The number of mobile phones being intercepted and inspected at the US border – so-called “digital strip searches” is on the rise. According to data from the Department of Homeland Security (DHS), searches of mobile phones by border agents grew from fewer than 5,000 in 2015 to 25,000 in 2016. A CBP spokesman told The New York Times that agents inspected around 5,000 phones and electronic devices in 2015, but DHS data reviewed by NBC News found that agents analyzed almost 25,000 phones last year, a 460% increase that represents a worrying trend.
It seems nobody’s data is safe from this intrusion; Green card and visa holders, and Canadians have been stopped. US-born NASA engineer Sidd Bikkannavar was pulled into additional screening when he entered the US and made to hand over not only his phone, but the passcode, even though he made it clear to officials that the device contained sensitive work-related data and actually belonged to NASA.
This might seem shocking, but the fact is that border agents don’t need a warrant or even a good reason to conduct such invasive searches. Not only can they go through your text messages, social media accounts and photos, but they also have powers to confiscate devices for a further forensic examination.
If they do retain your device for further investigation, they only need to establish “reasonable suspicion” — a looser criteria than probable cause which does not require court approval – to use a variety of tools to attempt to unlock it and search through your data, making full copies of it and sharing it with other government agencies if they so wish.
Companies like Elcomsoft make “forensic software” that can suck down all your photos, contacts — even passwords for your email and social media accounts — in a matter of minutes. Such companies are getting huge investment from governments, so their software is likely to improve to the point where soon it will only take a few seconds to download all the data from your phone.
Apart from personal considerations, this brings up very real business concerns, as many people like Bikkannavar carry confidential work-related data on devices they routinely travel with. This has prompted recommendations that people seek advice from their employers before setting out, especially if their travels take them across the US border.
You can, of course, always exercise your right to remain silent— and this extends to not revealing your password or PIN when asked. However, refusing to collaborate fully can result in you being turned away altogether, depending on your immigration status. Also, although some courts have found that a person cannot be compelled by the government to disclose their password (as it violates their right against self-incrimination) this protection does not extend to devices which can be unlocked with fingerprints or other biometric indicators. Users should therefore disable those features on their phones and other devices beforehand.
So what else can be done to avoid this? According to security experts, we’d ideally just leave our phone and laptop at home. You can rent phones at most international airports that include data plans, or employers can arrange for loan devices to be made available after employees are in the country. You can’t, after all, hand over for inspection something that you don’t actually have.
But if the thought of being parted from your own devices fills you with a sense of dread and brings on withdrawal symptoms, the next best thing is to delete data from whatever device you do take. The same applies to social media accounts. Uninstalling apps such as Twitter and Facebook makes it much harder for agents to read private messages sent through those services. Do this by factory-resetting your phone before boarding an international flight. This process will also delete the keys necessary to unencrypt any residual data on the device. Since most of our data these days lives in the cloud, you can reinstall apps and get reconnected at the other end. A hassle, for sure, but less so than the alternative.
Always choose long, strong, unique passwords for each device and account and turn on full-disk encryption options and power down your device completely before going through customs, as that is when encryption is at its strongest. This is default on iOS, and available on Android at Settings > Security > Encrypt Device. For laptops, it’s available through FileVault on macOS and in Settings for many Windows 10 machines. If you do decide to give agents access, always unlock the device yourself rather than handing over the password, which could be used to decrypt the hard drive forensically to recover deleted files.
It’s a concerning situation from a data privacy perspective if we can be compelled to hand over the skeleton key for our digital lives in this way, but it’s something that’s unlikely to change anytime soon. In an era of mass surveillance where governments around the world are passing terrifying new anti-privacy laws the new Department of Homeland Security chief, John Kelly seems to be comfortable with the direction of travel. He recently told the House Committee on Homeland Security that he wanted officers to be able to deny entry to those who refuse to give up their passwords for inspection. It’s only a matter of time then, some argue, before downloading the contents of people’s phones becomes standard procedure for entering most countries. You’d have to routinely unlock your phone and hand it over to a customs agent while you’re getting your passport swiped, which already happens in Canada. It might feel strange, but so did putting all your liquids into a clear bag or taking your shoes off at security when those measures were first introduced.
This means that in one move, the years of work and huge amounts of resources ploughed into data encryption by companies like Google and Apple would be rendered null. What’s the good of encryption if you’re forced to hand over access? There’s a movement within government to make all data from all departments available to all staff at a local, state, and federal level. The more places your data ends up, the more vulnerable your data becomes. A security breach in a single police station in the middle of nowhere could result in your data ending up in the hands of hackers, and potentially used against you for the rest of your life.
As Science Fiction Writer and Tech Blogger Cory Doctorow once said, “We should treat personal electronic data with the same care and respect as weapons-grade plutonium – it is dangerous, long lasting and once it has leaked there’s no getting it back.”