Keeping your privacy while crossing the border

When I first wrote my Privacy 101 post, I thought it might be a little overkill for most regular people, but we're about three months into the new regime and I'm now having to update to stricter advice.

It's been widely reported that people returning to the US from international travel are being stopped by CBP and having their devices searched, regardless of whether or not they are citizens or green card holders. I wrote in my previous post that you cannot be compelled to give up your password to your device, but if you go this route, you risk having your device(s) confiscated and being denied entry to the US.

Instead, I will tell you what I plan on doing for my next trip (and I'm happy to note that this Wired article had very similar recommendations). Some disclaimers:

1. I am not a lawyer, and I have not had an opportunity to test this in the real world. This is just advice culled from different sources online, including lawyers and journalists, that I plan on taking.
2. These are loose guidelines meant for regular degular low-profile people who are just trying to gain entry as smoothly as possible. If you are an activist, journalist, or are otherwise a target of the administration, I urge you to look into stronger safeguards and have a lawyer. This is probably not enough.
3. Finally, this advice is intended to only address the issue of coming back into the United States – NOT for traveling to another country where your digital privacy might be violated. That is beyond the scope of this post.

Best practice: Use a dedicated device for international travel and leave your primary devices at home.

The second part (leaving your real devices at home) is more important than the first, primarily because Customs is a liminal space that's not actually inside the US, where your regular rights don't apply and they might just search everything on you.

The real point of the dedicated device is to give you a way to make and receive calls for a temporary period, and that's it. This means no social media or email or anything else. But that's a tall, unrealistic expectation for 2025 – people are going to take photos on their trip with their phone, and they'll want to post those photos while they're vacationing, I get it.

So in this 2025 scenario where you're still a regular person who's just going on vacation but wants to maintain a little privacy, here's the protocol:

1. Use one of your old phones, or a really cheap phone, with a throwaway SIM. The best option is obviously a dumb phone, but I'm assuming no one wants to deal with that.
2. The temporary number from your throwaway SIM is only for people who might need to reach you in an emergency.
3. Do not log into your regular iCloud or Google account on this phone. If you must log into an account to sync photos, use a new, clean account that will only be used for the duration of your trip, and do not keep any sensitive data on it.
4. Do NOT set up biometrics on the phone while you're traveling. That means no FaceID or TouchID. Set up a passcode to your phone (make it as long as you can remember).
5. Use Signal to text message, and go to Signal's settings to force the messages to delete after a certain amount of time, like an hour. (The recent scandal should be a testimony to how secure it can be, as long as you don't accidentally add strangers to your group text like a bobo.)
6. If you have logged into any of your primary cloud accounts while on your trip, back up whatever needs to be backed up, and LOG OUT AND REMOVE DATA before leaving for the airport for your return flight.
7. If you are going to use social media apps while on your trip, DELETE these apps from your phone before leaving for the airport.
8. Power down your phone before you get to CBP.

Rationale: You can do everything right that day and they can still just decide to confiscate your device, and we don't really know the tools available to law enforcement to get into your phone. Maybe they can crack your phone, maybe they can't.

If you travel with a burner phone, then at least it's not your primary device being searched or confiscated, but again, this precaution relies on you leaving your primary devices at home and ensuring you do not leave any of your data on the travel device. No officer, I only use this device to call and text my family. No officer, I am old and washed and have no social media.

The other option: back up your phone and erase everything before transport.

This is being floated as a good enough option, but you still run the risk of CBP just taking your phone. I don't feel great about this, but if you don't have access to a spare device, this is what I'd recommend doing with your primary phone.

1. Before embarking on your trip (meaning when you're still at home) back up all of your current data to the cloud.
2. Erase your phone/restore it to factory settings.
3. Set up your phone as new and log into a new, clean iCloud or Google account, which you will use for the duration of your trip.
4. Follow steps 3-8 above.
5. Restore your phone to your last, pre-travel backup when you get home.

If you must travel with a laptop...

My best advice is that if you have any data on your machine that can get you in trouble (and in today's landscape, that can mean a lot of seemingly innocuous things – photos, downloaded media, bookmarks to websites not approved by the administration like MSNBC probably), leave your laptop at home.

If you're traveling for business and/or otherwise need to keep it on you, my best suggestion would be to back everything up to cloud and log out of your accounts before crossing the border. Clear all history and cache, and delete all sensitive data from your machine and redownload it when you get home.

If your 9-5 job is sending you abroad and you are traveling with their equipment, I strongly feel this is something you should bring up with your cybersecurity team and leadership. They should understand that this is a possibility, and should advise on what employees should do if they are traveling with trade secrets, personally identifiable information or personal health information, or any other sensitive data that can affect the business. If nothing else, corporations should understand that CBP is messing with their money too.

Anyway, I'm hoping this is enough to get each of us home safely from our travels with the least amount of fuss, and I hope you all find this helpful. The problem is, if there's no due process – if a CBP officer can just tell you that you're not a citizen and act accordingly– then it doesn't really matter what kind of precautions you take, unfortunately.