One Tech Tip: Locking down your device when crossing borders
Planning an international trip? Travelers should prepare for the possibility of extra scrutiny of their phones when crossing borders, especially when entering the United States.
The Canadian government warned travelers in a recent travel advisory that U.S. border agents are entitled to search electronic devices and “don’t need to provide a reason when requesting a password to open your device.” Some recent cases have made travelers nervous about their privacy, such as when a Brown University professor with a U.S. visa was deported to Lebanon after border agents found a photo of Hezbollah’s leader on her phone.
“While 100% privacy may be impossible in these situations, there are a few things you can easily do that make it much harder for someone to see your private data even with physical access to your device,” said Patricia Egger, head of security at encrypted service Proton Mail.
If possible, leave your phone at home. If you need one on your trip, borrow a tactic used by corporate executives looking to avoid hackers: get a temporary or “burner” device. It can contain just the information you need for your trip. Download anything else from the cloud when you need it.
If you have to bring your phone or laptop, upload sensitive information to a cloud storage service that uses end-to-end encryption, then delete the originals from your device. Also, encrypt your phone or laptop’s storage drive and protect it with a strong password. Be aware this is different from merely having a device passcode lock, which is more easily cracked.
Turn off fingerprint or facial recognition features and use the PIN or passcode instead. This will make it much harder for border agents to compel you to unlock your device using biometrics.
There are two kinds of searches, according to the U.S. Customs and Border Protection website. In a basic search, an officer scrolls through your phone’s photos, emails, apps and files. No suspicion of wrongdoing is needed to conduct this type of search.
In an advanced search, the contents of your device could be copied for analysis. But a senior manager needs to sign off on the request and you need to provide the password or PIN. This type of search can raise serious privacy concerns.
Experts say that powering off your devices is another way to protect against sophisticated attacks in case you don’t consent to a search. Most modern phones and some laptops encrypt their data using a strong cryptographic key only accessible when the user unlocks it with the passcode.
If the device is locked but not turned off, the key remains loaded on the device’s memory. Powerful hacking tools made by companies like Cellebrite can recover the key and decipher the data. But if the device is off, the key is unloaded and can’t be accessed until it’s turned on again and unlocked with the passcode.
“This is why a border agent can’t simply turn a device on to use a tool like Cellebrite,” said Will Greenberg, the EFF’s senior staff technologist. To be on the safe side, delete your social media apps and reinstall them later. Even though content is mainly stored on a social media company’s servers, some posts or images might remain on your phone’s memory cache and therefore viewable even in airplane mode.
It’s not just phones and laptops. Digital cameras, smartwatches, tablets, external hard drives and other electronic devices can be searched. Some tactics might backfire. If you’re tempted to completely wipe your phone or laptop hard drive before you travel, experts warn it could raise scrutiny.
“If detected by a border agent, the fact that you wiped your hard drive may prompt the agent to ask why you did so,” the EFF’s guide says. “Even traveling without devices or data that most travelers typically have could attract suspicion and questions.”
Also don’t try to hide information on your device, because border agents could find out. “Lying to border agents can be a serious crime, and the agents may take a very broad view of what constitutes lying,” it says.
Check local laws of your destination before you travel. For example, Britain’s counterterrorism law allows police to demand that people passing through the country’s border hand over devices along with passwords and PINs. If they refuse, they can be charged with terrorism.
Is there a tech topic that you think needs explaining? Write to us at onetechtip@ap.org with your suggestions for future editions of One Tech Tip.