Hacker News new | past | comments | ask | show | jobs | submit login
What could happen if you refuse to unlock your phone at the US border? (arstechnica.com)
445 points by nkurz on Feb 16, 2017 | hide | past | web | favorite | 477 comments



Worth remembering: US citizens can play chicken with CBP and lose nothing more than their computer/phone hardware (perhaps having it returned 6 months later). But non-citizens, possibly including LPRs, cannot: if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country.

The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

This is going to get harder still. CBP will begin asking everyone for Facebook logins. You'll think of 10 different ways to conceal your Facebook doings from CBP, but CBP has advance traveler's manifests from flights and will know that people have profiles --- and, sometimes, what was on those profiles.


> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

Or, to simply stop traveling to countries that refuse to play nice with the rights of foreigners. The whole idea that this sort of thing is even anywhere near acceptable behavior revolts me.


Yeah, I pretty much decided to never travel to the US again the first time I heard you may be compelled to unlock your Facebook profile for the customs.

Not because I have something particular to hide, but as a gay person in a hostile world I have learned to care about my privacy.

Not a huge loss for me, not a huge loss for the US, but it accumulates.


I agree with you.

Asia and Eastern Europe are off the list for me too. China is willing to kidnap people out of Thailand [1]; people being arrested over political tweets [2]; Russia can poison people [3], shoot them [4], or have them accused of fake crimes[5].

I really hope the U.S. never comes close to this and hope I see this trend reversed in my lifetime. But people should be aware that it can happen in a modern society and is already happening in large parts of the world.

[1] http://time.com/4371283/hong-kong-bookseller-china-detention...

[2] http://mashable.com/2016/11/26/zunar-arrested-malaysia/#AHwL...

[3] https://www.nytimes.com/2017/02/06/world/europe/russia-vladi...

[4] http://www.newyorker.com/news/news-desk/the-unaccountable-de...

[5] http://www.dw.com/en/russian-court-finds-alexei-navalny-guil...


>China is willing to kidnap people out of Thailand [1]; people being arrested over political tweets [2]; Russia can poison people [3], shoot them [4], or have them accused of fake crimes[5]. I really hope the U.S. never comes close to this

Well, the US can drone-kill people (including bystanders irrelevant to the primary non-tried target), abduct them from all over the world and transport them with no trial to Guantanamo, allows cops to shoot innocent people (e.g. for walking while black) at a record rate (compared to even developing world dictatorship standards) without much repercussions, and let's not get started with people forced to go to jail with BS accusations and plea deals or stuff like "three strikes" that can put people on life for ...stealing a pizza thrice.

Just because these people are not all local citizens or white, doesn't mean they are not wronged.

And all that's under Obama, so not much hope for those getting better under Trump...


Totally agree.

Starting with "Well," suggests it somehow negates my point though.

I think "Also" would be more appropriate, which kind of acknowledges the problems in other countries I cited while also pointing out very real weaknesses in America's justice system.

This might seem pedantic, but the common reply I see to "this country does bad stuff" reduces to "well this country does bad stuff too!" It's not a productive argument because it tries to deflect attention and normalize the actions in question. Instead, we should be focusing on how to address all of these issues, because they definitely exist.


But... your previous post specifically says "China is willing to kidnap people out of Thailand" and goes on to say "I really hope the U.S. never comes close to this".

Can you explain how exactly the U.S. has yet to "come close to" your list? Your post created the very "us vs them" separation you now claim to disagree with. The child post was fairly clearly just answering that statement

And while we're talking deflection, you are the one who took a thread about the US border and its impact on travellers and made it about civil rights abuses by the rest of the world. Yes, they are all important; no, it is usually not possible to solve them all at once.


I think the implication is that he sees the things the US currently does as less bad than his own list. I'm not weighing in on the validity of his assessment, but I'm pretty sure that's what he meant.


> Can you explain how exactly the U.S. has yet to "come close to" your list?

Show me a similar incident to the Chinese booksellers thing in America. Or anyone being killed because they represented the political opposition. Miles away.

But that's not even my point. My point is: read the links listed; I'm not traveling to those countries; I hope the world becomes less crazy. That's all!

> And while we're talking deflection, you are the one who took a thread about the US border and its impact on travellers and made it about civil rights abuses by the rest of the world

Huh? I posted some links above. People should read them and make up their own mind, in addition to the OP. It's not a "one or the other" kind of thing, not sure why it would be.


>This might seem pedantic, but the common reply I see to "this country does bad stuff" reduces to "well this country does bad stuff too!"

I think it's valid to see things its perspective though, because people who say "we shouldn't turn it into 'yes, but X does this too'" are often using it as an excuse to continue to point fingers only towards one side, and not even the worst acting one...


> the common reply I see to "this country does bad stuff" reduces to "well this country does bad stuff too!"

It's not pedantic if you care about being rational. This act is a common logical fallacy called the "tu quoque fallacy": https://en.wikipedia.org/wiki/Tu_quoque

Why is this a fallacy?

Suppose country A is accused of doing something bad. It's logically irrelevant to that question whether some other country B also has done something bad.

To see it more clearly, take the same fallacy on an individual level. Person A is accused of murdering someone. Is it a valid defense to say "Well, my neighbor Person B also murdered someone, therefore it's OK that I did"? No, of course not. It's totally irrelevant whether someone else -- even the accuser -- has also murdered someone.

Yet making this fallacious counter-accusation is often effective in terms of emotional (i.e. irrational) manipulation of the audience, particularly when they are predisposed against B in some way.


[flagged]


Respect for policemen could also mean: "nothing wrong with what you're doing, keep being trigger happy".


How exactly did Obama stimulate racial fights?


Don't worry, the Republicans are working to fix all the horrible Obama policies, like making sure people can get health care, or keeping firearms out of the hands of people whose mental illnesses are so bad they can't even manage their own day-to-day lives.


I really hope the U.S. never comes close to this and hope I see this trend reversed in my lifetime. But people should be aware that it can happen in a modern society and is already happening in large parts of the world.

The US has kidnapped people from Italy, and assassinated its own child citizens. The US (and most western countries) are already close to this, it's just that most citizens felt they were immune up till now.

This kind of overreach should always be opposed, no matter who it is done to, or where, because once it is acceptable to assassinate people with missiles, kidnap opponents, or record everyone's digital life whenever information crosses the border, all it takes is the wrong sort of people to take power and all the mechanisms are in place to control and oppress entire populations.


It's amazing that with the forces of globalization and Internet we think of the planet as whole and then a new government flips to us vs them mentality reversing peace work of years.

Less humans kill other humans now than ever in the past. I wonder if the media is to blame for the fear mongering?


I agree, globally many important indicators are positive in the long term but we shouldn't be complacent because perception and relative wealth over time can be more important to people than reality.

https://ourworldindata.org/a-history-of-global-living-condit...

The recent rise in nationalism after the 2008 crash is eerily similar to post 29. Globalisation has caused discontents, even if they are unjustified and the solutions proposed by demagogues are absurd and damaging, they appeal to some. Re the media, no I don't think so, humans are tribal and not very rational.


The right response to improvement, is to continue to improve. The world ain't perfect yet.


I see you mentioned Eastern Europe but only include Russia. Eastern Europe includes many other countries open to LGBT communities. Don't always believe the news headlines as they tend to exaggerate. Hungary and Romania have done big efforts towards this, still churches have a lot to say but peoples mentality changed, accepting diversity.


>Hungary and Romania have done big efforts towards this, still churches have a lot to say but peoples mentality changed, accepting diversity.

Really? Try talking to locals there not just about gays but also about refugees or even gypsies...


You're mixing up blatant discrimination (the first category) with two very complicated social problems.

People aren't necessarily against refugees, per se, but more against the idea of accepting anyone who declares himself to be a refugee, without checking that he is, in fact, one. Things are made worse by a few "refugee" cases where the "refugees" preferred to move away and live as illegal immigrants in Germany than as legal refugees in Hungary or Romania (a status which includes state aid, as meager as it may be in these countries).

The third point is really complicated and it does include discrimination but also a lack of trust and respect for the others from both sides. A lot of it has to do with the difficulties of integrating a very tight-knit nomadic culture into a modern, sedentary society where property rights are clear and respected.


I wouldn't judge the whole of Eastern Europe or Asia based on one country, there's plenty of safe and welcoming places in both, E. Europe and Asia.


My philosophy is that Facebook provides a window into who I am and what I do, but also who my friends are and what they do. Gaining access to my Facebook account doesn't just tell them about me, it tells them about everyone I know. It lets them harvest the feeds of everyone who's ever friended me and then not stuck me in a 'sees none of my posts' group.

Even if I've never posted anything on FB that they'd find objectionable, it's possible someone I know from the US posted privately ('close friends only', for example) "Man I wish someone would put a bullet in Trump's head", feeling as though it was a safe place to vent. Suddenly they're getting investigated by the secret service, and possibly deported, because I gave up my Facebook login because "I have nothing to hide".

This is ridiculously insidious. For every one person whose Facebook info they get, they get to collect previously inaccessible data on potentially hundreds of people, none of whom agreed to share their data with the government, or even knew that it was happening. With one Facebook login the government can start building profiles on hundreds of people, and with each successive login that net expands.


Call me cynical, but I believe that those concerns are totally unfounded because the "evil government" doesn't need your FB login for that, IMHO they most likely can access that information directly without your consent. I would be really surprised if they really had to do this mass harvesting of profiles based on a series of one-time access to individual profiles of a small fraction of population; They had much more effective ways to do mass harvesting many years ago (as illustrated by various leaks) and probably do them now, having to involve thousands of immigration agents would be simply counterproductive.

