Wessler advises travelers to ensure their operating systems on both laptops and smartphones are updated before crossing the border. This precaution is important because Customs and Border Protection (CBP) may utilize tools like Cellebrite or GrayKey to exploit any unpatched vulnerabilities in those devices, allowing access without the user unlocking them. “If your operating system is outdated by six months, your device could be at risk,” Wessler notes. “The latest version might not have those vulnerabilities.”
Keep Your Passwords Confidential
This is the challenging aspect. According to Wessler from the ACLU, American citizens cannot be deported for refusing to disclose passwords to social media accounts or devices with encryption. Thus, if you choose not to share your passwords or PINs, you could face detention and have your devices confiscated—even possibly sent to a forensic lab—but you will eventually cross the border with your privacy largely preserved compared to if you divulge sensitive information. “They are permitted to seize your device, potentially for an extended period while they endeavor to access it,” warns Wessler. “But you will return home.” (Despite some alarming cases involving foreign permanent residents during the Trump administration, this protection extends to green card holders as well, Wessler clarifies.)
However, be prepared for the fact that refusing customs officials access may lead to long hours of uncertain detention in an uninviting, windowless CBP facility. Court decisions at certain U.S. airports and in various states have imposed limitations and restrictions on CBP’s ability to access electronic devices, but there is no guarantee that these limits will be adhered to in reality when border agents have custody of your computer or phone without oversight.
Generally, CBP describes two categories of device searches: basic searches, where an officer manually reviews a device’s content, and advanced searches, where a device is connected to external devices and its contents can be examined, copied, or analyzed. An advanced search necessitates a “reasonable suspicion” of criminal activity, according to CBP. The agency’s official guidelines carefully avoid explicitly stating that individuals must provide passwords, instead suggesting that devices should be offered “in a condition that allows for examination.”
“If an electronic device cannot be inspected due to passcodes, encryption, or other security measures, that device may be subject to exclusion, detention, or other appropriate actions or decisions,” the agency states online.
For non-U.S. citizens entering the U.S. on a visa or from a visa waiver country, Wessler warns that the situation is significantly more complicated: If you refuse to surrender a passcode or PIN, you might be denied entry. “Individuals must weigh what matters most to them: gaining entry but sacrificing privacy, or safeguarding privacy at the risk of being turned away at the border,” he explains.
Limit the Data You Bring Along
For the most vulnerable travelers, the solution is clear: The best way to keep customs authorities away from your sensitive information is simply to avoid traveling with it. Instead, as Lackey suggests, set up travel devices that minimize the amount of sensitive data stored on them. Avoid linking these “clean” devices to your personal accounts, and if you must create a linked account—like an Apple ID for iOS—use entirely new usernames and passwords. “If you must provide access and cannot refuse, you should ensure you can do so without exposing any sensitive information,” advises Lackey.
(Social media accounts are more challenging to discard. Some security experts recommend creating secondary personas to present to customs officials while keeping your more sensitive accounts private. However, if CBP agents connect your identity to an account you tried to conceal, it could result in extended detention and, for non-citizens, even denial of entry.)
