for more information and the entire article on downloadable PDF, go to https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
December 20, 2011
Our lives are on our laptops – family photos, medical documents, banking information, details about what websites we visit, and so much more. Thanks to protections enshrined in the U.S. Constitution, the government generally can’t snoop through your laptop for no reason. But those privacy protections don’t safeguard travelers at the U.S. border, where the U.S. government can take an electronic device, search through all the files, and keep it for a while for further scrutiny – without any suspicion of wrongdoing whatsoever.
Why might people want to protect their data at the border?
Business travelers, lawyers, doctors, or other professionals may have confidential or privileged information on their laptops that they don’t want others to see or that they are obligated by law or contract to protect.
People may have sensitive personal information on their devices such as medical records, financial documents, and years of correspondence with family, friends and business associates.
Some travelers may have repeated difficulties crossing the border, and wish to take proactive steps to protect their data in light of their past experiences.
Some may feel as a matter of principle that the government shouldn’t be able to view their private information simply because they choose to travel internationally.
For doctors, lawyers, and many business professionals, these border searches can compromise the privacy of sensitive professional information, including trade secrets, attorney-client and doctor-patient communications, research and business strategies, some of which a traveler has legal and contractual obligations to protect. For the rest of us, searches that can reach our personal correspondence, health information, and financial records are reasonably viewed as an affront to privacy and dignity and inconsistent with the values of a free society.
Despite the lack of legal protections against the search itself, however, those concerned about the security and privacy of the information on their devices at the border can use technological measures in an effort to protect their data. They can also choose not to take private data across the border with them at all, and then use technical measures to retrieve it from abroad. As the explanations below demonstrate, some of these technical measures are simple to implement, while others are complex and require significant technical skill.
Why Can My Devices Be Searched at the Border?
The Fourth Amendment to the United States Constitution protects us against unreasonable government searches and seizures. This generally means the government has to show a court probable cause that a crime has been committed and get a warrant before it can search a location or item in which you have a reasonable expectation of privacy. But searches at places where people enter or leave the United States may be considered “reasonable” simply because they happen at the border or an international airport.
Several federal courts have considered whether the government needs any suspicion of criminal activity to search a traveler’s laptop at the U.S. border. Unfortunately, so far they have decided that the answer is no.1 Congress has also weighed several bills to protect travelers from suspicionless searches at the border, but none has yet passed.2
For now, a border agent has the legal authority to search your electronic devices at the border even if she has no reason to think that you’ve done anything wrong.
How the Government Searches Devices at the Border
There are two government agencies primarily responsible for inspecting travelers and items entering the United States: the Department of Homeland Security’s Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE). (Occasionally, CBP or ICE can make special arrangements to question a passenger departing from the United States or inspect her belongings, but neither agency routinely does so.)
Which Three-Letter Acronym Was That Again?
The Department of Homeland Security (DHS) has several departmental missions, including to “secure… the nation’s air, land and sea borders to prevent illegal activity while facilitating lawful travel and trade.” Department of Homeland Security Missions and Responsibilities, http://www.dhs.gov/xabout/responsibilities.shtm (last visited Oct. 4, 2011).
Customs and Border Protection (CBP) is the primary agency that inspects and searches travelers entering the United States. For example, when you arrive in the U.S., you can expect to be interviewed at the border by a CBP agent and to present your Customs declaration to another CBP agent.
Immigration and Customs Enforcement (ICE) investigates violations of laws related to borders. Although ICE has border search authority, it isn’t routinely involved in searching or interviewing travelers at ports of entry.
The Transportation Security Administration (TSA) is responsible for transportation security within the United States, and does not perform searches at the border. Normally, TSA searches travelers before they board a plane, not after they land. You can expect to be searched by TSA when departing the U.S. by air, but the screening TSA performs is usually identical for domestic and international passengers.
The law gives CBP and ICE agents a great deal of discretion to inspect items coming into the country. While it’s impossible to know for sure how they’ll handle every border search situation, agencies have published their policies for searching electronic devices and data.
CBP tells its agents that “with or without individualized suspicion,” they can inspect electronic devices and data encountered at the border.3 The agency can keep your computer or copies of your data for a “brief, reasonable” amount of time to be searched on- or off-site. Ordinarily, this isn’t more than five days.4 CBP recognizes that agents might run across privileged or sensitive information stored on devices, but does not clearly explain the procedures for handling it.5 When CBP agents experience technical difficulties or encounter information that is encrypted or written in a foreign language, they may send the device or a copy of the data to other government agencies that might be able to help access the information.6 Border agents don’t need any suspicion of wrongdoing to seek this assistance,7 and it’s unclear whether the cooperating agencies can keep copies of the data they receive indefinitely.
