Store the information you need somewhere else, then download it when you reach your destination. Store your confidential data on your employer’s servers or with a third party. Then take a clean device on your trip, download the information you need when you’ve reached your destination, and securely delete the files from your device before you return home.
This approach doesn’t offer absolute protection for the data you’ve stored elsewhere. The FISA Amendments Act of 2008 loosened the requirements for government surveillance of people reasonably believed to be located outside the United States, so international communications can now be monitored without a warrant. Furthermore, law enforcement officers can access communications stored by third-party providers through the Electronic Communications Privacy Act as long as they have appropriate legal process, which might not be more than a subpoena in certain circumstances.
If your goal is to keep border agents from perusing vacation photos on your camera, storing your files with a third-party service and then deleting them from your device might be fine. (Note, however, that deleted images on a camera, if not actively overwritten, can be easily undeleted, just like other kinds of computer files.) But if you’re concerned about government access to confidential business email, encrypting your data is a more effective solution. Also use an encrypted VPN, and/or SSH or HTTPS, to send and receive communications and other data while abroad.
Protect the data on your devices with passwords. Many devices such as laptops and phones give you the option to set a password, numeric PIN, pattern or other authentication method to control access to your data. Take advantage of this security feature to give your data a little more protection.
As with encryption keys, border agents can’t force you to turn over passwords. However, researchers have demonstrated flaws that make it easy to get around iPhone passcodes, and Android patterns are often not hard to identify. And, as we discuss below, user-account passwords, if not combined with encryption, can always be bypassed by simply removing the hard drive and putting it in another machine.
You might also consider creating separate password-protected user accounts on your laptop for your personal data and work data. Then you can allow a border agent to examine your own account, while storing client data or trade secrets in a separate account controlled by your employer. Your employer might disclose the password for this account to you only after you reach your destination.
Under certain circumstances, a border agent might be satisfied to take a look at your personal data. But simply storing confidential information in a separate password-protected account will not absolutely shield that data from government scrutiny. Many forensic search tools can access and search unencrypted data in every account on a machine, even if you yourself don’t know the passwords to log in to those accounts or don’t have administrative privileges on the machine. An agent can use these tools, for instance, by taking the hard drive out of your machine and putting it in their investigative machine. This allows reading the data right off the disk, regardless of the file and account permissions in your operating system. Don’t rely on passwords to be your only form of security — encryption is still critically important to protect the information stored on a device.
For more thoughts on protecting data at the border, see Wired’s wiki on how to protect data during border searches, Declan McCullagh’s Security Guide to Customs-Proofing Your Laptop, and Chris Soghoian’s Guide to Safe International Data Transport.
This guide was written by Marcia Hofmann and originally published at the Electronic Frontier Foundation.