US border controls, electronic devices and privacy: what to think about

Since the new US president’s executive order, designed to improve screening and vetting procedures in the name of reducing illegal immigration and terrorist threats, privacy groups like the American Civil Liberties Union and Electronic Frontier Foundation (or the EFF) have voiced concerns about an increase in the number of invasive digital practices during border inspections.

In other words, privacy groups are saying that travellers are being asked to surrender their devices and passcodes more often.

The privacy groups maintain that the Fourth Amendment requires a warrant based on probable cause for border searches of cell phones, laptops and other mobile devices that contain gigabytes of highly personal information.

And the Democratic Senator for Oregon, Senator Wyden, agrees. He announced last month that he plans to introduce new legislation requiring law enforcement agencies to obtain a warrant prior to instigating data dives on digital devices.

So we wanted to find out whether this was a big problem and to provide advice to our readers.

Last month, the New York Times reported that about 5000 electronic devices were inspected in 2015. This number represents a teeny tiny percentage of the 383 million US arrivals.

But the number of device inspections rose sharply in 2016. 23,000 searches were conducted. While still a teeny tiny percentage of all US arrivals, it is still a rather sharp 3.6x increase year on year.

So is it surprising that a growing number of travellers entering the US – be they citizens or not – are looking for ways to control this type of “data leak” at border crossings?

A quick online search revealed a number of articles providing advice on what to do. Some of it may carry consequences that these sites are not being open and honest about.

Consider the following examples:

  • Carry no devices.
  • Carry wiped devices.
  • Refuse to comply.
  • Claim not to have the master password to your 2FA device with you.

In all these cases, the goal is clearly to deny the Customs and Border Patrol officer access to your data, but very few are talking about the consequences associated with data blocking.

I personally agree that it is a good thing to encourage people to exercise their rights to privacy, but these sites are sending folks into a border control situation without clearly highlighting that the consequences of these actions can include detention, device and asset confiscation, and being added to a persons of interest list, let alone how it might affect future international travel plans.

Now think about it. Does it constitute a data breach if an employee relinquishes his device and passcode if the device has Personally Identifiable Information of more than 500 or 1000 individuals? Must this too be reported to State Attorneys of the affected “breach” of confidentiality? Organizations wanting specific advice on how to handle this should speak to experts on compliance and privacy, such as https://tbgsecurity.com.

Perhaps we can realign our thinking here, and consider the executive order, which is backed by immigration and terrorism mitigation techniques. Coming prepared to dispel any concerns the officers might have seems a smart approach to me:

  • Be prepared to answer two questions: what’s the purpose of your visit and how long is the visit?
  • Have proof that you are not planning to stay in the US indefinitely.
  • Have a clear schedule of where you will be and what you will be doing during your stay.
  • Review what is on your devices and delete any data or accounts that you don’t want anymore.
  • Encrypt all sensitive data, but note that you might get asked by the officers to decrypt it.
  • Bring what you need for the trip, no more.

And as we mentioned, organizations would be wise to think about how they store data, and review access rights. Now more than ever, tighter controls on data access are key.

It is worth checking this article by the Grugq, which offers a sensible approach to thinking about how to control the information flow at a border crossing.

And if you are into podcasts, check out Episode 11 of Smashing Security: 011: WikiLeaks and the CIA.

If you feel that you have been a victim of unwarranted digital invasion of privacy, the EFF would love to hear your story. Get in touch at borders@eff.org.

