What's a reasonable way to protect yourself here? Other than wiping and restoring. Are there any encryption tools, or ways to keep your emails and other data on your device safe?
What is on the device in their hands, on US soil, is subject to their stupidities, whatever those stupidities may be on the day their grubby hands get hold of your phone.
What is located remotely, in a privacy conscious jurisdiction, say Switzerland, is outside of their remit. I know US courts like to think they have power over the world, but they don't. US courts and US law power stops at US borders.
The trick is to make sure nothing gets cached on your local device (including authentication credentials, obviously). A bit like the old Thin Client computing really.
If you want to go one step further, don't travel with working credentials. Rely on someone outside of US jurisdiction to provide you the last piece of the jigsaw in a secure manner once you are in a safe location.
Well, in theory, yes. In practice, there have been recorded instances where the US Government has asked people to disclose their social media [1] and in other ones (I failed to find the source) refused access to people who refused to log into their accounts.
Also, if you're a non-american traveler, all the constitutional rights you're afforded as an American don't apply. So they can pretty much ask whatever and refuse you access for any reason.
It's like the US is becoming more and more like China. But it's a worlwide trend, really, with old men screaming "We're gonna be in the dark !" ... It's thoroughly depressing.
Edit: As written down in the comments, the part about foreigners' rights is wrong. See comment for correction.
But can’t they just deny you entry? I mean you can have all the rights but if they can just let you in (especially if you live in the US), that’s still a pretty big lever.
I’ve always considered America’s uniform worship to make the 3rd irellevent, I guess it goes to show that ensuring rights via law is good even if you think it unnecceraary
I've been to the US and there's no passport control whatsoever when you leave. You don't ever see a border guard on your way out — you go through security at the airport and then straight to the gate.
The real problem is that they now require social media handles on the visa application.
US “law power” extends as far as the enforcers of that power are able and motivated to extend their reach, which very often extends far outside of US borders.
OTOH, there's places and contexts where that reach tends to encompass more casually and with less case-specific motivation.
It's interesting that you single out Switzerland as a jurisdiction that the US can't touch.
It used to be that Switzerland had iron-tight bank secrecy regulations that the US (and the rest of the world) really couldn't breach. Yet over the years the US has managed to force massive changes on Switzerland's financial institutions, and for decades now there's been much more transparency, and Switzerland's banks are not nearly as secret nor as effective at hiding assets as they used to be.
Apart from getting other countries to change their financial regulations to be more in line with what the US wants, the US has also been very successful in doing the same in regards to issues like drug enforcement, human trafficking, child molestation, and many other issues.
So, depending on your threat model and what data you're trying to keep private, I wouldn't count on any jurisdiction ultimately being and remaining safe for your data.
Something else to consider is that once your data is out of your hands, it's easy for whoever has it to make a copy to archive and work on at their leisure. Even if they don't share, sell, compromise, or trade away that data today, that doesn't mean they won't do so at some time in the future when laws, technical capabilities, or incentives change.
I think you're drastically overstating what happened regarding Swiss banking secrecy.
Switzerland agreed to FATCA, which only applies to people subject to US taxes and allows those people to refuse to have their information shared with the IRS, in which case the IRS has to specifically request it.
The "massive changes" you mention essentially consist of banks asking you if you're a US person and then, for the big banks, making you fill out a bunch of paperwork and for the small banks, refusing to open an account for you. If you're not subject to US taxes, there's no effect on you whatsoever.
I think the _much_ more interesting thing, which is unrelated to the US (as it's not a party to the agreement) is the AEOI [0].
Anyhow, Switzerland is still very much a sovereign nation and the fact that it has agreed to give limited financial information to the US, with consent of the account holder, does not change that.
A fun bit of proof: copyright infringement, one of the US's pet peeves, is still very much alive in Switzerland. It's your legal right to make as many copies of something as you want and give them to your friends and family [1].
And ultimately, the US' power over Switzerland is quite limited due to the referendum system. Any change they'd like the government to make has to have the consent of the people. The Swiss are quite protective of their privacy so I don't see the US having any success weakening that.
I don't know if you realize how absurd this is: imagine if you, as a US citizen, in the US, had to answer whether you are subject to Swiss taxes any time you wanted to open a US bank account.
Also, for stock accounts, you'd be required to fill out a form in German/Italian/French regarding Swiss taxation.
It wasn't the US alone. The pressure increased from pretty much all the important trade partners in the west and a lot of the bank secrecy breaking a bit had to do with the Swiss banks really really wanting to do business in those countries, preferably without following their laws. But in the end it was the big banks that gave up on the iron-tight secrecy themselves and pushed for deals before the Swiss government did.
