This directive was issued in January of this year, what is relevance of being posted today?
I love all the instances where it says, we will not do this or infringe in this way... unless it is a matter of national security, which we don't have to disclose to you. So basically, do what you want as long as you write it up properly.
And this part:
5.3 Review and Handling of Passcode-Protected or Encrypted Information
5.3.1 Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If presented with an electronic device that is protected by a passcode, encryption, or other security mechanism, an officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents. Passcodes or other means of access may be requested and maintained for the duration of the search if needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device that is being inspected or has been detained, seized, or retained in accordance with this Directive.
I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing. That goes against the obligated to present devices in a condition that allows inspection portion.
> I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing.
Does that apply to non-citizens? If a CBP officer doesn't like you as a non-citizen, like your lack of cooperation during an interview, they could just deny your visa and your entry into the US. If you're a citizen, they can't deny your re-entry. They can delay you for however long and ruin your day and even keep your devices, but you get to go home.
It ONLY applies to citizens. The CBP cannot deny an American citizen entry into the country for any reason. They cannot compel a citizen to unlock their devices. All bets are off for non-citizens, sadly.
They can't prevent you from entering the country. You do not have an unlimited right to bring items into the country with you, though. They can absolutely prevent you from bringing your phone across the border if you decline to unlock it
Actually, I'm not sure they can compel non-citizens. If you want in, you might have to give them the keys. But if you would rather not enter, would they compel on pain of imprisonment?
>> I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device
>Does that apply to non-citizens? If a CBP officer doesn't like you as a non-citizen, like your lack of cooperation during an interview, they could just deny your visa and your entry into the US.
That's exactly what "you could not be compelled to unlock an encrypted device" means? You won't get sent to the gulag for refusing to, but entry into the US was always conditional with very little room for recourse if the border agent doesn't like you.
You don't "have to", but they can deport you and refuse entry in the future in retaliation. It's a variant of the TSA not being able to "compel" you to a search, but they can refuse you from flying.
The premise (non-citizen) is in the question and doesn't need to be repeated. C'mon, this isn't grade school where you have to answer questions by first restating the question in its entirety.
No, but even in grade school, the teacher would get the student to actually answer the question when it is clearly being evaded. Or maybe put the student's name on the board for wasting everyone's time for being obstinate.
I think assuming that the CBP will adhere to the law is based on a pretty outdated mindset. I'd say at least since the current management, but more likely since 9/11...
I'd even call it a delusional mindset. For context, CBP and ICE were both formed in 2003. Jenn Budd has several books on this topic if you want to understand why a growing number of people want to abolish CBP, ICE, and even the entire DHS, which itself was formed only a year prior in 2002. These are very recent organizations in our nation's history, and if we're fine putting things like the Dpt of Education on the chopping block, why not DHS?
They can't compel you to decrypt anything, and powering down is a good idea.
There are consequences for not decrypting, though: for a U.S. citizen, they can seize your stuff for up to 5 days. For non-citizens, they can elect to not let you in.
Concerning "obligated", I would point out that regulations aren't laws. Governing bodies can say whatever they want, but that doesn't make it so. For instance, the TSA continues to publicly insist that ID (especially "Real" ID) is required to fly within the U.S., but it's not.
"For instance, the TSA continues to publicly insist that ID (especially "Real" ID) is required to fly within the U.S., but it's not."
Explain, please, because you seem to be implying that someone can board a plane from New York to LA without being legally required to show any identification.
Further down, paragraph 5.3.3 says they could detain your phone if they could not bypass the passcode. What are they checking. How many times I read memes making fun of El Leader?
It's wild, I have worked internationally for a long-time and the rule when going to certain countries was bring a burner device. Going to China essentially meant the device was nuked on return to the States, now it is the same feeling to/from the US.
Governments maintain formal lists of countries for these types of things. I think people would be surprised how many diverse countries are on the formal lists. A number of European countries have been on them for years.
I've binge watched enough Australian Border Patrol videos to know that:
1. You don't fuck around with Australian customs agents. Ever.
2. They make every other country look like complete lightweights, Americans and EU included. These guys will fine you AU $500 for half an eaten apple in your bag.
They may fine you for attempting to import a plant, but they won't imprison you in El Salvador for having liked a meme they don't like on US social media.
They're fined because they lied on their declaration forms. Our customs agents are generally pretty fair and reasonable, but they do take their jobs very seriously.
Tip for travelers to Australia/New Zealand: If you have something that is stated on the declaration form, just answer yes. Provided it's not some totally illegal substance, they'll inspect the items and if it's not allowed past the border it'll be seized without penalty. Someone will correct me if I'm wrong, but I believe in some few cases, you can even pick it up on your return.
