Hacker News new | comments | show | ask | jobs | submit login
What could happen if you refuse to unlock your phone at the US border? (arstechnica.com)
445 points by nkurz 129 days ago | hide | past | web | 477 comments | favorite

Worth remembering: US citizens can play chicken with CBP and lose nothing more than their computer/phone hardware (perhaps having it returned 6 months later). But non-citizens, possibly including LPRs, cannot: if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country.

The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

This is going to get harder still. CBP will begin asking everyone for Facebook logins. You'll think of 10 different ways to conceal your Facebook doings from CBP, but CBP has advance traveler's manifests from flights and will know that people have profiles --- and, sometimes, what was on those profiles.

> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

Or, to simply stop traveling to countries that refuse to play nice with the rights of foreigners. The whole idea that this sort of thing is even anywhere near acceptable behavior revolts me.

Yeah, I pretty much decided to never travel to the US again the first time I heard you may be compelled to unlock your Facebook profile for the customs.

Not because I have something particular to hide, but as a gay person in a hostile world I have learned to care about my privacy.

Not a huge loss for me, not a huge loss for the US, but it accumulates.

I agree with you.

Asia and Eastern Europe are off the list for me too. China is willing to kidnap people out of Thailand [1]; people being arrested over political tweets [2]; Russia can poison people [3], shoot them [4], or have them accused of fake crimes[5].

I really hope the U.S. never comes close to this and hope I see this trend reversed in my lifetime. But people should be aware that it can happen in a modern society and is already happening in large parts of the world.

[1] http://time.com/4371283/hong-kong-bookseller-china-detention...

[2] http://mashable.com/2016/11/26/zunar-arrested-malaysia/#AHwL...

[3] https://www.nytimes.com/2017/02/06/world/europe/russia-vladi...

[4] http://www.newyorker.com/news/news-desk/the-unaccountable-de...

[5] http://www.dw.com/en/russian-court-finds-alexei-navalny-guil...

>China is willing to kidnap people out of Thailand [1]; people being arrested over political tweets [2]; Russia can poison people [3], shoot them [4], or have them accused of fake crimes[5]. I really hope the U.S. never comes close to this

Well, the US can drone-kill people (including bystanders irrelevant to the primary non-tried target), abduct them from all over the world and transport them with no trial to Guantanamo, allows cops to shoot innocent people (e.g. for walking while black) at a record rate (compared to even developing world dictatorship standards) without much repercussions, and let's not get started with people forced to go to jail with BS accusations and plea deals or stuff like "three strikes" that can put people on life for ...stealing a pizza thrice.

Just because these people are not all local citizens or white, doesn't mean they are not wronged.

And all that's under Obama, so not much hope for those getting better under Trump...

Totally agree.

Starting with "Well," suggests it somehow negates my point though.

I think "Also" would be more appropriate, which kind of acknowledges the problems in other countries I cited while also pointing out very real weaknesses in America's justice system.

This might seem pedantic, but the common reply I see to "this country does bad stuff" reduces to "well this country does bad stuff too!" It's not a productive argument because it tries to deflect attention and normalize the actions in question. Instead, we should be focusing on how to address all of these issues, because they definitely exist.

But... your previous post specifically says "China is willing to kidnap people out of Thailand" and goes on to say "I really hope the U.S. never comes close to this".

Can you explain how exactly the U.S. has yet to "come close to" your list? Your post created the very "us vs them" separation you now claim to disagree with. The child post was fairly clearly just answering that statement

And while we're talking deflection, you are the one who took a thread about the US border and its impact on travellers and made it about civil rights abuses by the rest of the world. Yes, they are all important; no, it is usually not possible to solve them all at once.

I think the implication is that he sees the things the US currently does as less bad than his own list. I'm not weighing in on the validity of his assessment, but I'm pretty sure that's what he meant.

> Can you explain how exactly the U.S. has yet to "come close to" your list?

Show me a similar incident to the Chinese booksellers thing in America. Or anyone being killed because they represented the political opposition. Miles away.

But that's not even my point. My point is: read the links listed; I'm not traveling to those countries; I hope the world becomes less crazy. That's all!

> And while we're talking deflection, you are the one who took a thread about the US border and its impact on travellers and made it about civil rights abuses by the rest of the world

Huh? I posted some links above. People should read them and make up their own mind, in addition to the OP. It's not a "one or the other" kind of thing, not sure why it would be.

>This might seem pedantic, but the common reply I see to "this country does bad stuff" reduces to "well this country does bad stuff too!"

I think it's valid to see things its perspective though, because people who say "we shouldn't turn it into 'yes, but X does this too'" are often using it as an excuse to continue to point fingers only towards one side, and not even the worst acting one...

> the common reply I see to "this country does bad stuff" reduces to "well this country does bad stuff too!"

It's not pedantic if you care about being rational. This act is a common logical fallacy called the "tu quoque fallacy": https://en.wikipedia.org/wiki/Tu_quoque

Why is this a fallacy?

Suppose country A is accused of doing something bad. It's logically irrelevant to that question whether some other country B also has done something bad.

To see it more clearly, take the same fallacy on an individual level. Person A is accused of murdering someone. Is it a valid defense to say "Well, my neighbor Person B also murdered someone, therefore it's OK that I did"? No, of course not. It's totally irrelevant whether someone else -- even the accuser -- has also murdered someone.

Yet making this fallacious counter-accusation is often effective in terms of emotional (i.e. irrational) manipulation of the audience, particularly when they are predisposed against B in some way.


Respect for policemen could also mean: "nothing wrong with what you're doing, keep being trigger happy".

How exactly did Obama stimulate racial fights?

Don't worry, the Republicans are working to fix all the horrible Obama policies, like making sure people can get health care, or keeping firearms out of the hands of people whose mental illnesses are so bad they can't even manage their own day-to-day lives.

I really hope the U.S. never comes close to this and hope I see this trend reversed in my lifetime. But people should be aware that it can happen in a modern society and is already happening in large parts of the world.

The US has kidnapped people from Italy, and assassinated its own child citizens. The US (and most western countries) are already close to this, it's just that most citizens felt they were immune up till now.

This kind of overreach should always be opposed, no matter who it is done to, or where, because once it is acceptable to assassinate people with missiles, kidnap opponents, or record everyone's digital life whenever information crosses the border, all it takes is the wrong sort of people to take power and all the mechanisms are in place to control and oppress entire populations.

It's amazing that with the forces of globalization and Internet we think of the planet as whole and then a new government flips to us vs them mentality reversing peace work of years.

Less humans kill other humans now than ever in the past. I wonder if the media is to blame for the fear mongering?

I agree, globally many important indicators are positive in the long term but we shouldn't be complacent because perception and relative wealth over time can be more important to people than reality.


The recent rise in nationalism after the 2008 crash is eerily similar to post 29. Globalisation has caused discontents, even if they are unjustified and the solutions proposed by demagogues are absurd and damaging, they appeal to some. Re the media, no I don't think so, humans are tribal and not very rational.

The right response to improvement, is to continue to improve. The world ain't perfect yet.

I see you mentioned Eastern Europe but only include Russia. Eastern Europe includes many other countries open to LGBT communities. Don't always believe the news headlines as they tend to exaggerate. Hungary and Romania have done big efforts towards this, still churches have a lot to say but peoples mentality changed, accepting diversity.

>Hungary and Romania have done big efforts towards this, still churches have a lot to say but peoples mentality changed, accepting diversity.

Really? Try talking to locals there not just about gays but also about refugees or even gypsies...

You're mixing up blatant discrimination (the first category) with two very complicated social problems.

People aren't necessarily against refugees, per se, but more against the idea of accepting anyone who declares himself to be a refugee, without checking that he is, in fact, one. Things are made worse by a few "refugee" cases where the "refugees" preferred to move away and live as illegal immigrants in Germany than as legal refugees in Hungary or Romania (a status which includes state aid, as meager as it may be in these countries).

The third point is really complicated and it does include discrimination but also a lack of trust and respect for the others from both sides. A lot of it has to do with the difficulties of integrating a very tight-knit nomadic culture into a modern, sedentary society where property rights are clear and respected.

I wouldn't judge the whole of Eastern Europe or Asia based on one country, there's plenty of safe and welcoming places in both, E. Europe and Asia.

My philosophy is that Facebook provides a window into who I am and what I do, but also who my friends are and what they do. Gaining access to my Facebook account doesn't just tell them about me, it tells them about everyone I know. It lets them harvest the feeds of everyone who's ever friended me and then not stuck me in a 'sees none of my posts' group.

Even if I've never posted anything on FB that they'd find objectionable, it's possible someone I know from the US posted privately ('close friends only', for example) "Man I wish someone would put a bullet in Trump's head", feeling as though it was a safe place to vent. Suddenly they're getting investigated by the secret service, and possibly deported, because I gave up my Facebook login because "I have nothing to hide".

This is ridiculously insidious. For every one person whose Facebook info they get, they get to collect previously inaccessible data on potentially hundreds of people, none of whom agreed to share their data with the government, or even knew that it was happening. With one Facebook login the government can start building profiles on hundreds of people, and with each successive login that net expands.

Call me cynical, but I believe that those concerns are totally unfounded because the "evil government" doesn't need your FB login for that, IMHO they most likely can access that information directly without your consent. I would be really surprised if they really had to do this mass harvesting of profiles based on a series of one-time access to individual profiles of a small fraction of population; They had much more effective ways to do mass harvesting many years ago (as illustrated by various leaks) and probably do them now, having to involve thousands of immigration agents would be simply counterproductive.

I do believe that immigration services look at your account exclusively for their goals of evaluating immigration. They ask you to unlock your account because for them it's objectively simpler to ask that information from you than to get it from the other government agencies that have that information but won't disclose it because formally they shouldn't have it. There's no "the government", it is an amalgamation of many organizations that have conflicting goals and don't coordinate, so it's reasonable to expect that "the government" has some information and at the same time "the government" (i.e. other parts of it) don't have it and need to request it from you or do without.

In one breath you say the government would coordinate sharing fb data, in the other you say they don't. Which one is it?

Where does it look like I am I saying that multiple agencies would coordinate sharing FB data? I feel that the parent post was needlessly worrying about a risk of e.g. border teams using unlocked phones as a routine way to harvest data and hand it over to e.g. NSA or whatever "evil government" snooping agency they'd be worried about, because (a) NSA doesn't need this assistance because they are likely to have better mass collection methods on their own, and (b) they wouldn't coordinate this with a large number of DHS grunts, neither by asking them to gather data nor by providing them with a list of all data that they have. DHS is likely to have a lot of data themselves, but anyway unlocking a phone provides extra information in a simple&practical manner.

I don't want to be one of those people who go on about the fact that they're not on Facebook, but what if they asked me for my Facebook logins and I told them I don't have any social media accounts? (I mean, bar Github if you count that as a social network).

If you are telling the truth you will be fine. But if you do have a facebook account and you lie about it you could be in trouble (it is an offence to lie to federal agents).

What would you do if you have an account but haven't used it for many years, lost your access to the email that you registered it with and don't remember the password. Are you genuinely a liar then?

If you are telling the truth that you haven't used it in many years then you will be fine -- ultimately. Of course, if you've tweeted/posted from it recently that won't work, and you could end up in detention for lying about it. But on the whole it would be better to take the time to delete that account.

Same situation for me. I wonder if I'd get treated like a liar and a criminal for not using a commercial product.

I applied to an interesting research job for a US university a few years back, but only got to the first interview stage. I was going to try again with much more relevant experience in a couple months, but that's now completely out of the question for the next eight years at least. This is what happens when people stop taking democracy seriously.

> Or, to simply stop traveling to countries that refuse to play nice with the rights of foreigners.


i.e. everyone.

I'm a Canadian Citizen. When I enter Canada from abroad, they claim the same rights as the US CBP.


I was detained and aggressively searched at the Canadian border (Montana/Alberta, for about 2 hours) in 1997; not because they thought I was a terrorist, but because they wanted to confirm that I wasn't coming to Canada to work. Friends of mine were turned back at the Canadian border later that same year. Canada has always claimed these rights.

I flew up to Vancouver for a wedding. I'd lived there before and strangely I was aggressively questioned at Canadian Customs.

Why are you here? A wedding. Where are you staying? 2400 Motel out on Kingsway. Oh, a site of known criminal activity.

I rolled my eyes. The bride chose it because it was an X-Files filming location.

I live in Washington and go to Whistler quite often to mountain bike. I've probably crossed the border 25 times in the last few years, and the only thing that the Canadian border patrol seems to care about is that I'm not bringing weapons into Canada. I wonder if they have knowledge that I have a CCW in WA. But in general they are always quite polite about things, which I can't say about crossing the border on the return trip.

What's changed between then and now? Because it seems they now welcome all the workers they can get, refugees or otherwise.

Tagential but is it not absolutely bizzare that at the US/Can border relocating to work is seen as a deadly sin, while broader US policy has brought so many immigrants into the country since JFK? Without saying either side is right or wrong, US Gov policy wholistically appears schizophrenic

If you're on a work visa then you're being upfront about planning to work and have the appropriate visa for it.

If you enter on a tourist visa (or visa waiver, whose conditions are usually the same as tourist visa) they want to be sure you aren't committing visa fraud and planning to work. That's what causes the grilling.

Yes, but why is that a big deal in the first place, vs. being offered a job and paying a small administrative fee to adjust a visa? The siege mentality is part of the problem.

As a German tourist the most annoying thing getting into Canada is to wait in line while all these other nationalities get questioned extensively before being waved through in 20secs. Wear your bright colored gore tex jackets guys!

Sorry if I'm spoiling a joke here, but does a Berghaus gore tex jacket really give you credibility at the border?

Paired with socked sandals ofc...

The Alain Philippon vs CBSA action was never tested in court. Failure to divulge information hasn't been defined as 'hindering' before, so the case would probably have to go to the Supreme Court of Canada for it to be decided. Secondly, even at the border you can choose to remain silent. The most likely worst outcome is you get refused entry if you are not Canadian.

See linked page for advice from actual lawyers.


I've never had a nice experience returning to Canada (either by plane or car) after a trip to the US or Mexico. I get the full "random search" in a secluded room every single time.

Anecdotal, but: I suspect that the CBP have very specific criteria that can flag specific situations. I know someone who would systematically get arrested/interrogated by plain clothes officers if she was returning back to Canada alone. When not alone, no problem. Once, she was on the point of being arrested, when she pointed to her partner, and they stepped back. Although they never wanted to admit why.

After a bit of A/B testing, it seems to have been "older woman traveling alone with a fancy watch" that was flagging her. Without the watch, the problems went away.

CBP is Customs and Border Protection which is the American department for that. Canada has the CBSA - Canadian Border Services Agency. So you wouldn't get harassed by the CBP if you were entering Canada, it would be the CBSA.

sorry yes, I meant the CBSA :)

Same here! When I was on a green card, I got grilled probably 30% of the time going to Canada. We're talking accusations of smuggling a car into the country and harsh questions about exactly what family I was visiting.

Going back to the US (even as a non-citizen!) I usually just got a "Welcome home!".

As an Indian that used to live in Canada for some time, I got the same "Welcome home" with a smile from Canadian immigration. I still miss that as I don't even get that when I actually come home to India.

I had a nightmare of an experience crossing into Canada and am never visiting again.

Ugh. Canadian border crossings used to be so nice.

No, they were not.