I agree that you can't count on jurisdiction alone for your data remaining safe. Neither will a technical solution like encryption. The latter might keep your data safe, but not you and your loved ones if there are not some legal limits what people wanting to access it can do.
> Yet over the years the US has managed to force massive changes on Switzerland's financial institutions, and for decades now there's been much more transparency, and Switzerland's banks are not nearly as secret nor as effective at hiding assets as they used to be.
Eh not really unless you're a US citizen, which is a US problem not a Swiss problem. When I arrived, several years ago, and was opening an account I was asked multiple times If I was (or ever was) a US citizen and had to sign (again multiple times) that I wasn't a US citizen. Many small and even cantonal banks will outright refuse to open accounts for US citizens.
That’s not true. A US court can order you to go to another country, retrieve documents, and bring them back to the US, even if you doing so is in violation of that other country’s laws. This is more reasonable than you might think, because otherwise companies and individuals could hide all of their incriminating data in such ways and evade accountability under US law.
Further, being involved in any violation of or conspiracy to violate American law is a crime, even if you never actually step foot in the US. Companies can be sued in US courts for actions they took overseas. None of this is particular to American law, the same is true in any advanced legal system. American law just has particular significance because of American economic preeminence. Some of the most vexing legal issues, both theoretical and practical, surround this cross-border application of law. And I guarantee you wouldn’t like the result if countries took a strictly physical, territorial approach to their legal authority.
That's not really accurate. The US, due to its historical position as a super power, has extradition treaties for many countries around the world. If charged with a crime in the US, your physical location might not matter.
It very case/situation specific. The host country might block extradition for various reasons, but often, the US has global reach.
Calling your congressman makes the most sense, IMO. As technologists we have an inclination to jump to the technical workaround, but the workaround should not be needed to begin with.
This would have no effect. “Call your congressperson” should never, under any circumstances, be considered useful or effective.
Policies are decided in the interest of plutocrats. Very occasionally when it would generate good PR or if disenfranchisement gets too bad, some retroactive number fudging will be used to whip up a press release or report on the number of calls or letters to a congressional office, as if to make it seem like a policy was affected by democratic consideration of constituents, but that is purely theatrics and publicity and has no bearing on or connection to the way congressional offices pursue legislation.
The alternative cynical view (which I subscribe to) is that this small-to-medium amount of pain can sometimes tip the scales in the right direction.
There are of course other tools, but they require a bit more dedication: regular donations to think tanks and lobbyists who agree with you and can spend time schmoozing/convincing congressmen, regular donations to legal foundations who challenge overreach in court, and of course voting when the time comes.
Well, you're not talking to a congressman. You're talking to an office aide. I'm not convinced causing "pain" for interns and aides is what transmutes into political change.
I’m still not understanding. How is my comment distrustful? It’s just a factual description of a decision making and PR process.
The tone I imagine when I say something like “legislators only consider the desires of plutocrats” is like saying “plants survive by photosynthesis” or “the Efficient Markets hypothesis is only useful as an occasional approximation” or something - neutral observations of factual descriptions of how systems work.
“Cynical” implies a normative judgment, or some extended assumption as if my comment has anything to do with presumed self-interest or distrust of sincerity.
The rule is apparently phrased as being within 100 miles of any "external boundary", which doesn't just mean borders with other countries, but also the entire coastline, including the coasts of the Great Lakes. Most Americans live in this area.
Note that the "border" here is not the coastline, but the limits of territorial waters (12 miles). This also means that proximity to, say, the upper Chesapeake Bay or the southern tip of Lake Michigan aren't relevant, as those coastlines are of internal waters and not the larger ocean.
> Note that the "border" here is not the coastline, but the limits of territorial waters (12 miles)
No, the Border Patrol interpretation of the “reasonable distance from the external boundary rule” is that it extends to at least 100 miles from any land border or any part of the US coastline (whether or not it is or is in proximity to an international border.)
That's what the ACLU says the Border Patrol's interpretation is. When I actually read the regulations and the statutes themselves, as far as I could infer, the external boundary was meant to refer to the international water boundary.
I'm afraid I don't recall the exact citation off the top of my head, but I'd like to see more evidence for the ACLU's claims than, well, just the ACLU saying so. Especially when the ACLU itself points out that the law and regulations doesn't actually give the Border Patrol some of the powers it has.
(I should note there's a distinction between the actual legal authority and the actual policies applied in practice--I'm arguing that the legal authority is 100 miles from the international waters boundary; that the Border Patrol is exceeding that is probable, but the ACLU is, IMO, conflating the legal and actual effects to lobby specifically against the law rather than lobbying against the Border Patrol acting illegally).
