So you are traveling to the US, and you’re wondering about the potential search of your electronic devices by Customs and Border Patrol when you enter. You have reason to be concerned. CBP has been going through people’s devices with no declared probable cause, and the numbers have been going up, from 0.002% of all travelers crossing into the US in 2015, 0.005% in 2016 to 0.007% in 2017. In the past they have searched the devices of a lawyer for the ACLU and a scientist at NASA. The ACLU and EFF have sued the CBP in 2017 over this practice, but it’s unknown when the final verdict and clear new guidelines will emerge. It might still be a year or two. In the meantime, you have to go and you want to take precautions.
I had my laptop searched coming into the country in the past, so when I was visiting the US last year I decided to be prepared. For me, the reason is just because it’s none of the CBP’s business. It feels like a violation for a stranger to go through my personal messages to my wife and see my pictures of my children playing around the house.
I researched the topic but found very few detailed guides. For example, this thread on Twitter talks about using travel devices and completely new online accounts, which is not great for keeping in touch with friends and family or for conducting normal business. Other articles offer general advice to “scrub your devices,” which sounds simple but doesn’t address how to get back to your digital life once past the border. This EFF article is comprehensive but also general.
I decided I would enter the country with “clean” devices that were devoid of personal information. However, I was going for a 2-week period and while I was in the US I wanted to have access to my email, social media, pay my bills and access certain work files — pretty much be able to carry on as I would have if I weren’t taking these precautions.
The following steps for what I call a “clean pass”, as far as I can see, violate no laws. I cannot guarantee that they will let you get through unscathed or that CBP still won’t confiscate your devices. If you’re not a US citizen, I don’t know how far your rights extend and whether you would be required to divulge some of your cloud information, although in a 2017 response to questions by Senator Ron Wyden the CBP said it’s authority was restricted to content physical on the device. So proceed at your own discretion. Lastly, this guide should work while traveling to other countries as well.
Let’s start with the assumption that as a privacy-minded person you already take some measures to protect your online privacy and security. These may include:
- A firewall app for your laptop
- A VPN for your laptop and phone
- Browser settings configured for privacy, such as turning on “Do not track,” no auto-fill, no location access, etc.
- Ad and tracker blockers on your laptop browsers
- Ad blockers (many of them also block trackers) on your mobile phone
- E-mail app settings such as “Do not load remote images” and do not send read receipts
- Messaging apps set to not send read receipts
- You use different passphrases for every account and a password keeper
- 2-factor authentication for email and social media accounts
Assuming you come through with a clean pass, you will want to have these protections back in place after entering the country. Restoring these protections can be a major chore if you don’t prepare in advance. So, to be clear, the challenge isn’t traveling with scrubbed devices, but preparing in advance to then recover your digital life.
When preparing for a clean pass, you also have to decide whether you will use a second set of devices, at a minimum a laptop and a mobile, while you are traveling, or whether you will use your primary devices. In my case, I didn’t have a second laptop and so I took my primary, but I did take an older iPhone I had lying around instead of the one I regularly use. If you use a travel set you have to decide which apps to install, while using your primary means wiping your personal data off the device, a risky move in case your backup goes awry. For the most part the other prep-work is the same in either case.
Also remember that any messages you receive on your travel mobile may not be synced to your home mobile if the user identification is based on the mobile number. For example, Apple Messages uses an Apple ID, so all devices that are signed into the Apple ID have a copy of your messages. On the other hand, WhatsApp uses your mobile number, so you will not have your message history while traveling and your messages during your travels will not be available on your home mobile.
To summarize, the objectives are:
1. You take your devices into the US with you, but if pressed by CBP, you will let them search your devices. However, you don’t want to expose any information.
2. Once you are safely past the border, you want to carry on with your normal activities: email, social media, content, financial transactions, etc.
3. You want the same privacy protections while you are traveling as you have at home.
4. You want access to at least some of your files and data.
In order to fully prepare your devices for a clean pass, you need to give yourself time to prepare, preferably a week. You can probably do it in 48 hours, but you’ll be cutting it really fine. Here are some prerequisite steps you need to take:
1. Choose whether you will use a travel set of devices or your primary devices. If you are using travel devices, then install and upgrade all apps that you use to match your primary devices. Some apps may give away private information that you would rather not divulge (hobbies, entertainment or sexual interests — they’re no-one else’s business), so do not install those.
If you will be using your primary devices, then remove apps from your laptop that may reveal information you’d rather not. You will be factory-resetting your mobile, so it’s not as much an issue there.
2. Get cloud storage. You will need this to access data you need on your trip. You could use the one that is provided by the maker of your OS, or some other one. If you use the same one as your OS provider, it implies putting all your data eggs in one basket, which may make it easier for authorities to recover, but it also makes it easer on you.
3. Get a password keeper for your laptop and mobile. There are many and this is not a password-keeper guide, so you’ll have to research them. I use the open-source KeePassX.
Once you have the above items in place, it’s time to actually prepare your devices. Depending on what precautions you take, you may have to do all the following, or skip those that don’t apply.
1. To start with, encrypt your laptop drive. This may not be necessary for your travel but if you value privacy and security, it makes no sense to leave it behind unencrypted. If you will travel with your primary laptop, then it would be a good idea anyway.
2. Do a full, encrypted backup of your laptop. If you are leaving the backup behind, then you wouldn’t want anyone else to access the backup data while you’re gone. If you are taking your primary, you will need this backup to restore your data once you return.
Test your backups by restoring to another device and check that everything is restored: files, user settings, stored passwords. If you don’t have a second device, at least on your laptop you can create a new account and restore to that (if you have the disk space).
If you are using Apple’s backup methods, then there’s another reason to encrypt. Apple Support statesthat in iOS, unencrypted backups don’t include stored passwords and other sensitive, so it would be consistent to apply the same policy on OS X. In my experience, restoring an unencrypted backup in OS X does not restore the keychain, browser data, etc., but restoring from an encrypted backup does.
3. Save your password-keeper master file to the cloud. Save all your passphrases to the password keeper. If you have already been using a password store, you may not need to do any additional work, but if you’re just starting, make a list of all the services you use. This would include email, social media, bank accounts, mobile wallets, airline and travel web sites and work-related sites. You can also reset your passwords, of course, but that will cost you time.
4. Work through how to sync the passwords across your devices. Paid services do it automatically, but for others it will require some manual setup. This will be necessary once you’re past the border.
5. Save your private encryption keys to the password keeper or the cloud: SSH, PGP, and any others that you use. It’s easy to forget a key because many apps store it for you somewhere on disk, so review all the apps you use and the behind-the-scenes authentications they may be doing.
6. Export your firewall settings to a file and save it to your cloud storage.
7. Save your browser privacy extensions settings, either to the extension provider’s servers or to your cloud storage. For example if you use an ad blocker and have white-listed certain sites, then you will want to save this. The same goes for your anti-tracking extensions.
8. If you use a POP server for email, you will not have access to your old emails after the clean pass. You can download what hasn’t been deleted on the server, but then you may end up downloading hundreds or thousands of messages that you don’t want. So delete old emails that you do not want from the server. This may also be valuable if for some reason you are compelled to divulge the access to the mail server.
9. Save all documents that you’re working on, are going to need to work on or will need, to your cloud storage. If you want to continue to work on them, modify the cloud versions.
10.Save license keys to apps that you have not installed or have deleted but that you will want to use after the clean pass.
11.Wherever possible, set your 2FA to use email or some other method instead of SMS, and certainly not using any hardware keys that you will carry with you. Otherwise if your SIM card or hardware token is confiscated, then you have no privacy left because all your passwords can be reset. If using email is not possible, consider scrubbing your accounts of content you want to keep private. The major social media companies let you download your data, and searching is far faster on your desktop. Then delete anything that is online that you are concerned about.
12.The last step in preparation of the trip is to clean your devices of all personal information.
If you are using a travel laptop, then it should have a fresh user account that you will use, but the account should not be configured in any way. Don’t sign into any cloud services, don’t provide any email addresses, nothing. There should be no other accounts on the device.
On the other hand, if you are using your primary laptop, then create a new admin user. Log in as this new user and delete your old user, including the associated data. Make sure your OS uses irrecoverable erasure techniques. Alternately, you can wipe the device and start from scratch, but this will add significantly to your preparation time.
On a mobile, perform a factory reset that deletes all user data and settings. Go through the setup process so that you can make and receive phone calls, but do not provide your email address or sign in to any cloud services. Put essential phone numbers into the address book that you won’t mind border patrol seeing. Do all this before getting on the plane, because in order to sign out of some services or to reset your phone, you may need a data connection.
Be sure to set passphrases on your clean devices. Even with nothing to hide, it is still a good idea to deter theft or misuse.
Finally, before you go you will need to commit the passphrases for the following to memory.
- Cloud storage
- Password keeper/master
- Your laptop
- Your mobile
When you are ready to access your personal information again, get a data connection, sign in to your cloud storage and restore your settings and data to your computer and phone. Give yourself a couple hours to fully download all apps, configure accounts and restore all the setting. You’ll need your mobile phone on and able to receive SMS texts for any 2FA codes that get sent to you while signing in.
Start by restoring your cloud storage. If you use Apple devices you’ll want to log into your iCloud account through System Preferences/Settings again. This will then give you access to your passphrases and other settings. Launch your browser and install your privacy extensions, then import any settings files that you’d saved to cloud storage. Set up your mail accounts. Log into social media and tell whomever you want that you’ve made it safely. Go through the rest of normal activities and restore settings as needed.
In my case, after all these precautions, I wasn’t stopped at the border, and I spent a morning restoring my devices to a usable state in a coffeeshop, wondering why I put myself through it. Ultimately, though, to me it was worth it, because had CBP wanted to search my devices I would have been quite annoyed with myself. It also proved that there is an alternative to leaving my devices behind or letting border patrol see all my private data. The process is time-consuming, but with practice and a checklist, it should get faster. I will do it again on my next trip.