British travellers to the United States face the uncomfortable choice of handing over personal information, including social media passwords and mobile phone contacts, or running the risk of being denied entry to the country, under a new “extreme vetting” policy being considered by the Trump administration.
Tourists from the UK and other US allies including Germany and France, could be forced to reveal personal data, as well as disclose financial information and face detailed ideological questioning, according to Trump administration officials quoted by the Wall Street Journal. While US citizens have established rights against unlawful searches at the border, the extent to which foreign travellers can resist requests to hand over personal information is unclear.
The US customs and border patrol told the Guardian: “All international travellers arriving to the US are subject to US Customs and Border Protection (CBP) inspection. This inspection may include electronic devices such as computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players and any other electronic or digital devices.
“Keeping America safe and enforcing our nation’s laws in an increasingly digital world depends on our ability to lawfully examine all materials entering the US,” it added. The CBP said it strives to process arriving travellers as efficiently and securely as possible while ensuring compliance with laws and regulations governing the international arrival process. It did not answer specific questions about social media accounts and devices.
The UK Foreign Office declined to provide any advice to British travellers, referring the Guardian only to its general foreign travel advice page for the US, which contains no information on digital privacy at the border.
The Electronic Frontier Foundation, a US nonprofit which campaigns for digital civil rights, advises travellers: “Border agents cannot deny a US citizen admission to the country. However, if a foreign visitor declines, an agent may deny them entry.
The group’s digital privacy guide continues: “If a foreign visitor refuses a border agent’s demand to unlock their digital device, provide the device password, or provide social media information, and the agent responds by denying entry, the foreign visitor may have little legal recourse.”
Nate Wessler, a staff attorney with the American Civil Liberties Union, explained: “A lot of the difficulties here come from the burden of proof. For US citizens, they have an absolute right to enter; for permanent residents, the burden is on the government to prove they have become inadmissable for entry.
But for visa holders, the burden is on the traveler to show that they are admissible to the US. That means there’s a risk that if someone is asked for a device and refuses, the agent may deem that refusal a failure to meet that burden of proof.”
Mitigation efforts may help limit the exposure of individual travellers. The EFF recommends travellers minimise the data they carry across the border, by not carrying non-essential devices, deleting sensitive information before travelling, and shifting some data to cloud services. Changing any passwords after they have been handed over, and securely resetting devices after they have been accessed and potentially compromised by CBP, can also prevent long-term data insecurity. Wessler adds: “The best protections will be practical ones rather than legal ones, and travellers should think about how much data and what devices they’re carrying with them.”
More complex mitigation efforts have similarly been proposed by information security experts. A passenger could before travelling change passwords to random, impossible to memorise, strings, and not install a password manager on any devices crossing the border. Additionally, turning on two-factor authentication on social media accounts prevents them being accessed with the password alone.
However, the discretion that border agents have over whether to allow foreign citizens entry to the US, particularly those without permanent residency, makes any such effort risky. If mitigation attempts are seen as suspicious in themselves, they may be cited as a reason to delay or deny entry.
Some may find that risk worth taking, however. In January, Susan Hall, head of technology and intellectual property team partner at law firm Clarke Willmott, advised the firm’s lawyers not to comply with requests for social media information. Hall told the Guardian: “Given the degree of discretion given to US Border forces by relevant legislation, it appears to me quite clear that all options – choosing a burner phone, using heavy encryption with the password only being supplied after the traveller has entered the US, and changed prior to leaving and so forth – risk creating a catch-22 situation in which any attempt to mitigate the effects of the procedures are likely to be interpreted as ‘probable cause’ for searching.
“In the short to medium term, I think the answer is going to be avoiding all but absolutely essential travel to the United States,” Hall added. “I’m aware of at least one conference on cyber security and ethical hacking which switched to Toronto at short notice because of these concerns.”
One specific action foreign travellers can take before flying is to fill in a US Citizenship and Immigration Services form G-28, which allows a traveller to nominate an attorney to represent them if they are detained. Without the form, it can be difficult for travellers to access legal representation while held at the border.