> I think the rule applies to incoming travellers only, not everyone who happens to be near the border.
No, it applies to where the Border Patrol asserts authority to conduct warrantless stops and searches of any person/vehicle/etc. for potential immigration or violations.
(There's also a similar 25-mile zone where they assert authority to do so on private property other than physically entering houses.)
They also claim similar authority to the 100-mile limit in cities with international airports, if they happen to be outside of the 100 mile zone.
> The Fourteenth Amendment doesn't just lose force for everyone living in one of the coastal cities.
The Fourteenth Amendment limits the power of state governments, it's the Fourth Amendment that is at issue here. But the legal theory is that warrantless searches in these circumstances, are reasonable and thus compliant with the Fourth Amendment.
Searching someone's phone or laptop isn't just done to determine their immigration status. So if a person shows their U.S passport, would BP still be allowed to search their electronics?
That is of course terrible and should never happen, but I think it's also erroneous or illegal, not something the law permits.
I'm not defending BP or ICE practice. I was just wondering if the law actually permits the authorities to search electronic equipment of U.S citizens for no other reason than being within 100 miles of the border. That I would find truly astonishing.
That’s the law as I understand it, yes. CBP set up search checkpoints on highways (even those parallel to the border) to stop and search all vehicle traffic sometimes.
I offered that information about citizen arrests to illustrate that whether or not something is legal or permitted by law does not have much practical effect on the ability to constrain ICE/CBP. They have repeatedly ignored injunctions from federal judges.
> Searching someone's phone or laptop isn't just done to determine their immigration status. So if a person shows their U.S passport, would BP still be allowed to search their electronics?
Sorry, “immigration status” was not quite what I should have said, it's to determine border violations, both immigration and contraband related. As warrantless electronics searches are for “digital cobtraband”, they would seem likely to have the same status in the border zone (to the extent it is valid) as at the border, where manual checks with no specific basis and forensic checks with “reasonable suspicion” have been upheld, IIRC.
From all I've read, they will certainly try, even if they don't technically have the authority (I don't know if they do or do not, but CBP has broad authority). Encryption also incurs their ire.
You need to either wipe the phone or have stegnograpic volumes.
There are a plethora of full disk encryption tools. Linux has dm-crypt, Windows has BitLocker, iOS and Android have it. I assume there's a way to enable full disk encryption in OSX but I'm not familiar with the ecosystem.
They can force you to unlock/provide password to your devices if they have probable cause that there is evidence of a crime on the disk. Typically this is because someone looked over a shoulder and saw child porn on the screen. I'm not aware of anyone being forced to provide passwords or keys in any other circumstance, but I'm not an expert.
Encrypt your data, keep your devices off. Do this even if you have "nothing to hide".
If you're seriously concerned about the security of the information on your phone, you could look at the NSA's Security Configuration recommendations. [1] These recommendations are intended for "Apple iOS 5 Devices", and many of the recommendations sound like they would not be appropriate for the average traveler.
What I would recommend is to keep as much information off your phone as possible. Save emails on your personal computer, and delete them from your phone before traveling. Log out from online accounts like web-based email accounts before traveling. Don't have sensitive files on your phone; encrypt them and download them from a server somewhere that you control.
Finally, as "sumanthvepa" recommended, "keep all interactions with (Border Patrol Agents) on a cordial basis and cooperate immediately and completely when ordered."
VeraCrypt encryption tool for one, offers hidden encrypted volumes. If I remember correctly, you would have 2 passwords for the same encrypted container. One pw for a decoy volume if forced to decrypt your files such as in this case, other pw would reveal your true data.
You could try to push your luck, if you're an American citizen.
More realistic is to just wipe your phone and reset it to factory settings using a throwaway google account. They probably won't ask for it but that way it looks unremarkable and you don't have to waste your time arguing with them.
I wouldn't even bring a computer across the border anymore, at least not for a vacation. I always use full disk encryption and I am not interested in giving the CBP (which I'm sure has great IT security) copies of all my confidential work documents to just leave sitting around for the next 20 to 75 years waiting to get exfiltrated by who knows what hacker group will get to it first.
Chromebooks are great for this - they're fast to wipe and fast to set back up. I travel with a Chromebook and a phone that I wipe before crossing international borders.
Wiping and restoring is underrated. I feel pretty safe about my Apple encrypted cloud backups. It's a minor inconvenience to wipe the phone before crossing the border, and restore on the other side.
Now - if they can make you restore in their presence, that would be a big problem.
Can CBP make you unlock your own phone?