Like CBP agents, ICE agents may inspect electronic devices and the information on them “with or without individualized suspicion.”8 ICE will typically complete searches of devices and copies of data within 30 days,9 though anecdotal reports suggest that travelers’ devices are sometimes detained for significantly longer periods of time.10 ICE’s policy, like CBP’s directive, says that agents may seek technical assistance from others to translate or decrypt data,11 and is similarly vague about how agents should handle privileged or sensitive information.12
Beyond seizing the device at the border, the government may take a device to a location away from the border for further inspection.13 If this occurs, searches of devices that are conducted at a time and/or place removed from the initial border stop can become extended border searches that require reasonable suspicion of wrongdoing or even regular searches that require a probable cause warrant.14
In short, border agents have a lot of latitude to search electronic devices at the border or take them elsewhere for further inspection for a short period of time, whether or not they suspect a traveler has done anything wrong.
For now, the government searches only a small percentage of international travelers’ electronic devices. According to documents obtained by the American Civil Liberties Union through the Freedom of Information Act, more than 6,500 people traveling to and from the United States had their electronic devices searched at the border between October 2008 and June 2010, an average of more than 300 border searches of electronic devices a month. Almost half of those travelers were U.S. citizens.15 This means that these searches are a regular occurrence, but one that most travelers will never encounter given the number of travelers who cross the border each month.
The frequency of technology-oriented searches at the border may increase in the future. Researchers and vendors are creating tools to make forensic analysis faster and more effective, and, over time, forensic analysis will require less skill and training.16 Law enforcement agencies may be tempted to use these tools more often and in more circumstances as their use becomes easier.
Deciding How to Protect Your Data
Different people will choose different kinds of precautions to protect their data at the border based on their experience, perception of risk, and other factors. There is no particular approach we can recommend for all travelers. These are some of the considerations you might take into account:
Case Scenario: Business Concerns
Alice is a frequent business traveler who often needs access to proprietary information that her company considers highly sensitive and confidential. When she travels for work, she takes a special laptop that contains the minimum information necessary for her trip. Before she leaves the country, she uses strong cryptography to encrypt that information. She also sets up two separate log-in accounts on the computer: a protected account where the encrypted files may be accessed, and a separate account for other uses of the laptop. Anyone who wants to view the confidential data must log in to the protected account and then decrypt the files. Only Alice’s employer knows the passwords to the account and encrypted data, and the company’s IT department sends the passwords to her in an encrypted email message so that she can access the data abroad. Before she returns to the U.S., she securely wipes her laptop.
• Your citizenship, immigration, or residence status. If you are not a U.S. citizen, you may be more easily denied entry into the country, and so you may want to be especially careful to avoid situations where border agents might consider you uncooperative for taking steps to protect your data or politely refusing to provide encryption passwords.
• Time sensitivities. Is it important for you to reach your destination by a certain time? If border agents hold you up with questioning or attempts to search your devices, it may wreak havoc on your travel schedule.
• How much hassle you’re willing to tolerate from border agents. If you want to secure your data but are uncomfortable about the possibly of appearing uncooperative with border agents, it might be best to avoid such awkward situations all together. For example, you might choose to take a blank device over the border and download your data once you reach your destination rather than face an uncomfortable interaction with a border agent who wants to search the data on your device.
• How important it is for you to have access to your data during your journey. Consider whether you’ll need your data with you on the plane, or whether you can wait until you’ve crossed the border to access it.
• How good your Internet access will be during your travels. If you’ll have access to lots of bandwidth, you might be able to download the data you need once you reach your destination.
• The countries you’ve visited before entering the United States. Travel to certain countries may draw additional scrutiny from border agents.
• Your history with law enforcement. If you are subject to an ongoing investigation or otherwise under suspicion for any reason, you may be screened or questioned more intensively.
Some Basic Precautions
All computer users who carry important information on portable devices should be aware of two basic precautions:
• Making regular backups, which ensures that your important information stays available to you if your computer is ever taken from you, lost, or destroyed. (If you don’t have access to your computer, you’ll still have access to your data.)
• Encrypting the information on the computer, which ensures that your information stays confidential from other people whom you don’t authorize to access it. (If you lose control of your computer, other people won’t have access to your data.)
