called Titanium Backup can be linked to many online storage providers make a whole copy based on the operating system you have built once applied and based on the fact you are ready and have made a full backup of the operating system upload it to online storage keep in mind a encrypted one hearsay download the operating system anew from any website re format it deletes all traces of processes and logs basically like a new operating system carry the phone like new make it look like a normal phone re-root it easy enough download Titanium Backup download your preloaded operating system with a vpn check the phone has not been implied by compriseable software before hand you get what i am saying people……

    Reply