If you keep up with the news, you will know that our Customs and Border Protection agency has gotten a little overzealous with their ability to check our electronic devices. It isn’t just foreigners, we apparently have no rights when crossing our own borders even though we are American citizens. So how can you keep your data safe if you’re travelling in and out of the US?
The stories of American citizens Haisam Elsharkawi or NASA employee Sidd Bikkannavar make for stark reading. It isn’t just travelers from the supposed majority Muslim countries that need to worry. It is all of us.
If you take a company phone, laptop or any electronic device abroad with you, CBP are entitled to search it. They are not entitled to force you to unlock it or provide PINs or passwords but can make life difficult enough for you that you may as well. So what do you do? How can you keep your data safe when traveling abroad?
The very best way to keep your data safe when crossing our border is to plan ahead. Most large corporates now have specific policies for handling international travel but if yours doesn’t or you work for a smaller concern, you need to take steps to maintain data security.
All of the following pieces of advice require adequate planning. Fortunately, a day or two is enough time and you can travel forensically ‘clean’ for less than $500.
Mr nice guy
The very first piece of advice is to cooperate with CBP as much as you can. Do not lie, do not try to fool or deceive them. Work with them, show willingness to cooperate and be respectful at all times. Border agents are mostly normal people doing a tough job. They are often just following guidance from above and with the odd exception, are nice people who are polite and professional.
Do not give them an excuse to detain your further. Working with CBP helps them get their job done and you get on with your journey so work with them, not against them.
Remember though, if you are transporting confidential commercial information, the device it is stored on is subject to search. However, CBP cannot compel you to give them PIN numbers or passwords. What they can and likely will do is make life unpleasant enough for you that you end up surrendering them anyway.
This goes for fingerprint sensors and biometrics too. It is better to turn them off altogether and use a standard PIN. Law enforcement can get a warrant to compel you to provide biometrics whereas your right to remain silent remains inviolable (for now).
If you are traveling on business and need to stay in contact, consider using a burner phone for your trip. While it won’t have all the neat features your usual smartphone will, it will contain no personal information, no commercially sensitive data or anything that could be used against you.
There is no issue with allowing CBP to search it and no need to not give them the PIN. As they can be bought for less than $80, this is the best way to keep your data safe when crossing the border.
If you do take a smartphone with you when you travel, remove all social media apps, or at the very least, log out of them fully before you hit the border. Turn the device off completely too, don’t just put it to sleep as this does not log you out of any accounts.
The same principle can be used for any laptop or tablet you need to take with you. Using a cheap laptop or Chromebook with only the data relevant to your trip is another way to keep data safe without compromising productivity or being impractical. With cloud computing, you can work on any machine that has an internet connection so this is a very workable solution.
If you need to access commercially sensitive data, you can do it through a secure VPN and keep everything stored on your company or third party cloud storage. That way, the device you travel with has nothing on it that could compromise you or your company.
Two factor authentication
If you really must travel with commercially sensitive data on your person, you should use two factor authentication to keep it secure. You can use two factor authentication for most things now. If you use your cellphone as the second factor and it’s at home, you cannot conceivably provide access to that data while a ‘guest’ of CBP.
The easiest way to implement this is to use your primary cell as the second factor and leave it with someone you trust. When you need access to something, you call that person and ask them for the SMS code or whatever method is used. That way, you still get access to the things you need, your company’s security is maintained and CBP gets nothing.
Even if you are using a ‘clean’ phone and laptop, encrypting the data you so have is a necessity. Not only to protect it from CBP but from loss or theft while you are traveling. Data loss due to these two reasons is very common indeed and while the device hardware still has value to someone. If the device was taken in the hopes of getting some useful data out of it, the thief will be disappointed.
I and my data recovery team always advocate using encryption when traveling. Even ignoring the CBP issue, loss and theft can have a serious impact on your employer and your career!
Finally, you need to be realistic in that any amount of denial, obfuscation, misdirection or attempts to not provide your passwords or PIN codes may not work. While the movies would have you believe otherwise, it is impossible to resist interrogation and while I haven’t heard of border agents waterboarding anyone for their information, sometimes it is just more practical to give it up than it is to make a fuss.
Protecting your data is important but it isn’t not as important as losing your freedom or subjecting yourself to further detention or investigation. Sometimes it really is better to take one for the team!