I suspect that part of the reason here is a tit-for-tat.

The USA has a long history of being nasty to Canadians on the suspicion of them going there to work. Similar things happening to US visitors to Brazil and several other places.

Having a Dutch passport this never was a problem for me when returning to Canada, even though I was actually working there.

Entering Brazil as a US citizen was an interesting experience. Long pseudo-interrogation, fingerprinting, the whole nine yards. It wasn't until later I learned they basically just decided to do to all US citizens what the US was doing to Brazilians (and certainly others).

Brazil has a weird policy (the "reciprocity" law) that makes them apply to visitors from some countries whatever that country applies to visitors from Brazil. In theory that only applies to what kind of visas are necessary, but often they do so in terms of immigration/customs policy too.

So yeah, a while ago the US started requiring electronic fingerprints from Brazilian visitors (and everyone else I think?) so that's why Brazil started requiring that from US visitors.

I don't think that's weird, I think it's pretty awesome. But I'm biased, since I'm Brazilian :)

I'm not Brazilian and I think it's awesome too. More countries should do this.

I am Brazilian, and I think it's an outdated measure that serves little to no benefit, especially for Brazil itself.

It's fun (in a semi-vengeful way) to submit, say, Americans to the same level of scrutiny they apply to Brazilians. But it also means you're creating artificial barriers against making the country a more popular tourism destination. People in some countries are just not used to having to go throw all these hops to get to visit a country, just because they don't have to; when they learn that they have to go to a consulate in person, in select cities, stand in line for hours, go through an interview, and pay about $150 or so for the right to visit the country, they're quick to change their mind and just pick some other destination that is either easier or that allows you to do all of that online.

The country is basically making it difficult for people to bring you money.

This policy hurts Brazil more than it hurts anyone else.

It does make sense to do this, more countries need to stand up and say if you treat our citizens this way we are going treat yours the same. I mean the travelers interact with border control and the citizens are the only ones who legitimately can bring these complains to their border agencies. Ultimately it comes to be that citizens need to defend non-citizens rights and "reciprocity" policy might be effective because most people only act on their selfish interests.

This policy has been in place for decades with no change. That makes me doubt it effectiveness. I've heard of plenty of USA -> BR travelers being turned away at the border because they didn't realize they needed visas (a common occurrence for people traveling for conferences). Ultimately they understand the reasons and even empathize with the country, but it doesn't change the fact that for them it's easier to just not come.

To me it's more about an ineffective, vain attempt to show power than anything else.

If you're on a work visa you're obviously allowed to work.

If you enter on a tourist visa (or visa waiver, whose conditions are usually the same as tourist visa) they want to be sure you aren't committing visa fraud and planning to work. That's what causes the grilling.

The land borders in the western US were pretty nice.

"Or, to simply stop traveling to countries that refuse to play nice with the rights of foreigners. "

Which countries would those be? As far as I know, every country (or quasi-country, such as the EU) asserts the right to carry out a full inspection of anything crossing its border.

As far as I know, Swiss border police/customs officers (which often operate at random places in the country, not necessarily at the border) are not allowed to check the content of any electronic device without a search warrant.

They can ask you to unlock the phone and show the IMEI number when suspicious of theft, but that's about it.

Source: friend of mine worked there.

With phones without sealed batteries, the IMEI(s) are usually printed on a sticker in the battery compartment. Samsung and Apple engrave the IMEI on the outer casing of sealed devices.

Always know where the manufacturer printed the IMEI, so you don't have to unlock the phone in front of police.

Of course, if you give them the IMEI it facilitates them listening to your phone calls and tracking your location. The 'checking for stolen phones' thing seems totally implausible to me.

It's quite effective, tbh. Stealing phones is still a way to net loads of money if you know a buyer who doesn't give a damn about the source. Hard-reset the phone so it appears clean and off you go.

The only vendor that actively prevents the usage of stolen phones is Apple, because the owner can remote-lock it even if the phone gets wiped via iCloud.

The ideal way would be if network operators cooperated by maintaining a list of "supposedly stolen" IMEI codes and alerted police if a matching phone tries to log in into the network.

None of the carriers cooperate across borders! The phones that can't just be flashed with a new IMEI are rebirthed overseas.

I'm intrigued that you think that requires an IMEI.

It doesn't require it, but it helps. The IMEI gives away information like manufacturer, device model and rev, and persists across changes in SIM.

IMEI is sent when you register to operator's network, so you get that kind of information anyway. Asking for IMEI at the border links person to a physical device so you have a complete set for tracking.

The point is that the problem "Listen to Ms Jane Robert's phone calls" goes from "Of all phones on the network, identify Ms Jane Robert's" to "Ms Jane Roberts has a phone with IMEI xxxx, log all traffic for all SIM identities; prepare implant for LG G5 sold with Vodafone config."

I think this is more an issue of practice than theory. Every country might claim the authority to search phones, but if they never actually use it, there is no concern entering those countries in a practical sense.

And considering that something like 0.01% of travelers into the US are ever affected by this, you could say in a practical sense there is no concern here either. That's basically a rounding error worth away from 0%.

In fact it sounds more like they generally target specific individuals based on their politics or whatever red flag gets thrown on them from the system. That's certainly dangerous in a way, but in essence harmless to the vast majority of us.

It doesn't appear that most countries are using this kind of search as a tool of political harassment or intimidation, while there's enough evidence that the US is for people to be concerned.

> 0.01%

The same could be said about the proportion of innocent people who would be jailed without the presumption of innocence. Yet I still support the presumption of innocence, even though I personally have never needed it. It makes me feel safer and allows me to trust and cooperate with the authorities.

Saying that a breach of due process is ok because it's not very frequent is a really short-sighted position.

"First they came for a few people for their political beliefs, and I did not speak out because I was not one of those people..."

Do you know how that one ended?

Yea, nice. The Government/Law enforcement harassing dissidents at the border is definitely equivalent to the Nazis rounding up and executing political and religious minorities. /s

Not to make light of this issue, it's a serious matter, but don't be ridiculous.

I'm not sure it's ridiculous to suggest that failing to stop law the misuse of law enforcement tools to harass dissidents early invites worse oppression later. These things have a way of ratcheting up until they get significant push back.

Maybe. Seems like the FBI and federal agencies were harassing dissidents a lot worse in the 60s and 70s through COINTELPRO than they are now. I don't know if it's really worse now so much as different with new avenues of harassment into our digital lives. You think dissidents weren't harassed at the border before everyone carried a cell phone?

The post I was replying to was basically a vague reference to creeping fascism/nazism, and then implying that the same is happening in the US and that we're on the brink of descending into nazism. It's stupid sophomoric comparison to make.

Yea we should fight back against this type of legal harassment. Sure it's similar to how nazis once operated. But what does that comparison really provide in this situation other than throwing FUD onto it. Do you really think the US is about to rise into the Fourth Reich? I mean seriously... even if you feel like Trump is the antichrist, this policy undoubtedly came into effect during the Bush/Obama years when laptops and cell phones became ubiquitous.

I think a lot of it is that there's so much more digital paper trail and so much more stuff is done electronically nowadays you can't as easily stop being a thorn in their side (i.e activist for some cause) without them continuing to treat you like one.

In the 1960s you could decide that you'd done enough and move to a new city across the country and get a fairly fresh start. Now any trivial interaction with "the system" would get you red flagged at every subsequent interaction.

The cops "randomly" stop an acquaintance of mine fairly regularly and give him much more crap ever since one of his kids got a misdemeanor speeding ticket (threshold is 20-over which is typical traffic speed in some places) in that vehicle with those plates.

>think the US is about to rise into the Fourth Reich?

Not literally but people have diverse sets of political beliefs. It's not a stretch to imagine individual groups that are for/against something being persecuted. Imagine how civil rights activists or the pro-socialist hippies would be treated today.

Are you able to provide sources for the position you put forth about similar US harassment of political dissidents decades ago?

Obama prosecuted more journalists and whistle blowers than any president in history.

And we're not talking about turning into Nazi Germany. We're talking about why government crimes against their own people, especially for political speech, should never be allowed to happen because they can result in worse outcomes than you would expect.

> And we're not talking about turning into Nazi Germany. We're talking about why government crimes against their own people, especially for political speech, should never be allowed to happen because they can result in worse outcomes than you would expect.

And Germany didn't turn up Nazi overnight. It's always a slippery slope to prosecute people for political purposes. What happens in Canada with it misuse of human rights tribunal and what happens in many other western countries where the social climate currently is that everyone considers to be okay to suppress free speech because someones feelings are hurt. It is not a human right to be able to silence uncomfortable opinions, yet it is exactly what we see in these phenomenon of social justice warriors only there is no justice there to be made. This entitlement and the need to control of others is actually what scares me the most. You see it everywhere, people in uniforms and people in academia specially social sciences.


Read history outside of school, might learn a thing or two.

That's not the point. The point is that when you say "the ends justify the means", you are putting the rule of law below what is personally convenient for you. And if you can do that, then anyone can do that. And when anyone can do that, then you have a clear path towards authoritarianism.

Hah. As a matter of fact, the Nazi movement did get started by harassing political dissidents, not by executing minorities. Although this took the form more akin to the AntiFa riots (the Nazi Brownshirts) than border inspections, but the targeted abuse to political dissidents was the same


They don't even let you into Iran without making you perjure yourself into pretending to be religious. "Atheist" or "none" is not an option on the form and is grounds for deportation or execution (if you're Iranian and renounce Islam).

Iran's reputation for evil is well-deserved.

If you're atheist, agnostic, or nonreligious, and are forced to declare a religion, just say "Unitarian Universalist". Official church doctrine is essentially, "believe whatever you want; spirituality is a deeply personal experience, yet it can be shared with others".

Wonder if they accept Pastafarians?

Show up in your colander and full pirate regalia, write a blog post about your experience, and submit the link to HN.

That may be easy for people who live in other countries, but keep in mind that it's not "simply" for the millions of non-citizens who legally live here.

I was in a position to move the the USA about 10 years ago and decided against it because I foresaw quite a bit of the developments since then. So indeed, that's not simple once you have made that choice. But for some it may be a reason to move back to where they originally hailed from and in my circle of friends this is already happening (and many more people are talking about it and considering it).

This is going to hurt America quite a bit by the time it has run its course.

This is rather naive. All countries in the world assert similar rights to search you and your devices at their borders. This is not by any means unique to the US.

This is also very rare at the US border, as it says in the article. Most countries in the world are far more aggressive about searching you, and even actively demanding bribes to let you in.

I usually agree with you but I question the validity of that approach. Insofar as freedom is compromised in the US, it's likely to have a substantial ripple effect, just as economic upsets do. Were the US ever to devolve into an autocracy, it's not like there is any other country positioned to sweoop in and save the day.

That doesn't leave very many places to go.

The rise of terrorists and other dangerous activists with the "world has no borders" mindset have given rise to the border security policies we are now being exposed to. We should expect more tightening of borders throughout the world as governments' catch up.

The free flow of immigrants has its risks and unless these activists stop poisoning the well then things will continue to be unpleasant.

Solution: No Facebook (which is a solution to so many other problems too), partition and hide what you don't want browsed by some inept CBP agent, and then play your part in their security theatre. It might even be nice if someone could make some programs that offer false home screens for various devices that only open when a given password is input... your CBP "clean slate".

Don't say, "I don't have x,y,z..." accounts... have them, have accounts you never use and hand them over. Have your real identity online not be publically linked to your real identity for the purposes of something as trivial as social media.

It is probably a bad idea to try to fool a federal agent with "false home screens"... but I upvoted nonetheless because of the "No Facebook" part.

A feature I really would want to see from social media is read-only, time limited passwords. You provide this to a 3rd party and they can see everything you do, but change nothing. Upon first activation, you grant 72hrs access and don't have to remember to change the password again. If this activation does not happen within 15 days of first activation, the password is invalidated.

Acknowledging that this is a valid use case has many benefits. Social media provider can check if the password is used from government or corporate IP addresses and block non legitimate access (like, a rouge CBP employee stealing credentials and stalking individuals from his home computer). It would also be possible to keep logs of which information was accessed/consulted by each one time password, which can be used during investigations if some form or another of abuse is reported, etc.

The words "inept CBP agent" get you in trouble here. If you're a citizen, by all means, play chicken! If not: remember, they have vastly more resources than you do. Money buys a lot of forensics techniques --- in fact, governments are better at computer forensics than software developers. They're the ones doing it all the time, and funding all the research.

They don't have to decrypt. They just have to decide you're suspicious enough to confiscate equipment and bar you from entry.

> They just have to decide you're suspicious enough to confiscate equipment and bar you from entry.

That's fine with me. I don't take anything to a foreign country which I'm not willing to lose, and I have no problem turning around & heading back home if the country I wish to visit turns out to have unacceptable rules.

If someday I visit someplace that has an implicit rule, 'all visitors must have Facebook accounts,' then I'll just go back home.

Hold on, once again, because you're oversimplifying the situation here. You might be comfortable being turned back at the US border, but there are plenty of people who aren't in that situation --- they're children, or are coming to take care of their children, &c --- and being turned back at the border can mean it's very difficult to return to the country under any circumstances for years afterwards.

I think you're looking for an argument, but I'm not. It's always been possible for a country to turn a visitor away (talk to folks who've been to Israel and try to travel to an Arab country …), and that does have consequences which one must be prepared for.

I'm certainly not going to claim that 'all your password are belong to us!' is a good or desirable policy, but I am going to claim that anyone who travels between countries must be prepared to deal with the local regime, no matter how ill-conceived its rules may be.

One of the pieces of important advice I am planning on passing on to my children is: Never have children with someone who has citizenship of a country that you don't.

Given that border agents may go as far as cloning hard drive contents, what advantage does an additional partition have? A thorough search may uncover the hidden/encrypted partition, which then becomes another item for which you'd be requested to provide "technical assistance."

They aren't going to inspect the HD partitions at the border. They clone for a later time - at which point, you'd already be admitted and are not obliged to assist them.

"Have your real identity online not be publically linked to your real identity" is actually not so simple, as it requires cooperation of everyone you know. Would your mom, spouse or boss have your "account that you never use" in their social network contacts or your real online identity?

All kinds of advertising companies and spammers have such information obtained from people who share their contact list with some free app, providing a permanent link between your real name (which they entered in their contact list), your real phone number, and various online accounts. Would you be so sure that the gov't agents don't have it? IIRC there were some cases where some agencies simply bought such data from advertising info aggregators.

It's not about keeping secrets at that level, and frankly I'm a lot less sure about my ability to evade advertisers than the CBP. Advertisers are hooked into everything, as therefore so are aggregators. That said, the aggregators and advertisers can be blocked, ignored, and spoofed. Even if you don't, they don't get physical access to your devices, they don't get to clone your HDD and keep a copy!

By contrast, the CBP doesn't have the profit motive or apparatus to keep a "file" on each of us and match that file on the fly with our testimony at the border. You don't need to fool them in some grand way, just the digital equivalent of a false bottom with a safe hidden underneath. Beyond that, share some basic crap and explain you're not that into social media, but share what you have.

They're not going to be shocked that some people have little presence, what's going to get them interested is refusing to unlock something or conveniently forgetting passwords.

--> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

How do password managers play into this? I'm likely going to be traveling to the US on business. I'll be bringing a travel phone rather than a normal phone (This is my standard travel practice for any country). I could do the same with a computer.