I do believe that immigration services look at your account exclusively for their goals of evaluating immigration. They ask you to unlock your account because for them it's objectively simpler to ask that information from you than to get it from the other government agencies that have that information but won't disclose it because formally they shouldn't have it. There's no "the government", it is an amalgamation of many organizations that have conflicting goals and don't coordinate, so it's reasonable to expect that "the government" has some information and at the same time "the government" (i.e. other parts of it) don't have it and need to request it from you or do without.


In one breath you say the government would coordinate sharing fb data, in the other you say they don't. Which one is it?


Where does it look like I am I saying that multiple agencies would coordinate sharing FB data? I feel that the parent post was needlessly worrying about a risk of e.g. border teams using unlocked phones as a routine way to harvest data and hand it over to e.g. NSA or whatever "evil government" snooping agency they'd be worried about, because (a) NSA doesn't need this assistance because they are likely to have better mass collection methods on their own, and (b) they wouldn't coordinate this with a large number of DHS grunts, neither by asking them to gather data nor by providing them with a list of all data that they have. DHS is likely to have a lot of data themselves, but anyway unlocking a phone provides extra information in a simple&practical manner.


I don't want to be one of those people who go on about the fact that they're not on Facebook, but what if they asked me for my Facebook logins and I told them I don't have any social media accounts? (I mean, bar Github if you count that as a social network).


If you are telling the truth you will be fine. But if you do have a facebook account and you lie about it you could be in trouble (it is an offence to lie to federal agents).


What would you do if you have an account but haven't used it for many years, lost your access to the email that you registered it with and don't remember the password. Are you genuinely a liar then?


If you are telling the truth that you haven't used it in many years then you will be fine -- ultimately. Of course, if you've tweeted/posted from it recently that won't work, and you could end up in detention for lying about it. But on the whole it would be better to take the time to delete that account.


Same situation for me. I wonder if I'd get treated like a liar and a criminal for not using a commercial product.


I applied to an interesting research job for a US university a few years back, but only got to the first interview stage. I was going to try again with much more relevant experience in a couple months, but that's now completely out of the question for the next eight years at least. This is what happens when people stop taking democracy seriously.


> Or, to simply stop traveling to countries that refuse to play nice with the rights of foreigners.

s/foreigners/citizens/

i.e. everyone.

I'm a Canadian Citizen. When I enter Canada from abroad, they claim the same rights as the US CBP.

http://www.cbc.ca/news/canada/nova-scotia/alain-philippon-cb...


I was detained and aggressively searched at the Canadian border (Montana/Alberta, for about 2 hours) in 1997; not because they thought I was a terrorist, but because they wanted to confirm that I wasn't coming to Canada to work. Friends of mine were turned back at the Canadian border later that same year. Canada has always claimed these rights.


I flew up to Vancouver for a wedding. I'd lived there before and strangely I was aggressively questioned at Canadian Customs.

Why are you here? A wedding. Where are you staying? 2400 Motel out on Kingsway. Oh, a site of known criminal activity.

I rolled my eyes. The bride chose it because it was an X-Files filming location.


I live in Washington and go to Whistler quite often to mountain bike. I've probably crossed the border 25 times in the last few years, and the only thing that the Canadian border patrol seems to care about is that I'm not bringing weapons into Canada. I wonder if they have knowledge that I have a CCW in WA. But in general they are always quite polite about things, which I can't say about crossing the border on the return trip.


What's changed between then and now? Because it seems they now welcome all the workers they can get, refugees or otherwise.


Tagential but is it not absolutely bizzare that at the US/Can border relocating to work is seen as a deadly sin, while broader US policy has brought so many immigrants into the country since JFK? Without saying either side is right or wrong, US Gov policy wholistically appears schizophrenic


If you're on a work visa then you're being upfront about planning to work and have the appropriate visa for it.

If you enter on a tourist visa (or visa waiver, whose conditions are usually the same as tourist visa) they want to be sure you aren't committing visa fraud and planning to work. That's what causes the grilling.


Yes, but why is that a big deal in the first place, vs. being offered a job and paying a small administrative fee to adjust a visa? The siege mentality is part of the problem.


As a German tourist the most annoying thing getting into Canada is to wait in line while all these other nationalities get questioned extensively before being waved through in 20secs. Wear your bright colored gore tex jackets guys!


Sorry if I'm spoiling a joke here, but does a Berghaus gore tex jacket really give you credibility at the border?


Paired with socked sandals ofc...


The Alain Philippon vs CBSA action was never tested in court. Failure to divulge information hasn't been defined as 'hindering' before, so the case would probably have to go to the Supreme Court of Canada for it to be decided. Secondly, even at the border you can choose to remain silent. The most likely worst outcome is you get refused entry if you are not Canadian.

See linked page for advice from actual lawyers.

https://bccla.org/2016/08/what-happens-if-you-dont-provide-y...


I've never had a nice experience returning to Canada (either by plane or car) after a trip to the US or Mexico. I get the full "random search" in a secluded room every single time.


Anecdotal, but: I suspect that the CBP have very specific criteria that can flag specific situations. I know someone who would systematically get arrested/interrogated by plain clothes officers if she was returning back to Canada alone. When not alone, no problem. Once, she was on the point of being arrested, when she pointed to her partner, and they stepped back. Although they never wanted to admit why.

After a bit of A/B testing, it seems to have been "older woman traveling alone with a fancy watch" that was flagging her. Without the watch, the problems went away.


CBP is Customs and Border Protection which is the American department for that. Canada has the CBSA - Canadian Border Services Agency. So you wouldn't get harassed by the CBP if you were entering Canada, it would be the CBSA.


sorry yes, I meant the CBSA :)


Same here! When I was on a green card, I got grilled probably 30% of the time going to Canada. We're talking accusations of smuggling a car into the country and harsh questions about exactly what family I was visiting.

Going back to the US (even as a non-citizen!) I usually just got a "Welcome home!".


As an Indian that used to live in Canada for some time, I got the same "Welcome home" with a smile from Canadian immigration. I still miss that as I don't even get that when I actually come home to India.


I had a nightmare of an experience crossing into Canada and am never visiting again.


Ugh. Canadian border crossings used to be so nice.


No, they were not.


I suspect that part of the reason here is a tit-for-tat.

The USA has a long history of being nasty to Canadians on the suspicion of them going there to work. Similar things happening to US visitors to Brazil and several other places.

Having a Dutch passport this never was a problem for me when returning to Canada, even though I was actually working there.


Entering Brazil as a US citizen was an interesting experience. Long pseudo-interrogation, fingerprinting, the whole nine yards. It wasn't until later I learned they basically just decided to do to all US citizens what the US was doing to Brazilians (and certainly others).


Brazil has a weird policy (the "reciprocity" law) that makes them apply to visitors from some countries whatever that country applies to visitors from Brazil. In theory that only applies to what kind of visas are necessary, but often they do so in terms of immigration/customs policy too.

So yeah, a while ago the US started requiring electronic fingerprints from Brazilian visitors (and everyone else I think?) so that's why Brazil started requiring that from US visitors.


I don't think that's weird, I think it's pretty awesome. But I'm biased, since I'm Brazilian :)


I'm not Brazilian and I think it's awesome too. More countries should do this.


I am Brazilian, and I think it's an outdated measure that serves little to no benefit, especially for Brazil itself.

It's fun (in a semi-vengeful way) to submit, say, Americans to the same level of scrutiny they apply to Brazilians. But it also means you're creating artificial barriers against making the country a more popular tourism destination. People in some countries are just not used to having to go throw all these hops to get to visit a country, just because they don't have to; when they learn that they have to go to a consulate in person, in select cities, stand in line for hours, go through an interview, and pay about $150 or so for the right to visit the country, they're quick to change their mind and just pick some other destination that is either easier or that allows you to do all of that online.

The country is basically making it difficult for people to bring you money.

This policy hurts Brazil more than it hurts anyone else.


It does make sense to do this, more countries need to stand up and say if you treat our citizens this way we are going treat yours the same. I mean the travelers interact with border control and the citizens are the only ones who legitimately can bring these complains to their border agencies. Ultimately it comes to be that citizens need to defend non-citizens rights and "reciprocity" policy might be effective because most people only act on their selfish interests.


This policy has been in place for decades with no change. That makes me doubt it effectiveness. I've heard of plenty of USA -> BR travelers being turned away at the border because they didn't realize they needed visas (a common occurrence for people traveling for conferences). Ultimately they understand the reasons and even empathize with the country, but it doesn't change the fact that for them it's easier to just not come.

To me it's more about an ineffective, vain attempt to show power than anything else.


If you're on a work visa you're obviously allowed to work.

If you enter on a tourist visa (or visa waiver, whose conditions are usually the same as tourist visa) they want to be sure you aren't committing visa fraud and planning to work. That's what causes the grilling.


The land borders in the western US were pretty nice.


"Or, to simply stop traveling to countries that refuse to play nice with the rights of foreigners. "

Which countries would those be? As far as I know, every country (or quasi-country, such as the EU) asserts the right to carry out a full inspection of anything crossing its border.


As far as I know, Swiss border police/customs officers (which often operate at random places in the country, not necessarily at the border) are not allowed to check the content of any electronic device without a search warrant.

They can ask you to unlock the phone and show the IMEI number when suspicious of theft, but that's about it.

Source: friend of mine worked there.


With phones without sealed batteries, the IMEI(s) are usually printed on a sticker in the battery compartment. Samsung and Apple engrave the IMEI on the outer casing of sealed devices.

Always know where the manufacturer printed the IMEI, so you don't have to unlock the phone in front of police.


Of course, if you give them the IMEI it facilitates them listening to your phone calls and tracking your location. The 'checking for stolen phones' thing seems totally implausible to me.


It's quite effective, tbh. Stealing phones is still a way to net loads of money if you know a buyer who doesn't give a damn about the source. Hard-reset the phone so it appears clean and off you go.

The only vendor that actively prevents the usage of stolen phones is Apple, because the owner can remote-lock it even if the phone gets wiped via iCloud.

The ideal way would be if network operators cooperated by maintaining a list of "supposedly stolen" IMEI codes and alerted police if a matching phone tries to log in into the network.


None of the carriers cooperate across borders! The phones that can't just be flashed with a new IMEI are rebirthed overseas.


I'm intrigued that you think that requires an IMEI.


It doesn't require it, but it helps. The IMEI gives away information like manufacturer, device model and rev, and persists across changes in SIM.


IMEI is sent when you register to operator's network, so you get that kind of information anyway. Asking for IMEI at the border links person to a physical device so you have a complete set for tracking.


The point is that the problem "Listen to Ms Jane Robert's phone calls" goes from "Of all phones on the network, identify Ms Jane Robert's" to "Ms Jane Roberts has a phone with IMEI xxxx, log all traffic for all SIM identities; prepare implant for LG G5 sold with Vodafone config."


I think this is more an issue of practice than theory. Every country might claim the authority to search phones, but if they never actually use it, there is no concern entering those countries in a practical sense.


And considering that something like 0.01% of travelers into the US are ever affected by this, you could say in a practical sense there is no concern here either. That's basically a rounding error worth away from 0%.

In fact it sounds more like they generally target specific individuals based on their politics or whatever red flag gets thrown on them from the system. That's certainly dangerous in a way, but in essence harmless to the vast majority of us.


It doesn't appear that most countries are using this kind of search as a tool of political harassment or intimidation, while there's enough evidence that the US is for people to be concerned.


> 0.01%

The same could be said about the proportion of innocent people who would be jailed without the presumption of innocence. Yet I still support the presumption of innocence, even though I personally have never needed it. It makes me feel safer and allows me to trust and cooperate with the authorities.


Saying that a breach of due process is ok because it's not very frequent is a really short-sighted position.


"First they came for a few people for their political beliefs, and I did not speak out because I was not one of those people..."

Do you know how that one ended?


Yea, nice. The Government/Law enforcement harassing dissidents at the border is definitely equivalent to the Nazis rounding up and executing political and religious minorities. /s

Not to make light of this issue, it's a serious matter, but don't be ridiculous.


I'm not sure it's ridiculous to suggest that failing to stop law the misuse of law enforcement tools to harass dissidents early invites worse oppression later. These things have a way of ratcheting up until they get significant push back.


Maybe. Seems like the FBI and federal agencies were harassing dissidents a lot worse in the 60s and 70s through COINTELPRO than they are now. I don't know if it's really worse now so much as different with new avenues of harassment into our digital lives. You think dissidents weren't harassed at the border before everyone carried a cell phone?

The post I was replying to was basically a vague reference to creeping fascism/nazism, and then implying that the same is happening in the US and that we're on the brink of descending into nazism. It's stupid sophomoric comparison to make.

Yea we should fight back against this type of legal harassment. Sure it's similar to how nazis once operated. But what does that comparison really provide in this situation other than throwing FUD onto it. Do you really think the US is about to rise into the Fourth Reich? I mean seriously... even if you feel like Trump is the antichrist, this policy undoubtedly came into effect during the Bush/Obama years when laptops and cell phones became ubiquitous.


I think a lot of it is that there's so much more digital paper trail and so much more stuff is done electronically nowadays you can't as easily stop being a thorn in their side (i.e activist for some cause) without them continuing to treat you like one.

In the 1960s you could decide that you'd done enough and move to a new city across the country and get a fairly fresh start. Now any trivial interaction with "the system" would get you red flagged at every subsequent interaction.

The cops "randomly" stop an acquaintance of mine fairly regularly and give him much more crap ever since one of his kids got a misdemeanor speeding ticket (threshold is 20-over which is typical traffic speed in some places) in that vehicle with those plates.

>think the US is about to rise into the Fourth Reich?

Not literally but people have diverse sets of political beliefs. It's not a stretch to imagine individual groups that are for/against something being persecuted. Imagine how civil rights activists or the pro-socialist hippies would be treated today.


Are you able to provide sources for the position you put forth about similar US harassment of political dissidents decades ago?

Obama prosecuted more journalists and whistle blowers than any president in history.

And we're not talking about turning into Nazi Germany. We're talking about why government crimes against their own people, especially for political speech, should never be allowed to happen because they can result in worse outcomes than you would expect.


> And we're not talking about turning into Nazi Germany. We're talking about why government crimes against their own people, especially for political speech, should never be allowed to happen because they can result in worse outcomes than you would expect.

And Germany didn't turn up Nazi overnight. It's always a slippery slope to prosecute people for political purposes. What happens in Canada with it misuse of human rights tribunal and what happens in many other western countries where the social climate currently is that everyone considers to be okay to suppress free speech because someones feelings are hurt. It is not a human right to be able to silence uncomfortable opinions, yet it is exactly what we see in these phenomenon of social justice warriors only there is no justice there to be made. This entitlement and the need to control of others is actually what scares me the most. You see it everywhere, people in uniforms and people in academia specially social sciences.


https://en.wikipedia.org/wiki/COINTELPRO

Read history outside of school, might learn a thing or two.


That's not the point. The point is that when you say "the ends justify the means", you are putting the rule of law below what is personally convenient for you. And if you can do that, then anyone can do that. And when anyone can do that, then you have a clear path towards authoritarianism.


Hah. As a matter of fact, the Nazi movement did get started by harassing political dissidents, not by executing minorities. Although this took the form more akin to the AntiFa riots (the Nazi Brownshirts) than border inspections, but the targeted abuse to political dissidents was the same


[flagged]


They don't even let you into Iran without making you perjure yourself into pretending to be religious. "Atheist" or "none" is not an option on the form and is grounds for deportation or execution (if you're Iranian and renounce Islam).

Iran's reputation for evil is well-deserved.


If you're atheist, agnostic, or nonreligious, and are forced to declare a religion, just say "Unitarian Universalist". Official church doctrine is essentially, "believe whatever you want; spirituality is a deeply personal experience, yet it can be shared with others".


Wonder if they accept Pastafarians?


Show up in your colander and full pirate regalia, write a blog post about your experience, and submit the link to HN.


That may be easy for people who live in other countries, but keep in mind that it's not "simply" for the millions of non-citizens who legally live here.


I was in a position to move the the USA about 10 years ago and decided against it because I foresaw quite a bit of the developments since then. So indeed, that's not simple once you have made that choice. But for some it may be a reason to move back to where they originally hailed from and in my circle of friends this is already happening (and many more people are talking about it and considering it).

This is going to hurt America quite a bit by the time it has run its course.


This is rather naive. All countries in the world assert similar rights to search you and your devices at their borders. This is not by any means unique to the US.

This is also very rare at the US border, as it says in the article. Most countries in the world are far more aggressive about searching you, and even actively demanding bribes to let you in.


I usually agree with you but I question the validity of that approach. Insofar as freedom is compromised in the US, it's likely to have a substantial ripple effect, just as economic upsets do. Were the US ever to devolve into an autocracy, it's not like there is any other country positioned to sweoop in and save the day.


That doesn't leave very many places to go.


The rise of terrorists and other dangerous activists with the "world has no borders" mindset have given rise to the border security policies we are now being exposed to. We should expect more tightening of borders throughout the world as governments' catch up.

The free flow of immigrants has its risks and unless these activists stop poisoning the well then things will continue to be unpleasant.


Solution: No Facebook (which is a solution to so many other problems too), partition and hide what you don't want browsed by some inept CBP agent, and then play your part in their security theatre. It might even be nice if someone could make some programs that offer false home screens for various devices that only open when a given password is input... your CBP "clean slate".

Don't say, "I don't have x,y,z..." accounts... have them, have accounts you never use and hand them over. Have your real identity online not be publically linked to your real identity for the purposes of something as trivial as social media.


It is probably a bad idea to try to fool a federal agent with "false home screens"... but I upvoted nonetheless because of the "No Facebook" part.

A feature I really would want to see from social media is read-only, time limited passwords. You provide this to a 3rd party and they can see everything you do, but change nothing. Upon first activation, you grant 72hrs access and don't have to remember to change the password again. If this activation does not happen within 15 days of first activation, the password is invalidated.

Acknowledging that this is a valid use case has many benefits. Social media provider can check if the password is used from government or corporate IP addresses and block non legitimate access (like, a rouge CBP employee stealing credentials and stalking individuals from his home computer). It would also be possible to keep logs of which information was accessed/consulted by each one time password, which can be used during investigations if some form or another of abuse is reported, etc.


The words "inept CBP agent" get you in trouble here. If you're a citizen, by all means, play chicken! If not: remember, they have vastly more resources than you do. Money buys a lot of forensics techniques --- in fact, governments are better at computer forensics than software developers. They're the ones doing it all the time, and funding all the research.

They don't have to decrypt. They just have to decide you're suspicious enough to confiscate equipment and bar you from entry.


> They just have to decide you're suspicious enough to confiscate equipment and bar you from entry.

That's fine with me. I don't take anything to a foreign country which I'm not willing to lose, and I have no problem turning around & heading back home if the country I wish to visit turns out to have unacceptable rules.

If someday I visit someplace that has an implicit rule, 'all visitors must have Facebook accounts,' then I'll just go back home.


Hold on, once again, because you're oversimplifying the situation here. You might be comfortable being turned back at the US border, but there are plenty of people who aren't in that situation --- they're children, or are coming to take care of their children, &c --- and being turned back at the border can mean it's very difficult to return to the country under any circumstances for years afterwards.


I think you're looking for an argument, but I'm not. It's always been possible for a country to turn a visitor away (talk to folks who've been to Israel and try to travel to an Arab country …), and that does have consequences which one must be prepared for.

I'm certainly not going to claim that 'all your password are belong to us!' is a good or desirable policy, but I am going to claim that anyone who travels between countries must be prepared to deal with the local regime, no matter how ill-conceived its rules may be.


One of the pieces of important advice I am planning on passing on to my children is: Never have children with someone who has citizenship of a country that you don't.


Given that border agents may go as far as cloning hard drive contents, what advantage does an additional partition have? A thorough search may uncover the hidden/encrypted partition, which then becomes another item for which you'd be requested to provide "technical assistance."


They aren't going to inspect the HD partitions at the border. They clone for a later time - at which point, you'd already be admitted and are not obliged to assist them.


"Have your real identity online not be publically linked to your real identity" is actually not so simple, as it requires cooperation of everyone you know. Would your mom, spouse or boss have your "account that you never use" in their social network contacts or your real online identity?

All kinds of advertising companies and spammers have such information obtained from people who share their contact list with some free app, providing a permanent link between your real name (which they entered in their contact list), your real phone number, and various online accounts. Would you be so sure that the gov't agents don't have it? IIRC there were some cases where some agencies simply bought such data from advertising info aggregators.


It's not about keeping secrets at that level, and frankly I'm a lot less sure about my ability to evade advertisers than the CBP. Advertisers are hooked into everything, as therefore so are aggregators. That said, the aggregators and advertisers can be blocked, ignored, and spoofed. Even if you don't, they don't get physical access to your devices, they don't get to clone your HDD and keep a copy!

By contrast, the CBP doesn't have the profit motive or apparatus to keep a "file" on each of us and match that file on the fly with our testimony at the border. You don't need to fool them in some grand way, just the digital equivalent of a false bottom with a safe hidden underneath. Beyond that, share some basic crap and explain you're not that into social media, but share what you have.

They're not going to be shocked that some people have little presence, what's going to get them interested is refusing to unlock something or conveniently forgetting passwords.


--> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

How do password managers play into this? I'm likely going to be traveling to the US on business. I'll be bringing a travel phone rather than a normal phone (This is my standard travel practice for any country). I could do the same with a computer.

I don't mind unlocking that. But passwords are a thornier issue. All of my passwords are stored in a password manager. On my computer, these are actually stored in a physical file, so if CBP cloned my hard drive they'd potentially have all my passwords. That would amount to ~400 passwords I'd need to change.

I could make a travel profile for my password manager and only bring in a limited, strictly necessary set of passwords.

But then this raises a further issue: do I keep social media passwords on that list, or leave them off? If I kept them off, I could honestly say "I can't login. I didn't want distracting social media on a business trip". But it might be safer just to have them? I could change the passwords after. I'm not sure of the risks of having CBP log into Facebook.

This is probably not a likely case I have to worry about, but I'd still like to figure out the best practice.


If you're not a citizen, I think this is probably pretty simple: don't carry anything across the border that you would be uncomfortable being forced to unlock. There's nothing you can encrypt with a passphrase that is protected from a border search, unless you're comfortable being sent back home, losing your computer hardware, and not being allowed back to the US at least until the next Presidential administration, probably 10 years, and possibly forever.

The only point I really want to make:

It is a very bad plan to attempt to outsmart CBP with clever encryption strategies. If you want to protect something, don't bring it to a border crossing. CBP's budget is tens of billions of dollars, and they don't have to break your encryption; they just have to fuck up your entry into the country. The math doesn't work out here for nerds.


Say you bring no electronic hardware. Could they make you login to your social media accounts from one of their computers?


Yes, they can.


This is unclear. They can ASK, but as far as I know it's unsettled territory whether this is refusable.You can definitely refuse it as a USC and I would bet, as an LPR. Gets trickier when on any other visa as then your entry is essentially all "discretion"


The problem is that it's pretty much CBP's discretion whether you --- a non-citizen --- are being responsive. There aren't statutes for this stuff.


Any speculation as to what might happen in that situation if your password is non-trivial and not with you?


What about 2-factor? Should i just disable it?


Right. Since they may ask for social media passwords, would that imply making a travel profile for my travel devices that has password access to things like Facebook and a subset of sites I'd need, but not necessarily all 400+ of my logins?

I don't care if they login to my Facebook (well, I think I don't). I just don't want to have them have everything, because then I'd have to change it all.

To be very clear, not planning to use any encryption strategies. And as you mentioned, being unable to access Facebook is not a sensible option. My question is about what to bring, not how to secure it.


It doesn't matter what you have in your password manager. If you're not a US citizen, they can demand your facebook access. If you don't have it, can't unencrypt it, or just feel like telling them to fuck off doesn't matter. You have no legal right to enter the country except with their permission, and they may well tell the person who didn't put their facebook passwords in the password manager to get back on a plane and go home.

US citizens have it better in at least that one regard. They can't keep me from entering the country. They can confiscate my laptop, but if I don't want to give them facebook access, there's not much they can do to stop me. They can of course add me to some list that makes my life miserable every time I fly, but there's no constitutional provision that allows preventing a citizen from entering the country.


So basically, as a non-US citizen, if you don't bring a device that can log into your Facebook account, they might deny you entry? Of course rhey might deny you entry for any reason, and them caring so much about your social media accounts is probably a sign you're on a shitlist somewhere, so maybe it doesn't matter so much.

I wonder, though, if you don't have FB etc. accounts, do they believe you?


I think the only way to interpret this that's even remotely practical to implement is that while they have the right to ask anything of anyone, in practice, it will likely be targeted. If they're asking, they probably already know quite a bit about you, including whether they think you match some social media profile they've red-flagged.

I'm certainly not suggesting that Trump isn't stupid enough to think having CBP attempting to guess whether 800,000 grandmothers every hour are lying about not knowing what Facebook is would be a plan he could seamlessly roll out, but I think any such plan would crater pretty spectacularly.


There's a big factor of subjective evaluation, but it can be quite effective.

A large majority of people do have FB accounts, and even care about their FB accounts as illustrated by their worries about providing access to them.

For most people they wouldn't bother to look, only a tiny fraction of travelers get their devices checked. And if you really don't have FB etc. accounts, they may believe you - I have little reason to doubt that; I feel that if that was their policy then we'd hear about many such cases.

However, if you claim that you don't have a FB account and their automated system (seeded by the information submitted by the airline before your arrival) shows a FB account with your face, then that seems a sure way to get turned back at a border.


So, basically there probably going to be honest people where they would tell the truth, that they don't use thefcnkfacebook but because some scammer has created a fake profile of them would be turned back at the border. Amazing brave new world we live in...


> shows a FB account with your face

Which, amusingly, is a Facebook spammer strategy — clone someone's account, including profile picture. So even if you delete your account, there may be a spammer clone that shows up in CBP's database.


Why is this being accepted as even remotely reasonable? What about 'login with Facebook' sites?

We here know that we should change our password and logout of existing sessions ASAP after being made to do it, but our non-technical family members may not.

"Add TSA as a friend" is borderline reasonable, (pun intended) "give us your password" is not even close.

It also damages public awareness of importance of maintaining secure and private passwords more generally.


> Why is this being accepted as even remotely reasonable?

That it's unreasonable and unacceptable doesn't mean that it's illegal. Despite your and my hopes, not all unreasonable and unacceptable things are illegal.

> What about 'login with Facebook' sites?

Don't do that then.

> We here know that we should change our password and logout of existing sessions ASAP after being made to do it, but our non-technical family members may not.

If you've given access to your account to someone else, you've already lost, whether you log out quickly afterwards or not.

Don't put yourself in a position in which you must log into an account you care about.


You're missing my point entirely:

People do 'login with Facebook'; people will (perhaps grudgingly) log in for them/hand over their password.

You won't, I won't, but people will because they're asked to by the uniformed officer, despite how mad it is.

I'm just amazed at the lack of significant opposition to this, there doesn't even really seem to be any opposition. Here on HN where one might expect it to be most opposed, we're merely discussing how to mitigate the effects (you can't, don't go - or be prepared to be turned around).

I wouldn't pay for my own travel to the USA (while I've been before, and enjoyed my trips, etc.) because I'm not an idiot - and handing over a password is idiotic - and I can't really afford a wasted trip. Sure, sunk cost, whatever - the cost/risk isn't worth it, at least for now until it's shown that they rarely do it, and really it's only x,y,z countries from where I do not hail.


> I'm just amazed at the lack of significant opposition to this

I'm amazed at all the many ways people will give up their rights, and yet folks continue to advocate for their rights to be taken away.

> Here on HN where one might expect it to be most opposed, we're merely discussing how to mitigate the effects (you can't, don't go - or be prepared to be turned around).

I can't change the law, but I can change my behaviour.

