Protecting Electronic Devices When Crossing U.S. Borders

By: Jacob Smith , CDT Intern

This is the first in a series of blog posts regarding Customs and Border Protection searches of digital devices.  

Border agents have broad authority to examine phones, laptops, and other digital devices of U.S. citizens and non-citizens entering and exiting the U.S. These searches can have serious consequences even if devices contain no illicit content. The government is currently seeking to revoke visas based on political statements and ideology, and travelers recently appear to have been denied entry based on political statements found on their devices. Risks to travelers continue after entry to the U.S. because Customs and Border Protection (CBP) can search, copy, and store for later examination the contents of electronic devices containing highly personal information or details about sensitive work activities.[1] The following information can help travelers mitigate privacy risks when crossing the U.S. border:

• Consider leaving your device behind. Some travelers cross the border using a temporary, travel-only device with minimal stored data rather than their primary device. In situations requiring maximum sensitivity, it may be possible to restore a device from a cloud backup (ideally using a service that provides full disk encryption) after crossing the border. Some travelers send their device ahead via mail or courier in a powered-off and encrypted state to reduce the likelihood of a search occurring. 
• Password-protect your electronic devices with strong passwords (12+ characters, not derived from common phrases or personal information, is a good rule of thumb) and deactivate any alternate unlock methods (FaceID, fingerprints, etc.). If you choose to comply with any request to unlock a device, unlock it yourself rather than providing your password or other means to unlock the device.
• Back up data before traveling. Storing the backup securely elsewhere enables a traveler to access important information if their device is seized.
• Remove sensitive data from a device before traveling. Storing necessary data in the cloud can ensure access to it after crossing the border, without risking its seizure.
• Remember that “deleted” files can be searched.  Trash bins, recycle folders, cached app data, and browser history can  be accessible to border agents unless these files are cleared manually. Turning a device off completely (not just putting it in sleep mode) activates full-disk encryption protection and makes it more difficult for a device to be searched without consent. Android users can enable encrypted storage in the advanced settings tab.
• Log out of cloud accounts (including email, messaging apps, photos, social media, etc), and disable cellular and wifi network access to help ensure that agents abide by CBP polices limiting searches to data physically present on the device and excluding content stored in the cloud.
• Know your rights and legal status. Foreign visitors who do not consent to a search of their device may be denied entry. U.S. citizens and lawful permanent residents cannot be denied entry for refusing to unlock devices, but their devices may be seized, and LPRs may be at risk of  additional scrutiny. 
• Keep emergency contact information (including for an attorney) on paper to make this information available if a device is seized. 
• If your device is seized, request a receipt (CBP Form 6051D) that describes your device and includes contact information for follow-up.
• Do not lie. Lying to a border agent or physically obstructing their investigation may constitute a criminal offense.
• After a search, be sure to change your passwords. Changing passwords used on devices that were searched or seized can help protect them. CBP may collect, record, and maintain a record of any passwords it obtains.

Bearing in mind this information can mitigate – but not eliminate – privacy risks that travelers face when crossing the border. 

[ PDF version ]

[1] In some jurisdictions reasonable suspicion is required for an “advanced” search, in which a device is electronically analyzed, and its contents are copied and stored. Current CBP policies do place some limits on when such searches can occur, but the law remains uncertain and CBP policies can change.