In the infancy of personal computing, experts put particular emphasis on the need to make backups. Today, we think these two precautions are really halves of a larger whole: making sure that that information stays available to those you want to have it, and that it’s not available to others. Applying these precautions can help you deal with travel incidents well beyond the comparatively unusual case of border searches, like if you leave a laptop in a taxi or if someone steals your backpack or purse from a café.
The right time to get started with both of these precautions is before your trip, when you’re at home or at work and have more time and greater access to other people who can help you get set up appropriately.
There are also other more elaborate precautions which you might find useful. After discussing the basics, we’ll suggest several of these below. Note that many of the precautions we will discuss address the possibility that your electronic devices are taken away from you, and examined for hours by a trained expert. For travelers who feel that this is an important concern, it’s worth understanding what the capabilities of that expert examiner may be.
Hard Drive Image Backups
If you have a large external hard drive at home, you can make a byte-for-byte image copy of your laptop hard drive before your trip; then you can install a fresh operating system for travel purposes, overwriting the laptop contents. When you return home, you can restore the image copy onto your laptop (overwriting the travel operating system) and pick up where you left off.
Regardless of what operating system you usually run, you can do this most easily with a Linux live CD. (This operation happens below the level of the operating system, so it can be used on any operating system.) The external drive to which you make the backup should itself be encrypted, because the backup contains all of the information from your hard drive (including things you may think are deleted, and including saved passwords and authorization credentials) in a usable, accessible form.
Note that making or restoring a full-drive backup can take a long time; it’s usually limited by the capacity of the connection to the external hard drive and could be up to several hours for a large laptop drive.
Since hard drive sizes have been growing faster than Internet connection speeds, image backups over the Internet are unlikely to be feasible except in the most highly Internet-connected places. (An Internet-based image backup is similar to swapping hard drive images onto an external disk, except that the external disk isn’t physically plugged into the local computer but is located somewhere else. Encryption should be used to protect the hard drive’s contents.)
Every year millions of computer users lose important information accidentally for want of a good, current backup, so there are many good reasons other than the possibility of a border search or seizure for you to have a current backup. In modern practice, backups are most often made onto another computer over a network. (See our discussion of on-line service privacy in the next section – Backups Using the Internet.) You can also back up to an external hard drive, which can be extremely quick and easy.
Backups are especially important for travelers, since, aside from the possibility of a border search or seizure, travel presents many opportunities for losing your computer or data.
Backups Using the Internet
When you’re backing up your computer over a network, bear in mind that
• Your connection to the server should be encrypted to prevent eavesdropping that would reveal the contents of your backup.
• The content of your backups should also be encrypted so that the backup service itself can’t read them. (Currently, only a few services automate this process for you.)
• Your backups should be frequent, especially while you’re traveling away from home. They can be incremental so that only things that have changed since your previous backup are actually transmitted over the network.
• Your Internet access will need to be fast enough to transfer the amount of information you have to back up in the time you have available.
Storing information with an online service, sometimes also called a “cloud service,” is a popular choice today; it may have significant benefits for reducing the amount of data that could be exposed to a border search. For instance, you could keep your email with a webmail provider and not on your laptop, or edit documents on a network service like Google Docs, or store files with a service like SpiderOak instead of on your computer. Devices like Chromebooks can do this automatically so that you rarely physically store information on a laptop at all. Relying on network services and network storage has both advantages and disadvantages for privacy.
Pro: Data is not stored on your device, is not actually carried across the border, and is not subject to a physical border search. You can truthfully tell agents that the data is simply not present on your device at all; you are not carrying it with you.
Con: Some data that you store with a third-party online service provider in the United States enjoys less legal protection than data you store on your own computer.
You can get the best of both worlds when you encrypt your data separately before storing it with a cloud storage provider. Then the cloud storage provider does not know the information required to decrypt the data, so it can’t access your data at all. Some cloud storage providers like SpiderOak17, Tarsnap18, and Wuala19 make this kind of protection a standard part of their services, while tools like Duplicity20 and Tahoe-LAFS21 let you set up your own encrypted backup infrastructure.
If you decide to move some files into cloud storage before crossing the border rather than keeping your files there all along, remember that merely deleting files won’t always remove their names or contents from your device. See The Challenges of Secure Deletion, below.
Backups Using an External Hard Drive
You can also easily make a backup onto an external hard drive instead of (or in addition to) a network server. This hard drive can, and should, be encrypted so that only someone who knows the proper passphrase can read its contents. In general, store and transport your backup and your computer separately. In particular, we recommend you don’t carry your backup across the border at the same time as the computer it’s backing up!