If it's something like large amounts of cash, goods, alcohol or cigarettes, you may have to pay a tax or import fee and answer a few questions. Just don't be a dimwit.
Yes, it's a basic function of any customs and quarantine organisation. Australian Border Force don't care if you have memes mocking our PM or DJT. Inspection of electronic devices only happens when there's evidence of a crime.
Read the stories about people who actually have this happen. You can usually figure out why they are targeted. That may not be just. But it is.
Customs agents are always given broad discretion and generally care about something.
Most normal folks will never intact with these issues. The last time I travelled internationally, they weren’t even doing secondary customs screening upon return to the US.
Someone should make an app to offload all your data to a personal cloud before going to the airport and then reload it into the phone after going through customs
In the case of Apple, couldn't you reset the phone, sign in to a backup iCloud account, and then repeat the process with your real account once you're clear? Not a fast process, but most people have GBs of personal data so nothing would be quick anyways.
In theory that could work (although I have never owned an iPhone) but usually there is stuff that doesn't backup (specially settings for apps, logged accounts, etc.) and it becomes tedious to have to sign in manually.
Ideally we should be able to just snapshot everything and then restore from that state. Kind of like EC2 or Digital Ocean
It's impossible to log in with just a password, you need to okay it on an Apple device. If ICE has that Apple device and a person who knows the password they can do the same.
Also they'll detain you for having a suspicious burner phone and interrogate you about your social media etc.
Google cloud backup has never done this for me. It seems like it'll restore a whole lot of stuff, but details like getting my Nova Launcher screen back (version pinned to before it was sold - alternatives just aren't good enough yet) or a bunch of the little logins and details has never done it for me.
Going to China means your devices are owned when the plane touches down if not before. That’s why you bring a burner device (including laptop and anything else), never log into anything, and throw it in the trash when you leave.
>Going to China means your devices are owned when the plane touches down if not before.
???
Are American made operating systems (Android, iOS, Windows, Mac) so full of 0days that the Chinese are burning them on random travelers? This just feels like either severe paranoia and/or chinese/american psyop, making people think that China has some magic hacking power.
I wouldn't say your devices are owned, but you should expect being monitored and your communications being recorded.
You could make an argument about the security of the modem of your devices, as that was often a target due to it not being particularly secure and it having wide access to your device, but I believe that started changing some years ago when this started being a more widely reported issue.
Protections at the U.S. border and within the U.S. are actually pretty good. Much of Europe isn't as good. Hell, the British will throw you in jail for refusing to unlock.
For GDPR reasons alone it's probably not a good idea to take a business phone across certain borders. You run the risk of disclosing customer data to a 3rd party, if only because the customer data in your phone book counts as PII.
So long as only a few countries are doing this, it might seems doable. If everyone starts doing it, international travel becomes rather annoying to say the least. Realistically I think at some point a detente might want to be reached, with everyone agreeing not to search everyone else's electronics.
>For GDPR reasons alone it's probably not a good idea to take a business phone across certain borders. You run the risk of disclosing customer data to a 3rd party, if only because the customer data in your phone book counts as PII.
Law enforcement refers to EU member states law enforcement and processing by them in their context. But even in the EU controller needs legal basis to disclose personal data to law enforcement inside the EU. Normally that is handled by local law, but it's not carte blanche, that law still needs to take e.g. rights granted by EU Charter in account.
Search by border officers may very well be GDPR breach for that controller if there was data of EU data subjects, but I don't think there is currently any case law around it.
>China installs malware to spy on you. The US doesn't do this.
Source? Are we talking on random travelers, or targeted individuals? I seriously doubt china is doing the former, and I also seriously doubt the US doesn't engage in the latter.
I believe in politically sensitive areas like Xinjiang it happens to everyone. A past employer gave specific advice regarding Hong Kong as well.
I think the key thing as a traveller isn’t the righteousness of China vs. US. It’s the chilling effect on travel and trade.
We really depend on these devices that have access to vast scopes of personal and other data. That sexy text you got a year ago is still in your text message store and may be a problem in some places.
If we're talking about targeted hacks, are we sure the US doesn't do this? Is US soil off limits for hacks somehow? What plausible exploits could be done when someone is on US soil, but not over the internet, especially on modern phones where the baseband is isolated?
Don't think this is anything new? Have seen various cases from years ago where they searched texts to determine if the person was planning on working or visiting.
They will be disruptive to your life if you, as a U.S. citizen, refuse to unlock your phone on the U.S. border. But it is my understanding they cannot constitutionally mandate you provide a passcode to unlock your phone. But they may confiscate your phone from you.
