On January 27, President Donald Trump signed an executive order that immediately changed US immigration and travel policies as they related to seven majority-Muslim countries. The change sparked protests that touched the technology industry, so much so that over 100 companies eventually co-signed a document objecting to the order.
A revised version of the order, intended to be on firmer legal standing than the first, was signed on March 6 and was scheduled to go into effect on March 16, but it too was halted by the courts.
Amid stories of visa holders, green card carriers, and even United States citizens being detained at the US border were also reports that some people's phones were searched by Customs and Border Protection (CBP) agents. In some cases, it seems that the CBP compelled individuals to unlock their phones as part of a search.
Take a moment to consider your smartphone. In it are all your text messages and photos. Your contacts list and call log show who you've been communicating with—a critical piece of information in counter-terrorism investigations.
Consider also, all the apps on your phone that don't require additional authentication. Once your phone is open, anyone could browse the entirety of your Facebook profile, read all your messages on encrypted messaging services like WhatsApp or Signal. Having immediate, physical access to a device—even a locked one—is a major security risk.
Nathan Wessler, a staff attorney with the ACLU speech privacy and technology project, said CBP agents have two tactics when performing searches of digital devices. (Note that the author is an ACLU donor.)
"In some circumstances, they'll do a cursory search and stand there and thumb through or click through the device to see whether they might look through emails, and pictures and contacts, just looking for anything suspicious," he said. "Then there are the real forensic searches, where they are downloading the contents of the device onto their own computer system and running forensic search algorithms across it, which can reveal all the data, including deleted files that haven't yet been overwritten and metadata that the owner didn't even know was there."
Given what's at stake, travelers may not wish to simply hand over their devices to law enforcement agents to be searched. But Wessler told me that case law for this particular issue is undeveloped and unclear.
"CBP claims the authority to search anyone's electronic device at the border anytime they want to, for any reason or no reason at all, and a person does not have any real, practical options to prevent a border agent from seizing your phone," he said.
There's no way, he explained, to prevent a CBP agent from taking your bag off a conveyor belt in the airport. The agency has a clear right to search luggage and travelers, after all. That's just how law enforcement works. "Similarly, there's no good way to prevent them from taking your phone out of your bag or out of your hand," according to Wessler.
US Citizens at the Border
Of course, having the device in hand does not mean that it can be easily searched, which is presumably why CBP agents are compelling individuals to unlock those devices. Wessler said that for US citizens, who cannot be denied re-entry to the United States, refusing to unlock their phones has fewer risks. But there will almost certainly be consequences.
"We do not think [citizens] can be legally compelled to turn over their passwords, but every person has to make their own practical decision," said Wessler. "It's possible that border agents will seize your cell phone and you will not get it back for weeks or months while they send it to another facility for an examiner to try and break into it.
"We have heard from people who have tried to refuse to turn over their passwords, and CBP agents gave them what was presented as a choice—although it's quite coercive: Either you give us the password or you're not going to see your phone for a month while we try to get access to this data ourselves."
I pressed Wessler on this point about whether CBP or other agencies within intelligence or law enforcement were actually working to break into citizen's phones. "We have no information about how often or if they are ever successful in cracking the passwords. But when they're seizing a phone, that's quite clearly what they are intending to do," he said. I reached out to CBP for comment, but did not hear back in time for publishing.
Green Card and Visa Carriers, Everyone Else
Being a citizen at the US border means that CBP and other law enforcement cannot simply send you back to the country you came from. You may, at worst, end up in CBP or police custody, but even then you remain on United States soil and within the purview of the US legal system.
That is not the case for non-citizens, who could simply be refused entry to the US and put back on a plane. This creates an enormous incentive for non-citizens to cooperate fully with CBP and other border agents.
"Green card holders have a much stronger right to re-enter the country after a short trip abroad, while visa holders may be more vulnerable," said Wessler. "Folks in that situation should consider talking to an immigration attorney before their trip, so they have a good handle on what their risks are."
Biometric or Passwords?
Apple and other smartphone makers now include a biometric option for unlocking phones. This was mostly done as a means for faster authentication but also to encourage people to lock their phones. Smartphone users had resisted locking their devices with a passcode for years, but the fast and simple action of using biometric authenticators is very tempting.
