International travelers may know U.S. Customs and Border Protection (CBP) can scroll through your phone in a "random search." But new details paint a picture of broad and messy data collection that puts your privacy at risk.
Data
copied from devices at entry points into the United States - including
airports and border crossings - gets saved for 15 years in a database
searchable by thousands of CBP employees without a warrant, The
Washington Post's Drew Harwell reported this week. The data includes contacts, call logs, messages and photos
from phones, tablets and computers, according to CBP. It could also
contain social media posts, medical and financial information, or
internet browsing history, according to a report from the New York think tank Brennan Center for Justice.
Customs officials have copied Americans' phone data at massive scale. It's
unclear to what extent federal agents can use the copied data because
there are few meaningful safeguards, said Saira Hussain, a staff
attorney at the privacy rights nonprofit Electronic Frontier Foundation (EFF). Hussain has argued in court that CBP's current data collection practices violate Americans'
constitutional protections. Based on her interviews with search
subjects, agents often profile people from Muslim or Muslim-adjacent
communities, she said, but these searches impact people from "all walks
of American life."
"You
don't have to have committed a felony to want to keep some parts of
your life private from meddling government agents," said Nathan Freed
Wessler, deputy project director of the Speech, Privacy, and Technology
Project at the American Civil Liberties Union. "That could be medical
diagnoses, mental health struggles, romantic associations, information
about our children, you name it." A
CBP spokesman said in a statement that the agency searches devices "in
accordance with statutory and regulatory authorities" and that its
guidelines make sure each search is "exercised judiciously, responsibly,
and consistent with the public trust."
Unlike
other law enforcement, border authorities don't need a warrant to
search your device. They may conduct a basic search - in which they
scroll through your device inspecting texts, photos or anything else
they can easily access - even if they don't suspect you of wrongdoing.
But if an agent suspects you pose a "national security concern," they
can run an advanced search using a digital forensics tool to copy the
data from your device.
How
you prepare to cross the border with your devices depends on what risks
you're willing to tolerate, said Nathan Freed Wessler, deputy project
director of the Speech, Privacy, and Technology Project at the American
Civil Liberties Union. If
you're more worried about agents rifling through your messages and
photos in a basic search, removing files from your device would do the
trick. If you're a political dissident, human rights activist,
journalist or anyone else looking to avoid government surveillance or
overreach, your focus will likely be preventing agents from accessing
your device at all.
If
you're an American citizen, you can refuse to unlock your devices for
CBP agents and still enter the country. (This may not be clear from the
information sheet agents are supposed to give you during the search,
which says the process is "mandatory.")
If you decline to cooperate, CBP can hold onto your device. It says
detention generally shouldn't last longer than five days, but Hussain
said she's spoken with people who didn't get their devices back for
months. Noncitizens, meanwhile, aren't guaranteed entry if they decline to unlock their devices.
The fewer devices you travel with, the fewer opportunities for searches, Wessler said. Consider adopting a separate phone or laptop for traveling without sensitive data saved. Power
down devices before going through customs. This guards against advanced
search tools that may bypass the screen lock on devices left powered
on, according to EFF. Encrypted
data gets scrambled into a format unreadable to people who don't have
the code - in this case, a password. iOS, Android, Windows and MacOS all
come with built in full device encryption options.
Most
contemporary smartphones are encrypted by default (make sure you lock
your device). Here are general directions for Windows and MacOS. The
quickest methods to unlock your device - such as face ID or a weak
passcode - are also the least secure. If you decline to unlock your
device for a search, CBP may try to unlock it themselves, Wessler said. A
strong password with both letters and numbers, or a passcode with at
least six digits will make this harder.
CBP
guidelines instruct agents to review only the data that's stored on
your device itself - not all the information apps like Facebook and
Gmail send to the cloud. If you consent to a search, flipping your
device into airplane mode will limit the inspection to what's saved or
cached. You may choose to move your data to a cloud storage provider- such as iCloud, Google or Microsoft OneDrive - and then wipe or
factory reset your device. This would protect your data from a basic
visual search. But be aware: Most methods of file deletion leave behind
traces a forensic search would uncover. Furthermore, walking through
customs with a blank device could arouse suspicion and make you more
likely to become a target, Hussain said.
Different
states have different laws governing what CBP can inspect at U.S. entry
points. In Arizona, for example, CBP can only search devices without a
warrant if they're looking for specific digital contraband. If you want
to protect your privacy, it might be worth flying into a state with more
stringent boundaries for CBP.
No comments:
Post a Comment