Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud

[Togijak]

Digital Privacy at the U.S. Border:
Protecting the Data On Your Devices and In the Cloud

by Sophia Cope, Amul Kalia, Seth Schoen, and Adam Schwartz

EXECUTIVE SUMMARY

The U.S. government reported a five-fold increase in the number of electronic media searches at the border in a single year, from 4,764 in 2015 to 23,877 in 2016.1 Every one of those searches was a potential privacy violation. Our lives are minutely documented on the phones and laptops we carry, and in the cloud. Our devices carry records of private conversations, family photos, medical documents, banking information, information about what websites we visit, and much more. Moreover, people in many professions, such as lawyers and journalists, have a heightened need to keep their electronic information confidential. How can travelers keep their digital data safe?

The U.S. Constitution generally places strong limits on the government’s ability to pry into this information. At the U.S. border, however, those limits are not as strong, both legally and practically. As a matter of the law, some legal protections are weaker – a fact EFF is working to change. As a matter of practice, border agents may take a broad view of what they are permitted to do. Border agents may attempt to scrutinize the content stored on your phones, laptops, and other portable electronic devices. They may try to use your devices as portals to access your cloud content, including electronic communications, social media postings, and ecommerce activity. Moreover, agents may seek to examine your public social media postings by obtaining your social media identifiers or handles. As of this writing, the federal government is considering requiring disclosure from certain foreign visitors of social media login credentials, allowing access to private postings and “friend” lists.

This guide (updating a previous guide from 20112) helps travelers understand their individual risks when crossing the U.S. border, provides an overview of the law around border search, and offers a brief technical overview to securing digital data.

As an initial matter, readers should note that one size does not fit all. We are deeply concerned by invasive and even abusive practices of some border agents, and we are well aware of the serious consequences some travelers may face if they run afoul of a border agent. Many groups, including EFF, are working to establish clear legal protections to help alleviate that fear. In the meantime, however, we know that some travelers will want to take a highly conservative approach, while others will be less concerned. This guide is intended to help you make informed choices according to your situation and risk-tolerance.

Part 1 identifies the risk assessment factors that all travelers should consider (such as immigration status, travel history, and the data stored on the device) and the potential actions that travelers can take to secure their digital privacy at the U.S. border. Those actions include:

• Before your trip. Travelers should decide whether they can reduce the amount of digital information that they carry across the border. For example, they may leave certain devices at home, use temporary devices, delete content from their devices, or shift content to the cloud. Travelers should protect the information they do carry over the border. Most importantly, they should use full-disk encryption and backup their data somewhere else. Also, shortly before arriving at the border, travelers should power off their devices, which will resist a variety of high-tech attacks against encryption. Travelers should not rely solely on fingerprint locks, which are less secure than passwords.

• At the U.S. border. Agents may ask travelers to unlock their devices, provide their device passwords, or disclose their social media information. This presents a no-win dilemma. If a traveler complies, then the agents can scrutinize and copy their sensitive digital information. If a traveler declines, then the agents can seize their devices, subject the traveler to additional questioning and detention, and otherwise escalate the encounter.

  
Border agents cannot deny a U.S. citizen admission to the country. However, if a foreign visitor declines, an agent may deny them entry. If a lawful permanent resident declines, agents may raise complicated questions about their continued status as a resident.

  Your response to this dilemma may vary according to your risk assessment. However, all travelers should stay calm and respectful, should not lie to border agents or physically obstruct them, and should plan for this dilemma ahead of time. Try to document or politely ask for the names, badge numbers, and agencies of the government officers you interact with.

• After your trip. If you feel that U.S. border agents violated your rights by searching or seizing your digital devices or online accounts, please contact EFF at [email protected]. Also, write down everything that happened as soon as possible.

Part 2 provides a primer on the law and policies related to border search of digital devices to help you understand the broader legal context. In particular, we address:

• Your rights at the border. Compared to people and police in the interior of the country, border agents have more power and people crossing the border have less privacy. But the border is not a Constitution-free zone. The powers of border agents are tempered by the First Amendment (freedom of speech, association, press, and religion), the Fourth Amendment (freedom from unreasonable searches and seizures), the Fifth Amendment (freedom from compelled self-incrimination), and the Fourteenth Amendment (freedom from discrimination).