That said, there are numerous arguments against using biometrics alone as a means of authentication. Researchers have shown that Apple's Touch ID can be fooled with dummy thumbs. And security experts have criticized overreliance on biometrics, because the unique physical characteristics of our bodies cannot be changed the way we change passwords. If biometric data is compromised, it's unfixable.
Biometrics may also be a legal liability at the border. Wessler said there currently is no case law about law enforcement demanding biometric information at border crossings. But more established precedent exists for compelling individuals to be fingerprinted in domestic policing contexts than for just handing over passwords. That could mean that CBP and law enforcement might be on firmer legal footing in trying to compel travelers to unlock devices biometrically than in forcing them to hand over passwords. Unfortunately, Wessler explained that it's not clear how this would translate to the context of a border crossing.
With that in mind, Wessler recommends switching off biometric protection at the border and instead relying solely on a passcode. You can, of course, always reactivate your phone's biometric capabilities once you have cleared customs control.
The Risk of Refusal
Legal issues aside, there is also the problem of whether phones and other digital devices are secure enough to stand up to focused scrutiny. Generally, the rule is that if an attacker—or investigator—can physically access the device, it will eventually be cracked.
In the case of smartphones, many of the risks depend on what kind of phone you own. "Some phones are very secure right out of the box because they have preset security features. The owner doesn't have to do anything to get robust security. Other phones require the owner to set the security standards," said Leo Taddeo, Chief Security Officer for Cryptozone and former Special Agent in charge of Cyber and Special Ops for the FBI.
We know from the recent dump of CIA documents from WikiLeaks that US intelligence agencies are actively working to gain access to consumer smartphones. The vulnerabilities outlined in these documents that affect Android phones appear to be quite old, though, and Apple says that its issues have already been addressed.
"No matter what the settings, if your phone (or tablet or laptop) is open and running when the authorities seize it, they will have just about complete access to anything on it," said Taddeo. This has been an issue in other cases as well. When law enforcement moved to arrest Silk Road mastermind Ross Ulbricht, they were certain to secure his laptop before he could shut it down. Retrieving the information from a password-locked computer would be much more difficult than simply preventing it from locking in the first place.
After hearing Wessler's warnings about government agents impounding cell phones and other devices with the intention of cracking their protection and harvesting user data, I asked Taddeo what (if any) capabilities law enforcement has at its disposal.
"As we have seen in recent cases, such as the 2015 terrorist attack in San Bernardino, law enforcement agencies like the FBI have access to very sophisticated techniques to gain access, examine, and extract evidence from seized phones," he said.
In that case, the FBI claimed it was unable to access data on a locked device without assistance from Apple. In the end, the FBI said it was able to access the information with the help of an outside contractor.
A major factor as to whether law enforcement will be able to access data on your phone has less to do with technology and more to do with money: Taddeo explained that not every agency or police precinct has a budget large enough for sophisticated data forensics. The FBI and New York Police Department are examples of organizations that have access to the expertise and technology to potentially bypass security measures and retrieve information from locked devices.
"Many smaller departments, however, know where to find the required expertise when the importance of the evidence demands it," he said. "In the end, if the case is serious enough, a state police forensics unit or a federal agency will be called in."
Privacy by Omission
Given all that, Wesler suggests the best way to secure your information when traveling to the US is simply to bring as little as possible. "The first thing people need to think about is whether or not they need to travel with all of their devices when they're taking an international trip."
Related
- The Best VPN Services of 2017The Best VPN Services of 2017
Alternatively, you could wipe your phone before entering customs, or keep a separate phone just for travel. These might be good options, as cloud-based services like Google Drive and Google Photos can be reconnected and disconnected from devices as necessary. Note, however, that very advanced digital forensics might be able to retrieve information that has been deleted from devices but not yet overwritten.
Taddeo suggested using additional security measures on top of those available on your phone or computer. "This could include a second layer of encryption and requiring separate multi-factor authentication for files and applications you must keep safe," he said.
While people can disagree about the Trump administration's policies, it's undeniable that the atmosphere at the US border has changed. The new reality is a strange one for anyone that has thought of this country as a bastion for personal privacy. "We unfortunately are getting to a place where people are having to make some of the same choices that travelers to China and Russia have had to make for some years now," Wessler said.