Sunday, December 18, 2022

Privacy Warning if You're Traveling Internationally These Holidays

International travelers may know U.S. Customs and Border Protection (CBP) can scroll through your phone in a "random search." But new details paint a picture of broad and messy data collection that puts your privacy at risk.

Data copied from devices at entry points into the United States - including airports and border crossings - gets saved for 15 years in a database searchable by thousands of CBP employees without a warrant, The Washington Post's Drew Harwell reported this week. The data includes contacts, call logs, messages and photos from phones, tablets and computers, according to CBP. It could also contain social media posts, medical and financial information, or internet browsing history, according to a report from the New York think tank Brennan Center for Justice.

Customs officials have copied Americans' phone data at massive scale.  It's unclear to what extent federal agents can use the copied data because there are few meaningful safeguards, said Saira Hussain, a staff attorney at the privacy rights nonprofit Electronic Frontier Foundation (EFF).  Hussain has argued in court that CBP's current data collection practices violate Americans' constitutional protections. Based on her interviews with search subjects, agents often profile people from Muslim or Muslim-adjacent communities, she said, but these searches impact people from "all walks of American life."

"You don't have to have committed a felony to want to keep some parts of your life private from meddling government agents," said Nathan Freed Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union. "That could be medical diagnoses, mental health struggles, romantic associations, information about our children, you name it."  A CBP spokesman said in a statement that the agency searches devices "in accordance with statutory and regulatory authorities" and that its guidelines make sure each search is "exercised judiciously, responsibly, and consistent with the public trust."

Unlike other law enforcement, border authorities don't need a warrant to search your device. They may conduct a basic search - in which they scroll through your device inspecting texts, photos or anything else they can easily access - even if they don't suspect you of wrongdoing. But if an agent suspects you pose a "national security concern," they can run an advanced search using a digital forensics tool to copy the data from your device.

How you prepare to cross the border with your devices depends on what risks you're willing to tolerate, said Nathan Freed Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union.  If you're more worried about agents rifling through your messages and photos in a basic search, removing files from your device would do the trick. If you're a political dissident, human rights activist, journalist or anyone else looking to avoid government surveillance or overreach, your focus will likely be preventing agents from accessing your device at all.

If you're an American citizen, you can refuse to unlock your devices for CBP agents and still enter the country. (This may not be clear from the information sheet agents are supposed to give you during the search, which says the process is "mandatory.")

If you decline to cooperate, CBP can hold onto your device. It says detention generally shouldn't last longer than five days, but Hussain said she's spoken with people who didn't get their devices back for months.  Noncitizens, meanwhile, aren't guaranteed entry if they decline to unlock their devices.

The fewer devices you travel with, the fewer opportunities for searches, Wessler said. Consider adopting a separate phone or laptop for traveling without sensitive data saved.  Power down devices before going through customs. This guards against advanced search tools that may bypass the screen lock on devices left powered on, according to EFF.  Encrypted data gets scrambled into a format unreadable to people who don't have the code - in this case, a password. iOS, Android, Windows and MacOS all come with built in full device encryption options.

Most contemporary smartphones are encrypted by default (make sure you lock your device). Here are general directions for Windows and MacOS.  The quickest methods to unlock your device - such as face ID or a weak passcode - are also the least secure. If you decline to unlock your device for a search, CBP may try to unlock it themselves, Wessler said. A strong password with both letters and numbers, or a passcode with at least six digits will make this harder.

CBP guidelines instruct agents to review only the data that's stored on your device itself - not all the information apps like Facebook and Gmail send to the cloud. If you consent to a search, flipping your device into airplane mode will limit the inspection to what's saved or cached.  You may choose to move your data to a cloud storage provider- such as iCloud, Google or Microsoft OneDrive - and then wipe or factory reset your device. This would protect your data from a basic visual search. But be aware: Most methods of file deletion leave behind traces a forensic search would uncover. Furthermore, walking through customs with a blank device could arouse suspicion and make you more likely to become a target, Hussain said.

Different states have different laws governing what CBP can inspect at U.S. entry points. In Arizona, for example, CBP can only search devices without a warrant if they're looking for specific digital contraband. If you want to protect your privacy, it might be worth flying into a state with more stringent boundaries for CBP.


No comments: