Wessler advises travelers to ensure their operating systems on both laptops and phones are up to date before crossing borders. This is due to the possibility that Customs and Border Protection (CBP) could exploit unpatched vulnerabilities in these devices using tools like Cellebrite or GrayKey, allowing access without the user’s permission. Wessler notes that devices with operating systems that are not current may be particularly susceptible, whereas the latest versions may offer more protection.
American citizens are not legally obligated to disclose passwords for social media accounts or encrypted devices, according to the ACLU’s Wessler. Those who refuse to provide such information might face detention and have their devices confiscated for extended periods, potentially being sent to forensic facilities. However, they are expected to eventually continue on their journey with their privacy more intact. Wessler emphasizes that this protection also extends to green card holders, despite concerning treatment of some foreign permanent residents in certain instances.
Refusing to grant customs officials access can result in prolonged detentions in a CBP facility. Legal rulings in some U.S. states and airports have set limitations on what CBP can do regarding device access, but there remains little assurance that these will be adhered to without direct oversight if an agent has possession of the device.
CBP outlines two types of device searches: a basic search involving manual review, and an advanced search where a device is connected to external equipment for a more thorough examination. The latter requires “reasonable suspicion” of criminal activity. While the agency does not explicitly require individuals to reveal passwords, it indicates that devices must be presented in a way that allows for inspection. If a device cannot be accessed due to encryption or security measures, it might be subject to exclusion, detention, or other actions.
For international visitors to the U.S., the situation is more complex. Those arriving on a visa or from a visa-waiver country may face entry denial if they refuse to provide a passcode or PIN. Wessler suggests that individuals must weigh the importance of entering the country against maintaining their privacy.
To protect sensitive information, vulnerable travelers are advised to minimize the data they carry. Setting up travel devices that contain minimal sensitive data and using unique usernames and passwords for accounts created for these devices can reduce exposure. Some security experts propose creating secondary social media personas for customs interactions while keeping a primary account confidential. However, if CBP agents discover a hidden account linked to a traveler’s identity, it may result in longer detentions or entry denial for noncitizens.