I don't mind unlocking that. But passwords are a thornier issue. All of my passwords are stored in a password manager. On my computer, these are actually stored in a physical file, so if CBP cloned my hard drive they'd potentially have all my passwords. That would amount to ~400 passwords I'd need to change.

I could make a travel profile for my password manager and only bring in a limited, strictly necessary set of passwords.

But then this raises a further issue: do I keep social media passwords on that list, or leave them off? If I kept them off, I could honestly say "I can't login. I didn't want distracting social media on a business trip". But it might be safer just to have them? I could change the passwords after. I'm not sure of the risks of having CBP log into Facebook.

This is probably not a likely case I have to worry about, but I'd still like to figure out the best practice.

If you're not a citizen, I think this is probably pretty simple: don't carry anything across the border that you would be uncomfortable being forced to unlock. There's nothing you can encrypt with a passphrase that is protected from a border search, unless you're comfortable being sent back home, losing your computer hardware, and not being allowed back to the US at least until the next Presidential administration, probably 10 years, and possibly forever.

The only point I really want to make:

It is a very bad plan to attempt to outsmart CBP with clever encryption strategies. If you want to protect something, don't bring it to a border crossing. CBP's budget is tens of billions of dollars, and they don't have to break your encryption; they just have to fuck up your entry into the country. The math doesn't work out here for nerds.

Say you bring no electronic hardware. Could they make you login to your social media accounts from one of their computers?

Yes, they can.

This is unclear. They can ASK, but as far as I know it's unsettled territory whether this is refusable.You can definitely refuse it as a USC and I would bet, as an LPR. Gets trickier when on any other visa as then your entry is essentially all "discretion"

The problem is that it's pretty much CBP's discretion whether you --- a non-citizen --- are being responsive. There aren't statutes for this stuff.

Any speculation as to what might happen in that situation if your password is non-trivial and not with you?

What about 2-factor? Should i just disable it?

Right. Since they may ask for social media passwords, would that imply making a travel profile for my travel devices that has password access to things like Facebook and a subset of sites I'd need, but not necessarily all 400+ of my logins?

I don't care if they login to my Facebook (well, I think I don't). I just don't want to have them have everything, because then I'd have to change it all.

To be very clear, not planning to use any encryption strategies. And as you mentioned, being unable to access Facebook is not a sensible option. My question is about what to bring, not how to secure it.

It doesn't matter what you have in your password manager. If you're not a US citizen, they can demand your facebook access. If you don't have it, can't unencrypt it, or just feel like telling them to fuck off doesn't matter. You have no legal right to enter the country except with their permission, and they may well tell the person who didn't put their facebook passwords in the password manager to get back on a plane and go home.

US citizens have it better in at least that one regard. They can't keep me from entering the country. They can confiscate my laptop, but if I don't want to give them facebook access, there's not much they can do to stop me. They can of course add me to some list that makes my life miserable every time I fly, but there's no constitutional provision that allows preventing a citizen from entering the country.

So basically, as a non-US citizen, if you don't bring a device that can log into your Facebook account, they might deny you entry? Of course rhey might deny you entry for any reason, and them caring so much about your social media accounts is probably a sign you're on a shitlist somewhere, so maybe it doesn't matter so much.

I wonder, though, if you don't have FB etc. accounts, do they believe you?

I think the only way to interpret this that's even remotely practical to implement is that while they have the right to ask anything of anyone, in practice, it will likely be targeted. If they're asking, they probably already know quite a bit about you, including whether they think you match some social media profile they've red-flagged.

I'm certainly not suggesting that Trump isn't stupid enough to think having CBP attempting to guess whether 800,000 grandmothers every hour are lying about not knowing what Facebook is would be a plan he could seamlessly roll out, but I think any such plan would crater pretty spectacularly.

There's a big factor of subjective evaluation, but it can be quite effective.

A large majority of people do have FB accounts, and even care about their FB accounts as illustrated by their worries about providing access to them.

For most people they wouldn't bother to look, only a tiny fraction of travelers get their devices checked. And if you really don't have FB etc. accounts, they may believe you - I have little reason to doubt that; I feel that if that was their policy then we'd hear about many such cases.

However, if you claim that you don't have a FB account and their automated system (seeded by the information submitted by the airline before your arrival) shows a FB account with your face, then that seems a sure way to get turned back at a border.

So, basically there probably going to be honest people where they would tell the truth, that they don't use thefcnkfacebook but because some scammer has created a fake profile of them would be turned back at the border. Amazing brave new world we live in...

> shows a FB account with your face

Which, amusingly, is a Facebook spammer strategy — clone someone's account, including profile picture. So even if you delete your account, there may be a spammer clone that shows up in CBP's database.

Why is this being accepted as even remotely reasonable? What about 'login with Facebook' sites?

We here know that we should change our password and logout of existing sessions ASAP after being made to do it, but our non-technical family members may not.

"Add TSA as a friend" is borderline reasonable, (pun intended) "give us your password" is not even close.

It also damages public awareness of importance of maintaining secure and private passwords more generally.

> Why is this being accepted as even remotely reasonable?

That it's unreasonable and unacceptable doesn't mean that it's illegal. Despite your and my hopes, not all unreasonable and unacceptable things are illegal.

> What about 'login with Facebook' sites?

Don't do that then.

> We here know that we should change our password and logout of existing sessions ASAP after being made to do it, but our non-technical family members may not.

If you've given access to your account to someone else, you've already lost, whether you log out quickly afterwards or not.

Don't put yourself in a position in which you must log into an account you care about.

You're missing my point entirely:

People do 'login with Facebook'; people will (perhaps grudgingly) log in for them/hand over their password.

You won't, I won't, but people will because they're asked to by the uniformed officer, despite how mad it is.

I'm just amazed at the lack of significant opposition to this, there doesn't even really seem to be any opposition. Here on HN where one might expect it to be most opposed, we're merely discussing how to mitigate the effects (you can't, don't go - or be prepared to be turned around).

I wouldn't pay for my own travel to the USA (while I've been before, and enjoyed my trips, etc.) because I'm not an idiot - and handing over a password is idiotic - and I can't really afford a wasted trip. Sure, sunk cost, whatever - the cost/risk isn't worth it, at least for now until it's shown that they rarely do it, and really it's only x,y,z countries from where I do not hail.

> I'm just amazed at the lack of significant opposition to this

I'm amazed at all the many ways people will give up their rights, and yet folks continue to advocate for their rights to be taken away.

> Here on HN where one might expect it to be most opposed, we're merely discussing how to mitigate the effects (you can't, don't go - or be prepared to be turned around).

I can't change the law, but I can change my behaviour.

> I wouldn't pay for my own travel to the USA (while I've been before, and enjoyed my trips, etc.) because I'm not an idiot - and handing over a password is idiotic - and I can't really afford a wasted trip. Sure, sunk cost, whatever - the cost/risk isn't worth it, at least for now until it's shown that they rarely do it, and really it's only x,y,z countries from where I do not hail.

a) they rarely do it (roughly 4,500 times last year, IIRC)

b) any country might do it, and many do; this is not a U.S.-only thing

> they rarely do it (roughly 4,500 times last year, IIRC)

My mistake, I hadn't heard of this until recently (and clearly didn't read the article properly) and assumed it was a new policy under Trump.

At a rate of around 0.0012%, and assuming it's more targeted than random, my actual chance of being asked is much lower, yes sure, that probably is worth the risk of being turned around.

> My mistake, I hadn't heard of this until recently (and clearly didn't read the article properly) and assumed it was a new policy under Trump.

The really great thing about having a Republican (even if only technically) president is that the news media suddenly rediscover the virtues of small government, and the dangers of an unbalanced power structure (a similar phenomenon holds with Democratic presidents & conservatives). It'd be awesome if people would just be principled, but apparently that is too much to ask.

> At a rate of around 0.0012%, and assuming it's more targeted than random, my actual chance of being asked is much lower, yes sure, that probably is worth the risk of being turned around.

Yes, but I just carry a clean device with no access to my accounts. I can honestly and without deception say that I cannot do what is asked.

> I can honestly and without deception say that I cannot do what is asked.

The general consensus seems to be that you'll be turned around.

Login with gmail/Facebook isn't that awful. They won't get your login credentials and you don't have to set a password. It's kind of like having a super fast "verification email" every time you log in.

Yes, but my point is that a user who has handed over Facebook access has with it handed over 'login with Facebook' access.

What do you think would happen if you don't have facebook?

> If you're not a citizen, I think this is probably pretty simple: don't carry anything across the border that you would be uncomfortable being forced to unlock.

I think this applies whether or not you are a citizen, whether or not you entering the U.S. or another state, and frankly whether we're talking about electronic data or not. If you don't want it searched, examined or confiscated, don't enter a nation state with it!

> It is a very bad plan to attempt to outsmart CBP with clever encryption strategies. If you want to protect something, don't bring it to a border crossing.

Excellent advice. You can't outsmart customs with clever encryption strategies.

But if they can force you unlock your Facebook, can't they force you unlock your Gmail, AWS, Salesforce, internal company archive or some actually classified missile bunker?

If you know something they want to know and they decide to make you reveal it, then you have the choice of going back home or revealing it. Entering the USA is not a right unless you are a citizen.

But you're much more vulnerable if you bring data with you. The first level of protection is making a backup, formatting your devices as new, and restoring once you're on US soil. Better yet is not bringing devices at all. But certainly don't bring secrets with you: bank records, medical records, and military secrets should never be carried with you through customs.

If you're a non-citizen and you choose to go back home, you're probably also choosing not to be admitted back into the US for a long stretch of time, at least without a struggle.

This depends on the particulars of what happened, and it's going to be difficult for most non-experts to navigate, in the same fashion as "determine whether this code is Python or Ruby" is difficult if you've never seen a command line.

Say you're talking to your friendly neighborhood CBP officer and they say this:

"I think you're an immigration risk and, accordingly, I'm issuing an Order for Expedited Removal. You get on the next plane back home." Your passport gets tagged with a 5 year timeout.

However, they could say something like:

"I think you're not eligible for the Visa Waiver Program, because some factors suggest you're an immigration risk. I recommend you withdraw your application for entry into the United States and voluntarily get on the next plane back home." You will not get timed out for 5 years.

Note that the second one is neither a recommendation nor a request.

Disclaimer: IANAL but IA someone who has to have an anomalously-good-for-most-Americans understanding of immigration procedure.

Yes, it's a small but real risk foreigners should consider every time they chose to cross the US border.

It's no small risk. It's forcing you to whistleblow with no protection. Forcing you to do something, that they kill their own citizens for.

> not being allowed back to the US

And potentially any other country that has the "have you been denied access to any country for any reason" rider on its immigration questionaires.

What does the searching of devices at the border have to do with presidential administrations? This policy has been in place for years (from the article).

> But then this raises a further issue: do I keep social media passwords on that list, or leave them off? If I kept them off, I could honestly say "I can't login. I didn't want distracting social media on a business trip".

To go a step further, what if you don't even have a Facebook account? How do you even prove that, if there are other accounts with the same name as you that show up when searching (and the profile picture is not sufficient to rule it out)?

> I'm not sure of the risks of having CBP log into Facebook.

There's a non-zero chance you're going to be detained and grilled if any of your friends have talked about terrorism, drugs, have criminal records, or are on or share a name with someone on a terrorist watch list (and that may extend to their friends or further).

They could also potentially take a copy of your friends list, posts or any other content and do who knows what with it at some point in the future.

I use syncthing.

Mostly for syncing all my music and pictures between phone / laptop and home server.

For your use case, there is a solution with the caveat that your password manager is unavailable on the flight. Simply have a dumb phone on entry with Syncthing and your Password manager installed but no password file. Once you have been allowed entry into the despotic regime's lands, connect to a starbucks wifi, initiate syncthing and it will pull your password file from your home server / computer etc.

If you update your password file, it will be synced back to your home server. When you travel again, disable syncthing, delete your password manager.

Or use an ssh script to pull it from your home server.

Could you just bring a device with freshly installed Windows / OSX, and clone the whole disk image over the internet once you're inside U.S. ?

Well, yes. But as tptacek said:

"But non-citizens, possibly including LPRs, cannot: if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country."

I'm not a US citizen. I don't have anything in particular I care about the CBP seeing. But, I'd rather they not have all of my 400 passwords. I'd then have to change everything, and also be breaking a bunch of bank terms of service.

I don't think CBP actually wants my bank info. But with all passwords in a manager, they would get it if they had access. However, with no passwords, they may bar entry.

I'm traveling overseas this summer, and I don't plan on having my 1Password database handy when I reenter the country.

So you will be a position of "can't login to that site". How does that square with:

"if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country."

I guess they haven't yet started asking for social media passwords, so maybe I'm overthinking this. I'm certainly going to be prepared to unlock any devices. It's the web passwords I'm not sure what to do with.

Well, in tptacek's case, I believe he's a US citizen so they can't deny him entry.

Hmm. What would be the best practice for a foreign national?

> What would be the best practice for a foreign national?

Understand that you may be denied entry to any country but your own. It's a fact of life which you cannot do anything about, so you might as well accept it.

What I do is:

- travel with a machine which is not logged into any of my accounts

- if asked, I can honestly say that I do not know any of my social-media passwords (because they are all of the form mZOH05WaxeAWqI79myMxcx or SWwDmDOkyHCVdX8eOiTLXC1U1psffeXfFgNx6PaZZhp); if that's unacceptable to customs in any country, they can send me back home

- if they press, I can honestly say that my computer back home (not the computer I have with me) has my master password file, and that there is no other copy

None of us know. It's a real problem.

If your password manager doesn't encrypt it's own files on disk, then you're using the wrong password manager.

I'm operating on the assumption they'll ask for the password to that too. That's where the social media passwords are.

Encrypt your password store using gpg and zx2c4's pass! The GUI app qtpass even works on Windows. I've been using it for months and the system is rock solid and has never let me down.


They can copy your drive all you want, and you have until 2030 to change your passwords.

Alternatively, just store them in a git repo on a server somewhere and access them remotely.

CBP will begin asking everyone for Facebook logins.

I don't understand how this doesn't run afoul of the Fourth Amendment. Surely one's social media qualifies as "papers" or "effects" even though they're digital artifacts and not physical. This just seems _incredibly_ invasive.

> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated...

Your phone is undoubtedly your "effects" (in 1789, touching your phone without your consent would have been a trespass to chattel). But searches incident to a border crossing have always been considered not "unreasonable," because inspecting the flow of things across the border has always been seen as a legitimate government function. Indeed, one of the very first things Congress did in 1789 was to create a customs department in order to perform precisely such inspections.

That said, there is an originalist legal argument to the contrary. The framers understood the border-search exception to exist for purposes of customs enforcement. Customs enforcement has always been about physical, rather than intangible goods: https://www.eff.org/files/2015/11/10/clearcorrect_v_itc_-_op.... So searches of digital content are at least outside one of the key purposes of the border search exception. (Of course, that doesn't help with the other purpose of the exception, which is national security.)

> But searches incident to a border crossing have always been considered not "unreasonable," because inspecting the flow of things across the border has always been seen as a legitimate government function.


> So searches of digital content are at least outside one of the key purposes of the border search exception.

Yes. And also, who in their right mind would use a phone and an airline ticket to smuggle at most 32GB (or 64, or whatever) of contraband data into a country? Absolutely no one.

I feel obligated to point out that:

1. my phone has a 200GB microSD card in it right now 2. 256GB microSD cards are readily available 3. phones with two microSD cards are available 4. I can easily purchase a 4TB hard drive that is roughly the same size as a pack of cards

It's not terribly relevant, but you're dramatically underestimating the volume of data that can be reasonably stored by media carried on one's person.

1,2,3) I kinda forgot they still make phones with SD slots :). OK, so the storage goes up by 10x, but still, there are multitude of more convenient and more secure ways to move that much data around.

4) Encrypt that drive and ship it. Why would anyone up to no good go to the bother of passing through border security with it on their person?

I'm curious - if one carries a microSD card in one's mouth, will mm-wave or X-ray backscatter airport scanners see it?

"3. phones with two microSD cards are available"

link ? Genuinely curious ...

Johnny Mnemonic.

The international border is a longstanding exception to the Fourth Amendment: searches at borders are per se reasonable. The history of this exception goes all the way back to the founders, so there's probably no battle to be won over whether the exception is valid, only to what the limits of the exception are.

I'm not traveling while carrying Google's, Facebook's nor Yahoo's servers in my baggages. Asking for login information has nothing to do with importing goods. Login and password are not goods. It's invasion of privacy, pure and simple.

Why are the broder patrol not simply asking for login credentials straight out? Why carrying or not a phone has anything to do with asking for credentials? It's absurd.

It's possible (not guaranteed) that it does. There are exceptions in the law for immigration/customs stuff. The way to find out is to sue CBP and have the courts decide, or find existing precedent one way or the other.

Or have Congress pass a law making it illegal or legal. Good luck with that one.

There's case law pushing the border search exception one way or another going back through the 20th century (for instance, it's a mid-1970s case that establishes that you cannot, in fact, be searched simply by dint of being within 100 miles from the border, but rather that the "100 miles" thing is a limit on the government for how far you can get a recent actual border crossing before the government remembers to search you).

Not that there's nothing worth challenging here, but the skeleton of legal principle these searches hang on is pretty strong.

Silly things like laws and constitutions do not apply at the US border. Or anywhere near it.


There's a statute that carves out the border search exemption:


So the argument to be made is that the application of the law or the law itself is not in keeping with the Constitution, not that law doesn't even apply.

oh, some laws definitely still apply! try lying to the border agent if you doubt it!

What if you don't have a Facebook?

I was thinking the same. Most likely: "You don't have facebook? What are you trying to hide?" xD

> This just seems _incredibly_ invasive.

You could leave out the 'seems' and it would improve the comment.

But then the sentence no verb?


We can have a substantive disagreement about whether or not the practice "is" invasive, less so about whether or not it "seems" invasive.

You're absolutely right.

I feel any parent with a teenager who's tried to monitor her Facebook account can see where this is headed.

This policy is incredibly ignorant of how online communities work and where communication is going. The only thing I can see happening is terrorism-minded individuals actually creating and maintaining clean Facebook profiles as a smokescreen. That's an easy win and great distraction as communication moves to non-centralized, encrypted, expiring messages.

This isn't to catch terrorism. Though they'll probably get a few idiot "extremists", this will mostly stop people coming in under false pretenses. It's bizarre how people don't think ahead to their border crossing and are willing to admit they are going to live with their SO, or work as a nanny -- while under a tourism visa.

It'll be very effective at this. Most people aren't going to establish a plausible social media profile after they figure out they're going to the US to live/work/whatever.

"Real" spies and terrorists and whatever can obviously afford to setup enough cover. (Though there is the case of a spy getting discovered because she used her real frequent flier number while traveling under aliases.)

At best, this might put a chilling effect on Facebook and other things like that, which is probably a net win for humanity.

> "Real" spies and terrorists and whatever can obviously afford to setup enough cover.

> It's bizarre how people don't think ahead to their border crossing and are willing to admit they are going to live with their SO, or work as a nanny -- while under a tourism visa.

So we're not catching "real" spies and terrorists; we're catching nannies trying to get paid under the table; do you think maybe we've got bigger fish to fry? This is a bad precedent, and what are we gaining? Nothing.

You're gaining a more efficient CBP, enforcing visa rules and avoiding overstays like they do now, just with higher accuracy. Now if you want to argue that visa classes are silly and the US should just let anyone come in for whatever, fine, but that's a totally different argument.

And yes, it's possible that this isn't worth the gains to CBP. But the US is pretty powerful and can force quite a bit of crap on people without getting too hurt. If it stops, it'll most likely be from efforts from e.g. Facebook lobbying against it.

Business travelers have little choice. A lot of migrants have no choice (the benefits of US residency far outweigh the inconvenience for most people) -- we can test this out by looking at how many Mexicans or other Latam folks stay in the US vs, say, Canada over the next few years (confounding that is Canada removing visa requirements for Mexicans). Tourism might be hit a bit, but I'm unconvinced this is a big enough deal for people to rethink their entire vacation plans.

Enforcing visas through violating privacy seems like a good enough argument against this practice to me. What you're also gaining is a precedent to enforce more searches that look through not just your public life, but also the intimate parts that the government really doesn't have much business in analyzing.

Yep you're right and this is the kind of arguments people should be making.

The guy that had this happen to him recently was American and working for NASA AFAIK. If catching overstays is the issue why do this to citizens?

Power grows? I'd like to know what contraband CBP expects to find on electronic devices. At any rate, they can only ask citizens to comply, not force them.

> So we're not catching "real" spies and terrorists; we're catching nannies trying to get paid under the table; do you think maybe we've got bigger fish to fry? This is a bad precedent, and what are we gaining? Nothing.

A country which controls its borders gains … control of its borders. If it's illegal to enter a country as a tourist in order to live with one's girlfriend, well it's illegal to enter that country as a tourist in order to live with one's girlfriend. That doesn't mean the law is right, or good, or desirable, just that if one enters that country as a tourist in order to live with one's girlfriend, one will be breaking that country's law and is liable to be deported.

Although I tend to favour open borders, myself, I think it's perfectly reasonable for the customs police of any country to turn away people trying to enter that country illegally.

That doesn't address the question of balance between the seriousness of the illegality and the invasiveness of the investigatory technique.

It would certainly be feasible to require every vehicle to be fitted with a data/position logger so that a vast number of hitherto undetected breaches of the laws governing the road can be immediately detected and punished - but it's pretty clear that the invasiveness of this is not worth the gains in compliance.

> That doesn't address the question of balance between the seriousness of the illegality and the invasiveness of the investigatory technique.

No, it doesn't, because I addressed the statement, 'What are we gaining? Nothing.'

I don't support the policy at all; I think it's a fundamental human right to encrypt data and not have to give the password to anyone.

The people that voted for Trump get to gain a bunch of thankless, low-pay jobs that will no longer be allocated to illegal aliens. There might be bigger fishes to fry, but given that they never get invited when salmon is on the menu, they are happy to see the sardine cans comming in.

And if they cannot or will not take the nanny jobs for themselves, at least they get to mock the uppity mothers that voted for Hillary and now are forced to dump their careers to take care of their own children.

Rule of Law.

It's so obvious as to hardly bear mentioning, but you can use this to excuse any violation of rights if you want. Sometimes "rule of law" just isn't worth it.

Sure, but you've offered no argument regarding this particular situation.

Sounds more like rule by law.

Sounds like no nation wants undocumented labor because it is very problematic.

Living with your SO under a tourism visa isn't a crime as long as you leave before your visa expires...

And is it the role of CPB to prevent under the table employment? Surely there are better ways to address that issue if it's a concern. Building walls and inspecting social media seems like a political smoke screen for avoiding more effective enforcement measures - requiring farmers/factories/roofing companies to prove their labour is legally allowed to work in the US etc. Or we could acknowledge the reality of immigration (we need workers if we can't afford to pay Americans an adequate wage to pick fields etc).

Right, but many times, especially if you're coming from a "worse" country, the agent is not going to believe you're going to return. So people lie about it, and thus get caught out.

Yes, it is the role of CBP to make sure you're coming under the right visa. It's no different than making sure you're not coming to stay while on a temporary visa.

No whether or not this is important or just silly politics is a different question. Same to the question of is this ethical/right/whatever. But there's zero doubt that this will enable CBP to be more effective. So arguments against it should focus on "yeah, this makes their job easier, but at what cost?" instead of pretending there's zero upside.

So you're saying as someone from a "good" European country (Nordic) I basically have to not worry about any of this?

You have a lot less to prove to CBP than someone coming from a broken country. Your incentives to stay in the US are drastically less than someone from, say Mexico. Other countries do the same thing. A US citizen gets a warm welcome into Mexico. A Guatemalan gets hassled.

There's still random bad luck - as a Canadian I've been theatened deportation for not cancelling my green card despite not using it or living in the US. I've been detained because a CBP agent decided a trade show was work and I wasn't eligible for a B1. (His first words were "you're going miss your flight, I'll make sure of it".) But most of the time they wave me right by.

> Living with your SO under a tourism visa isn't a crime as long as you leave before your visa expires...

No, but it is left entirely up to the agent interviewing you for entry to decide whether he thinks you're likely to leave later when your visa is expiring.

As if it is only illegals that are being paid under the table.

It's not about being _paid_ under the table, it's about entering the country with intent to violate your entry conditions (working without a visa). CBP doesn't have much to say about legal workers not, say, filing taxes.

You're right that this is not (primarily) about catching suspected criminals or people affiliated with terrorist organizations.

I wouldn't be surprised if they had an internal profiling tool that they run similar to https://applymagicsauce.com/.

Kind of similar to what Cambridge Analytica (https://motherboard.vice.com/en_us/article/how-our-likes-hel...) uses to target political campaigns.

You know, the Cambridge Analytica whose board of trustees includes Steve Bannon.

So the question to be asking is why does the US government want a psychological profile of every traveller passing through the border?

genuine question then: why do this on citizens then? what are they expecting to gain? are they just casting a wide net to catch dumb extremists?

A lot of metadata-oriented mass surveillance centers around who is talking to whom. If someone is identified as potentially relevant, for example, for being involved in publishing leaks, spies might be very interested in filling in as much information as possible about that person's contacts and communication methods.

    { { 2, 18, 2017 }, "Today I watered the flowers!", { "flowers" , "me" } },
    { { 2, 19, 2017 }, "Watched my favorite show!", { "television" } },
    { { 2, 20, 2017 }, "My kids are so hilarious!", { "children", "bicycles", "outdoors" },
    { { 2, 21, 2017 }, "Frustrated with lawn mower!", { "lawn mower" } 

This, to some extent was already happening. The last time my partner came into the US on a visa waiver (from the EU) before our fiancee visa was approved, her entire PUBLIC facebook wall was printed out and waiting for her in an interrogation room at O'Hare. (This was a few years ago now) -- it was a little eerie b/c her facebook is not under her "real name" - that is not the name on the flight manifest. So it took some digging.

At the time they were mostly concerned with posts where it may have insinuated she was accepting photography or graphic design clients while in the US on a tourist visa which is a big no no, but I could see that switching to political allegiances, etc quite quickly.

She is now an LPR on her way to naturalization and I am a USC. We are going to Turkey in a few weeks and seriously considering leaving phones at home, getting burner phones for our month abroad, and wiping laptops and restoring them from the cloud on either side.

Seems like there could be a market for device upload/wiping/restoration as a service.

The most troubling thing to me is that all of this is device-agnostic. They know you have a Facebook account and they can find it even if it's not in your name. So now when you return to the US they may very well demand that you provide them your Facebook login credentials. If you're not a USC and face getting put right back on a plane to Turkey, will you refuse?

We are discussing in advance. I will refuse any device requests or password requests and ask for a lawyer if detained. She is seeking clarification from an immigration lawyer about what is required from her as a green card holder. She will likely comply with handing over (wiped) devices but would also refuse handing over passwords.

Yep, the story is totally different for non-citizens.

My plan, if this ever comes up, is to refuse to unlock the device, ask for a lawyer if they hold me, and wait it out. I already make sure to power down my device before I hit customs just to be sure they can't compel my fingerprint.

I couldn't advise my wife to do this, though. It's likely that they'd revoke her green card, deport her, and basically wreck our lives. At least she (probably) has nothing to hide....

> US citizens can play chicken with CBP and lose nothing more than their computer/phone hardware

Well they can also be detained, for an indeterminate length of time.

That could put their job at risk ( didn't show up for work for a couple of days with no explanation ), their mortgage, their house...

From the article:

The policy also states that CBP or Immigration and Customs Enforcement "may demand technical assistance, including translation or decryption," citing a federal law, 19 US Code Section 507. A related document says that "officers may seek such assistance with or without individualized suspicion." Refusing to comply with this statute is "guilty of a misdemeanor and subject to a fine of not more than $1,000."

Are you confident that it's legal for a US citizen to refuse to provide a password when re-entering the country? I'm not familiar with the statute beyond what is mentioned in the article.

There are increasingly two types of law in the USA: felony punishable by no less than x, and misdemeanor punishable by no more than y.

I've taken to sighing and accepting y and just being grateful it's not a felony if I do it. Felonies are bad, you'll lose your rights, you can't vote, they're harder on you in court, and they follow you everywhere.

I'll take misdemeanors for $1000, Alex.

The OP article says this particular law hasn't really been tested in court, nobody's really sure if it's legal or not. One way to find out. I'm up for it. As a US citizen with white skin and money for a lawyer, it's unlikely anything _too_ terrible will happen to me. It is at worst a misdemeanor.

You want to bet on that, with the Trump administration? I'll say an 'ave' for you.

I do, yes. I'm white, I've got some money (and family with more money; for lawyers, I mean), I'm a US citizen. That's within the level of risk I'm willing to take for standing up for freedom. We're not going to fight this stuff without being willing to take any risk at all. That's being a human, doing what's right involves some risk and sacrifice, almost always.

Well, thanks for being willing to take a bullet for the collective good, and I wish you the best of luck with it.

Yet another reason never to sign up for Facebook.

That doesn't necessarily help. Many people have Facebook accounts with names that are not their "real name" as on their ID and plane ticket. If they want to, they'll just claim that you most likely do have an account and you're lying to them, and hold that against you.

If you're a foreigner, there is no way to win this if they are determined to make you lose. US visas as well as the documents for the Visa Waiver program make it clear that even if you do have all that is required, you are not guaranteed entry to the United States. The officer on the border can turn you back on a whim, and you have no legal recourse. Presumably they have some internal controls, but that won't help you in particular.

> Many people have Facebook accounts with names that are not their "real name" as on their ID and plane ticket. If they want to, they'll just claim that you most likely do have an account and you're lying to them, and hold that against you.

There is also a fairly good chance that someone else with your name does have a Facebook account, and I'm not sure how you'd prove that one of them isn't you.

Even worse, someone could create a fake Facebook account with your name and picture, and put some pretty damaging stuff on it. How would you prove to customs that no that really isn't your account, none of the public posts are yours and you really, truly have no way of logging in? It's like Doxing or SWATing taken to the next level, but you could potentially end up in jail.

Yet another reason never to enter the USA.

There's a show on Netflix that follows the Australian immigration cops. They go hard and frequently examine text messages, email, social, etc. for non resident entrants.

If you think this is just the US, you are mistaken.

> They go hard and frequently examine text messages, email, social, etc. for non resident entrants.

Interesting. Do they ever find anything that's actually incriminating?

Normally it's young people entering Australia to work "under the table" and only have a student/tourist visa. They denied entry for this reason very frequently.

You mean they actually find emails saying "good luck with your illegal work in Australia on a tourist visa, lol"?

I got a not-quite-as-bad grilling at the UK CBP, where they required me to log into my banking apps and show them my accounts & balances, as well as transaction histories to determine whether I was currently working remotely (and, therefore, would continue "illegally" working remotely while in the country).

Decade ago they were doing that in the UK. Showing proof of funds when you arrived.

Had one trip to the US where they asked how much money I was carrying. I said none, just a credit card. They asked if I were planning to work there. I said no, I'll pull money from the debit card as I go. They (presumably) acted puzzled about this.

Proof of funds is one of the three things they apparently still require. I had to show proof of funds (~$1000/month), proof of lodging (airbnb itinerary), and proof of leave (an already-booked plane ticket at the end of my stay).

Wait. So if I am a tourist in, let's say, the USA and I keep working remotely on Canadian projects and getting paid in Canadian dollars, do I need a work visa?

Depends on the country. The UK's particularly bad (in my experience and from what I've heard from the digital nomad community) in that they don't like you working remotely at all while visiting, especially if you're staying for any significant amount of time (I'm here for 3 months).

The general rule is "if you make money while in a country, you need a work visa while in that country", but obviously that may be a bit outdated and not take into account remote positions. Many countries can/will fine, blacklist, and deport you if they find out you worked while within the country without a work visa; and it's _those_ people that you need to be able to convince "I'm not taking your jobs away!" to.

I'm a US citizen so I haven't looked into it from your POV, but I do know that a trip to Canada, for example, allows working remotely as long as:

* you work for an American company with no Canadian offices or branches[1],

* you are paid in American dollars, and

* that payment is deposited into an American bank account.

Again, depends on the country you're visiting (and possibly the country you're a resident of), so I'd double check before working on a trip just to be safe.

[1] If your company has branches where you're going, the safest bet is to get them to help arrange the trip. A have a family member that travels a lot on business and has been denied entry to countries while on business trips specifically to train the local branch, because even then it's a delicate situation.

No, but a text saying "we'll see you at work 8am on Monday" as you are entering Australia is probably good enough reason to be denied entry if you have a tourist visa.

It probably is, yes. Does that actually happen on this TV show?

(Not sure why I get downvotes but no clear answers to simple yes/no questions.)

Yes, this exact scenario occurs quite frequently on this Netflix show. It's almost invariably a 20-something working as a server at a restaurant.

USA is a surveillance state. Here in UK we are much more progressive and respecting of peoples' privacy /s.

USA, Australia, UK, Canada (other comment branch). Sounds like the Five Eyes?

Canada requires this too. I'm sure other countries do as well.

That's unworkable. OK, maybe Facebook. But going without social media is no longer workable. Too much depends on it: family, friends, education, work, etc.

However, what is workable is keeping your social media clean. Compartmentalize anything questionable, anything potentially embarrassing etc, using pseudonyms. And compartmentalize those pseudonyms on separate hardware, and avoid linkage through IP address, activities, interests, friends, etc.

Edit: It's cool to hear from itshoptx and gravypod that it's possible to go without mainstream social media.

I would respectfully have to disagree with you concerning social media.

- I've been in IT 20 years and have no social media

- I meet my friends in person, since they're all local, save 2, and we prefer to talk or text

- I've never had a potential employer bat and eye or even care that I have zero internet presence. In fact, many have said they prefer it because I'm not distracted whilst at work. Besides, I enjoy being something of an anachronism where this is concerned. Granted, my stance is my own and I encourage others to do what works for them. I have considered that when I travel I may be harassed because the powers that be will assume I am lying since everyone else seems to have social media accounts.

Your method also only works if you have a small social circle or don't go out much. Good luck planning a big party or trip without a Whatsapp/Telegram/Facebook group chat..

You understand that society did just fine for thousands of years without these things right? Maybe if you are 20 the social norms have changed so drastically that calling someone is unthinkable but I rather doubt that. Certainly for my generation and above ('84) it's not required.

We used to have to call[1] several people to organize a gathering/outing, in the distant past of 15 years ago. If someone wasn't home you just had to try again later and/or leave a message, which they would only hear when they got home. Maybe every now and then someone would miss something because of this, though not often. Shockingly, it worked just fine.

[1] from our homes, obviously, since that's where the phone is, unless you were one of the rare high school students carrying a cellphone that had a usable amount of minutes on it, and even then cell call quality was (is...) so crap that you'd prefer your home phone.

While I generally agree with your sentiment, FWIW I'm a 25-year-old and I haven't answered a non-work phone call in several years. If friends/family want to contact me, they can send an IM or leave a voicemail and hope I call voicemail in the next week or two.

I haven't even had the sound/vibrate on my phone turned on for about a year now (which, honestly, is probably the most liberating decision I've made since then), as there's nothing in my life that can't wait however long it is until I check my phone next.

I am pushing 40 and everything is planned on Facebook now. That's the main reason I have an FB account, to keep up with events. The secondary reason is to keep up with conversations people are having on there, at the events they're planning on there.

My social circle is decidedly non-techy, too.

I don't think there is a generalizable rule.

In the past most people never went outside the 20 mile radius where they were born. keeping up with friends around the globe is a lot easier using social media

Social norms have drastically changed, but not to that degree.

I'm only 32. I live in a different city than I grew up in which was a different city than I went to school in. I don't use any social media sites (tried google+ but none of my close friends helped it so I left quickly). It's never been an issue. My friends from all three cities made it to my wedding and no one has an issue texting me when a group camping trip is being. planned. It's perfectly workable unless you feel the need to see what everyone is doing everyday, which never appealed to me.

Unless you call hacker news social media then you can definitely do it. I do it. I just call or text the people I care about when I'm thinking of them.

Nothing is needed from social media.

Yes, I love giving in to chilling effects that modify my behavior out of fear of consequences!

Or perhaps a government shouldn't be party to my social life?

> chilling effects that modify my behavior

I never modified my behavior. I just don't like the layout/UX of facebook/twitter.

> out of fear of consequences

This isn't being done for any specific reason, it's just a side effect of my dislike of their UI, management, and moderation.

> Or perhaps a government shouldn't be party to my social life?

If I'm texting, the government has it. I don't know what you are on about.

I don't like it either. But it's irresponsible to counsel people in ways that set them up for suffering. Protesting should be a conscious choice.

A fun prank: Create realistic facebook profiles for people you hate, and send links to CBP right before they travel.

> A fun prank: Create realistic facebook profiles for people you hate, and send links to CBP right before they travel.

During the Chinese cultural revolution in the 1960s, anyone could anonymously post the names of "people they hated" as suspected counter-revolutionaries on public bulletin boards. A "fun prank," maybe, except that many of those reported were executed. [1]

This was contemporary with humans traveling into space. We're not out of the woods today—if anything, technology has raised the stakes.

[1] https://books.google.com/books?id=AfIydrsE6aMC&pg=PA163&lpg=...

it is illegal to create a profile for someone else, i.e. to impersonate someone: http://blogs.findlaw.com/blotter/2011/11/fake-facebook-profi...

> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs

We're in a temporary blind spot with CBP et al not asking for iCloud, Gmail, et cetera passwords.

Makes me wonder what the best options are for cheap phones and laptops that can be used while traveling.

Also, does having saved passwords in a computer (for servers, email, GitHub, etc.) mean that CBP could use those passwords to search computers inside the United States? Or is their search power limited to information actually stored on the machine's hard drive.

Put your passwords in a password safe like Keepass, and keep that somewhere in the cloud, PGP-encrypted as an extra layer of security, with a private key that is encrypted as well. Create a special private key for this purpose alone. Download that file when you entered the US and decrypt it.

When exiting, you might wipe the disk if you want to be sure they won't search it when you leave.

Or don't go to USA. Other countries need to develop their conferences and ecosystems.

If your phone is logged in to email or Facebook, they can download the total contents and history of your accounts.

There doesn't seem to be much difference between making you unlock your phone (and thus all the services it's connected to) and just making you sign into your social/cloud accounts at a kiosk. Are they doing that yet? If not, they will soon, barring a successful and crystal-clear court ruling in the meantime. I guess it's time to start re-thinking having persistent available-anywhere remote access to any of our own data. That's going to suck.

If they have the password they can search it...

> But non-citizens, possibly including LPRs, cannot: if an alien attempts to cross the border with a device they can't unlock "because they don't have the corresponding 2FA token with them" (as one friend suggested they do), they'll be detained, their devices confiscated, and then put on a flight out of the country.

Wouldn't an OK mitigation be to give the device to a US citizen for the border crossing? The US citizen could legitimately say it's not mine, it's my friend's and I don't know their password. The alien would have no item to be unlocked.

If you were traveling with said friend (you being the foreign national and friend being the US citizen), CBP would just make you unlock your own phone. This is not like a logic game you can outwit.

> If you were traveling with said friend (you being the foreign national and friend being the US citizen), CBP would just make you unlock your own phone. This is not like a logic game you can outwit.

It's not a logic game, you're just adding hurdles to the search which make it less likely, and leaning on the legal privileges of the citizen. To do what you propose, CBP would have to flag the citizen for search and connect them to the foreign national before they pass immigration and customs. If they manage to do that, the foreign national needs to comply. If compliance is not an option for them, this idea won't work.

> CBP will begin asking everyone for Facebook logins

If they asked me I would answer, honestly, "I've no idea what my password is, it's always logged in on my computer".

And you will be blocked from further entry into the US

It gets worse, because if you're coming to the US hoping for permanent status, anything you do to slip stuff past a search that CBP does is potentially grounds for revocation of status later.

The question is where is the line?

Say I have sensitive or proprietary information on my laptop that is in an encrypted drive. Do I have to unlock my laptop, or do I have to unlock each encrypted file itself?

There isn't a line. You have to do what they say you have to do, or else [consequences as above]. Your sensitive or proprietary information is not an obligation on them.

The one possible exception might be if you're carrying information that requires a US security clearance to view. I'd normally expect that to come with an ID card that causes CBP to ignore you, but these are not normal times and you could end up in a fight between conflicting "security" services.

(The worst case of that I'm aware of was https://en.wikipedia.org/wiki/Arms-to-Iraq )

So maybe Facebook add a feature to "delete" your account, to later have it restored? Similar to erasing your phone and restoring it later?

Facebook already does this when you delete your account

So the logical thing is to at that point delete your facebook profile forever and never make another one and little of value is lost

What are they going to do if you say you don't have a facebook account? (True in my case.) Seems difficult to verify.

Nothing. But if you do have a Facebook account, and you're not a citizen, you should bank on them knowing that you're lying about that. Further: saying something will conflict with automated information gathering they'll have done beforehand will put you in a different bracket of suspicion. Most people will just tell them, most people will just unlock. They're going to be interested mostly in the oddballs (for better or worse).

A cool idea might be to have a device-image that you can load on your phone for in-country and one for out-country, and a method for selecting from your in-country image the only stuff you want to copy to the out-country... like contacts, certain apps, certain passwords/bank/passport etc...

Also, whats an LPR?

If you can recover your data at the border, and you're not a citizen, you should be prepared to do so. There's no clever trick that scales to ordinary people that protects data from CBP. That's the think people need to be clear on: it's inconvenient, but they need to not only not be carrying sensitive encrypted data at the border, but also not carrying any indication that they have it, or have any such indication attached to their name.

An LPR is a green-card holder, a lawful permanent resident.

There is also the combo of fde + factory reset of your device after landing.

Yes it is inconvenient, but far less so than a total compromise of your credentials.

As an aside, you can have facebook logins, without having facebook installed on your phone, and you can make your profile unsearchable.

Facebook really needs to step up and add an anti border guard feature. Maybe a travel password that provides a hygenic profile.

> The current best practice for border crossings --- really anywhere in the world --- is simply not to carry anything you're unwilling to unlock for Customs.

This seems like a perfect use case for TrueCrypt hidden volumes or similar: https://www.howtogeek.com/109210/the-htg-guide-to-hiding-you...

I thought so, too. But the advice I've seen, quite strongly, is that you do not want to lie to federal officials about anything, ever. Even if you're just using a hidden volume on principle rather than hiding some terrible wrongdoing, the moment you say "No, I don't have any other hidden files on here" or "There, you have access to all my files now" you've committed a federal crime. If they spot the slightest evidence showing that you've lied (which, heck, might not mean much more than finding TrueCrypt installed), they'll throw the book at you.

> the moment you say "No, I don't have any other hidden files on here" or "There, you have access to all my files now" you've committed a federal crime.

So then you don't say those things. This covers the much more common (I'd imagine) case where a traveler is asked to turn on his device and enter the password, but possibly not the case where the traveler is being grilled/interrogated on the contents of his device.

But plausible deniability is one of the purported features of TrueCrypt hidden volumes. How would you prove someone had an encrypted hidden volume on his device?

If you're a US citizen, go ahead and try to outsmart them with TrueCrypt. My guess is most of the time you'll succeed. But if you're an alien --- and, especially, if you're a brown-skinned alien --- don't have TrueCrypt on your laptop.

You can make an encrypted backup of your machine and store it in some innocuous place in the cloud, or have it Fedexed to wherever you're staying. There's just no good reason to play games with TrueCrypt at the border.

Just so we're clear, I think the right strategy for anyone who could reasonably expect to be targeted (journalists, certain types of researchers, people with funny names, those who've sent mean tweets about the POTUS, ...) is to avoid carrying sensitive data when crossing borders.

What I think all US citizens should do is use whole disk encryption (but everyone should do that), and refuse to comply with requests to provide their passwords, even at the risk of missing flights / losing equipment / spending a day in a room talking to unfriendly people. Frankly, this is just an egregious and pointless violation of our 4th amendment rights.

What if one doesn't have a Facebook and is unwilling to give up email for work/NDA reasons?

As above: You have to do what they say you have to do, or else [arbitrary consequences]. Your sensitive or proprietary information is not an obligation on them.

That will be difficult to do for those of us without Facebook profiles!

Another option is decoy operating systems

what happen if you dont own a facebook account?

How is this not in violation of international law, especially the International Covenant on Civil and Political Rights [1] article 17, which would apply to US citizens as well as non-US citizens?

No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

Maybe even article 9 if the law does not clearly establish what is allowable.

Everyone has the right to liberty and security of person. No one shall be subjected to arbitrary arrest or detention. No one shall be deprived of his liberty except on such grounds and in accordance with such procedure as are established by law.

EDIT: Turns out the US did not really ratify this treaty. [2] So no human rights in the US, or at least not all of them enforceable in court. There may of course be similar rights from other laws or treaties.

[1] http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx

[2] https://en.wikipedia.org/wiki/International_Covenant_on_Civi...

The respect that USA shows for international laws is more or less on pair with the value of human rights in Guantanamo.

No offense, but I don't put much weight on international law. In order for a law to have impact, someone has to enforce it. Who will enforce international laws? The UN?

In this case it would be every country that ratified the treaty itself. This kind of international treaty just becomes more or less national law. But I just read that the US did not really ratify this one, it ratified it and added five reservations, five understandings, and four declarations. So this one has probably not much effect in the US. But usually you can just go to national courts if you see a violation of international law like this.

Yes, any treaties or laws ratified by congress have the full legal weight as any national law. They must be upheld by our nation; otherwise, it's unconstitutional.