• Government policies and practices at the border. For many years, the federal government has asserted broad powers at the border to search and seize travelers’ digital information. These intrusions are growing in frequency and intensity.

Finally, Part 3 is a primer on the technology of privacy protection. To secure our digital lives, we often must rely on (and understand) encryption, passwords, effective deletion, and cloud storage. In Part 1, we highlight some of the ways you can use these tools and services to protect your privacy. Part 3 offers a deeper dive.

Want to learn more about surveillance self-defense? Since you are reading this guide, you may be interested in digital security in general, and not just while you are crossing international borders. If so, check out EFF’s Surveillance Self-Defense guide.3

Want to help EFF protect everyone’s digital privacy at the border? Contact your U.S. senators and representatives, and ask them to support legislation requiring government officials to get a warrant from a judge based on probable cause of criminal activity before searching digital devices at the border. Also, please join EFF!

 

Contents

• Download
• Executive Summary
• Part 1: Digital Privacy Guide for Travelers
  • What is the Border?
  • Risk Assessment Factors
    • Factors About You
    • Factors About Your Data and Devices
  • Before You Arrive at the Border
    • Talk to Your Employer
    • Minimize the Data That You Carry Across the Border
    • Protect What You Carry Over The Border
    • Social Media and Online Accounts
  • When You Are at the Border
    • What to Expect
    • Basic Rules for Everyone
    • Try to Avoid Implicit "Consent"
    • What Could Happen When You Comply With An Order?
    • If You Comply With an Order, Should You State That It Is Under Protest?
    • What Could Happen if You Refuse To Comply With an Order?
    • Should You Attempt to Persuade the Agents to Withdraw Their Order?
  • After You Leave the Border
    • Make a Record of What Happened
    • Change Your Passwords and Login Credentials
    • Government Offices That May Help You
• Part 2: Constitutional Rights, Government Policies, and Privacy at the Border
  • The Law of Border Searches and Seizures
    • The Fourth Amendment at the Border: Digital Privacy
      • The Default Constitutional Privacy Rule
      • The Border Search Exception
      • The Exception to the Exception: "Non-Routine" Searches
      • Border Searches of Digital Devices
      • Interior Checkpoints
    • The First Amendment at the Border: Freedom to Privately Speak, Associate, Acquire Information, and Gather News
    • The Fifth Amendment at the Border: Freedom From Self-Incrimination
      • Passwords
      • Fingerprints
    • The First, Fifth, and Fourteenth Amendment Intersection at the Border: Freedom From Discrimination
    • Consent: Waiving Constitutional Rights at the Border
    • What If You Are Not a U.S. Citizen?
  • Federal Policies and Practices on Digital Searches
    • Federal Agencies that Oversee the Border
    • Device Search Policies
      • Search
      • Seizure
    • Searching Social Media and Other Cloud Content Without Using Travelers' Devices
• Part 3: The Technology of Privacy Protection
  • Encryption
    • Understanding Weaker Screen-Lock or User Account Passwords
    • Strong Full-Disk Storage Encryption
    • Activating Encryption
    • Choosing a Strong Password
    • Do Not Forget Your Password
    • Turn Off Your Device
  • Secure Deletion and Forensics
    • Some "Deleted" Information is Not Really Deleted
    • Overview of Secure Deletion
    • Built-In Factory Reset Features
    • Wiping Hard Drives and Removable Media
    • Individual File Secure Deletion
    • Clearing Free Space
    • Flash Media
    • Encryption and Secure Deletion
  • Cloud Storage
    • The Role of Cloud Storage in a Border Data Protection Strategy
    • Forensics
    • Risks Associated with Cloud Storage
    • Personal Cloud Storage
  • More Elaborate Data Minimization Ideas
• Conclusion

 

Download

Download the complete Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud report as a PDF

 

article source https://www.eff.org/wp/digital-privacy-us-border-2017

[humble3d]

Border patrol can search your cell phone...

whenever they feel like it

Securing our digital lives might require offline solutions

Sidd Bikkannavar, it should be noted, is chill.

I’m not sure if it’s because he’s from Southern California—Bikkannavar was born in Pasadena—or because his side hobby, racing solar-powered vehicles, requires a certain amount of calm.

Whatever the source, over the course of our 30-minute conversation about his experience being detained by US Customs and Border patrol, his voice betrays frustration only once.

And it’s not when he admits—only after I ask him—that this wasn't the first time.

“When there are random searches, I'll often get pulled into the random
search,” said Bikkannavar.

“That doesn't offend me. I know they need to search people and if it’s me, it’s me.

You know, I know I have a foreign sounding name, I know my skin is a little darker, so if it makes me more likely to be searched so be it. I've really never taken issue with that or been offended by that.”

 

“But what happened this time,” he adds, “was different.”

Losing His Chill

 

What frustrated Bikkannavar, a self-described pretty private person, enough to make him talk to the press was this: “I've now compromised the privacy of my friends, and family, colleagues, contacts—anyone whose digital life kind of touched my phone.”

 

How did Bikkannavar betray his friends and family?

He left the United States. Or, to be more precise, he returned.

 

The same weekend that President Trump signed an executive order restricting travel from certain countries, Bikkannavar arrived at the United States border in Houston, Texas.

He’d spent two weeks racing cars down in the Patagonia Region of Chile. Chile was not on the list of countries outlined in the executive order, but even if it was Bikkannavar wouldn’t have automatically qualified for extra scrutiny.

 

To begin with, Bikkannavar is an American citizen.

His father is of Indian descent, hence his name, but on his mother’s side his family has lived in the United States since colonial days.

In fact, his grandparents worked at the Jet Propulsion Laboratory (JPL) just like Bikkannavar does now.

 

“When we’re working with spacecraft,” said Bikkannavar, “we're working with equipment that costs maybe billions of dollars or is highly dangerous, so there is a process to make sure that we are trustworthy and safe.”

 

JPL is part of NASA, but in addition to rocketry it does a significant amount of work for the Department of Defense. As a result, even low level employees at JPL undergo a background check invasive enough that employees once sued to stop it..

 

But even if Bikkannavar didn’t work for JPL, there's still the fact that he forked over $100 and underwent a background check to qualify for Global Entry—the “U.S. Customs and Border Protection (CBP) program that allows expedited clearance for pre-approved, low-risk travelers upon arrival in the United States.”

 

Despite a level of vetting that some might even call extreme, Bikkannavar was still detained and placed in a holding room at Customs and Border Patrol.

 

“There were some people asleep [in the room].

I arrived at 5am in the morning, so I'm assuming that those people who were in there sleeping on the recliners and the cots had already been there stranded,” said Bikkanavar.

 “Eventually I get called into an interview room and they explain to me that because I'm trying to enter the country they need to search my property to make sure that I'm not bringing anything dangerous in.

 

And they gave me a slip of paper that explains their rights to do all of this stuff.”

 

That stuff included searching his phone. After hesitating, and explaining that the phone was his work phone, he complied.

“As soon as I gave them the PIN they sort of pulled the phone back, wrote down the pin, and left with my phone,” said Bikkannavar.

“They returned me to the waiting area with all of my luggage, and they didn't search any of that.

They didn't swab it for bomb stuff, they didn't even open it. They didn't check what was in my pockets. They were only interested in the phone.”

 

“I've now compromised the privacy of my friends, and family, colleagues, contacts—anyone whose digital life kind of touched my phone.”

 

If they had gone through Bikkannavar’s luggage, that would have violated his privacy. But going through his phone?

That violated the privacy of anyone who had texted, messaged, or otherwise contacted him since the last time he'd wiped the device.

 

“Not only is the privacy and the free speech rights of the device holder at stake,” said Sophia Cope, a staff attorney with the Electronic Frontier Foundation, “but also that of all of their associates.”

 

This may include people who have never set foot near a border, people who have never set foot in this country.

That it’s considered a privacy issue is obvious—how happy would you be to have strangers flipping through your cell phone for no reason?

But it’s also considered a free speech issue, because many argue that there’s no such thing as free speech without privacy.

If your thoughts and words are closely monitored by the government, can you really consider yourself free?

“Free speech and privacy are considered human rights in international law,” said Cope,

“So there's that issue of whether or not the US is going to uphold those international principles.”
 

Brian Turner, Flickr

Can They Do That?

If you’re wondering if this is legal, you’re not alone.

In theory, the fourth amendment of the US Constitution (which begins, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…") sounds like it protects us from, well, unreasonable searches and seizures.

 

“But the law,” said Cope, “is unfortunately fuzzy.”

 

Here’s what’s clear: within the United States, the fourth amendment prohibits unreasonable search and seizure.