> I wouldn't pay for my own travel to the USA (while I've been before, and enjoyed my trips, etc.) because I'm not an idiot - and handing over a password is idiotic - and I can't really afford a wasted trip. Sure, sunk cost, whatever - the cost/risk isn't worth it, at least for now until it's shown that they rarely do it, and really it's only x,y,z countries from where I do not hail.

a) they rarely do it (roughly 4,500 times last year, IIRC)

b) any country might do it, and many do; this is not a U.S.-only thing


> they rarely do it (roughly 4,500 times last year, IIRC)

My mistake, I hadn't heard of this until recently (and clearly didn't read the article properly) and assumed it was a new policy under Trump.

At a rate of around 0.0012%, and assuming it's more targeted than random, my actual chance of being asked is much lower, yes sure, that probably is worth the risk of being turned around.


> My mistake, I hadn't heard of this until recently (and clearly didn't read the article properly) and assumed it was a new policy under Trump.

The really great thing about having a Republican (even if only technically) president is that the news media suddenly rediscover the virtues of small government, and the dangers of an unbalanced power structure (a similar phenomenon holds with Democratic presidents & conservatives). It'd be awesome if people would just be principled, but apparently that is too much to ask.

> At a rate of around 0.0012%, and assuming it's more targeted than random, my actual chance of being asked is much lower, yes sure, that probably is worth the risk of being turned around.

Yes, but I just carry a clean device with no access to my accounts. I can honestly and without deception say that I cannot do what is asked.


> I can honestly and without deception say that I cannot do what is asked.

The general consensus seems to be that you'll be turned around.


Login with gmail/Facebook isn't that awful. They won't get your login credentials and you don't have to set a password. It's kind of like having a super fast "verification email" every time you log in.


Yes, but my point is that a user who has handed over Facebook access has with it handed over 'login with Facebook' access.


What do you think would happen if you don't have facebook?


> If you're not a citizen, I think this is probably pretty simple: don't carry anything across the border that you would be uncomfortable being forced to unlock.

I think this applies whether or not you are a citizen, whether or not you entering the U.S. or another state, and frankly whether we're talking about electronic data or not. If you don't want it searched, examined or confiscated, don't enter a nation state with it!

> It is a very bad plan to attempt to outsmart CBP with clever encryption strategies. If you want to protect something, don't bring it to a border crossing.

Excellent advice. You can't outsmart customs with clever encryption strategies.


But if they can force you unlock your Facebook, can't they force you unlock your Gmail, AWS, Salesforce, internal company archive or some actually classified missile bunker?


If you know something they want to know and they decide to make you reveal it, then you have the choice of going back home or revealing it. Entering the USA is not a right unless you are a citizen.

But you're much more vulnerable if you bring data with you. The first level of protection is making a backup, formatting your devices as new, and restoring once you're on US soil. Better yet is not bringing devices at all. But certainly don't bring secrets with you: bank records, medical records, and military secrets should never be carried with you through customs.


If you're a non-citizen and you choose to go back home, you're probably also choosing not to be admitted back into the US for a long stretch of time, at least without a struggle.


This depends on the particulars of what happened, and it's going to be difficult for most non-experts to navigate, in the same fashion as "determine whether this code is Python or Ruby" is difficult if you've never seen a command line.

Say you're talking to your friendly neighborhood CBP officer and they say this:

"I think you're an immigration risk and, accordingly, I'm issuing an Order for Expedited Removal. You get on the next plane back home." Your passport gets tagged with a 5 year timeout.

However, they could say something like:

"I think you're not eligible for the Visa Waiver Program, because some factors suggest you're an immigration risk. I recommend you withdraw your application for entry into the United States and voluntarily get on the next plane back home." You will not get timed out for 5 years.

Note that the second one is neither a recommendation nor a request.

Disclaimer: IANAL but IA someone who has to have an anomalously-good-for-most-Americans understanding of immigration procedure.


Yes, it's a small but real risk foreigners should consider every time they chose to cross the US border.


It's no small risk. It's forcing you to whistleblow with no protection. Forcing you to do something, that they kill their own citizens for.


> not being allowed back to the US

And potentially any other country that has the "have you been denied access to any country for any reason" rider on its immigration questionaires.


What does the searching of devices at the border have to do with presidential administrations? This policy has been in place for years (from the article).


> But then this raises a further issue: do I keep social media passwords on that list, or leave them off? If I kept them off, I could honestly say "I can't login. I didn't want distracting social media on a business trip".

To go a step further, what if you don't even have a Facebook account? How do you even prove that, if there are other accounts with the same name as you that show up when searching (and the profile picture is not sufficient to rule it out)?

> I'm not sure of the risks of having CBP log into Facebook.

There's a non-zero chance you're going to be detained and grilled if any of your friends have talked about terrorism, drugs, have criminal records, or are on or share a name with someone on a terrorist watch list (and that may extend to their friends or further).

They could also potentially take a copy of your friends list, posts or any other content and do who knows what with it at some point in the future.


I use syncthing.

Mostly for syncing all my music and pictures between phone / laptop and home server.

For your use case, there is a solution with the caveat that your password manager is unavailable on the flight. Simply have a dumb phone on entry with Syncthing and your Password manager installed but no password file. Once you have been allowed entry into the despotic regime's lands, connect to a starbucks wifi, initiate syncthing and it will pull your password file from your home server / computer etc.

If you update your password file, it will be synced back to your home server. When you travel again, disable syncthing, delete your password manager.

Or use an ssh script to pull it from your home server.


Could you just bring a device with freshly installed Windows / OSX, and clone the whole disk image over the internet once you're inside U.S. ?


Well, yes. But as tptacek said:

"But non-citizens, possibly including LPRs, cannot: if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country."

I'm not a US citizen. I don't have anything in particular I care about the CBP seeing. But, I'd rather they not have all of my 400 passwords. I'd then have to change everything, and also be breaking a bunch of bank terms of service.

I don't think CBP actually wants my bank info. But with all passwords in a manager, they would get it if they had access. However, with no passwords, they may bar entry.


I'm traveling overseas this summer, and I don't plan on having my 1Password database handy when I reenter the country.


So you will be a position of "can't login to that site". How does that square with:

"if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country."

I guess they haven't yet started asking for social media passwords, so maybe I'm overthinking this. I'm certainly going to be prepared to unlock any devices. It's the web passwords I'm not sure what to do with.


Well, in tptacek's case, I believe he's a US citizen so they can't deny him entry.


Hmm. What would be the best practice for a foreign national?


> What would be the best practice for a foreign national?

Understand that you may be denied entry to any country but your own. It's a fact of life which you cannot do anything about, so you might as well accept it.

What I do is:

- travel with a machine which is not logged into any of my accounts

- if asked, I can honestly say that I do not know any of my social-media passwords (because they are all of the form mZOH05WaxeAWqI79myMxcx or SWwDmDOkyHCVdX8eOiTLXC1U1psffeXfFgNx6PaZZhp); if that's unacceptable to customs in any country, they can send me back home

- if they press, I can honestly say that my computer back home (not the computer I have with me) has my master password file, and that there is no other copy


None of us know. It's a real problem.


If your password manager doesn't encrypt it's own files on disk, then you're using the wrong password manager.


I'm operating on the assumption they'll ask for the password to that too. That's where the social media passwords are.


Encrypt your password store using gpg and zx2c4's pass! The GUI app qtpass even works on Windows. I've been using it for months and the system is rock solid and has never let me down.

https://www.passwordstore.org/

They can copy your drive all you want, and you have until 2030 to change your passwords.

Alternatively, just store them in a git repo on a server somewhere and access them remotely.


CBP will begin asking everyone for Facebook logins.

I don't understand how this doesn't run afoul of the Fourth Amendment. Surely one's social media qualifies as "papers" or "effects" even though they're digital artifacts and not physical. This just seems _incredibly_ invasive.


> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated...

Your phone is undoubtedly your "effects" (in 1789, touching your phone without your consent would have been a trespass to chattel). But searches incident to a border crossing have always been considered not "unreasonable," because inspecting the flow of things across the border has always been seen as a legitimate government function. Indeed, one of the very first things Congress did in 1789 was to create a customs department in order to perform precisely such inspections.

That said, there is an originalist legal argument to the contrary. The framers understood the border-search exception to exist for purposes of customs enforcement. Customs enforcement has always been about physical, rather than intangible goods: https://www.eff.org/files/2015/11/10/clearcorrect_v_itc_-_op.... So searches of digital content are at least outside one of the key purposes of the border search exception. (Of course, that doesn't help with the other purpose of the exception, which is national security.)


> But searches incident to a border crossing have always been considered not "unreasonable," because inspecting the flow of things across the border has always been seen as a legitimate government function.

...

> So searches of digital content are at least outside one of the key purposes of the border search exception.

Yes. And also, who in their right mind would use a phone and an airline ticket to smuggle at most 32GB (or 64, or whatever) of contraband data into a country? Absolutely no one.


I feel obligated to point out that:

1. my phone has a 200GB microSD card in it right now 2. 256GB microSD cards are readily available 3. phones with two microSD cards are available 4. I can easily purchase a 4TB hard drive that is roughly the same size as a pack of cards

It's not terribly relevant, but you're dramatically underestimating the volume of data that can be reasonably stored by media carried on one's person.


1,2,3) I kinda forgot they still make phones with SD slots :). OK, so the storage goes up by 10x, but still, there are multitude of more convenient and more secure ways to move that much data around.

4) Encrypt that drive and ship it. Why would anyone up to no good go to the bother of passing through border security with it on their person?


I'm curious - if one carries a microSD card in one's mouth, will mm-wave or X-ray backscatter airport scanners see it?


"3. phones with two microSD cards are available"

link ? Genuinely curious ...


Johnny Mnemonic.


The international border is a longstanding exception to the Fourth Amendment: searches at borders are per se reasonable. The history of this exception goes all the way back to the founders, so there's probably no battle to be won over whether the exception is valid, only to what the limits of the exception are.


I'm not traveling while carrying Google's, Facebook's nor Yahoo's servers in my baggages. Asking for login information has nothing to do with importing goods. Login and password are not goods. It's invasion of privacy, pure and simple.

Why are the broder patrol not simply asking for login credentials straight out? Why carrying or not a phone has anything to do with asking for credentials? It's absurd.


It's possible (not guaranteed) that it does. There are exceptions in the law for immigration/customs stuff. The way to find out is to sue CBP and have the courts decide, or find existing precedent one way or the other.

Or have Congress pass a law making it illegal or legal. Good luck with that one.


There's case law pushing the border search exception one way or another going back through the 20th century (for instance, it's a mid-1970s case that establishes that you cannot, in fact, be searched simply by dint of being within 100 miles from the border, but rather that the "100 miles" thing is a limit on the government for how far you can get a recent actual border crossing before the government remembers to search you).

Not that there's nothing worth challenging here, but the skeleton of legal principle these searches hang on is pretty strong.


Silly things like laws and constitutions do not apply at the US border. Or anywhere near it.

https://www.aclu.org/know-your-rights-governments-100-mile-b...


There's a statute that carves out the border search exemption:

https://www.aclu.org/other/aclu-factsheet-customs-and-border...

So the argument to be made is that the application of the law or the law itself is not in keeping with the Constitution, not that law doesn't even apply.


oh, some laws definitely still apply! try lying to the border agent if you doubt it!


What if you don't have a Facebook?


I was thinking the same. Most likely: "You don't have facebook? What are you trying to hide?" xD


> This just seems _incredibly_ invasive.

You could leave out the 'seems' and it would improve the comment.


But then the sentence no verb?


/s/seems/is/



We can have a substantive disagreement about whether or not the practice "is" invasive, less so about whether or not it "seems" invasive.


You're absolutely right.


I feel any parent with a teenager who's tried to monitor her Facebook account can see where this is headed.

This policy is incredibly ignorant of how online communities work and where communication is going. The only thing I can see happening is terrorism-minded individuals actually creating and maintaining clean Facebook profiles as a smokescreen. That's an easy win and great distraction as communication moves to non-centralized, encrypted, expiring messages.


This isn't to catch terrorism. Though they'll probably get a few idiot "extremists", this will mostly stop people coming in under false pretenses. It's bizarre how people don't think ahead to their border crossing and are willing to admit they are going to live with their SO, or work as a nanny -- while under a tourism visa.

It'll be very effective at this. Most people aren't going to establish a plausible social media profile after they figure out they're going to the US to live/work/whatever.

"Real" spies and terrorists and whatever can obviously afford to setup enough cover. (Though there is the case of a spy getting discovered because she used her real frequent flier number while traveling under aliases.)

At best, this might put a chilling effect on Facebook and other things like that, which is probably a net win for humanity.


> "Real" spies and terrorists and whatever can obviously afford to setup enough cover.

> It's bizarre how people don't think ahead to their border crossing and are willing to admit they are going to live with their SO, or work as a nanny -- while under a tourism visa.

So we're not catching "real" spies and terrorists; we're catching nannies trying to get paid under the table; do you think maybe we've got bigger fish to fry? This is a bad precedent, and what are we gaining? Nothing.


You're gaining a more efficient CBP, enforcing visa rules and avoiding overstays like they do now, just with higher accuracy. Now if you want to argue that visa classes are silly and the US should just let anyone come in for whatever, fine, but that's a totally different argument.

And yes, it's possible that this isn't worth the gains to CBP. But the US is pretty powerful and can force quite a bit of crap on people without getting too hurt. If it stops, it'll most likely be from efforts from e.g. Facebook lobbying against it.

Business travelers have little choice. A lot of migrants have no choice (the benefits of US residency far outweigh the inconvenience for most people) -- we can test this out by looking at how many Mexicans or other Latam folks stay in the US vs, say, Canada over the next few years (confounding that is Canada removing visa requirements for Mexicans). Tourism might be hit a bit, but I'm unconvinced this is a big enough deal for people to rethink their entire vacation plans.


Enforcing visas through violating privacy seems like a good enough argument against this practice to me. What you're also gaining is a precedent to enforce more searches that look through not just your public life, but also the intimate parts that the government really doesn't have much business in analyzing.


Yep you're right and this is the kind of arguments people should be making.


The guy that had this happen to him recently was American and working for NASA AFAIK. If catching overstays is the issue why do this to citizens?


Power grows? I'd like to know what contraband CBP expects to find on electronic devices. At any rate, they can only ask citizens to comply, not force them.


> So we're not catching "real" spies and terrorists; we're catching nannies trying to get paid under the table; do you think maybe we've got bigger fish to fry? This is a bad precedent, and what are we gaining? Nothing.

A country which controls its borders gains … control of its borders. If it's illegal to enter a country as a tourist in order to live with one's girlfriend, well it's illegal to enter that country as a tourist in order to live with one's girlfriend. That doesn't mean the law is right, or good, or desirable, just that if one enters that country as a tourist in order to live with one's girlfriend, one will be breaking that country's law and is liable to be deported.

Although I tend to favour open borders, myself, I think it's perfectly reasonable for the customs police of any country to turn away people trying to enter that country illegally.


That doesn't address the question of balance between the seriousness of the illegality and the invasiveness of the investigatory technique.

It would certainly be feasible to require every vehicle to be fitted with a data/position logger so that a vast number of hitherto undetected breaches of the laws governing the road can be immediately detected and punished - but it's pretty clear that the invasiveness of this is not worth the gains in compliance.


> That doesn't address the question of balance between the seriousness of the illegality and the invasiveness of the investigatory technique.

No, it doesn't, because I addressed the statement, 'What are we gaining? Nothing.'

I don't support the policy at all; I think it's a fundamental human right to encrypt data and not have to give the password to anyone.


The people that voted for Trump get to gain a bunch of thankless, low-pay jobs that will no longer be allocated to illegal aliens. There might be bigger fishes to fry, but given that they never get invited when salmon is on the menu, they are happy to see the sardine cans comming in.

And if they cannot or will not take the nanny jobs for themselves, at least they get to mock the uppity mothers that voted for Hillary and now are forced to dump their careers to take care of their own children.


Rule of Law.


It's so obvious as to hardly bear mentioning, but you can use this to excuse any violation of rights if you want. Sometimes "rule of law" just isn't worth it.


Sure, but you've offered no argument regarding this particular situation.


Sounds more like rule by law.


Sounds like no nation wants undocumented labor because it is very problematic.


Living with your SO under a tourism visa isn't a crime as long as you leave before your visa expires...

And is it the role of CPB to prevent under the table employment? Surely there are better ways to address that issue if it's a concern. Building walls and inspecting social media seems like a political smoke screen for avoiding more effective enforcement measures - requiring farmers/factories/roofing companies to prove their labour is legally allowed to work in the US etc. Or we could acknowledge the reality of immigration (we need workers if we can't afford to pay Americans an adequate wage to pick fields etc).


Right, but many times, especially if you're coming from a "worse" country, the agent is not going to believe you're going to return. So people lie about it, and thus get caught out.

Yes, it is the role of CBP to make sure you're coming under the right visa. It's no different than making sure you're not coming to stay while on a temporary visa.

No whether or not this is important or just silly politics is a different question. Same to the question of is this ethical/right/whatever. But there's zero doubt that this will enable CBP to be more effective. So arguments against it should focus on "yeah, this makes their job easier, but at what cost?" instead of pretending there's zero upside.


So you're saying as someone from a "good" European country (Nordic) I basically have to not worry about any of this?


You have a lot less to prove to CBP than someone coming from a broken country. Your incentives to stay in the US are drastically less than someone from, say Mexico. Other countries do the same thing. A US citizen gets a warm welcome into Mexico. A Guatemalan gets hassled.

There's still random bad luck - as a Canadian I've been theatened deportation for not cancelling my green card despite not using it or living in the US. I've been detained because a CBP agent decided a trade show was work and I wasn't eligible for a B1. (His first words were "you're going miss your flight, I'll make sure of it".) But most of the time they wave me right by.


> Living with your SO under a tourism visa isn't a crime as long as you leave before your visa expires...

No, but it is left entirely up to the agent interviewing you for entry to decide whether he thinks you're likely to leave later when your visa is expiring.


As if it is only illegals that are being paid under the table.


It's not about being _paid_ under the table, it's about entering the country with intent to violate your entry conditions (working without a visa). CBP doesn't have much to say about legal workers not, say, filing taxes.


You're right that this is not (primarily) about catching suspected criminals or people affiliated with terrorist organizations.

I wouldn't be surprised if they had an internal profiling tool that they run similar to https://applymagicsauce.com/.

Kind of similar to what Cambridge Analytica (https://motherboard.vice.com/en_us/article/how-our-likes-hel...) uses to target political campaigns.

You know, the Cambridge Analytica whose board of trustees includes Steve Bannon.

So the question to be asking is why does the US government want a psychological profile of every traveller passing through the border?


genuine question then: why do this on citizens then? what are they expecting to gain? are they just casting a wide net to catch dumb extremists?


A lot of metadata-oriented mass surveillance centers around who is talking to whom. If someone is identified as potentially relevant, for example, for being involved in publishing leaks, spies might be very interested in filling in as much information as possible about that person's contacts and communication methods.


  fb.post.synth.byDate(
    { { 2, 18, 2017 }, "Today I watered the flowers!", { "flowers" , "me" } },
    { { 2, 19, 2017 }, "Watched my favorite show!", { "television" } },
    { { 2, 20, 2017 }, "My kids are so hilarious!", { "children", "bicycles", "outdoors" },
    { { 2, 21, 2017 }, "Frustrated with lawn mower!", { "lawn mower" } 
  )


This, to some extent was already happening. The last time my partner came into the US on a visa waiver (from the EU) before our fiancee visa was approved, her entire PUBLIC facebook wall was printed out and waiting for her in an interrogation room at O'Hare. (This was a few years ago now) -- it was a little eerie b/c her facebook is not under her "real name" - that is not the name on the flight manifest. So it took some digging.

At the time they were mostly concerned with posts where it may have insinuated she was accepting photography or graphic design clients while in the US on a tourist visa which is a big no no, but I could see that switching to political allegiances, etc quite quickly.

She is now an LPR on her way to naturalization and I am a USC. We are going to Turkey in a few weeks and seriously considering leaving phones at home, getting burner phones for our month abroad, and wiping laptops and restoring them from the cloud on either side.

Seems like there could be a market for device upload/wiping/restoration as a service.


The most troubling thing to me is that all of this is device-agnostic. They know you have a Facebook account and they can find it even if it's not in your name. So now when you return to the US they may very well demand that you provide them your Facebook login credentials. If you're not a USC and face getting put right back on a plane to Turkey, will you refuse?


We are discussing in advance. I will refuse any device requests or password requests and ask for a lawyer if detained. She is seeking clarification from an immigration lawyer about what is required from her as a green card holder. She will likely comply with handing over (wiped) devices but would also refuse handing over passwords.


Yep, the story is totally different for non-citizens.

My plan, if this ever comes up, is to refuse to unlock the device, ask for a lawyer if they hold me, and wait it out. I already make sure to power down my device before I hit customs just to be sure they can't compel my fingerprint.

I couldn't advise my wife to do this, though. It's likely that they'd revoke her green card, deport her, and basically wreck our lives. At least she (probably) has nothing to hide....


> US citizens can play chicken with CBP and lose nothing more than their computer/phone hardware

Well they can also be detained, for an indeterminate length of time.

That could put their job at risk ( didn't show up for work for a couple of days with no explanation ), their mortgage, their house...


From the article:

The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507. A related document says that "officers may seek such assistance with or without individualized suspicion." Refusing to comply with this statute is "guilty of a misdemeanor and subject to a fine of not more than $1,000."

Are you confident that it's legal for a US citizen to refuse to provide a password when re-entering the country? I'm not familiar with the statute beyond what is mentioned in the article.


There are increasingly two types of law in the USA: felony punishable by no less than x, and misdemeanor punishable by no more than y.

I've taken to sighing and accepting y and just being grateful it's not a felony if I do it. Felonies are bad, you'll lose your rights, you can't vote, they're harder on you in court, and they follow you everywhere.

I'll take misdemeanors for $1000, Alex.


The OP article says this particular law hasn't really been tested in court, nobody's really sure if it's legal or not. One way to find out. I'm up for it. As a US citizen with white skin and money for a lawyer, it's unlikely anything _too_ terrible will happen to me. It is at worst a misdemeanor.


You want to bet on that, with the Trump administration? I'll say an 'ave' for you.


I do, yes. I'm white, I've got some money (and family with more money; for lawyers, I mean), I'm a US citizen. That's within the level of risk I'm willing to take for standing up for freedom. We're not going to fight this stuff without being willing to take any risk at all. That's being a human, doing what's right involves some risk and sacrifice, almost always.


Well, thanks for being willing to take a bullet for the collective good, and I wish you the best of luck with it.


Yet another reason never to sign up for Facebook.


That doesn't necessarily help. Many people have Facebook accounts with names that are not their "real name" as on their ID and plane ticket. If they want to, they'll just claim that you most likely do have an account and you're lying to them, and hold that against you.

If you're a foreigner, there is no way to win this if they are determined to make you lose. US visas as well as the documents for the Visa Waiver program make it clear that even if you do have all that is required, you are not guaranteed entry to the United States. The officer on the border can turn you back on a whim, and you have no legal recourse. Presumably they have some internal controls, but that won't help you in particular.


> Many people have Facebook accounts with names that are not their "real name" as on their ID and plane ticket. If they want to, they'll just claim that you most likely do have an account and you're lying to them, and hold that against you.

There is also a fairly good chance that someone else with your name does have a Facebook account, and I'm not sure how you'd prove that one of them isn't you.

Even worse, someone could create a fake Facebook account with your name and picture, and put some pretty damaging stuff on it. How would you prove to customs that no that really isn't your account, none of the public posts are yours and you really, truly have no way of logging in? It's like Doxing or SWATing taken to the next level, but you could potentially end up in jail.


Yet another reason never to enter the USA.


There's a show on Netflix that follows the Australian immigration cops. They go hard and frequently examine text messages, email, social, etc. for non resident entrants.

If you think this is just the US, you are mistaken.


> They go hard and frequently examine text messages, email, social, etc. for non resident entrants.

Interesting. Do they ever find anything that's actually incriminating?


Normally it's young people entering Australia to work "under the table" and only have a student/tourist visa. They denied entry for this reason very frequently.


You mean they actually find emails saying "good luck with your illegal work in Australia on a tourist visa, lol"?


I got a not-quite-as-bad grilling at the UK CBP, where they required me to log into my banking apps and show them my accounts & balances, as well as transaction histories to determine whether I was currently working remotely (and, therefore, would continue "illegally" working remotely while in the country).


Decade ago they were doing that in the UK. Showing proof of funds when you arrived.

Had one trip to the US where they asked how much money I was carrying. I said none, just a credit card. They asked if I were planning to work there. I said no, I'll pull money from the debit card as I go. They (presumably) acted puzzled about this.


Proof of funds is one of the three things they apparently still require. I had to show proof of funds (~$1000/month), proof of lodging (airbnb itinerary), and proof of leave (an already-booked plane ticket at the end of my stay).


Wait. So if I am a tourist in, let's say, the USA and I keep working remotely on Canadian projects and getting paid in Canadian dollars, do I need a work visa?


Depends on the country. The UK's particularly bad (in my experience and from what I've heard from the digital nomad community) in that they don't like you working remotely at all while visiting, especially if you're staying for any significant amount of time (I'm here for 3 months).

The general rule is "if you make money while in a country, you need a work visa while in that country", but obviously that may be a bit outdated and not take into account remote positions. Many countries can/will fine, blacklist, and deport you if they find out you worked while within the country without a work visa; and it's _those_ people that you need to be able to convince "I'm not taking your jobs away!" to.

I'm a US citizen so I haven't looked into it from your POV, but I do know that a trip to Canada, for example, allows working remotely as long as:

* you work for an American company with no Canadian offices or branches[1],

* you are paid in American dollars, and

* that payment is deposited into an American bank account.

Again, depends on the country you're visiting (and possibly the country you're a resident of), so I'd double check before working on a trip just to be safe.

[1] If your company has branches where you're going, the safest bet is to get them to help arrange the trip. A have a family member that travels a lot on business and has been denied entry to countries while on business trips specifically to train the local branch, because even then it's a delicate situation.


No, but a text saying "we'll see you at work 8am on Monday" as you are entering Australia is probably good enough reason to be denied entry if you have a tourist visa.


It probably is, yes. Does that actually happen on this TV show?

(Not sure why I get downvotes but no clear answers to simple yes/no questions.)


Yes, this exact scenario occurs quite frequently on this Netflix show. It's almost invariably a 20-something working as a server at a restaurant.


USA is a surveillance state. Here in UK we are much more progressive and respecting of peoples' privacy /s.


USA, Australia, UK, Canada (other comment branch). Sounds like the Five Eyes?


Canada requires this too. I'm sure other countries do as well.


That's unworkable. OK, maybe Facebook. But going without social media is no longer workable. Too much depends on it: family, friends, education, work, etc.

However, what is workable is keeping your social media clean. Compartmentalize anything questionable, anything potentially embarrassing etc, using pseudonyms. And compartmentalize those pseudonyms on separate hardware, and avoid linkage through IP address, activities, interests, friends, etc.

Edit: It's cool to hear from itshoptx and gravypod that it's possible to go without mainstream social media.


I would respectfully have to disagree with you concerning social media.

- I've been in IT 20 years and have no social media

- I meet my friends in person, since they're all local, save 2, and we prefer to talk or text

- I've never had a potential employer bat and eye or even care that I have zero internet presence. In fact, many have said they prefer it because I'm not distracted whilst at work. Besides, I enjoy being something of an anachronism where this is concerned. Granted, my stance is my own and I encourage others to do what works for them. I have considered that when I travel I may be harassed because the powers that be will assume I am lying since everyone else seems to have social media accounts.


Your method also only works if you have a small social circle or don't go out much. Good luck planning a big party or trip without a Whatsapp/Telegram/Facebook group chat..


You understand that society did just fine for thousands of years without these things right? Maybe if you are 20 the social norms have changed so drastically that calling someone is unthinkable but I rather doubt that. Certainly for my generation and above ('84) it's not required.


We used to have to call[1] several people to organize a gathering/outing, in the distant past of 15 years ago. If someone wasn't home you just had to try again later and/or leave a message, which they would only hear when they got home. Maybe every now and then someone would miss something because of this, though not often. Shockingly, it worked just fine.

[1] from our homes, obviously, since that's where the phone is, unless you were one of the rare high school students carrying a cellphone that had a usable amount of minutes on it, and even then cell call quality was (is...) so crap that you'd prefer your home phone.


While I generally agree with your sentiment, FWIW I'm a 25-year-old and I haven't answered a non-work phone call in several years. If friends/family want to contact me, they can send an IM or leave a voicemail and hope I call voicemail in the next week or two.

I haven't even had the sound/vibrate on my phone turned on for about a year now (which, honestly, is probably the most liberating decision I've made since then), as there's nothing in my life that can't wait however long it is until I check my phone next.


I am pushing 40 and everything is planned on Facebook now. That's the main reason I have an FB account, to keep up with events. The secondary reason is to keep up with conversations people are having on there, at the events they're planning on there.

My social circle is decidedly non-techy, too.

I don't think there is a generalizable rule.


In the past most people never went outside the 20 mile radius where they were born. keeping up with friends around the globe is a lot easier using social media


Social norms have drastically changed, but not to that degree.


I'm only 32. I live in a different city than I grew up in which was a different city than I went to school in. I don't use any social media sites (tried google+ but none of my close friends helped it so I left quickly). It's never been an issue. My friends from all three cities made it to my wedding and no one has an issue texting me when a group camping trip is being. planned. It's perfectly workable unless you feel the need to see what everyone is doing everyday, which never appealed to me.


Unless you call hacker news social media then you can definitely do it. I do it. I just call or text the people I care about when I'm thinking of them.

Nothing is needed from social media.


Yes, I love giving in to chilling effects that modify my behavior out of fear of consequences!

Or perhaps a government shouldn't be party to my social life?


> chilling effects that modify my behavior

I never modified my behavior. I just don't like the layout/UX of facebook/twitter.

> out of fear of consequences

This isn't being done for any specific reason, it's just a side effect of my dislike of their UI, management, and moderation.

> Or perhaps a government shouldn't be party to my social life?

If I'm texting, the government has it. I don't know what you are on about.


I don't like it either. But it's irresponsible to counsel people in ways that set them up for suffering. Protesting should be a conscious choice.


A fun prank: Create realistic facebook profiles for people you hate, and send links to CBP right before they travel.


> A fun prank: Create realistic facebook profiles for people you hate, and send links to CBP right before they travel.

During the Chinese cultural revolution in the 1960s, anyone could anonymously post the names of "people they hated" as suspected counter-revolutionaries on public bulletin boards. A "fun prank," maybe, except that many of those reported were executed. [1]

This was contemporary with humans traveling into space. We're not out of the woods today—if anything, technology has raised the stakes.

[1] https://books.google.com/books?id=AfIydrsE6aMC&pg=PA163&lpg=...


it is illegal to create a profile for someone else, i.e. to impersonate someone: http://blogs.findlaw.com/blotter/2011/11/fake-facebook-profi...


> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs

We're in a temporary blind spot with CBP et al not asking for iCloud, Gmail, et cetera passwords.


Makes me wonder what the best options are for cheap phones and laptops that can be used while traveling.

Also, does having saved passwords in a computer (for servers, email, GitHub, etc.) mean that CBP could use those passwords to search computers inside the United States? Or is their search power limited to information actually stored on the machine's hard drive.


Put your passwords in a password safe like Keepass, and keep that somewhere in the cloud, PGP-encrypted as an extra layer of security, with a private key that is encrypted as well. Create a special private key for this purpose alone. Download that file when you entered the US and decrypt it.

When exiting, you might wipe the disk if you want to be sure they won't search it when you leave.


Or don't go to USA. Other countries need to develop their conferences and ecosystems.


If your phone is logged in to email or Facebook, they can download the total contents and history of your accounts.


There doesn't seem to be much difference between making you unlock your phone (and thus all the services it's connected to) and just making you sign into your social/cloud accounts at a kiosk. Are they doing that yet? If not, they will soon, barring a successful and crystal-clear court ruling in the meantime. I guess it's time to start re-thinking having persistent available-anywhere remote access to any of our own data. That's going to suck.


If they have the password they can search it...


> But non-citizens, possibly including LPRs, cannot: if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country.

Wouldn't an OK mitigation be to give the device to a US citizen for the border crossing? The US citizen could legitimately say it's not mine, it's my friend's and I don't know their password. The alien would have no item to be unlocked.


If you were traveling with said friend (you being the foreign national and friend being the US citizen), CBP would just make you unlock your own phone. This is not like a logic game you can outwit.


> If you were traveling with said friend (you being the foreign national and friend being the US citizen), CBP would just make you unlock your own phone. This is not like a logic game you can outwit.

It's not a logic game, you're just adding hurdles to the search which make it less likely, and leaning on the legal privileges of the citizen. To do what you propose, CBP would have to flag the citizen for search and connect them to the foreign national before they pass immigration and customs. If they manage to do that, the foreign national needs to comply. If compliance is not an option for them, this idea won't work.


> CBP will begin asking everyone for Facebook logins

If they asked me I would answer, honestly, "I've no idea what my password is, it's always logged in on my computer".


And you will be blocked from further entry into the US


It gets worse, because if you're coming to the US hoping for permanent status, anything you do to slip stuff past a search that CBP does is potentially grounds for revocation of status later.


The question is where is the line?

Say I have sensitive or proprietary information on my laptop that is in an encrypted drive. Do I have to unlock my laptop, or do I have to unlock each encrypted file itself?


There isn't a line. You have to do what they say you have to do, or else [consequences as above]. Your sensitive or proprietary information is not an obligation on them.

The one possible exception might be if you're carrying information that requires a US security clearance to view. I'd normally expect that to come with an ID card that causes CBP to ignore you, but these are not normal times and you could end up in a fight between conflicting "security" services.

(The worst case of that I'm aware of was https://en.wikipedia.org/wiki/Arms-to-Iraq )


So maybe Facebook add a feature to "delete" your account, to later have it restored? Similar to erasing your phone and restoring it later?


Facebook already does this when you delete your account


So the logical thing is to at that point delete your facebook profile forever and never make another one and little of value is lost


What are they going to do if you say you don't have a facebook account? (True in my case.) Seems difficult to verify.


Nothing. But if you do have a Facebook account, and you're not a citizen, you should bank on them knowing that you're lying about that. Further: saying something will conflict with automated information gathering they'll have done beforehand will put you in a different bracket of suspicion. Most people will just tell them, most people will just unlock. They're going to be interested mostly in the oddballs (for better or worse).


A cool idea might be to have a device-image that you can load on your phone for in-country and one for out-country, and a method for selecting from your in-country image the only stuff you want to copy to the out-country... like contacts, certain apps, certain passwords/bank/passport etc...

Also, whats an LPR?


If you can recover your data at the border, and you're not a citizen, you should be prepared to do so. There's no clever trick that scales to ordinary people that protects data from CBP. That's the think people need to be clear on: it's inconvenient, but they need to not only not be carrying sensitive encrypted data at the border, but also not carrying any indication that they have it, or have any such indication attached to their name.

An LPR is a green-card holder, a lawful permanent resident.


There is also the combo of fde + factory reset of your device after landing.

Yes it is inconvenient, but far less so than a total compromise of your credentials.


As an aside, you can have facebook logins, without having facebook installed on your phone, and you can make your profile unsearchable.


Facebook really needs to step up and add an anti border guard feature. Maybe a travel password that provides a hygenic profile.


> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

This seems like a perfect use case for TrueCrypt hidden volumes or similar: https://www.howtogeek.com/109210/the-htg-guide-to-hiding-you...


I thought so, too. But the advice I've seen, quite strongly, is that you do not want to lie to federal officials about anything, ever. Even if you're just using a hidden volume on principle rather than hiding some terrible wrongdoing, the moment you say "No, I don't have any other hidden files on here" or "There, you have access to all my files now" you've committed a federal crime. If they spot the slightest evidence showing that you've lied (which, heck, might not mean much more than finding TrueCrypt installed), they'll throw the book at you.


> the moment you say "No, I don't have any other hidden files on here" or "There, you have access to all my files now" you've committed a federal crime.

So then you don't say those things. This covers the much more common (I'd imagine) case where a traveler is asked to turn on his device and enter the password, but possibly not the case where the traveler is being grilled/interrogated on the contents of his device.

But plausible deniability is one of the purported features of TrueCrypt hidden volumes. How would you prove someone had an encrypted hidden volume on his device?


If you're a US citizen, go ahead and try to outsmart them with TrueCrypt. My guess is most of the time you'll succeed. But if you're an alien --- and, especially, if you're a brown-skinned alien --- don't have TrueCrypt on your laptop.

You can make an encrypted backup of your machine and store it in some innocuous place in the cloud, or have it Fedexed to wherever you're staying. There's just no good reason to play games with TrueCrypt at the border.


Just so we're clear, I think the right strategy for anyone who could reasonably expect to be targeted (journalists, certain types of researchers, people with funny names, those who've sent mean tweets about the POTUS, ...) is to avoid carrying sensitive data when crossing borders.

What I think all US citizens should do is use whole disk encryption (but everyone should do that), and refuse to comply with requests to provide their passwords, even at the risk of missing flights / losing equipment / spending a day in a room talking to unfriendly people. Frankly, this is just an egregious and pointless violation of our 4th amendment rights.


What if one doesn't have a Facebook and is unwilling to give up email for work/NDA reasons?


As above: You have to do what they say you have to do, or else [arbitrary consequences]. Your sensitive or proprietary information is not an obligation on them.


That will be difficult to do for those of us without Facebook profiles!


Another option is decoy operating systems


what happen if you dont own a facebook account?


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: