Follow-up: Restoring and backing up your devices every time you cross a border

Three weeks ago, with news that US Customs and Border Patrol was coercing travelers into decrypting their private files upon entry into the United States, I floated a strategy to avoid such an invasion. With a flight into the United States just days away, I announced my intention to wipe my devices before entering the United States. Because I needed to stay connected at the airport, I also created a travel-only gmail account which, if searched, would yield very little.

U.S. Customs and Border Protection. Photo by James Tourtellotte.

Since then, I’ve done exactly what I proposed. Before a flight from Chile to Denver (via Mexico City), I wiped and reset my laptop, chromebook, USB sticks, and phone. With two-factor authentication disabled, I was able to recover most of my digital life using only what I’d committed to memory. I carried almost no information across the border.

I intend to never cross an international border with any kind of personal data again.

Despite the predictions of some readers, goons in black suits did not read my article and single me out for any kind of harassment. I scanned my Global Entry-enrolled passport and waltzed out of the airport without so much as a second glance from CBP.

Here’s what I’ve learned since my last article.

  • The United States is not the only country up to these shenanigans. Canada (yes, Canada!) is doing the same shit. At this point, I consider any international border a privacy danger zone. Until governments change policy, I intend to never cross an international border with any kind of personal data again. If nothing else, I’m going to get really good at my backup and restore procedure.
  • I need my phone first and immediately. The computer can wait. When I left US Customs at Denver International Airport, I immediately needed to communicate with my ride from the airport. Unfortunately, because my password manager (1Password) syncs from the desktop, I wasn’t able to restore much of my phone’s data until I first restored my computer. 1Password for Android would not restore a desktop-saved password database. That’s a giant problem I need to immediately solve, and it may mean changing password managers.
  • During travel, I lost messages sent to me over Signal. After wiping my phone, I had forever lost my phone’s Signal encryption keys. This is, of course, by design. WhatsApp messages did go through, with some senders receiving a warning about the change in my encryption key. Though mostly unavoidable, this is a mechanic of encryption and should be planned for nonetheless.
  • Doing a full restore of 200GB+ takes forever. Just after checking in, I connected my laptop to hotel wifi and watched the restore estimate go into the “days” category. I realized immediately that having one big download was not the solution. I need a way to hit the ground running.

Having said all that, my recovery system did work as intended. Over time, I’m expecting backup and recovery to become second nature. In that vein, here is my checklist for all international border crossings:

  1. Create (if necessary) a travel gmail account and forward my itinerary to it.
  2. Create a phone-recoverable password manager restore file. Confirm it works and store it in the cloud — encrypted, of course.
  3. Create a “hit the ground running” backup folder. I’ll recover this first and it must have everything I need to be productive, including my GPG/SSH keys for servers and git repositories.
  4. Create an “everything else” backup. This means photos, mp3’s, and other files I have hanging around.
  5. Wipe all USB drives, memory cards, and other removable media.
  6. Disable two-factor authentication on the storage provider with my password manager archive.
  7. Wipe the cell phone. Then, try restoring the cell phone and its password manager to make sure they work.
  8. Wipe the cell phone again, along with the laptop, chromebook, and anything else that stores data.
  9. Log phone into travel gmail account.

It’s likely that my “everything else” backup will never fully be recovered when I’m frequently traveling. That is unfortunate and I resent being subjected to this.

It’s worth pointing out that if I, as a relatively computer literate software developer and product manager, can circumvent CBP’s searches, so can anyone genuinely wishing to do the United States harm. That may be the real irony of the digital privacy debate: invasive digital searches will functionally only harm innocent travelers who aren’t savvy or well-informed enough to take countermeasures.

My advice is to take your privacy seriously, because the threat is more than just abstract. As it stands now, CBP in the United States, along with customs agents in other countries, considers a 10-year-old conversation you’ve had with your therapist every bit as relevant to border security as a firearm in your duffle bag. As ludicrous as such a claim is, be prepared for it and follow the CBP’s own advice: don’t cross the border with anything you don’t want searched.