How to Protect Your Digital Data at the Border

In 2018, U.S. Customs and Border Protection (CBP) agents conducted over 33,000 border searches of electronic devices, a six-fold increase from 2012. Because of the amount and types of information devices like smartphones and laptops contain – including private conversations, family photos, medical documents, and banking information – a search of these devices is a search of the most intimate aspects of our lives. Professionals such as doctors, journalists, and lawyers have a heightened need to keep electronic information confidential to protect the privacy of their patients, sources, and clients.

Laws Governing Border Searches of Electronic Devices

The Fourth Amendment protects an individual’s property or person against unreasonable searches and seizures by the government. Generally, this means the government must obtain a warrant from a judge based on probable cause that the thing to be searched or seized contains evidence of illegal activity.

However, in the case of “routine” border searches, courts have recognized a heightened governmental interest in border security that outweighs an individual’s right to privacy and thus ruled that the government may conduct such searches without a warrant or suspicion. This is known as the border search exception.

Border searches are permitted to enforce immigration and customs laws, specifically to determine that travelers are authorized to enter the United States and to prevent contraband like drugs and obscene materials from entering the country. This means that border agents can search your luggage or car at the border without a warrant or suspicion.

However, courts have held that “non-routine” border searches – for example, searches that are highly intrusive and impact the dignity and privacy interests of travelers, or are carried out in a particularly offensive manner – require at least reasonable suspicion that the search will reveal an immigration or customs violation. “Non-routine” border searches include body cavity searches and searches that result in the permanent destruction of property.

Courts are still figuring out if and how the border search exception applies to digital data. In 2017, EFF and the ACLU filed a federal lawsuit, Alasaad v. McAleenan, challenging the government’s warrantless, suspicionless searches of electronic devices at the border. In July, we asked a judge to decide the case without a trial. For more information on the current state of the law related to border searches of electronic devices and why we argue for a warrant, read our whitepaper published by the American Constitution Society.

How Do Border Agents Conduct Searches of Digital Data?

CBP and U.S. Immigration and Customs Enforcement (ICE) mainly conduct electronic device searches at the border in two ways:

The first is a manual (“basic”) search, where an agent searches your devices by tapping or clicking on icons or using search functions already within the device. The second is a forensic (“advanced”) search, where an agent uses external software to search or make a copy of your device’s contents. Although a forensic search may sometimes enable recovering deleted files, the information revealed through either search is largely the same.

Under CBP and ICE’s respective policies, a border agent may conduct a basic search without suspicion. Agents may conduct advanced searches when they have reasonable suspicion of a violation of the laws enforced by ICE or CBP. CBP agents may also conduct an advanced search if there’s a “national security concern.” 

According to CBP’s policy, border agents can only access information on the device itself, meaning not content in the cloud or your live social media feeds. Agents must put the device in airplane mode or otherwise disconnect it from the internet. ICE’s policy has no similar limitation. However, even if agents can’t access content in the cloud, they can often see cached content (a snippet of data from the last time your app refreshed.)

How to Protect Yourself and Your Data at the Border

While the law around border searches of electronic devices continues to develop, here are four things you can do to protect your digital data at the border.

  1. Understand your risk. Border searches are an area where one size does not fit all. You need to understand that factors about you, your data, and your devices are crucial to helping you determine your likelihood of being subject to secondary screening, how you should prepare before you arrive at the border, and how you should respond to an agent’s demand that you unlock your device.

Generally speaking, if you comply with an agent’s demand to unlock your device, an agent may scrutinize and store your data, but you may get through screening quicker. If you refuse, the government may confiscate your device for weeks or even months, but you may prevent agents from accessing your data.

One of the most important factors is your immigration status. If you refuse to unlock your device and you’re a U.S. citizen, an agent must allow you back into the United States, though your device may still be confiscated. If you’re a lawful permanent resident, you must also be allowed entry, but your green card status may be questioned. If you’re a foreign visitor, you may be denied entry altogether.

Other risk factors about you to consider are your:

  • Travel history (e.g., if you have visited countries associated with terrorism, drug trafficking, or sex trafficking, or have frequent and/or lengthy international travel, you may be more likely to be sent to secondary screening)
  •     Law enforcement history (e.g., if you have prior convictions, you may have had a “lookout” or flag placed on your travel profile making it more likely that you’ll be sent to secondary screening)
  •     Tolerance for hassle from border agents (e.g., if you have a low tolerance for confrontation or delay, you may consider complying with a request to unlock your device)
  •     Interest in advocating for your privacy (e.g., if you are eager to protect your privacy, you may consider not complying with a request to unlock your device)

Risk factors about your data and devices include:

  •     Sensitivity of the information (e.g., if you’re a doctor, journalist, or lawyer, you may consider limiting the sensitive data you carry on your device)
  •     Potential confiscation of the device (e.g., if you don’t have the resources to bear the financial cost of replacing your device, you may consider decreasing the likelihood your device will be confiscated)
  •     Lost access to data (e.g., if your device is confiscated and losing access to that data would be consequential, you may consider backing up your data before arriving at the border)
  •     Internet access at your destination (e.g., if you expect to have fast and reliable internet access while traveling, consider uploading your data to the cloud and downloading it at your destination so you have less data on your device when crossing the border)
  •     Ownership of your device (e.g., if it’s a work device, your employer may have specific rules)

Irrespective of how your specific risk factors may influence how you prepare to cross the border with your electronic device, the following is some general advice. 

  1. Minimize the data you carry. If you’re trying to prevent the government from prying into your personal information, one way to do that is by limiting the amount of data that you carry with you across the border. You can do this in the following ways:
  •     Use a temporary device rather than your everyday smartphone or laptop.
  •     Upload data to the cloud rather than carrying it on your device, as CBP policy prohibits officers from searching beyond the data resident on your device.
  •     Delete data from your device (though it is difficult to delete all data and an agent finding limited information on your device may further raise suspicions).
  •     Clear, log out, or delete cloud apps and browsers.
  1. Protect the data you carry. After minimizing data on your device, protect the information that you do carry across the border.
  •     Ensure that full-disk encryption is engaged on your device, rather than just a screen lock (most modern smartphones integrate encryption with the passcode).
  •     Use strong passwords, both for your device and your apps and websites.
  •     Disengage biometric-only locks that use technology such as face recognition or fingerprint identification to unlock your devices.
  •     Power down your device, which will resist a variety of high-tech attacks against the phone’s security.
  •     Back up the data on your device.
  1. Take precautions. Whether you provide border agents with access to your electronic devices or not, take the following precautions when crossing the border.
  •     Have a plan before you cross the border. You don’t want to be in a situation where you’re attempting to assert your rights while worrying about what happens if you miss your connecting flight.
  •     Stay calm and respectful.
  •     Do not lie to border agents or hide data on your device, which are violations of federal law.
  •     Do not physically interfere with border agents. Agents may inspect the physical aspects of your device (e.g., the battery compartment) to determine whether you’re bringing in any contraband.
  •     Record the names, badge numbers, and agencies of border agents if you’re concerned about a negative interaction.
  •     If a border agent decides to confiscate your device, demand a custody receipt (CBP Form 6051D) and contact information for a supervisor.  

For more information on how to protect your digital data at the border, read through our how-to guide, Digital Privacy at the U.S. Border. Read more about EFF’s border search work.

EFF is a close CREDO ally in the fight to protect privacy in the digital world, and we’re proud to have donated $366,760 to EFF since 2007 to help the organization defend civil liberties and protect user privacy through impact litigation, policy analysis, grassroots activism and technology development. To learn more about CREDO’s donation program, please visit www.CREDODonations.com