After two years of preparation, the Trump administration is rolling out plans to require most U.S. visitors, including applicants for tourist and business visas, to disclose their social-media account identifiers when entering the country. The new policy is a natural extension to the broad leeway Customs and Border Patrol agents already have to ask travelers for access to their devices, the administration argues.
The Visa Waiver Program has been asking participants to voluntarily provide social-media account handles since 2016; providing them is now compulsory for the approximately 15 million travelers applying for visas. Only diplomats are exempted. The policy change follows a 2017 executive order by President Trump that calls for visitors from seven majority-Muslim countries to provide their social-media account usernames and, if requested, log in to the accounts. It also follows the March 2018 release of Department of State policy guidelines.
Increasing rates of CBP device searches aren’t new. In the two years before Trump even took office, device searches at the U.S. border tripled, Rachel Levinson-Waldman, senior counsel to the Liberty and National Security Program at the Brennan Center for Justice, noted in a column for The Hill.
READ MORE ON TRAVEL AND SECURITY
Suspect a hidden camera in your Airbnb or hotel? Here’s how to tell
How to protect your data when traveling internationally
How to securely send your personal information
New Zealand defends its border device search policy (Q&A)
Your next flight itinerary could be easily hacked
How to protect yourself when using airplane Wi-Fi
According to the CBP, these searches still affect only a tiny percentage of U.S. visitors: After tripling, they impacted less than 0.007 percent of all people arriving internationally in 2017. Still, CBP agents searched the devices of more than 30,000 travelers that year, and Caroline DeCell, staff attorney at the Knight First Amendment Institute at Columbia University, says that until the courts rule on the several legal challenges mounted against device searches at the border, she expects the number to continue to rise.
“Border searches have been problematic for a long time, since 2009, when [officers] were first authorized to search devices at the border,” DeCell says. “Travelers, non-U.S. citizens but U.S. citizens as well, are in a somewhat-precarious position.”
The Department of Homeland Security, which oversees CBP and Immigration and Customs Enforcement, lumps together device search numbers with social media-only searches. One tally estimates that 20 percent of those whose devices are searched at the border are U.S. citizens, Levinson-Waldman wrote.
In one recent high-profile case, CBP officers insisted on searching the employer-owned devices of Apple employee and former Mozilla Chief Technology Officer Andreas Gal, an American citizen. He declined, and was eventually let go, though his Global Entry card for fast-track travel was confiscated.
The rights of travelers entering the United States and other countries have been hotly debated in the decade since phones became powerful repositories of our daily lives, carrying not only proprietary employer documents but also personal emails, text messages, photos, and videos.
Open questions include under what circumstances a CBP officer or ICE agent may demand to search the contents of a phone, hard drive, smartwatch, or laptop. CBP regulations require CBP agents to put devices that can communicate wirelessly in the nontransmitting Airplane Mode to limit searches to data stored on the device. ICE, however, has no such restrictions, DeCell says, and the rules vary from country to country.
One legal case filed by rights advocacy groups American Civil Liberties Union and Electronic Frontier Foundation could help narrow federal agents’ device search parameters. The lawsuit they filed on behalf of 10 U.S. citizens and one legal permanent resident, arguing that government searches of their devices were unlawful, has been allowed to proceed, despite a DHS attempt to have the case dismissed.
“Generically, we say, minimize the data on your device, and strongly encrypt the data still on your device.”—Sophia Cope, senior staff attorney, Electronic Frontier Foundation
In an April blog post describing DHS actions as using “the pretext of the ‘border’” to make an end run around the Constitution,” the ACLU described the agency as “asserting near-unfettered authority to search and seize travelers’ devices at the border, for purposes far afield from the enforcement of immigration and customs laws.”
These purposes include “enforcing bankruptcy, environmental, and consumer protection laws”; advancing ongoing investigations; searching devices based on the requests of other government agencies; searching devices to investigate their family, friends, colleagues, or associates; and sharing that information with “state, local, and foreign law enforcement agencies.” Based on their findings, the ACLU and EFF are asking the judge to rule against the federal government.
For now, there isn’t a one-size-fits-all way to prepare for or respond to social-media search demands—or device searches—at the border, says Sophia Cope, senior staff attorney at the EFF.
The EFF has created a guide to help travelers identify their “threat model”—who might want access to their device, how they could get access, and what to do about it.
“Generically, we say, minimize the data on your device, and strongly encrypt the data still on your device,” she says. What that can mean is carrying a device that doesn’t have any of your most personal documents, files, photos, or other data on it. Then, if you submit to a search, “you’ll be in a situation where you’ll appear to be compliant,” Cope says.
Modern iOS and Android devices encrypt the data stored on them, making it harder for snoops to access it remotely. But with direct access to an unlocked device, encrypted data would be visible, and using digital forensics tools and methods, a government agent could access the data long after returning the device, DeCell says.
One way to minimize the data on your device is to uninstall, or delete, social-media apps before crossing the border, then reinstall them later.
“I recommend taking precautions before you travel rather than objecting to the search,” she says. “It’s better to travel with a device that doesn’t have very much information stored on it. In an ideal world, that device doesn’t have any apps logged into it. Short of that, log out of your account before crossing the border.”
Update, June 17 at 11:42 a.m. PST: Clarified a Carrie DeCell statement.