Yes, but then you're asking countries to police themselves. If following the law is not in the countries best interest, they won't do it unless someone else forces them to.

I think the American mindset in regards to the law and the state itself, especially that set forth by the founding fathers, is that the people are those who make laws and enforce them, so this mindset asks for a revolt to the state as a reply to such acts.

The US can easily claim it's not "arbitrary" because they've been selected by their systems for complete roto-rooter inspection, and it's not "unlawful" because the US laws could allow it.

If software identifies you as potential criminal or terrorist at the border, the following search is not "arbitrary" by any means. The state should not be transparent about the exact reasons why you were chosen (e.g. the social media post or phone call), apart from pointing out the law based on which they are acting.

Only if the software or procedures do a reasonable job at selecting people. It is hard to tell from the outside whether this is the case but the cases that became publicly known at least suggest that the system is not flawless and also seems to pick people with opinions or doing things the US disapproves but which are not illegal.

How much information must be provided is certainly debatable. Article 9 continues as follows.

Anyone who is arrested shall be informed, at the time of arrest, of the reasons for his arrest and shall be promptly informed of any charges against him.

So what are reasons? You are in violation of US law? You are in violation of US law X? You are in violation of US law X because you did Y? You are in violation of US law X because you did Y and we know because of Z? How much reason is enough reason?

Actually, if you are only detained for some time, then there re probably no charges. Unfortunately my understanding of law has a lot to be desired. How much inference is allowed without charges?

And thinking about it again, nobody, as far as I can tell, heavily complains about your bags getting searched, for security or customs. So it seems indeed more of a matter of degree what kind of search is acceptable.

On the other hand getting your bags searched is about imminent dangers and crimes, downing the airplane, smuggling illegal things, evading taxes. Inspecting your digital life seems hard to justify from that perspective unless you think people are regularly posting on Facebook that they are about to cross the border with a bag full of drugs hidden so well that they can not be found.


> I am astonished by your entitlement.

That's a breach of HN's civility rule. Personal abuse is not allowed in comments here, so please don't post like this.

I would be kind of okay with this if I could just turn around. We think you are a risk, either show us your phone - and we may or may not allow you to enter after looking at it - or take the next airplane home. It would be nice, if you would tell me this before I waste my time and money to go on the flight so that I can decide in advance if I am willing to find out how looking at my phone will influence your assessment of me. But I certainly see how telling this in advance would be problematic or undesirable.

But once you start to arrest me, I really want to know why you are doing this and I surely think that I am entitled to get this information. You don't have to tell me which undersea cables you tapped to get your information but just telling me that you think I am violating an unspecified law certainly doesn't cut it.

I am still a human not found guilty by any court and you need good reasons to take away my freedom, citizen or not. And you owe me an explanation so that I can take appropriate measures to resolve the situation.

The country you're travelling to doesn't owe you anything. In some areas of the world, border guards will shoot or rob you.

If you don't take part in any shit that annoys the powers that be, you will most likely never be approached by border guards at all. I really think that as citizens of the western world we are in no position to argue that travelling between countries is bad or cumbersome for us.

Edit: To answer your reply, it is not a human right to be allowed to go into a certain country.

Every country owes you basic human rights. Sure, even basic human rights are just a concept humans invented and you can certainly have a country that just says no, we believe the idea of basic human rights is wrong. That would certainly be a very nice place to live. I on the other hand would certainly refrain from visiting it.

Rights are only as strong as your ability to assert them.

So I should probably bring guns and explosives to the airport to lend some weight to my rights in case somebody has a differing opinion. That could turn out quite interesting...

And now I am left wondering if comments like this make it harder to get through the airport. How humorless and paranoid is the system?

Well there are few penalties for ignoring international law, so while I share your love of the concept I have to recognize that without teeth international law isn't going to protect you from a bad government, wherever that happens to be. A few people have been prosecuted in the International Criminal Court, but I don't think that's a serious deterrent to most international actors.

Requiring the government to justify human rights abuses isn't entitlement. It is common sense.

If all that counts is the safety of your citizens, why would anyone ever be allowed to enter a country, unless they were there to perform a life-saving operation or a similar good?


Haha. Terrorism bla bla.

Anyone noticed that the first two example cases are actually political activists being targeted.

- the first is some Chelsea Manning advocate - the second is some pot legalization activist

There you have it for what actually are these rarely used rules used for.

I would not go that far. What is points out is that the database being used is lumping all people of interest together regardless of their level of threat or type. Lazy or nefarious, who knows. More than likely those who created the system never would have guess how easily people would get on it.

This happened to me crossing into Canada and to be honest I really wasn't expecting it. I had tons of very private pictures and messages on there stretching back years. I really didn't want to turn over my password so that 3 border agents could look through all that stuff in some back room, but at the same time I knew there wasn't anything illegal on there. Anyway, I was with my partner and didn't want to ruin her vacation as well so we just turned over our passwords (under threat of detention if we didn't).

In any case, if you find yourself in this unfortunate situation (you shouldn't - you should travel with an empty phone when crossing the border, or at least wipe it before crossing then do a restore over icloud later), here's something you can do: Before going in (if you have an iphone), make sure you have a strong alphanumeric passcode. Enable auto-wipe on 10 incorrect passcode attempts. Then, turn the phone off. If CBP then asks to turn your phone on and wants your password, appear eager to comply, but give them an incorrect one, and when that doesn't work, admit that you had just changed it a few days ago to something more secure and that you may have forgotten it, but don't worry, you always just use the thumbprint to unlock the phone anyway and volunteer to open it that way. Always appears helpful. The phone still won't unlock because iphone requires passcode entry after restart. If they ask why you turned the phone off, just say that's what you normally do when entering border control. Unless you're under some kind of serious suspicion of some kind at this time, they're unlikely to detain you for forgetting your phone password, and even if so, it's locked with a strong passcode so there's no much they can do anyway.

Recognizing when people are lying is an important part of CBP's job. They're trained specifically to do it. It's unlikely that you're better at lying than they are at noticing that you're lie. Lying to them will end poorly.

> Recognizing when people are lying is an important part of CBP's job. They're trained specifically to do it.

That's true. However, the evidence that people who are trained to recognize lying do any better at it than random people off the street is -- putting things mildly -- not strong.

If they notice you're lying, it will be because you contradicted something they already knew or because you were bad at lying, not because they were trained to recognize it.

They're not actually very good at this. Keep your responses to the shortest simplest truth. Your goal is to be boring and unremarkable as everyone else.

Anything more frustrates and angers them.

You raise a really good point. CBP deals with people lying to them every second of every day. If you think a "oops! I must have forgotten the password" will work, you're in for a rude surprise.

Or instead of going through a bunch of effort in order to risk pissing off border agents with shenanigans, you can buy a dirt-cheap Android phone for travel. Bonus: then you don't have to worry about it being stolen, lost, or broken, either. It'd be a sensible move even without the border search risk.

Incidentally, is this limited to phones? Are they only searching these accounts because they're authed to the phone they make you unlock? Or are they saying "oh, OK, so you're traveling without a phone. Please step over to this kiosk and log into your Facebook account" as well?

When I'm traveling (which is often), I NEED my "good" phone. Maybe a cheap Android phone would be feasible for occasional recreational travel, but this is not a solution for many.

Better to have easily restorable backups and just wipe & configure as a "new" device (not connected to cloud services) before entry. Restore from backup when you get home.

This is actually pretty painless these days. Sad that it's necessary.

do you have a dirt-cheap android to recommend?

Moto G4 Play if you want something that's not totally disposable but is also sort-of an OK phone, by cheap Android phone standards. ~$130, which is pretty cheap for someone from the US on HN, most likely. You'd be sad to lose it but not that sad.

If you want an Android smartphone that's really cheap go to Wal-Mart. Unlocked Android phones south of $60.

If you can do without a smartphone you can get a dumb or feature phone for ~$10-$30.

There might even be better deals on Aliexpress or somewhere similar if you shop around.

Nice, that's pretty much what I had identified too. I had been focusing on the full Moto G4, which is like $200, hadn't realized the G4 Play could be had for $130 no contract.

I would call neither _dirt cheap_ for _my_ budget, but that is what I had arrived at as the cheapest possible that is still usable too. "Dirt" cheap, not for me, or probably most Americans, but what can you do.

(FWIW, I think it's no longer possible to get a dumbphone that will work on AT&T for $10-$30, now that AT&T turned off 2G and requires 3G even for voice. More like $60-$80 at the very lowest end that will work on AT&T. Don't know about internationally. :( )

Moto G4

A Moto E 2013 is still pretty usable... Using one right now.

Honestly -- do not lie to border agents. Do not do anything illegal or even with a smell of dishonesty while talking to agents on foreign soil, or even to agents of your own country.

Travel with a safe, clean device, if you travel with a device at all. If it is your employer's device, cooperate and then tell your employer's lawyers what happened.

Stay safe, especially if you're a minority of any kind.

Sorry that happened to you, but that is just not good advice. Trying to fool them at all isn't advisable, and your suggested scheme involves multiple levels of deception - lying both about what you did and what your intent was, trying to appear eager to help when you're not. Most normal people are not such skilled liars, whereas border agents are always on the lookout for deception.

Also "just say that's what you normally do when entering border control" goes against the image you're trying to create.

What happens if you try to mail or ship a smartphone across the border, as opposed to carry it with you when you are crossing the border? I'm wondering if you could ship your regular phone ahead, and use a burner while you are traveling.

If that works, that could be an interesting business opportunity. Set up a series of phone exchange stations near major airports, where outgoing travelers can swap their smartphone for a burner. You ship the smartphone to your station near their destination, and when they arrive they can turn in the burner and retrieve their smartphone.

You could also add in a temporary backup/restore service for laptops. A traveller could bring their laptop to your station when they are preparing to leave, and you do a backup of all user data and then delete it from the laptop.

While they are in transit, you send the data to your exchange station nearest their destination. When the traveller brings their laptop in, the user data gets restored.

Thing in transit are not invulnerable to tampering; see the story of NSA intercepting Cisco networking hardware and implanting beacons. [1]

[1] https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...

Creating a business with the purpose of circumventing border control is unlikely to be appreciated or permitted by authorities in any country.

Probably better off just leaving your smartphone at home and buying a device at your destination.

The purpose of the business will be transferring people's digital devices securely, NOT circumventing border control.

But I think any company does this as their main business would get on the CBP's hot list.

These discussions tend to focus on all the inane ways to subvert the border guards.

The real question we should be asking is how to make this a big enough issue that it gets mainstream attention and action.

We shouldn't try to figure out how to continue down the fascist path but how to change it's direction.

I agree that fighting fascism is a bigger overall concern, but I think there's a time for these practical concerns as well. Especially given that it most affects non-US citizens, who may or may not be able to have an impact on the larger issue.

This practice should be banned on the premise that any digital data that could enter the country physically on that device could just as easily cross the border and enter on any internet connection. Searching the device does nothing to prevent anything from entering the country, which is the primary role of the CBP agents - to control the flow of people and physical items. Not data.

If the CBP then claims that it's a useful tool/practice because they can identify bad people who shouldn't be allowed in, they should be asked to provide stats on how many people were denied entrance after their devices were checked. My guess is that number is statistically meaningless, probably in the <1% range for people who actually unlock a device.

One of the only exceptions I can think of is cases like this one: http://cyb3rcrim3.blogspot.com/2016/04/the-laptop-child-porn... where there is already a legitimate investigation going on and a person is suspected of serious criminal activity and they don't have enough for a warrant. In these cases, the CBP uses the rules regarding border re-entry to their favor to compel a search of a device because they have at least some sort of reasonable suspicion that a device may contain data for which the mere possession of is highly illegal. Other than that, I'm hard-pressed to think of any cases where the mere possession of data would be a felony unless they suspect you of having classified information without the appropriate clearance.

Well, at 4444 times a year it doesn't seem that rare of an occurrence.

But, hey, what's new? The US has imprisoned innocent people, and tortured them multiple times a day for years and years. This is public information, and no one gives a shit. The US government really doesn't care about anyone who is not a US citizen. (And sadly, western countries mostly just let the US do whatever they want)

A women is being locked up for 8 years because she checked the wrong box on her voting form, and it is pretty common that unarmed black people get shot by cops without serious consequences.

I understand that people are upset about the possibility of having to unlock their phones, but there are far more serious indications that the US is not the great country it wants be. A lot of common sense and decency it missing in the US - and not just in the Trump administration.

>"Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies)."

In other words the CBP were completely unhelpful and simply referred them to published legalese online rather than clarifying that legalese. It really feels like the culture of DHS and CBP views the people they are supposed to serving as adversaries.

I don't understand America's fascination with snooping through peoples shit.

Neither do most Americans. It's the authoritarians in charge of this shit show that have the fascination.

Yet they vote for those exact authoritarians. Quite fascinating actually.

But why people let them do it?

Because our political system has been taken over by entrenched authoritarian conservatives who have rigged the game such that it is very hard to remove them.

That combined with the fact that the majority of Americans are struggling these days financially, and you have a situation where people care, but they care more about putting food on their table for their family and keeping a roof over their heads, so that stays at the top of their priority list and they don't have time to be active enough to do something about this.

The simple way to avoid this for me, is to skip avoidable US trips for now. I would have loved to attend strangeloop, but I will wait for better opportunities.

If my work requires me to travel there, I will simply ask to have electronic material provided in the US, and download whatever tools I need once inside the US.

I would advise anyone traveling to have versioned working tools stored online anyhow.

If some CBP knuckle-dragger wants me to unlock my phone so he can browse through it looking for whatever as I stand there watching while asking me insipid questions, that's not a huge deal.

The real problem here is downloading of data from the phone. Once that data is off-loaded, the government can make it a part of their "Seven-degrees-of-Kevin-Bacon-Osama-Bin-Laden edition" game, stored forever, perpetually looking for "connections" no matter how remote. That's a scary and slippery slope to surveillance state hell. I don't think such practices are commonplace, not yet?

Has anyone here ever been in a situation where the CBP confiscated their phone/laptop or downloaded data electronically from it?

I was crossing into Canada and 3 agents demanded my phone and password (as well as my SO) under threat of detention. They took the phones in the back for 45 minutes before they came out. Asked questions about a conversation I had about marijuana with a friend months ago, basically accusing me of being a drug dealer when even in the most wild reading of that conversation, that cannot possibly be the case. Anyway, who knows what happened in that 45 minutes, probably our data is still sitting deep in some Canadian government server somewhere.

Cheap Android phone. Temporary, cheap SIM (or none—you can get one where you're going) with a different number from your real one. Only way to go. Bonus that it's 100% reasonable to do this because you don't want to risk having your main phone stolen/lost, too, so it's not even a weird (suspicious) thing to do.

Eventually, this might be seen as non-suspicious. Maybe. I hope so. It's quite prudent.

BUT for now it's also something only a very, very small percentage of the population would consider doing and then actually do. Border agents would know this, empirically. So if you're doing something that's highly unusual for the general population then you are, unfortunately, doing something weird and suspicious.

TL;DR: it doesn't matter that it's reasonable; it's still fringe and, sadly therefore, suspicious

The government has everything you put on Facebook already. And everything you backed up to Apple or Google photos. And your emails.

If there's something else they're interested in, don't carry it over the border.

I don't know any of my passwords except for my password manager. If I leave my password DB at home, and mail a physical copy to my destination, what can happen? I'll be absolutely unable to access any account.

