How to legally cross a US (or other) border without surrendering your data and passwords
The combination of 2014’s Supreme Court decision in Riley (which held that the data on your devices was subject to suspicionless border-searches, and suggested that you simply not bring any data you don’t want stored and shared by US government agencies with you when you cross the border) and Trump’s announcement that people entering the USA will be required to give border officers their social media passwords means that a wealth of sensitive data on our devices and in the cloud is now liable to search and retention when we cross into the USA.
On Wired, Andy Greenberg assembles some best-guess advice on the legal and technical strategies you can deploy to maintain the privacy of your sensitive data, based on techniques that security-conscious travelers have arrived at for crossing into authoritarian countries like China and Russia.
The most obvious step is to not carry your data across the border with you in the first place: get a second laptop and phone, load them with a minimal data-set, log out of any services you won’t need on your trip and don’t bring the passwords for them (or a password locker that accesses them) with you, delete all logs of cloud-based chat services. I use POP mail, which means that I don’t keep any mail on a server or in a cloud, so I could leave all my mail archives at home, inaccessible to me and everyone else while I’m outside of the USA or at the border.
Call your lawyer (or a trusted friend with your lawyer’s number) before you cross the border, then call them again when you’re released; if they don’t hear from you, they can take steps to ensure that you have crossed successfully, or send help if you need it.
One thing Greenberg misses is the necessity of completing a US Customs and Immigration Service Form G-28 before you cross the border. This form authorizes an attorney to visit you if you are detained at the border, but it has to be completed and signed in advance of your crossing. It also should be printed on green paper. The current version of the form expires in 2018, so you can complete it now, file it with your attorney or friend, and leave it until next year.
Remove any fingerprint-based authentication before you cross and replace them with PINs. Greenberg’s experts recommend using very strong passwords/PINs to lock your devices. I plan on a different strategy: before my next crossing, I’ll change all of these passwords/PINs to 0000 or aaaaaaaa, so that I can easily convey them to US border officials and they can quickly verify that I have no sensitive data on any of my devices. Once I have successfully crossed, I’ll change these authentication tokens back to strong versions.
Another thing missing from this advice (possibly because it’s viewed as obvious, but I think it bears stating): never, ever lie to border officials. Lots of privacy tools include “plausible deniability” partitions and similar ruses to allow you to login to what appears to be all the data on your device, but using these to attempt to deceive border guards is radioactively illegal and fantastically stupid. I have never – and will never – lie or shade the truth with border officials, because the penalties for lying at the border are generally significantly worse than whatever you’re trying to keep to yourself. In the wake of Riley, and in the current authoritarian climate, the way to keep a government from using a border-crossing as a basis for acquiring your sensitive data without a warrant is to make sure that you do not possess, and cannot access, your data at a border.
https://boingboing.net/2017/02/12/how-to-cross-a-us-or-other-b.html