Case Scenario: Doctor Confidentiality
Akina is a doctor in Japan. She is traveling to the United States with her young son to attend a relative’s wedding. She wants to ensure that she can access any email messages that her patients send her while she is abroad, and considers it critical to protect the confidentiality of those messages. On the other hand, she doesn’t want any confrontation with the border agents — she worries that being detained will upset her child, and, if they are refused entry, they will miss the wedding. Akina chooses not to carry a laptop at all. Instead, before her trip, she mails a travel laptop to her relative in the United States. After the wedding, she securely wipes the laptop and takes it back to Japan with her.
Remember that backups can take time, so plan accordingly. Using a USB connection, a 60 GB laptop drive could take over 15 minutes to back up (probably longer), while a 1 TB drive could take around five hours. You can use incremental backups together with encryption to make the time a bit shorter. USB’s peak data rate is 60 MB/s (for USB 2, the latest version you can assume is widely supported), so plan ahead and use incremental backups where appropriate. Note that current computers might let you connect external drives using Firewire, or eSATA interfaces as well, although the most universally compatible is USB, which is also the slowest (unless you have USB 3, which is still uncommon as of mid-2011).
A 2 TB external drive (self-contained and ready to use) is relatively cheap and is probably more than sufficient for a complete encrypted backup of any computer you’re likely to use. You can also get an enclosure to turn an internal hard drive into an external hard drive. High-quality enclosures are also relatively inexpensive and protect the internal drive against physical damage, as well as providing power and making it easy to plug and unplug the drive.
Case Scenario: Documentary Filmmaker
Bill is a filmmaker who has made several documentaries over the past few years about the efforts of authoritarian governments to suppress dissent in their nations. He traveled to a couple of Middle Eastern countries last year, and has faced heavy questioning at the U.S. border ever since. He is working on a new project in Tunisia, where he filmed interviews with several dissidents, and he wants to do everything possible to protect the confidentiality of this footage. He needs to transport several hundred GBs of video into the United States from Tunisia. His Internet access is not good, so uploading it to a remote server is not a realistic option. Bill chooses to store the encrypted video files on discs with a strong passphrase and asks a friend to mail them to him in the United States. Then he securely wipes his laptop and brings it back into the United States with him.
Case Scenario: Activist Associations
Vera has lots of friends who are involved in controversial activism, and some of them have had their laptops seized at the U.S. border. Vera isn’t an activist herself, but worries that the government will take an interest in her if it learns that she’s friendly with people who are activists. She takes a travel laptop on an international trip with the minimum information necessary, leaving most of her data at home. Before she enters the United States, she signs out of her Gmail, Twitter and Facebook accounts and makes sure that the passwords aren’t stored in her browser. She also uses WhisperCore’s full disk encryption app to secure the contacts, text messages, and other content stored on her Android phone. If asked for the passwords, she intends to say no. She knows this might cause the agents to seize the devices, but they are unlikely to break the passwords, which are very strong. If that happens, Vera will still be able to access all the information on the devices because she has stored it remotely.
Flash memory devices (including USB flash drives and SD cards) are used as the internal storage in most cell phones and digital cameras. Securely erasing their contents can pose an extra challenge because of a technology called wear leveling, which tries to prevent you from repeatedly writing to the same place on the disk. That means that special forensic techniques involving physically disassembling the flash drive can sometimes reconstruct contents that you attempted to overwrite, because the flash drive decided to put the overwriting data in a different physical location from the overwritten data.40 This kind of forensic examination is much rarer than basic disk forensics and is probably only a concern in a tiny number of situations.
Mobile Phones and Similar Devices
Devices like mobile phones increasingly hold tremendous amount of sensitive information, including photos and email messages that just a few years ago might have been found only in cameras and laptops. Often, they contain lists of your friends and colleagues and detailed logs of when you communicated with them. Some mobile phones also store detailed logs of your physical location over time.
Although setting a password on your phone can be a sensible precaution, it’s worth emphasizing that the password and screen-locking features that come with most phones provide no meaningful protection against a skilled examiner. These passwords are like user account passwords on a PC, not like passphrases for disk encryption; an examiner will not need to discover what the password is in order to bypass it.
Temporary Phones for Travel
If your mobile phone uses the international GSM standard (usually the case for non-U.S. mobile subscribers, or for U.S. customers of T-Mobile and AT&T Wireless), you can avoid taking your normal phone on your international trip at all, even if you want to use your existing phone number.41 Just get a different GSM-compatible phone and transfer your SIM card from your regular phone into the new phone. Your temporary phone will have far less of your private data on it, but since your phone number is associated with the SIM card rather than with the phone itself, you can still be reached at your normal telephone number (assuming that you have chosen to enable international roaming services on your cell phone account). When your trip is over, you can swap the SIM card back.
