Border agents have broad powers to search people crossing borders, including their phones and laptops.But there are ways to protect your data when crossing international borders if you understand the technology and the law.
Crossing an international border is often a stressful experience. It becomes all the more stressful if you are pulled aside for further inspection. Border searches, including phone searches and laptop searches, have become more common in recent years, particularly in the United States. There, electronic device searches rose from 8,503 in 2015 to 30,200 in 2017. But the US isn’t the only country where your device can be searched, seized, or analyzed at the border. The UK, Canada, and plenty of states with even weaker privacy protections (Israel, Turkey, etc.) allow similar searches.
But what if you don’t want to forfeit your right to privacy and data security just because you travel? While the law doesn’t make it easy for you to keep your data safe, that doesn’t mean you have to make it easy for the border guards, either. This article explores the issues surrounding data privacy at the border, including what border police can and can’t do, and the steps you can take to minimize your risks. Most of the information here relates to protecting your data at the US border because device searches there are widespread, invasive, and formalized in agency policy (and therefore easier to analyze). But many of the same principles apply to crossing any international border.
Broadly speaking, if you are a citizen of the country you are trying to enter, you will not be denied entry for refusing to let agents search your device. But your device can be taken, and you can be detained for hours or days. If you are not a citizen of the country you want to enter, you can be denied entry for refusing a device search.
Border police are allowed to search your devices
US Customs and Border Protection (CBP) agents are responsible for enforcing immigration laws and preventing the entry of criminals. Courts have so far ruled that they are allowed to search your devices for any reason or no reason at all. You might get flagged for a device search because there is something wrong with your travel documents, your name is in a law enforcement database, or you were simply chosen for random search.
There are two levels of search, according to the CBP policy on device searches. A basic search is a simple inspection of your data, including your apps, photos, chats, and other files. An advanced search involves using external equipment to access files (including deleted data), copy data, and analyze it. CBP agents need to have reasonable suspicion of a crime or violation, or a national security concern and supervisor approval.
Agents can also “detain” your device for a “reasonable period of time” while they extract your data, copy it, or attempt to break your passwords or encryption.
How to protect your data at the border
You must weigh the practical risks when deciding whether to resist a device search because doing so risks escalating the situation. For non-citizens, including permanent residents, the risks are greater: You could be denied entry. For citizens, you cannot be denied entry (in the vast majority of countries), but you can be detained, which is stressful and could mean missing your connecting flight. You may also be forced to give up your device for days.
But if you decide to take measures to protect your data at the border, despite the risks, it requires a bit of planning in advance. Below is a list of things to keep in mind when preparing for an international trip. The security measures you ultimately decide to take will require you to weigh your risk tolerance against your desire to enforce your right to privacy.
Be polite and do not lie
The most important thing to keep in mind when dealing with law enforcement is that they have the power to detain you, charge you with a crime, and even physically subdue you. Lying to law enforcement agents is a crime in most countries, so you should avoid making any false or misleading statements. The Electronic Frontier Foundation (EFF) also recommends that you do not try any technical tricks (such as using a second password that unlocks a dummy user account, disguising data, etc.) that could be seen as lying. Be calm and polite, but assertive.
Delete apps and data from your device
The only sure way to protect data from a border agent is to delete it from your device. We recommend using erasing software that completely wipes data so that it cannot be recovered later. Be sure to back up your data first using a secure cloud backup (or using an external storage device that is not traveling with you).
In the US, border agents are only allowed to access data on the device itself, not cloud data. Therefore, to avoid inadvertently accessing remote data, they are required to ask you to set your device to airplane mode (or they may do it themselves in some circumstances). However, many apps retain cached data in cleartext. So you may want to consider temporarily deleting these apps or clearing their data.
Note: border agents may find it suspicious if you present them with a device with no data or apps on it. This, in turn, may give them justification to confiscate your device, flag your name for future border screenings, or deny you entry to the country.
Turn off your device
Most devices use elevated security settings after being powered off, such as encrypting the hard disk or requiring a password to unlock rather than a fingerprint or face recognition. Turning off your device before arriving at border security will make it more difficult for them to access your data if you decide not to give them your password.
The decision to give up your passwords
CBP policy states that agents are allowed to request passwords for your device and for password-protected apps, and “travelers are obligated” to help the agents search their devices. If you decline their request to give up your passwords, agents are allowed to confiscate the device to try to break their way in or to contact their lawyers to legally compel you to give them your password. And you may be detained (if you are a citizen) or expelled from the country (if you are not).
If you are a lawyer, you may invoke attorney-client privilege, which triggers a series of procedures to try to segregate privileged data from the rest of the search. Others carrying sensitive data, such as journalists or doctors, may also notify officers why they have a special obligation to protect their data, but it may not work.
If the agents orderyou to give them your passwords, you may be left with no option but to comply. But according to the American Bar Association, you should state that you do not consent to the search, which can leave the door open for you to pursue legal recourse later.
Encrypt your device
Typically, the password you enter to unlock your device only restricts access to your unencrypted data. This will not prevent border agents from accessing your data using forensic tools. Using full disk encryption, however, can block access so long as they don’t learn your decryption password.
Write down everything
If border agents try to search your phone or laptop, you should write down everything you can remember about the experience. Get their names, badge numbers, and agencies. This information will be useful later if you decide to file a complaint or a lawsuit. The EFF can offer you assistance if you feel your rights were violated.
Securing your ProtonMail account
If you’re concerned about border agents reading your ProtonMail emails, we recommend deleting the ProtonMail app from your phone or tablet before you arrive at the checkpoint and logging out of your account in the web browser. If you use ProtonMail Bridge, delete your folders containing ProtonMail emails. You can easily re-sync them with your mail client later.
Dealing with border agents is always stressful. Confronting them over your right to privacy can make the experience even more harrowing, not to mention inconvenient. At ProtonMail, we believe your right to privacy should not be infringed just because you are crossing a border. You can learn more about data privacy and security in our guide for journalists, which contains useful tips and links to other resources.
The ProtonMail Team
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.