 Pretty much every procedural court drama gets this part right. A government entity shows up in court, presents evidence that there was probably a crime, and that searching the item in question will confirm it.

If the judge thinks that the evidence supports a reasonably high chance—say 60-70 percent—of criminal activity she will issue a search warrant.

A warrant isn’t a carte blanche though. It’s “particularized” to the crime.

 

If they’re searching your phone looking for a terrorist threat and discover that you’ve illegally downloaded the Rolling Stone’s entire back catalog, that’s a separate issue.

But there is some wiggle room.

If a police officer sees you stuff a pile of crisply-bound $100 bills into a duffel as you run out of a bank that’s sounding its alarm, that’s enough probable cause to seize you—i.e. arrest you.

 

Checkpoints like the kind used to check for drunk drivers are another exception.

 

After all, everyone gets checked whether or not the police officers suspect them of being drunk. The Supreme Court rules this is ok because the scope is narrow and it’s in the broader public interest.

 

“At the border,” said Cope, “the Supreme Court says there's a discrete interest in protecting the welfare and the safety of our nation.”

Basically, it’s in the national interest to make sure that we pay duties on the $3,000-dollar bottle of wine we picked up in Italy, that we don’t secretly bring in seeds that pose a threat to the American farm industry or drugs and weapons that pose a risk to the American people.

 

So the Supreme Court ruled that routine searches at the border are permitted, even without a warrant or probable cause. This decision was made, however, before we were carrying around computers, never mind ones that contain the level of information contained in a smartphone.

 

“The problem now,” said Cope, “is that a piece of luggage contains nowhere near that type of personal information, sensitive information.

 

Even if you have a diary or some sexy photos in your luggage that still does not equate to what is essentially your entire life, particularly on your smartphone.”

 

The decision also doesn’t take into consideration the fact with cell phones, it’s not just the person who crosses the border whose information is being searched and potentially cataloged, but anyone who has communicated with that person. It’s this that compelled Bikkannavar to speak out, and a thought that should give us all pause.

 

It’s also an act that chills speech. How freely would you speak (or text) if you knew all of your communications were being observed? You don’t even have to work very hard to see the difference—compare your text and email conversations to your public social media posts.

 

The directive that guides U.S. Customs and Border Protection (CBP) electronic seizure rules dates back to 2009—it’s called CBP Directive No. 3340-049. It was only released because of a Freedom of Information Act, or public disclosure request.

 

And while lawsuits in recent years suggest that there have been policy changes, those changes have not been disclosed to the public. That makes it awfully difficult for citizens to know their rights.

 

In 2009, the year of CBPs publicly available guidelines, the iPhone was 2 years old.

 

Most of us were using blackberries or a flip phone, and apps were few and mostly entertainment based. Now our phones contain personal photos, banking information, inside jokes…the shape and breadth of our lives.

 

We are expected to entrust that information—without cause—to a department that, according to the The New York Times, recently found that over 10 years almost 200 employees and contract workers had taken nearly $15 million dollars in bribes.

 

In 2015 police officers found 110 pounds of cocaine in a US Border Patrol agent’s car. One could be rightly concerned as to what an agent might do if they had access to banking information, blackmail fodder, or proprietary info from a border crosser's business life.

 

The policy as disclosed says that they can only search—not copy or hold onto the device—unless they see evidence of a crime.

 

“But we were hearing reports at the border of CBP officers writing down like names of people from contact lists and stuff,” said Cope. And in Bikkannavar’s case the phone was taken out of the room, making it impossible to know whether the contents were copied.

 

To be clear, what’s happening isn’t new.

There are reports Customs and Border Patrol searching laptops and phones dating back to 2008.

 

Hard data on searches is difficult to find (and PopSci will update if it becomes available), but anecdotes suggest that it is becoming more frequent.

 

And Cope argues that even one person is too many. Especially when you consider how many people are in your contact list.

 

Protecting Yourself

 

The natural question, is how can we protect our information at the border?

 

Since technology, in part, created this problem, it can be tempting to turn to technology to resolve it.

 

For example, it’s possible to partition a laptop’s hard drive to boot one way with one passcode and another way with a different one.

 

“You have to be careful,” said Scope.

 

“If there is evidence that you are lying or misleading a government agent, that is itself a crime.”