Secure Deletion of Data and Disk Encryption for Mobile Devices
It’s very hard to be sure that information on mobile devices has been truly deleted. You might choose to delete information such as SMS messages so that they are not visible to someone looking through your phone, but there is typically no meaningful secure deletion option. A sophisticated forensic analysis may still reveal the contents of these deleted messages.
If your mobile device has a removable memory card such as an SD card, you can most securely wipe its contents by physically removing it from the mobile device and wiping it using secure deletion software in a PC.
In most cases, it may be better to travel with a separate mobile device that holds little private data rather than trying to rely on your phone’s security features to prevent border agents from reading private data.
If you prefer to travel with your everyday mobile device, it may support specialized encryption software. The most recent release of Android for tablets (but not mobile phones) has a comprehensive encryption option, while some Android devices can be protected with add-on software like WhisperCore (which requires a fresh installation of the phone software). WhisperCore also supports making a networked backup of a phone’s contents, securely erasing them, and re-downloading them later. BlackBerry devices also have potentially effective security options that may be able to protect data even against an expert; if you have an enterprise-managed BlackBerry, you can check out your user manual or ask your IT department about these features.
Agents may well ask to look through the contents of cameras, whether to try to disprove someone’s claim about where they traveled, in search of sexually explicit photographs, or simply out of curiosity.
Be aware that border agents may search your camera, copy its contents, or try to undelete images or videos that you believe you’ve deleted and that are no longer visible from the camera’s user interface.42 There is no simple precaution against this, although low-level formatting or low-level overwriting a memory card in its entirety, using a computer and not a camera, should prevent undeletion; you should not rely on this unless you’re familiar with exactly what the formatting process is doing. (Notably, high-level formatting of memory cards, or of hard drives, is totally ineffective against forensic analysis.)
The same considerations apply to camcorders and to the camera in your mobile phone.
Interacting with Border Agents
Border agents have a great deal of discretion to perform searches and make determinations of admissibility at the border. Keep in mind that any traveler, regardless of citizenship status or behavior, can be temporarily detained by border agents for more detailed questioning, a physical search of possessions, or a more extensive physical search.43 Refusal to cooperate with searches, answer questions, or turn over passwords to let agents access or decrypt data may cause lengthy questioning, seizure of devices for further examination, or, in extreme circumstance, prevent admission to the country.44
For this reason, it may be best to protect your data in ways that don’t require you to have awkward confrontations with border agents at all. If you find yourself in such a situation, however, keep these tips in mind:
It’s extremely important that you do not tell a lie to a border agent. Doing so is a serious crime for which you may be prosecuted even if your lie was not told to conceal any wrongdoing.45 If you are absolutely sure that you don’t want to answer a specific question, it’s better to politely decline to answer than to give a false answer.
Don’t Obstruct an Agent’s Investigation
Once it’s clear that a border agent is going to search your device or other possessions, don’t take any steps to destroy data or otherwise obstruct that process. Like lying, knowingly interfering with a border agent’s investigation is a serious crime.46 Write down the agent’s identifying information and collect a receipt for property if appropriate. Then file a complaint or consult a lawyer about getting the item back. (For information on filing a complaint to CBP or ICE, see the Appendix to this paper.)
It’s in your interest to be courteous to agents at all times during the border inspection process. CBP agents should also be courteous and professional while searching your belongings, detaining, or questioning you.47 If they fail to do so, you can file a complaint.
Resources for International Travelers With Border Search Issues
Problems with or questions about an ICE or CBP examination?
If you have a question about CBP or wish to submit a formal complaint about a CBP examination, please go to .
To file a civil rights complaint against either CBP or ICE, you can file a complaint with the Department of Homeland Security Office of Civil Rights and Civil Liberties. You may download a complaint form at .
Have you been repeatedly referred to secondary screening? Do you suspect your name is on a watch list?
You may submit a complaint to the Department of Homeland Security’s Traveler Redress Inquiry Program at .
Want to know what information CBP or ICE has on file about you?
Anyone can seek copies of records about themselves through the Freedom of Information Act. You can use the Privacy Act to ask for the same information if you’re a U.S. citizen or lawful permanent resident.
For information about submitting a request to CBP, see .
To request records from ICE, see .
Feel as though your privacy or civil rights have been violated during a border search?
Please visit the Department of Homeland Security’s Traveler Redress Inquiry Program to specify all scenarios that apply to your travel experience at .