EFF’s Guide to Protecting Electronic Devices and Data at the U.S. Border

Electronic Frontier Foundation

Amid recent reports that security researchers have experienced difficulties at the United States border after traveling abroad, we realized that it’s been awhile since we last discussed how to safeguard electronic devices and digital information during border searches. So just in time for holiday travel and the 27th Chaos Communication Congress in Berlin, here’s EFF’s guide for protecting your devices and sensitive data at the United States border.

The Government Has Broad Legal Authority to Search Laptops, Phones, Cameras, and Other Devices at the U.S. Border.

The Fourth Amendment to the United States Constitution prohibits unreasonable government searches and seizures. This generally means that the government has to get a warrant to search a location or item in which you have a reasonable expectation of privacy. Searches at places where people enter or leave the country are considered “reasonable” simply because they happen at the border or its functional equivalent, such as an international airport.

While the Supreme Court has not yet decided the issue, several courts have considered whether the government needs even a reasonable suspicion of criminal activity to search a traveler’s laptop at the border, and have regrettably decided that the answer is no. E.g., United States v. Arnold, 533 F.3d 1003, 1008 (9th Cir. 2008); United States v. Romm, 455 F.3d 990, 997 (9th Cir. 2006); United States v. McAuley, 563 F. Supp. 2d 672, 979 (W.D. Tex. 2008).

The unfortunate upshot of these decisions is that a border agent has the legal authority to search your electronic devices at the border, even if he has no reason to think that you’ve done anything wrong. Several bills have been introduced in Congress over the past few years to protect travelers from these suspicionless border searches, but none of them has passed.

Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) have published their policies on searching electronic devices at the border, and the ACLU is challenging their constitutionality in court. According to CBP’s policy, your computer or copies of your data can be kept for a “brief, reasonable” amount of time to be searched on- or off-site, ordinarily not more than five days. ICE’s policy says that searches of devices and copies of data will typically be completed within 30 days. Anecdotal reports suggest that travelers’ devices are sometimes detained for significantly longer periods of time.

Searches of devices that are conducted at a time and/or place removed from the initial border stop can become extended border searches that require reasonable suspicion of wrongdoing, or even regular searches that require a probable cause warrant. See, e.g., United States v. Cotterman, No. CR 07-1207-TUC-RCC, 2009 U.S. Dist. LEXIS 14300 (D. Az. Feb. 24, 2009) (reasonable suspicion required to search laptop detained for two days and moved 170 miles from the border), appeal docketed, No. 09-10139 (9th Cir. April 7, 2009); United States v. Hanson, No. CR 09-00946 JSW, 2010 U.S. Dist. LEXIS 61204 (N.D. Cal. June 2, 2010) (reasonable suspicion required to search laptop about two weeks after it was detained at the border and sent away for forensic analysis, and probable cause required to search laptop about four months after initial detention at border).

Related Post:  Ubuntu TV: Can it gain a foothold in the market place?

If you’ve had your devices detained by border agents for an extended period of time, please contact EFF.

There Are Several (Imperfect) Ways That You Can Make Your Data Less Vulnerable at the Border.

What can you do to keep the government from arbitrarily rummaging through your sensitive or confidential information during your international travels? There are several ways that you can protect your data at the border, though none is 100% gauranteed to keep the government’s hands off your devices or your travels stress-free. Different approaches might be better for different travelers, devices, and data, but all of these precautions will help to keep your information significantly more secure during border crossings:

Carry as little data as possible over the border. Travel with a clean device that contains only the information you need for a particular trip, and then securely delete those files before returning to the United States.

Remember that merely deleting files from a device doesn’t mean that they’re unrecoverable. Deleted files can be trivially undeleted, in whole or in part, by forensic software. You must overwrite the file contents to securely delete them.

Consider taking an inexpensive “travel” laptop with you instead of a machine that you use every day. Or if your laptop allows you to remove the hard drive easily — for instance, by sliding it out a side bay — you might use a totally different hard drive for international travel and leaving your regular drive safely at home.

Keep a backup of your data elsewhere. Government agents could seize your laptop, phone, or other devices for no reason at all. You should be prepared for the possibility that you could be deprived of access your data for some time, and store copies somewhere else that you can easily access if your devices are detained at the border.

Related Post:  webOS: The latest open source, Linux distribution

Encrypt the data on your device. Encrypt your hard drive with a strong crypto protocol. Choose a strong passphrase that can resist brute force attacks. Even if border agents seek assistance from other agencies to attempt to decrypt your data — as provided by CBP and ICE’s policies — they are unlikely to be able to access your information without either getting your help or investing far more time and effort into reviewing your data than they may want to spend.

What if a border agent asks you to turn over your encryption keys? As a legal matter, border agents can’t force you to decrypt your data, divulge passphrases, or answer questions — only a judge can, and only if the Fifth Amendment privilege against self-incrimination does not apply. This privilege protects people from being forced to make statements that could lead the government to prosecute them for a crime. The right does not shield the actual data on a laptop or phone from disclosure. But two federal courts have held that even a judge can’t make a person divulge his passphrase to the government when the act of revealing the passphrase would show that he has control over potentially incriminating files. In re Boucher, No. 2:06-mj-91, 2007 U.S. Dist. LEXIS 87951, at *13 (D. Vt. Nov. 27, 2007), reversed on other grounds, 2009 U.S. Dist. LEXIS 13006 (D. Vt. Feb. 29, 2009); United States v. Kirschner, Misc No. 09-MC-50872, 2010 U.S. Dist. LEXIS 30603, at **10-11 (E.D. Mich. March 30, 2010). If you’re facing a situation in which the government is trying to force you to reveal encryption keys, let us know.

Be aware that if you fail to provide a passphrase or decrypt information upon request, there are a number of possible consequences. A border agent may seize your device and allow you to continue on your trip. The agent may detain you at the border. Or the agent may just shrug and and let you pass. It’s hard to predict what will happen, but you should be prepared for any of these possibilities, and consider how you would deal with each of them.

If you choose to answer government officials’ questions, always be honest about the contents of your computers and whether you’re carrying other data storage devices over the border. The consequences of lying to the government could be much more severe than the consequences of declining to answer questions or provide assistance.

Remember to shut down your device completely before going through customs so that the cold boot attack investigated by EFF, Princeton University and other researchers can’t be used to retrieve your encryption keys.

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.

Upcoming events

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.