Since the tightening of US border entry rules, readers have been emailing asking:
Canadian readers (and non-US) travelers to the US wanted to know what the new tighter controls mean when crossing into the US.
The first important truth most travelers need to accept is that "entering another country is a privilege and not a right". Although the controls may have tightened a bit, they haven't changed materially. Having visited over 40 countries in the last 30 years, I accept the fact that anytime I cross a national border, I am subject to the controls of that country and prepare accordingly.
The cardinal rule of information security is "know your risk". The first step is to determine all your risk factors (status entering that country, data you will be traveling with, travel history, your background, travel risk level of the region you are entering, etc).
Before you leave
- Minimize the amount of information you travel with. People often forget the treasure trove of information they carry on a daily basis. Your smartphone (as an example) contains all your contacts, login information for all your social networks, health information, GPS location history, networks you have connected to, etc. Anytime you cross a border (not just the USA but this applies to any national border crossing), the agents are tasked with protecting that county and may "take" any information you are entering the country with to determine your traveler risk. Do not take anything you wouldn't want to hand over.
- Minimize the amount of devices you travel with. This may sound stupid but I have seen business travelers cross the border with a personal smartphone, work smartphone, a personal tablet, a work tablet and a work laptop. Understand that anything you enter the country with can be seized or taken for analysis. With all the Snowden, Vault7, Wikileak dumps, its clear that if a border agent touches your device, you shouldn't use it anymore. You should assume it has been permanently hacked. Where possible, do not bring devices with you. If you do, try to bring "disposable" devices you wouldn't mind throwing away if need be.
What should I do before crossing the border?
- Remove all information from your devices that you do not absolutely need to bring with you.
- Anything you could need, try to move it to the cloud and securely delete your local copy.
- Delete any apps from your smartphone for which you don't want to hand over login credentials to.
- If you use a password vault solution synchronized with the cloud, you may want to delete that (Lastpass, 1Password) and reinstall it after you enter the country.
- If you use a cloud synchronized 2-factor authentication solution, you may want to delete that (Authy) and reinstall it after you enter the country.
- If you can, leave the device at home. If you have a work phone, bring it with you but leave your personal back home. Instead of bringing a tablet, try to load your content on the smartphone.
- If you can, travel with the least complex device possible (chromebook instead of a laptop or tablet instead of a laptop)
- Ensure device encryption is turned on.
- Turn off your devices before crossing the border.
- Switch the unlock mechanism from fingerprint to password based.
At the border
Never lie to a border agent. Never! Ever! Ever!
Any foreigner that refuses to comply with a border agent request (any border not just the USA) will likely be turned away and sent back to their home country. In extreme cases, you can even be bared from entering that country again.
This means that you are "forced" to comply with any request made by the border agent. If asked for your device password, you can provide it and cooperate or defy them. If you defy the request, they will likely take the device and send it for investigation while denying you entry (maybe even keeping you for secondary questioning). Either way, once you "lose control" of your device, you should assume it has been permanently hacked and that a clean re-install will not make it trustworthy again.
They may also ask you for your social media login information. Even if you do not have the app installed on your devices, they know you have an account and can ask for the credentials. Never lie. Refusing to cooperate can cause you to be detained for additional questioning and given an entry ban.
What should I do while crossing the border?
- Always be polite and respectful. Remember the agent is doing his/her job.
- Never lie. Always be truthful.
- If asked to hand over a device or password, I would do it without putting up a fight. Once you are at the border, you have decided you are engaged and have to cooperate.
After crossing the border
If your work device was accessed at the border, notify your company information security group immediately.
If your personal device was accessed, you have to think long and hard about what you want to do. Know that there may be a permanent (un-removable) backdoor or tracker installed on the device. In some cases even a complete factory reset won't remove it. What do you want to do? In the security space, we recommend throwing the device away and buying a new one but this is a personal decision especially with a $1000 smartphone, tablet or laptop.
Also if they accessed your device or asked for your social media login information (username/password), assume they downloaded you social graph (all of your contact info and the contact info of your contacts). I would change all my social media passwords and double check my account information (email address, recovery phrases, telephone numbers, etc). Also notify your network that you lost control of your social media account and to be extra vigilant with requests and the information being shared with you.
If you travel to the US regularly, think about applying for a Nexus card (if you are a Canadian). Having a Nexus card means you have been deeply vetted and all of your fingerprints are on file. My experience has been that the Nexus has made crossing into the USA much easier.
If you are a tech neophyte, take the time to read up on device security and security best practices. The truth is you are solely responsible for your privacy and security.