It's notable in that I've seen an increasing number of companies where employees are essentially given a thin client to connect to a remote server for work, and are sometimes even prohibited from transferring that data out of that environment to the local machine.
Yeah that’s really critical if you use O365, as the encryption terminates in each local jurisdiction and is in cleartext on that front end device. So if you connecting in Germany, you’re hitting a front end in Germany or at least the EU, and so forth.
One easier way to do that is to use a Chromebook Public Session with a VPN, then connect to SaaS or a hosted desktop in your jurisdiction.
We need a constitutional amendment that says "we really mean it" with respect to the 4th and 9th amendments, explicitly including personal digital data and criminalizing general surveillance. With fangs.
We really need a concept of tenancy in a digital context.
Your personal papers are perfectly safe and subject the fourth amendment protections in your rented apartment. But most digital materials are considered to have been shared with a third-party if you store them on Google Drive.
My feeling about this stuff personally is that the biggest issue is that stuff that happens in electronic devices is different in a modern sense than what anyone intended in the past. If you could figure out a way to make my personal property as it exists on a foam or another device, the same as the personal property that’s in my desk at home or the trunk of my car then technology would be able to solve a lot of these problems. I think the custom thing is a more nuance conversation. I don’t understand the theory of it enough, but intuitively it seems ridiculous that a CBP officer has the ability to legally go through 30 years of my pictures in my Apple album because I happen to be crossing a border.
The collection act originally was intended to apply to merchandise and merchant ports. The concept was judicially expanded upon in 1925 but wasn't fully ensconced into federal law until 1952.
At actual border crossings, the practice at the time of the framers was that warrantless searches/inspections at border crossings were normal and permissible.
When you enter Tibet, Chinese Border Patrol (heh!) will go through your photo album looking for images of the Dalai Lama. If you have a picture of yourself wearing a "Free Tibet" t shirt they will delete it. That's about it.
A friendly reminder that the CBP has decreed itself to have authority within 100 miles of any US border, as that it is its interpretation of "a reasonable distance" from said border.
That basically encompasses two thirds of the population.
The last two years have demonstrated a radical need to curtail that range of authority and shift from it being vaguely specified to a concrete legislative specification.
Even ten miles seems (pardon the pun) borderline excessive. There is no reason CBP can't hand off stuff to local, county, state, or federal domestic law enforcement. We have no shortage whatsoever of law enforcement in this country and they're able to communicate inter-agency better than ever via cell phone, tools like slack/teams, text messages, email, and long distance digital radio systems.
Maybe in the 1950's when all they had were shitty radios given them that sort of range was appropriate. Not anymore.
This is false. It's an old fundraising claim used by the ACLU; they have since set up pages backing away from it (because convincing people in the US that they don't have rights they do in fact have is not good civil liberties advocacy). There's direct SCOTUS precedent on this.
There's a 100 air mile border definition that's material to immigration enforcement (with complicated limitations). It does not determine where searches under the border search exception can occur.
Nobody disputes that border searches are constitutional at the functional equivalents of the border; if you fly in from Canada and land in Tulsa, Tulsa includes a de jure international border.
The dispute (it's not really a dispute, there's a line of SCOTUS precedent explicitly about this question) is whether a 25-100 mile zone extends outwards the airport customs gates. No.
> 5.1.3 An officer may conduct a basic search of an electronic device with or without suspicion,
subject to the requirements and limitations provided herein and applicable law.
> 5.1.4 An officer may perform an advanced search of an electronic device only in instances in
which there is reasonable suspicion of activity in violation of the laws enforced or administered
by CBP or, in the absence of individualized reasonable suspicion when there is a national
security concern.
In this climate, the qualifiers in 5.1.4 should be assumed to apply 100% of the time.
So, if you bring a device, be prepared to either unlock it and hand it over to be mirrored or abandon it and deal with whatever consequences fall out of that decision.
I'm probably never leaving this shithole again but, if I do, I'm coming and going empty-handed.
I love all the instances where it says, we will not do this or infringe in this way... unless it is a matter of national security, which we don't have to disclose to you. So basically, do what you want as long as you write it up properly.
And this part: 5.3 Review and Handling of Passcode-Protected or Encrypted Information 5.3.1 Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If presented with an electronic device that is protected by a passcode, encryption, or other security mechanism, an officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents. Passcodes or other means of access may be requested and maintained for the duration of the search if needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device that is being inspected or has been detained, seized, or retained in accordance with this Directive.
I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing. That goes against the obligated to present devices in a condition that allows inspection portion.
reply