On January 30 – three days after US President Donald Trump signed an executive order restricting immigration from several predominantly Muslim countries – an American scientist employed by NASA was detained at the US border until he relinquished his phone and PIN to border agents. Travellers are also reporting border agents reviewing their Facebook feeds, while the Department of Homeland Security considers requiring social media passwords as a condition of entry.
Intimidating travellers into revealing passwords is a much greater invasion of privacy than inspecting their belongings for contraband.
Technology pundits have already recommended steps to prevent privacy intrusion at the US border, including leaving your phone at home, encrypting your hard drive and enabling two-factor authentication. However, these steps only apply to US citizens. Visitors need a totally different strategy to protect their private information.
Giving border agents access to your devices and accounts is problematic for three reasons:
1) It violates the privacy of not only you but also your friends, family, colleagues and anyone else who has shared private messages, pictures, videos or data with you.
2) The devices of doctors, lawyers, scientists, government officials and many business people contain sensitive data. For example, your lawyer might be carrying documents subject to attorney-client privilege. Providing such privileged information to border agents may be illegal.
3) In the wake of revelations from Chelsea Manning and Edward Snowden, we have good reason to distrust the US government’s intentions for our data.
This problem cannot be solved through normal cybersecurity countermeasures.
Encryption, passwords and two-factor authentication are useless if someone intimidates you into revealing your passwords. Leaving your devices at home or securely wiping them before travelling is ineffective if all of your data is in the cloud and accessible from any device. What do you do if border agents simply ask for your Facebook password?
And leaving your phone at home, wiping your devices and deactivating your social media will only increase suspicion.
What you can do
First, recognise that lying to a border agent (including giving them fake accounts) or obstructing their investigation will land you in serious trouble, and that agents have sweeping power to deny entry to the US. So you need a strategy that lets you cooperate fully without disclosing private data or acting suspiciously.
Second, recognise that there are two distinct threats:
1) Border agents extracting private or sensitive data from devices (phone, tablet, laptop, camera, USB drive, SIM card, etc.) that you are carrying.
2) Border agents compelling you to disclose your passwords, or extracting your passwords from your devices.