This post focuses on entering the US (from anywhere), and entering Canada (from the US), which is information of obvious relevance to Canadians traveling abroad. If you have links or information to share about travel to and from other countries, please comment below!
Though it’s not a new practice, many people aren’t aware of the extent of US Customs and Border Protection (CBP)’s authority to search electronic devices that travelers carry across the border. The ACLU received a response to a Freedom of Information Act request (August 2010) that indicated that even under the Obama administration, travelers’ electronic devices were routinely subjected to detailed scrutiny when crossing the border. The devices the government searched included laptops, cell phones, cameras, hard drives, flash drives, and even DVDs.
Many people traveling to the US are (perhaps justly) concerned that the level scrutiny applied to their devices will only be increased under the Trump administration. Several people close to me have asked me to attempt to provide ways to mitigate the risk that personal and private data may be compromised when making border crossings; this post is my first attempt to do so.
Option 1: don’t cross the border
This suggestion may seem both obvious and obtuse, but it’s worth serious consideration if you have concerns about your devices being searched and the technical difficulty of keeping your data private. You may find that it’s more secure to “meet” via video conference or telepresence and to transfer your files via a secure connection (e.g. a VPN).
Option 2: leave your devices at home
If you must cross the border, consider leaving your devices and data at home. There are several options for remotely accessing data, including encrypted, zero-knowledge cloud storage, backup services like CrashPlan, a wide variety of remote desktop services (like TeamViewer, LogMeIn, GoToMyPC, RealVNC, TightVNC (free and open source!), etc.) and the option of setting up an FTP server on your network. With these options, you can largely leave your devices and storage at home and simply obtain any required data from where it is stored when you arrive at your destination. Note that with closed-source remote access applications, you may not be able to fully evaluate the risks of accessing or transferring data via their services!
If you plan to take this approach, you should also plan to regularly test your access to your remote systems and computers – verify your password and the integrity of your data when transferred, and confirm that you have access to the data you expect to need – and you should plan to have access to a trusted computer at your destination so that your passwords and data aren’t retained without your consent. You should also check for software updates for your chosen software regularly, and watch for reports of any security vulnerabilities.
Option 3: wipe, travel, restore
If it’s critical that you have your devices with you, do your best to travel with them in a clean state. My approach:
- Arrange for access to a tusted Wi-Fi network at my destination
- Make a list of critical applications that will need to be reinstalled on my phone
- Check that any critical data on my phone and any other device I’m traveling with is backed up to either CrashPlan or to Sync (if I’m going to need it) or to a home computer (if I can do without it until I get back home)
- Ensure that two-factor authentication for all of my apps and services is set to a method I can access if I wipe my phone (e.g. SMS, or by sending a subset of backup codes to a secure third party)
- Wipe my phone and other devices, using secure erasure tools where possible
- Connect to the secure Wi-Fi network and reconfigure my devices
- Repeat the process for the trip home
Your devices should be in as close to factory condition as possible when you travel with them. Ideally, they will have no data on them that cannot be recovered without significant forensic effort, will not be protected with a password that you might be obliged to disclose, and will therefore be of minimal use to CBP agents.
This is the solution requiring the least technical knowledge and money – it boils down to factory-resetting your phone – but also the one that requires the most personal effort, as the process is time-consuming on both sides of the border and at both ends of the trip.
Final thoughts – be careful!
Remember that CBP is authorized to use force (here are their statistics, if you’re interested), and that under US law they generally do not need a warrant to search your devices, request your passwords, or to compel you to provide your fingerprint or other biometrics to unlock a device or for other reasons. Some of this has not been tested rigorously in court, but being the first person to undergo that particular examination could be extremely costly and time-consuming.
Also bear in mind that by taking steps to actively avoid search and seizure of your devices and data, you may make yourself more interesting (if less useful) to CBP. If you plan on crossing the border on a regular basis while actually maintaining the level of data security described in this post, remember that you may need to leave increasing amounts of time for border crossings and that you may be subjected to increased scrutiny on a more regular basis.
Finally, i you have any questions – about why I wrote this, about additional tools I use, or about anything else – or if you have information or tips to share, please comment below!