At minimum, you should practice basic digital security: enable two factor authentication on your social media accounts. Disable any biometric locks—fingerprint locks in particular area notoriously easy to forge, and it’s not hard for a CPB agent to simply press your finger against your phone to make it unlock. Enable hard disk encryption.

 

None of that matters, however, if you unlock your device for an agent.

 

American citizens traveling to the United States have the right to return.

 

You can’t be denied entry into your own country. So you can simply refuse to comply—though you do risk them taking the device.

 

Increasingly, customs and border patrol agents have been asking people—primarily foreign nationals—for the passwords to their cloud accounts. Americans don’t have to comply, and Americans do have the right to an attorney—but foreign nationals have less of a choice.

 

Cope suggests literally wiping the device before you're forced to hand it over.

 

Or, if you’re an American citizen, encrypting the device in the strongest way possible and refusing to comply. They might take the device away, but at least you'll know they (probably) can't get at your information.

 

For those of us who travel a lot, our best option may be to use two sets of devices—one which we use in our everyday lives, and one which we use just for traveling and that we wipe each time we prepare to cross the border.

 

But the most important way to secure our devices isn’t at the border—it’s with the law. Until legislators or the courts clarify the law, we’ll all have to keep watching our devices.

 

Bikkannavar said that the interaction between he and the CBP agents was unfailingly polite on both sides, but the situation itself intimidating, in part, because he didn’t really know his rights. So before you travel, make sure you know yours.

 

https://www.aclu.org/files/kyr/kyr_english_5.pdf


http://www.popsci.com/border-patrol-secure-devices#page-8

 

[steven36]

3 hours ago, humble3d said:

Border patrol can search your cell phone...

whenever they feel like it

So?  if  we go up too Canada  they do US citizens  the same way leave you're phone at home  and they wont have nothing to search . That's whats so funny all those Libtraids saying the was going move to Canada when Canada they do the same thing lol.  If you dont want to be harassed at the border just stay home .You be better off it's not really safe for  immigrants  right now and its not just  the Govt you have to worry about. Some private citizen may think you're a terrorist and mess you up.

 

Many come here to work and go to school they should be checked out before they let them in the USA. The OP  dont say nothing  about  parts of  South America are giving passports to terrorist ether.  Just because the EU has a problem with immigrants dont mean we  wont them in the USA. If private citizens ran the USA we all be dead by now someone would have done pushed the button.or let terrorist in  to take over. When It comes to some things I draw the line .I may be open minded but not so open minded that endangers me and my family like a lot of protesters are.

 

Back when they was letting all the immigrants in to the EU many on this board said they wish there country had tougher immigration laws . We let people come in the USA for every since it existed but times have changed,  terrorist sneak in and the cartels bring drugs in  and someone has to try to do something about it .

 

If i'm driving down the road and a cop stop me and if hes thinks im doing something wrong hes going search me. If i go to a train or bus station somewhere along the line i'm going  get searched  if people didn't think they had to always have a phone they would be no problem with them. This is were technology backfires on you and its you're problem not mine Buy a phone after you get here or something you know there going too do this when you bring them . You come to USA and other countries when you step on there soil you belong to them  , You give you're privacy up tell you are cleared to go you're merry little way.  They are responsible for you're actions while you're there and you must obey the law or they will send you home packing.

[steven36]

12 hours ago, Togijak said:

Every one of those searches was a potential privacy violation.

Sorry but no it's not it may of been  back when Obama was in there but Trump changed that law  if  you  dont open it when asked  they may send you back or something. 

Quote

 

When you’re entering the United States, whether at an airport or a border crossing, federal agents have broad authority to search citizens and visitors alike.

And that can include flipping through your phone, computer, and any other electronic devices you have with you.

 

https://www.businessinsider.nl/can-us-border-agents-search-your-phone-at-the-airport-2017-2/?international=true&r=US

You best bet if you have a phone that have stuff on you dont want  them to see is leave it home and get a spare phone for travailing  to the USA or Canada that you dont care about if they find you hiding something  you may  end up detained or even deported back. .When you're in a public place in the USA you can even be driving down the road and end up getting searched.  Its always been this way long before there was smartphones or  the internet. they have  manhunts and stuff  you never know when you will be stooped if they thing you're hiding something they will search you  . why should people at airports or borders have more right than me if  I go outside? I seen the cops beat people up because they think they have something illegal on them if they resisted .