Privacy advocates and lawyers are advising travellers to wipe their phones of all data when crossing the U.S. border following a number of new reports of border agents seizing mobile devices and demanding passwords.
This week, American customs agents seized the phone of a NASA employee and U.S. citizen and demanded his PIN. In November, Canadian photojournalist Ed Ou had his phone confiscated by border agents, who told him to unlock it, and questioned him for six hours when he refused. Two Moroccan Canadians were denied entry into the U.S. this month, but only after agents had rifled through their phones.
The issue could get worse, if a proposal from Homeland Security Secretary John Kelly to demand the social media passwords of some travellers becomes reality.
Growing uncertainty over the rules is putting the onus on people to protect themselves. Here's how.
Know your rights
Phone and password seizures were happening under the Obama administration. But in the wake of President Donald Trump's now suspended travel and refugee ban, the American Civil Liberties Union says it has noted an increase in those types of reports from people crossing the border.
You can't be compelled to hand over your PIN or passwords at the U.S. border, according to Nathan Freed Wessler, staff attorney for the ACLU's Speech, Privacy and Technology Project, but depending on your status, there could be consequences for refusing to divulge them.
U.S. citizens and green card holders can be detained, and border agents can hold their devices, while visa-holders can be denied entry to the U.S. if they refuse to give their PIN or password.
"People's phones and computers contain tremendous quantities of extremely sensitive, private and personal information."
There have been few court cases in the U.S. testing the authority of border agents to search devices, Wessler said, and in most parts of the country, there is no court decision addressing this issue, so the government claims it can search any personal electronic device at the border.
"We are tremendously concerned with that position because people's phones and computers contain tremendous quantities of extremely sensitive, private and personal information ... so we think that there should be an impediment to the willy-nilly searching of these devices," he said.
A 2013 appeals court ruling covering the western edge of the U.S. found that border security could not conduct forensic searches of devices — that is, download the full contents of a device and use forensic tools — without "reasonable suspicion" of criminal wrongdoing. Reasonable suspicion means they have evidence, not just a hunch, leading them to suspect wrongdoing.
But the catch-22 with "reasonable suspicion" is that it's not possible for the traveler to know at the time their device is seized what evidence the border agent has to back up their suspicion.
At Canada's border, the legal circumstances are similar. Brenda McPhail, director of the Privacy, Technology and Surveillance Project for the Canadian Civil Liberties Association, says the Customs Act allows border agents to search any goods coming into Canada, but the law is being interpreted so broadly that electronic devices can be searched, too. And in Canada, if you refuse to divulge the password to your device, you can be charged with obstruction.
"The border is what we call a zone of reduced privacy expectation, which means there's more leeway to do things at the border than in other situations," she says. "But even at the border, privacy invasions should be minimally impairing and they should be proportionate to the state interest or risk to the traveller."
The power to demand passwords hasn't been constitutionally tested in Canada, although she says the CCLA is looking for a test case so the law can be updated or clarified.
How to secure your device
Every security expert and privacy advocate VICE News spoke to advised travellers to back up their data on another device and then wipe their phones completely before crossing the border.
"Defeating encryption when they're sitting there off is a lot harder."
"I completely wipe it, back it up and go across the border with a fresh device," says James Donaldson, head of Toronto-based organization Toronto Crypto. He recommends a "minimum data lifestyle" for those concerned about privacy.
Another simple trick is to power off your phone when crossing the border to ensure data can't be easily extracted from it, explains Ryan Lackey, a Seattle-based security researcher who often visits Canada, China and Russia.
"The security of cell phones is a lot stronger when they're sitting there cold and not running," he said. "I'm pretty confident that there are ways to extract data from even the latest iPhones and Android devices when they're operational. But defeating encryption when they're sitting there off is a lot harder."
When the device is turned back on, you must enter a passcode to access the phone. You want them to compel you to provide that passcode, Lackey says. "That's a sign that everything else has worked up to that point," he says.
You can also use tamper-proof tape or even pearlescent nail polish to create a seal over the SIM card slot and the screws holding your phone together so that if it is removed or altered after your phone is seized, you can tell your phone was tampered with.
Securing your phone will protect not only you, but any of your friends who may be vulnerable — journalists and activists, for example.
Topics: the border