Crossing the border part 2

In response to my last post, I received an email with a question. Without disclosing any personal information, the question was essentially this:

What do I do if Customs and Border Protection (CBP) asks me for my social media handles?

My answer: evaluate the consequences of refusing to comply, and evaluate the consequences of compliance.

Failure to comply

If you refuse to provide the information requested of you at the border, you might be subject to additional search and scrutiny or you might be turned away and denied entry (either for that trip only, or permanently). You, and anyone you’re travelling with, may be subject to a long detention at the border and to further interaction with CBP, DHS, and other law enforcement and intelligence bodies. Essentially, by refusing to comply with a CBP instruction you are volunteering to be added to a list of people who may present problems when confronted by authority; any interaction with authority from then on may be coloured by this.

Compliance

If you provide your social media handles (e.g. Twitter username, Facebook URL, etc.) to CBP, your minimum expectation should be that information visible to the public will be reviewed by CBP and the Department of Homeland Security (DHS). Based on what we know about the National Security Agency (NSA)’s access to nominally private data, it’s very likely that if a cursory review pulls up anything determined to be of interest, private data will also be reviewed. It’s important to note here that privacy controls available to the average user are likely not sufficient to prevent this; setting your Twitter to private isn’t going to prevent a dedicated intelligence analyst from finding out who you’ve been RTing.

A new(ish) wrinkle

Though it’s not the first time it’s been suggested, DHS is considering requiring some travelers to provide their social media passwords. This would give CBP (at least temporarily) the ability to impersonate travelers online and to view their complete and unfiltered profiles, friend and follower lists, contact information, etc. Further, given the average user’s tendency to use identical passwords for multiple services it is entirely possible that CBP would be able to access many more services than the ones to which they explicitly request access.

This new power hasn’t been officially implemented yet, nor has it been tested in court, but it’s something to bear in mind – especially if you’re travelling from one of the countries that were subject to the initial travel ban proposed by Trump, or travelling with (or as) someone who has a passport, citizenship, or a visa from one of those countries.

Protecting yourself

There are a number of ways in which you could provide plausible deniability of your ownership of or ability to access a given account. For example, before you travel you could change the email address associated with an account to that of a trusted friend, and have them change the password to something you don’t know. The drawbacks to this approach are pretty easily identifiable, though:

  • You don’t have access to your account until your friend releases it to you
  • This is willfully obtuse and CBP will likely treat you as someone who is refusing to comply with their instructions

If you are planning to comply with CBP requests, you should make sure that you have two-factor/multi-factor authentication enabled so that your active participation is required during the login attempt by CBP (and so that you can easily revoke their device’s access afterwards, and receive updates if they try to regain access later). If you’re looking for help getting two-factor authentication set up, you should look at twofactorauth.org – it lists a wide variety of services that support two-factor authentication and links to the services’ help files on getting set up.

You should also make sure that you’re using a complex, unique password for every service. This can be challenging to maintain, but programs like KeePass and services like LastPass can help you generate unique passwords that you don’t have to remember; LastPass can also help you identify places where you’ve reused passwords and get them changed to something different.

Final thoughts

Maintaining your personal privacy and security while crossing into the US isn’t going to get any easier, so now is the time to start taking it seriously. Have tips or questions? Comment below, or contact me!
