Finally, Wessler recommends that travelers be sure to update their operating systems on both laptops and phones before crossing the border. That’s because CBP could, in some cases, use tools like Cellebrite or GrayKey to exploit unpatched vulnerabilities in those devices, accessing them without the user unlocking them. “It may be that if your operating system is six months out of date, your device is vulnerable,” Wessler says. “The newest version may not be.”
Keep Passwords Secret
This is the tricky part. American citizens can’t be deported for refusing to give up passwords for social media accounts or encrypted devices, says the ACLU’s Wessler. That means if you stand your ground and don’t reveal passwords or PINs, you may be detained and your devices confiscated—even sent off to a forensic facility—but you’ll eventually get through with your privacy far more intact than if you divulge secrets. “They can seize your device, even for months while they try to break into it,” says Wessler. “But you’re going to get home.” (Despite the Trump administration’s shocking treatment in some cases of foreign permanent residents, this protection applies to green card holders too, Wessler says.)
Be warned, however, that denying customs officials access can at the very least lead to hours of uncertain detention in a bleak, windowless CBP office. At some US airports and in various states, court rulings have put limitations and restrictions on what CBP officials can do to access your devices, but there’s little guarantee those restrictions will be followed in practice if border agents have your computer or phone in their custody without oversight.
Broadly, the CBP outlines two types of device searches: basic, where an officer “manually” reviews a device’s content; and an advanced search where a device is connected to external equipment and its contents can be reviewed, copied, or analyzed. The latter search requires a “reasonable suspicion” of a crime, CBP says. The agency’s official guidance avoids explicitly saying people are required to hand over passwords, skirting around the issue by saying devices should be presented “in a condition that allows for the examination.”
“If the electronic device cannot be inspected because it is protected by a passcode or encryption or other security mechanism, that device may be subject to exclusion, detention, or other appropriate action or disposition,” the agency says online.
For non-Americans coming to the US on a visa or from a visa-waiver country, Wessler warns that they face a far starker dilemma: Refuse to give up a passcode or PIN and you may be denied entry. “There’s a very practical assessment people have to make about what’s most important to them,” he says. “Getting into the country but sacrificing privacy or protecting your privacy—but risking that you may be turned around at the border.”
Minimize the Data You Carry
For the most vulnerable travelers, there’s one clear solution to that dilemma: The best way to keep customs away from your data is simply not to travel with it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with an Apple ID for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.
(Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for noncitizens, even denial of entry.)