Then you shouldn't expect to be let into any country. Take the flight back and return when you can actually unlock your phone.

This might actually be the preferred choice for some people who wish to attempt travel, but are unwilling to sacrifice personal private.

And? The target country doesn't lose anything through this if some entitled internet privacy advocates without big business stop travelling to it. Everyone who is serious about coming actually handles immigration/border tax like an adult.

Nobody cares about your private life unless you are trying to affect others negatively.

Wrong: The target country loses money.

Wrong: Everyone who is serious about travelling can make their own choices about tradeoffs. That's what being an adult is all about.

Correction: "Nobody cares about your private life unless you are trying to affect others negatively, OR if they can use that information for personal gains, even if at a loss to you."

I'm done fixing your mistakes. Cheers.

"some people who wish to attempt travel, but are unwilling to sacrifice personal private."

If people value their privacy higher than the economic benefit from their travels, the economic impact of them not proceeding is most likely minimal.

The state and its agents don't use information for personal gains, their job and passion concerns society as a whole, and they want to make sure that no bad guys come in.

Worth noting that the DHS has the authority to take your device, copy the contents, and share any information they found on a case-by-case basis. It seems likely that the standard practice will be to simply copy the content wholesale and use it for importing into a system for analysis/flagging/later sharing and completing the network identity. Effectively, handing over your phone completes the picture in terms of network analysis. They have your facial/physical identity, all your communications, your photos, downloads...etc. This seems to also apply to laptops as well and it's likely that they can also just copy all that over as well without discretion. Make no mistake, the authority is far-reaching and completely unchecked.


" While CBP Officers are responsible for the examination of electronic devices, only Supervisors may authorize the copying of the contents of an electronic device.54 Where an electronic device is to be detained or seized by CBP, a CBP Supervisor must approve of the detention or seizure, and the CBP Officer must provide a completed CF 6051D or S, respectively, to the traveler.55 Where a traveler claims that the contents of the electronic device contain attorney-client or other privileged material, the CBP Officer must consult with the local Associate/Assistant Chief Counsel or United States Attorney’s Office before conducting the examination.56 CBP Supervisors may authorize the sharing of the traveler’s information for assistance or other law enforcement purpose on a case-by-case basis "

This part is deeply troubling:

"ICE has various safeguards in place to protect electronic devices that are detained or seized, or information from a device that is detained during a border search.

ICE stores all electronic devices, or information thereof, in locked cabinets and rooms and maintains a chain of custody using appropriate ICE forms and systems.

If a copy of information is made from the electronic device to allow the traveler to leave the port of entry with his device, the first copy is known as the “gold copy.” The chain of custody stays with the original or gold copy so that it may be used as evidence in court, if necessary. A new chain of custody form is issued to follow any additional copy of the data that is made; such forms are tracked by ICE Special Agents in the appropriate ICE systems. By policy, ICE’s review of detained information is to be completed in a reasonable time and, if the original device has been detained by ICE, the ICE Special Agent must provide a chain of custody form to the traveler as a receipt.

Special Agents must factor in the time necessary for any assistance that may be required when determining “reasonable time.”

Once the border search is completed, the detained device will either be seized or returned to the traveler and any copy of the data from the device will be retained for law enforcement purposes and in accordance with the established retention periods for any system of records in which it is stored or destroyed "

What if I simply reset my Android phone to factory settings just before exiting the plane? Can they force me to log in to my Android account in order to get to my FB?

And what if my battery is dead or my phone stops working? Can they force me to log in to their own Android phone?

What if I don't carry any phone at all, can they simply force me to log in to an empty phone? (Assuming everyone has an Android or Apple phone or is going to spend couple days in detention.)

What if I have my phone set to wipe itself after 10 incorrect login attempts, and I "accidentally" get my password wrong 10 times while trying to unlock it for them?

Are you willing to be blacklisted from entering the US for 10 years and sent back (assuming you aren't a US citizen). If you are, they might just detain you a while.

Can you just send your phone or laptop through fedex, or some other post service, and just don't travel with anything with a password.

Even better, do a cloud backup and wipe out your phone or laptop, and restore a backup when you are out?

Or am I missing something?

Are there any Android distributions that can boot to a different environment depending on what code is entered at boot time? And said partitions are hidden from each other (i.e. once booted, the other partition is impossible to detect)? This was described in Cory Doctorow's "Little Brother" novel, and on the face of it seems like a reasonable proposition - any major flaws in such a plan?

Is it worth it to clear those devices and restore from cloud backup after crossing?

I think so. But you want to do it in such a way that there's no "restore" button you could push on your phone once you're compelled to log in to any accounts that are clearly associated with the phone.

One way to do this would be to back your phone up, encrypt it, and stash the file somewhere else, then scrub the phone and back that up so that you could, if under questioning by CBP, perform a plausible restore.

What if they ask you for your Google account(s)? Google is social media! Google Plus!?

Create a plausible decoy account. I've literally created dozens of gmail accounts, for other purposes, might as well have one for this.

This is exactly what I was thinking too. I have my old phone I wouldn't mind using for travel. I'd just keep that one mostly empty and swap the SIM card when traveling. Alternatively a backup could work as long as you place it somewhere online or hide it well so they can't ask for that to be decrypted at the border as well.

No. First, as others noted, it creates suspicion.

Second, you can't trust devices after authorities have messed with them. Maybe they're backdoored.

Best option is to carry only inexpensive devices, containing no sensitive information. If they're searched, just throw them away later.

Easier said than done if you travel regularly. Work takes me on the road a few dozen times/year. Not all of that travel is international, but I do rely on having easy access to my personal devices to maintain sanity with that lifestyle.

Even cheap throwaway devices become expensive over time.

Since the chance of search is on the order of what, .0012% though? According to the article. If we're going down the backdoor rabbit hole, we need to abandon smart devices entirely. Not feasible.

You mean if you want to look like you have something to hide? Yeah, that might help...

If you're already detained with your phone being searched, there's not a lot more they can do after encountering a wiped phone.

But if you want to be clever about it, just wipe the phone and create a separate account with your most important contacts and stuff. Nobody's going to interrogate you for having insufficient apps.

But I do have something to hide. My personal information. This something I want to hide. Pretending like I'm an open book only encourages the bastards, no?

Yes, but so does a super-clean phone, I'd guess.

Maybe its for the best. This gives me a reason to buy a Nokia 3310 or its new version http://venturebeat.com/2017/02/13/hmd-global-will-launch-the...

Ive got a trick. As a lawyer i keep a note on my laptop deacribing how it is encrypted (linux, home dirctories + trucrypt archives for important stuff) and that content is subject to attorney-client privacy rules. Ive been asked to unlock several times. I say "sure thing, but ill need some sort of court order so i dont get sued." Faced with a reasonable person willing to unlock, they have never pushed the matter. For my phone, phones cannot be trusted. Dont do anything you want to keep private on a phone. Buy a netbook.

I would suggest saying something like "sure thing, but i use this device to talk to my lawyer and i should ask him first if it is ok." They wont want the hassle of dealing with this perfectly reasonable request. (Don't fib. Have a lawyer first. All you need to do is email one a couple times for that statement to he true.)

Does that only work if your a US citizen? If your not then bye bye visa?

Canadian, so no visa req for visits. Special temp visa for lawyer work, issued at boarder crossing. They dont get mad. The trick is to be reasonable. They know it will be difficult to get an order/warrant to search a lawyer's machine. Lawyer-client confidentiality is one of the few things that trumps even terrorism.

Well, you have a status that could go away if the CBP officer gets grumpy. At least you don't have a living in the USA to protect.

As a client although, is that ok? Also this guy worked for NASA, and knowing many big corps that kind of policy would apply in some indirect way with work devices. But it didn't seem to matter for him.

Nasa isnt a law firm. Lawyer communications are treated by different rules, rules above things like classifications.

The idea that our constitutional rights end at the border is such a travesty, contrary to everything our forefathers fought for, that alone is worthy of renewed revolution.

Happily, to counterbalance that, US jurisdiction is often assumed to cover the farthest reaches of the planet.

That's patently false. Good luck enforcing US business law in Norway.

Funny - we seem to have no problem with drones killing an alarming number of civilians with no declaration of war... I guess that's under patent law?

Actually, I have had US business law thrown at me. It didn't stick, of course, but that was much to the throwers surprise, apparently.

But then, I'm not in Norway. I'm in Denmark :)

RIAA/MPAA believe otherwise

They also end 100 miles in from the border. [1]

[1] https://www.aclu.org/other/constitution-100-mile-border-zone

Even worse when you consider what percentage of the US population lives within 100 miles of the border, which is where the 4th amendment apparently does not apply -- about 2/3rds of the US population!


It is indeed unacceptable.

contrary to everything our forefathers fought for

Ummm... the fact that you lose certain rights when crossing an international border came from the founding fathers. It's nothing new.

One thing I have thought about. I have dozens of profiles which are just test accounts for social media, to hook up to applications I've been building.

I've been thinking recently to just close all the accounts, including email.

This will leave me in a state where I have pretty much no social accounts, just 1 email account which is used for friends/family.

Are there any cases of individuals giving up their phone and it being a wasteland of information? I personally do not use facebook, google-plus, twitter, linkedin or anything else. I literally do not have an opinion, nor do I care to share it!

Edit: Do they also check when email accounts have been created? How could they know, unless they checked in with the provider? I'm thinking of closing my main account, requesting data be deleted and starting afresh!

I've wondered the same. What if you just opt out of 90% of everything? What are the implications of not using social media?

I don't have any social media accounts. Last year I crossed the border for the first time in 20 years (to Canada and back) and wasn't asked for anything.

It might be the case that having no online presence reduces your chances of being flagged. Fewer obvious associations, fewer chances for "Six Degrees of Kevin Bacon" to occur, less chance of some algorithm picking you out of the crowd.

There were some scare pieces a few years ago that somehow not having social media accounts would make one suspect when going to apply for another job, since background checks wouldn't reveal any online presence and that must mean that you're socially defective somehow. It seems like it was probably just a way to goad stragglers into adoption.

The upside of not using social media is better relationships and better mental health.

Nothing really. I don't have twitter, my linkedin is just like my online profile page, i haven't log on to facebook for years. The most "social" apps on my phone are probably yelp, google map and email. Honest I don't feel anything different.

Are visitors being turned away because they can't provide passwords for social media accounts? Using a local password safe (KeePass2, etc.) should be a great excuse, but I'm not sure what happens next.

It bothers me that the US is providing a terrible example of how to treat visitors.

This is my thought as well. I have a Facebook account, but have no idea what the password is since it's generated...and without my phone/laptop, would have no way to retrieve it.

If you think the US is the only country doing this you are sorely mistaken.

The question I have in mind is "do they have the right to confiscate your device or to disappear with it?". What if I told them "I'm going to unlock it, but I'm the driver. Ask me all that you want to see, and I'll take you to that app?".

Accounts I've read of this, no you do not get to drive, at all.

They will take it into a back room, do things you won't get to see, and you may get it back when they're done with you, or they may keep it (example: [1]).

If you're a security researcher, or property paranoid, you can then dispose of the device in some way, because you have no idea what they did to it, the device firmware, baseband, etc. Probably nothing, right? But the time and effort it'd take to vet it all is prohibitive.

[1] https://www.cnet.com/news/researcher-detained-at-u-s-border-...

And do you get to claim compensation for the equipment that is now untrustworthy and you therefore need to replace?

They would probably take your device and copy entire contents via usb, search with software for select phrases not scroll through your timelines individually. They're not going to consider you scrolling around and not giving up password as an adequate search.

What if they told you "we're going to detain you until you do what we want?"

If you're a citizen they cannot. A citizen cannot be refused entry.

They can keep your stuff, however. And if you're merely a permanent resident you can be refused entry.

My wife and I have cancelled a proposed trip to NYC this summer. The States just seems so dark, unwelcoming and aggressive that for a short break it hardly seems worth it.

> The short answer is: your device probably will be seized (or "detained" in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.

This is a precarious situation to be in an I'm surprised if this does not violate some provision of the law. Worse, there have been conflicting judgments on similar cases [0, 1].

On a side note, can law itself be unbiased due to the nature of the cases heard in courts? A situation X regarding certain law LX might be heard 1000 times and would be more clear in contrast to a situation Y concerning with law LY as it went to court just 3 times. Can one computationally figure out laws which are unclear based on the number of times they are references in court judgments or some other similar parameters?

[0] https://arstechnica.com/tech-policy/2013/12/judge-wont-let-s...

[1] https://arstechnica.com/tech-policy/2015/05/warrantless-airp...

No human activity is 'unbiased'.

This article [1] suggested to reset your phone to a blank slate before you hit customs and then reinstall after you're in. Not sure if that's going to help but I like the idea of the subtle middle finger.

[1] https://medium.freecodecamp.com/ill-never-bring-my-phone-on-...

Question: what would happen if you are asked to unlock your device and you refuse on the grounds that it contains classified material?

Presumably they wouldn't just shrug and say 'OK, then' - but neither could they (if the classifying authority was one they cared about - say, NATO) just say 'Tough luck, now unlock it!', right?

You would need appropriate credentials and material/systems would have to be marked appropriately. I would think saying 'phone contains classified material' and then not having documentation really just gives them probable cause to get really nasty.

It seems like that would only work if you actually have the appropriate security clearance. And they're probably OK with letting people with clearances get through with less screening.

-You'd obviously need to be able to provide proof of your clearance* (though I suppose your passport and a database lookup would do) - but I wonder what would be the next step then; getting hold of an official with the required clearance to match the documents in your laptop? (Which, in the case of higher/compartmentalised clearances may not even be possible)

At some point you just need to start trusting people.

*) I wouldn't recommend leaving docs leaked by Ed Snowden on the laptop just to be able to rightfully claim there's classified material on it...

If you do have classified material about which the USA has an interest in protecting you'll probably be on a G-* or NATO visa. Rather different entry experience.

Can they ask me to turn over my gmail username and password, even though I don't have a phone or computer on me?

Have there been any incidences of people who signed up for CBP's Global Entry program having trouble?

Many of the complaints here are a (justified) fear that privacy invasion occurs as a side-effect of a clumsy and poorly thought-out attempt to prevent something illegal[1]. So if I go ahead and sign up for the background check + interiew to let them see I don't have ill intentions, would this reduce the likelyhood of collateral privacy invasion when actually crossing the border?

I've been considering this for convenience reasons but am curious if it might help in this instance.


[1]: There is also the issue of restricting freedom and declaring people "illegal" when that runs against the spirit of this country, but I'm not focusing on that here.

> Have there been any incidences of people who signed up for CBP's Global Entry program having trouble?

Yes. The ArsTechnica article we're discussing here fails to mention it, but Sidd Bikkannavar is enrolled in Global Entry:

"Seemingly, Bikkannavar’s reentry into the country should not have raised any flags. Not only is he a natural-born US citizen, but he’s also enrolled in Global Entry — a program through CBP that allows individuals who have undergone background checks to have expedited entry into the country. He hasn’t visited the countries listed in the immigration ban and he has worked at JPL — a major center at a US federal agency — for 10 years." - http://www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkann...

Good catch. Thanks!

There are probably thousands of instances similar to this (not necessarily having to hand over your device) where US citizens are at the mercy of law enforcement simply because we don't know what are rights are, and because often law enforcement either doesn't know or doesn't care.

Civil rights often tend to be only as useful as our knowledge of what exactly they are.

When you arrive at the border, it might be too late to get privacy-conscious and refuse to unlock your stuff. Unless you're using non-American devices and social media, your data probably gets inspected anyway when you apply for a visa, and might be monitored at other times as well.

It empowers the border agent to assess risk of a traveller right on the spot without consulting other agencies or even getting read access to those types of databases.

This means I have to install a blank Custom ROM before I travel to the land of the free™

Was wondering what happens if they find posts on social media criticizing the current administration? Trump often used to highlight the fact that the thousands of CBP agents has supported/endorsed him.

Personally i like to travel with a burn phone that only has the contacts i need in case something happens to me and dont bring laptop because m usually not traveling internationally for work.

So worst case I'm out a thousand bucks and one phone? Sounds like it's worth the trouble.

They can detain you or your device even if you do unlock it. So better just not to unlock it.

Reset to factory then unlock...

Same result as if you refused to open a securely locked briefcase?

I know right? Phone lock screens could conceal bombs or invasive species.

Or - gasp! - the phone could be full of dank memes that CBP doesn't approve of.

You're right, digital content can never be harmful. All the bomb blueprints are always on paper.


We've banned this account for conducting religious flamewars on HN. No one is allowed to do this here, and we warned you repeatedly.

We detached this subthread from https://news.ycombinator.com/item?id=13661540 and marked it off-topic.

> If the Ukrainians start to run from Russia the reception will quite different - case in point - the armenias during the genocide.

The whole western world sat and watched two decades of persecution that Armenians suffered which ended up becoming a genocide, even Russia who declared herself the protector of Ottoman Orthodox christians didn't move a finger. And those who managed to flee the country were not always welcome. See e.g. the autobiographical movie Mayrig.

... the whole western world was largely just dandy with oppression and genocide if it wasn't European-looking. Look at what Belgium did to the Congo, or what the UK did to China. Slavery had been verboten for a long while, but killing funny-looking or poor people wasn't so bad if it was out of sight.

Also, in 1915 when the Armenian genocide started, the western world was already locked in a bitter war with the Ottoman Empire. Did you want the infantry sent against Ottoman positions to be carrying banners saying "Okay, now we really mean it!"? Then after the war you had the major players exhausted, denuded of men, materials, and war chest.

Finally, there wasn't really a concept of a 'world cop' like there is in the Pax Americana... but even with the Pax Americana, there's plenty of places it ignores (eg see the five-year Second Congo War, ended this century, 5 million dead).

This picture that you're painting skips an incredible amount of context.

The persecution of the armenian started in 1880s, and it continued until 1915 came around.

The Congo Free State (= Belgian atrocities) started in the 1880s as well.

The Ottoman Empire was a world power up until the first world war - suggesting that other world powers should go to war against them because of how they treat people in their own sphere of influence is completely missing the context of the times.

Hell, it's even missing the context of the current times - how many western nations intervened in the annexing and oppression of the Crimean peninsula by Russia? What is the World Cop doing about the clear oppression of Tibetans by China? What is anyone doing about the plight of North Koreans under their murderous dictatorship? What about the Khmer Rouge in the 70s, where the World Cop actually backed the people doing the genocide?

Context is important.

They were definitely welcome in Bulgaria and the Balkans

in Syria as well

not to nitpick, but so far Ukrainians have been running from Ukraine to Russia - 2.6 mil since 2014 (https://en.wikipedia.org/wiki/Ukrainians_in_Russia)

Are you sure those are actual Ukrainians, and not just ethnical Russians with Ukrainian citizenship? Eastern Ukraine has a huge Russian minority.

>Are you sure those are actual Ukrainians, and not just ethnical Russians with Ukrainian citizenship?

Ans who said those aren't actual Ukrainians? Ukraine has been multi-ethnic for centuries...

>Eastern Ukraine has a huge Russian minority.

And has had for centuries, but it's seldom mentioned in stories about "Russia invading Crimea".

It's as if e.g. Baja California had 60% population of US ethnicity, Mexico's government was toppled to bring a coalition of anti-US parties in power (including actual neo-nazis, swastikas and all), and the US getting in Baja California to protect their citizens and their national interests and been called for it (not to mention that its somehow forgiven to do worse in Iraq and elsewhere, with actual deadly invasions, but Russia is called for intervening next to its borders and with Russian ethnicity population living there).

It's as if e.g. Baja California had 60% population

It's not 'as if' and you're regurgitating Russian propaganda and shallow whataboutism. The key issue is Russia invaded and annexed a piece of a sovereign country, a country whose territorial integrity it was bound to respect not just by international norms but a relatively recent treaty. It just isn't comparable.

>It's not 'as if'

Actually it is just like that. What part did you find unlike that? The "sovereignty"? Mexico, which I used as my example, is also sovereign. And the rest of the things are all true: Ukraine is directly in Russia's borders, it has areas with large ethnic Russian population, and it's legitimate government was toppled. Even the part about bona fide neo-nazis being part of the power coalition is true.

>and you're regurgitating Russian propaganda

No, I'm rather not force-fed with BS west propaganda for the events. (And I'm not Russian either, so it's not like I have a horse in the race. I just can't stand hypocrisy).

Russia is a 1000 pound bear, mostly minding its own business and border interests, and is blamed by a 10,000 pound King Kong who rampages all over the globe.

(USSR yes, it did pull the same kind of shit all around the globe too. But not today's minor player Russia).

>and shallow whataboutism.

Those that bring on "whataboutism" are the ones that are OK with one side doing all kinds of crap (even 10.000 miles away from it's borders, where it has no business to be, and with thousands of dead and total mayhem caused by its actions) but only criticize the other side for doing 1/100 as much -- and are quick to shout against whataboutism when that is pointed out to them.

It's like a murderer calling out a guy that merely slapped an annoying person -- and when called on it, he complains about "whataboutitsm".

it's legitimate government was toppled. Even the part about bona fide neo-nazis being part of the power coalition is true.

This is inaccurate and you can read pretty much any reporting that isn't from RT at the time that confirms that it is not.

No, I'm rather not force-fed with BS west propaganda for the events. (And I'm not Russian either, so it's not like I have a horse in the race. I just can't stand hypocrisy).

It's not hypocrisy. You are simply deeply misinformed and equating reliable sources and unreliable ones.

And I'm not Russian either

I am, if it helps you believe me. You have no idea what you're talking about. I don't think you can find a serious analyst of these issues, of any political leaning or ideological stripe who will not tell you this was aggression. It's killing people as we type. I get the desire to be a clear-eyed critic of the US but what you're doing is providing excuses for immoral things. You should reconsider doing that, I'll leave it at that.

"This is inaccurate <neo nazis being part of a government>"

if RT is not trustworthy, google "azov battalion" and click on images. more about its people and their role in government:


If America invaded Mexico I could get your point, but they didn't (so far, with Trump at the helm all bets are off).

Oh, and Ukraine is not within Russia's borders. The USSR died a while ago.

>If America invaded Mexico I could get your point, but they didn't (so far, with Trump at the helm all bets are off).

That's an analogy of something the US could do that it would be similar to the Crimea situation.

In real life they did much worse (just in the past 10-15 years): they invaded 2 countries (and bombed 8 or so), bombed them, occupied them, created hell-holes of fundamentalism and mayhem where functional states once stood -- and they did that 6000+ miles away from their borders, where they have no place to be, and no ethnic Americans to protect there to justify their actions.

>Oh, and Ukraine is not within Russia's borders. The USSR died a while ago.

Not sure if you even know the region. The two countries share miles upon miles of borders. Except if you took "within" to mean "surrounded" -- I mean "right there in their border".

Within means 'within'. Bordering on and sharing a border would be the right way to describe it. So no, Ukraine is not 'within' Russia by any definition just like Canada is not 'within' the USA and Germany is not 'within' the Netherlands.

and Crimea has a huge Russian majority, i guess that's why it fell off so easily.

i wish Ukrainians would be more inclusive and stop separating Ukrainians into "real" ones and ethnic "others", whose only link to Ukraine is the Ukrainian passport.

Here's what I want to know: what happens if I just spike my phone on the ground?

Congrats, you've established probable cause and likely done nothing but break your screen and mess up the phone casing.

That's a paddlin' (detention).

That means you just scored a touchdown! Congrats.

US Customs will sing you a song called "Punch you in the face." It's a classic.

This was comedy gold and you know it.

> 4,444 cellphones and 320 other electronic devices were inspected in 2015

And recently I'm hearing about this -- it largely went ignored during the previous administration but now it's a major concern, articles on HN, my Facebook feed, Reddit, ...

I had read about it on HN multiple times during the Obama administration too. As well as heard about it from the ACLU and EFF, as well as other places.

A HN post from 2014, with 258 upvotes, linking to an ACLU notice from 2014. https://news.ycombinator.com/item?id=6993995

That's just the first HN post I found, there were multiple other front-page HN posts over the past few years.

An EFF alert from 2013: https://www.eff.org/deeplinks/2013/08/unjustified-detention-...

A Mother Jones article from 2014: http://www.motherjones.com/politics/2014/06/how-fourth-amend...

The Committee to Protect Journalists in 2014: https://cpj.org/blog/2014/10/for-journalists-coming-into-us-...

If you're trying to make the point that there are _some_ people that are Democratic Party partisans and ignore civil and human rights violations from Democrats -- yes, there are, I agree, and it can be infuriating. But it's not everyone, it's not the ACLU, it's not the EFF, and it's not even representative of what stories got posted to and upvoted on HN during the Obama administration. Many of us have been paying attention to this issue unhappily for years.

I am hoping the upsurge in resistance to Trump means that more people have been activated to oppose much the same things when a future Democratic or "more reasonable" Republican administration tries them too.

Looks like I was wrong. Good thing to be wrong on.

If _you_ weren't paying attention to this issue until now, you'd have to ask yourself why not. :) Many of us have been.

The ACLU was fighting this under Obama, and some of the many millions of dollars they gathered from Trump opponents will be used to fight this and other causes under POTUS 46.

Good. We should care about this regardless if we like the administration or not.

If your border crossing strategy involves a wiped/clean/factorydefaults device, always, always, always put a zip bomb[1] in place.

Name it something helpful like "do_not_open_this_file.zip".

They can't say you didn't warn them ...

[1] https://en.wikipedia.org/wiki/Zip_bomb

And then get held for hours just to spite you? That doesn't seem worth it to me.

If the device is wiped anyway, why the zip bomb? Just to be rude?

You might think that's funny but the authority has plenty of power to fuck with you at their discretion. You just gave them probable cause to hold you for 24 hours by destroying potentially terrorist documents. Not quite 'dead right' level but certainly 'dumb right'.

In a world where thousands of people annually travel to some "freedom fighter" camps in order to get combat training, I very much agree that it is necessary to intensively screen travelers who return to their country of origin once they fit a certain heuristic.

As one single returnee who is not caught might actually cause dozens or hundreds of citizen deaths, there shouldn't be a screening exception for smartphones or computers.

We can all argue that the current heuristics / profiling methods are not good enough, but as an EU citizen I'd be glad if my government would actually be as straightforward about screening travellers as USCBP is. If travelers - citizens or not - want to return after learning to kill or taking part in some sort of criminal activities, or even announcing their support for such criminal activities in social media, they should be held accountable for their actions upon returning by strict border controls.

Why limit it to international travel? People can learn how to kill without leaving the country. We need random checkpoints set up on major highways (and occasionally on minor roads, just to ensure you can't reliably bypass them) to stop and search people to ensure they aren't up to anything nefarious.

Actually, it needs to go ever further. You can get up to a lot of trouble without even leaving your home. The police should conduct random searches of people's dwellings in order to combat this.

A lot of bad stuff is handled online, so of course we also need to search people's online activity as it happens. Since encryption gets in the way of this, we need to outlaw it, or at least mandate key escrow so the security services can observe the traffic.

Agreed. At the very least, we should be checking the Facebook account of anyone traveling to a state with a Planned Parenthood clinic in case there's evidence that they're a Fundamentalist Christian.

Ridiculous arguments don't foster rational debate. We know their are training camps abroad. We know there are no training camps within our borders. What if space aliens are controlling our leaders brains?

> We know there are no training camps within our borders

You're probably talking about US but for EU it might not be true, FWIW:


Though it might also be just Airsoft venues


> We know there are no training camps within our borders.

No training camps here:


What's ridiculous about them? We've seen plenty of home-grown terrorism. I'm not sure if searching social media profiles would ever have prevented an attack in the US, for example, whereas internal checkpoints and random house searches certainly could have.

> whereas internal checkpoints and random house searches certainly could have.

I upvoted your original comment because I am pretty sure it was meant as sarcasm. I certainly hope I am still correct on that assessment.

There was a time, not long ago, certainly within my memory and the memories of many others - when we as a country (the USA as well as other countries) looked down upon such activities as being wholly un-American and against our values. We looked on in fear and concern as we heard about what went on in Eastern European countries behind the Iron Curtain - where people risked their lives and freedom braving bullets and who-knows-what-else attempting to cross that divide.

Some even made it. And we cheered when the wall fell.


You are correct. The whole comment was intended as a reductio ad absurdum. I understand that sarcasm is tough to detect, though, so I can see why you might be worried!

I am serious that internal checkpoints and random house searches could have prevented past terrorist attacks, and would probably prevent future ones. I don't, however, think it's a worthwhile tradeoff, not even close.


We were attacked on 9/11, and our government succeeded in convincing many of us that the rights we were taking for granted were in fact making us vulnerable to an existential enemy within, and needed to be incrementally deconstructed in light of the "new normal."

Maybe no training camps of the Islamic extremist variety but there are for sure right wing militia groups operating training camps on American soil

I think this type of argument only comes from egocentric people. Nobody cares about what you are doing, and you will most likely not be screened. If you are arguing online about civil rights you are not exactly the type of person they are trying to catch at the border.

In my country of origin there is no way to train with military weapons. People travel to other places and learn it there, all while being indoctrinated to perform acts of terrorism.

When IT-driven heuristics determine that you fit that profile, society is better off when you are intensively screened and searched upon reentry.

I bet people can train with trucks in your country, right? We've seen that those can be potent weapons.

Why does your argument not apply to the other scenarios I listed? If I'm unlikely to be screened at the border, then surely I'm unlikely to be screened at an internal checkpoint, or to have my house searched. I'm not likely to suffer from government key escrow.

The only thing that's ridiculous is making arguments for border searches that apply just as well inside the country, and then crying foul when I point that out.

These kinds of searches are also needed within the country, but the profiling heuristics can be implemented much better at centralized border crossings.

As I said, your profile obviously does not fit that of a terrorist, and I can tell that from two comments on hacker news.

If someone with a criminal record travels a wartorn country for 8 weeks they better be thoroughly searched when they come back and monitored afterwards.

Actual trained terrorists with experience at an organized training camp aren't going to have any actionable material on a laptop or cell phone. You have to be able to identify the dangerous citizens by other means.

Based on the practical anti-terrorism experience of the agencies involved it seems that a lot of people are actually bringing actionable material with themselves.

The procedures performed by border agents give different puzzle pieces of the whole picture. When researching crime rings you always need to look at communication pathways, much of that information is stored on the smartphones. Why not pick it up when people are actually bringing it with them?

False. It happens more often than you believe.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact