This directive was issued in January of this year, what is relevance of being posted today?
I love all the instances where it says, we will not do this or infringe in this way... unless it is a matter of national security, which we don't have to disclose to you. So basically, do what you want as long as you write it up properly.
And this part:
5.3 Review and Handling of Passcode-Protected or Encrypted Information
5.3.1 Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If presented with an electronic device that is protected by a passcode, encryption, or other security mechanism, an officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents. Passcodes or other means of access may be requested and maintained for the duration of the search if needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device that is being inspected or has been detained, seized, or retained in accordance with this Directive.
I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing. That goes against the obligated to present devices in a condition that allows inspection portion.
> I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing.
Does that apply to non-citizens? If a CBP officer doesn't like you as a non-citizen, like your lack of cooperation during an interview, they could just deny your visa and your entry into the US. If you're a citizen, they can't deny your re-entry. They can delay you for however long and ruin your day and even keep your devices, but you get to go home.
It ONLY applies to citizens. The CBP cannot deny an American citizen entry into the country for any reason. They cannot compel a citizen to unlock their devices. All bets are off for non-citizens, sadly.
>> I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device
>Does that apply to non-citizens? If a CBP officer doesn't like you as a non-citizen, like your lack of cooperation during an interview, they could just deny your visa and your entry into the US.
That's exactly what "you could not be compelled to unlock an encrypted device" means? You won't get sent to the gulag for refusing to, but entry into the US was always conditional with very little room for recourse if the border agent doesn't like you.
You don't "have to", but they can deport you and refuse entry in the future in retaliation. It's a variant of the TSA not being able to "compel" you to a search, but they can refuse you from flying.
I think assuming that the CBP will adhere to the law is based on a pretty outdated mindset. I'd say at least since the current management, but more likely since 9/11...
It's wild, I have worked internationally for a long-time and the rule when going to certain countries was bring a burner device. Going to China essentially meant the device was nuked on return to the States, now it is the same feeling to/from the US.
Governments maintain formal lists of countries for these types of things. I think people would be surprised how many diverse countries are on the formal lists. A number of European countries have been on them for years.
Read the stories about people who actually have this happen. You can usually figure out why they are targeted. That may not be just. But it is.
Customs agents are always given broad discretion and generally care about something.
Most normal folks will never intact with these issues. The last time I travelled internationally, they weren’t even doing secondary customs screening upon return to the US.
Someone should make an app to offload all your data to a personal cloud before going to the airport and then reload it into the phone after going through customs
In the case of Apple, couldn't you reset the phone, sign in to a backup iCloud account, and then repeat the process with your real account once you're clear? Not a fast process, but most people have GBs of personal data so nothing would be quick anyways.
Going to China means your devices are owned when the plane touches down if not before. That’s why you bring a burner device (including laptop and anything else), never log into anything, and throw it in the trash when you leave.
>Going to China means your devices are owned when the plane touches down if not before.
???
Are American made operating systems (Android, iOS, Windows, Mac) so full of 0days that the Chinese are burning them on random travelers? This just feels like either severe paranoia and/or chinese/american psyop, making people think that China has some magic hacking power.
For GDPR reasons alone it's probably not a good idea to take a business phone across certain borders. You run the risk of disclosing customer data to a 3rd party, if only because the customer data in your phone book counts as PII.
So long as only a few countries are doing this, it might seems doable. If everyone starts doing it, international travel becomes rather annoying to say the least. Realistically I think at some point a detente might want to be reached, with everyone agreeing not to search everyone else's electronics.
>For GDPR reasons alone it's probably not a good idea to take a business phone across certain borders. You run the risk of disclosing customer data to a 3rd party, if only because the customer data in your phone book counts as PII.
>China installs malware to spy on you. The US doesn't do this.
Source? Are we talking on random travelers, or targeted individuals? I seriously doubt china is doing the former, and I also seriously doubt the US doesn't engage in the latter.
I believe in politically sensitive areas like Xinjiang it happens to everyone. A past employer gave specific advice regarding Hong Kong as well.
I think the key thing as a traveller isn’t the righteousness of China vs. US. It’s the chilling effect on travel and trade.
We really depend on these devices that have access to vast scopes of personal and other data. That sexy text you got a year ago is still in your text message store and may be a problem in some places.
If we're talking about targeted hacks, are we sure the US doesn't do this? Is US soil off limits for hacks somehow? What plausible exploits could be done when someone is on US soil, but not over the internet, especially on modern phones where the baseband is isolated?
Don't think this is anything new? Have seen various cases from years ago where they searched texts to determine if the person was planning on working or visiting.
They will be disruptive to your life if you, as a U.S. citizen, refuse to unlock your phone on the U.S. border. But it is my understanding they cannot constitutionally mandate you provide a passcode to unlock your phone. But they may confiscate your phone from you.
It's notable in that I've seen an increasing number of companies where employees are essentially given a thin client to connect to a remote server for work, and are sometimes even prohibited from transferring that data out of that environment to the local machine.
Yeah that’s really critical if you use O365, as the encryption terminates in each local jurisdiction and is in cleartext on that front end device. So if you connecting in Germany, you’re hitting a front end in Germany or at least the EU, and so forth.
One easier way to do that is to use a Chromebook Public Session with a VPN, then connect to SaaS or a hosted desktop in your jurisdiction.
We need a constitutional amendment that says "we really mean it" with respect to the 4th and 9th amendments, explicitly including personal digital data and criminalizing general surveillance. With fangs.
The collection act originally was intended to apply to merchandise and merchant ports. The concept was judicially expanded upon in 1925 but wasn't fully ensconced into federal law until 1952.
A friendly reminder that the CBP has decreed itself to have authority within 100 miles of any US border, as that it is its interpretation of "a reasonable distance" from said border.
That basically encompasses two thirds of the population.
The last two years have demonstrated a radical need to curtail that range of authority and shift from it being vaguely specified to a concrete legislative specification.
Even ten miles seems (pardon the pun) borderline excessive. There is no reason CBP can't hand off stuff to local, county, state, or federal domestic law enforcement. We have no shortage whatsoever of law enforcement in this country and they're able to communicate inter-agency better than ever via cell phone, tools like slack/teams, text messages, email, and long distance digital radio systems.
Maybe in the 1950's when all they had were shitty radios given them that sort of range was appropriate. Not anymore.
This is false. It's an old fundraising claim used by the ACLU; they have since set up pages backing away from it (because convincing people in the US that they don't have rights they do in fact have is not good civil liberties advocacy). There's direct SCOTUS precedent on this.
There's a 100 air mile border definition that's material to immigration enforcement (with complicated limitations). It does not determine where searches under the border search exception can occur.
> 5.1.3 An officer may conduct a basic search of an electronic device with or without suspicion,
subject to the requirements and limitations provided herein and applicable law.
> 5.1.4 An officer may perform an advanced search of an electronic device only in instances in
which there is reasonable suspicion of activity in violation of the laws enforced or administered
by CBP or, in the absence of individualized reasonable suspicion when there is a national
security concern.
In this climate, the qualifiers in 5.1.4 should be assumed to apply 100% of the time.
So, if you bring a device, be prepared to either unlock it and hand it over to be mirrored or abandon it and deal with whatever consequences fall out of that decision.
I'm probably never leaving this shithole again but, if I do, I'm coming and going empty-handed.
53 comments:
This directive was issued in January of this year, what is relevance of being posted today?
I love all the instances where it says, we will not do this or infringe in this way... unless it is a matter of national security, which we don't have to disclose to you. So basically, do what you want as long as you write it up properly.
And this part: 5.3 Review and Handling of Passcode-Protected or Encrypted Information 5.3.1 Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If presented with an electronic device that is protected by a passcode, encryption, or other security mechanism, an officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents. Passcodes or other means of access may be requested and maintained for the duration of the search if needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device that is being inspected or has been detained, seized, or retained in accordance with this Directive.
I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing. That goes against the obligated to present devices in a condition that allows inspection portion.
> I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device, which is why I always powered mined down before crossing.
Does that apply to non-citizens? If a CBP officer doesn't like you as a non-citizen, like your lack of cooperation during an interview, they could just deny your visa and your entry into the US. If you're a citizen, they can't deny your re-entry. They can delay you for however long and ruin your day and even keep your devices, but you get to go home.
It ONLY applies to citizens. The CBP cannot deny an American citizen entry into the country for any reason. They cannot compel a citizen to unlock their devices. All bets are off for non-citizens, sadly.
>> I had thought (and Supreme Court ruled) you could not be compelled to unlock an encrypted device
>Does that apply to non-citizens? If a CBP officer doesn't like you as a non-citizen, like your lack of cooperation during an interview, they could just deny your visa and your entry into the US.
That's exactly what "you could not be compelled to unlock an encrypted device" means? You won't get sent to the gulag for refusing to, but entry into the US was always conditional with very little room for recourse if the border agent doesn't like you.
Not really sure what you're arguing, but it's not an answer to my question
You don't "have to", but they can deport you and refuse entry in the future in retaliation. It's a variant of the TSA not being able to "compel" you to a search, but they can refuse you from flying.
I think assuming that the CBP will adhere to the law is based on a pretty outdated mindset. I'd say at least since the current management, but more likely since 9/11...
I think the context is just mass international travel due to the US hosting the World Cup, no?
> what is relevance of being posted today
Not sure about today specifically, but it is pretty relevant with the World Cup starting in 2 weeks
It's wild, I have worked internationally for a long-time and the rule when going to certain countries was bring a burner device. Going to China essentially meant the device was nuked on return to the States, now it is the same feeling to/from the US.
That's exactly what European governments and corporations will have to start doing. Adding the US to the same list as Russia, China, Israel, Iran etc.
The list of countries where you need a burner phone will likely grow longer. Canada, Australia, UK, some developing countries, etc...
Governments maintain formal lists of countries for these types of things. I think people would be surprised how many diverse countries are on the formal lists. A number of European countries have been on them for years.
Australia's been doing this forever.
We have? My international relatives have never been searched to that degree, if at all.
That said, the whole thing is overreach in any democratic society.
Read the stories about people who actually have this happen. You can usually figure out why they are targeted. That may not be just. But it is.
Customs agents are always given broad discretion and generally care about something.
Most normal folks will never intact with these issues. The last time I travelled internationally, they weren’t even doing secondary customs screening upon return to the US.
Someone should make an app to offload all your data to a personal cloud before going to the airport and then reload it into the phone after going through customs
In the case of Apple, couldn't you reset the phone, sign in to a backup iCloud account, and then repeat the process with your real account once you're clear? Not a fast process, but most people have GBs of personal data so nothing would be quick anyways.
All backup apps work, no special requirements. Seedvault for my LiniageOS.
Seedvault doesn't work half of the time.
They don't work well in my experience.
What I want is to get my home screen back exactly as I left it: I've not found anything able to pull it off on Android though.
Ideally it would be an exact flash image of the phone.
Adb backup exists, though I haven't tried it, and Google cloud backup does this. However, if you trust Google, you probably already trust the US.
Unfortunately, I don't know of any other app that does this on an unrooted phone.
>Adb backup exists, though I haven't tried it,
It's very patchy, and many (most?) apps opt out, so it's functionally useless.
Had the same guidance for many years for visiting the US given by the large US firm that employed me
Going to China means your devices are owned when the plane touches down if not before. That’s why you bring a burner device (including laptop and anything else), never log into anything, and throw it in the trash when you leave.
>Going to China means your devices are owned when the plane touches down if not before.
???
Are American made operating systems (Android, iOS, Windows, Mac) so full of 0days that the Chinese are burning them on random travelers? This just feels like either severe paranoia and/or chinese/american psyop, making people think that China has some magic hacking power.
For GDPR reasons alone it's probably not a good idea to take a business phone across certain borders. You run the risk of disclosing customer data to a 3rd party, if only because the customer data in your phone book counts as PII.
So long as only a few countries are doing this, it might seems doable. If everyone starts doing it, international travel becomes rather annoying to say the least. Realistically I think at some point a detente might want to be reached, with everyone agreeing not to search everyone else's electronics.
>For GDPR reasons alone it's probably not a good idea to take a business phone across certain borders. You run the risk of disclosing customer data to a 3rd party, if only because the customer data in your phone book counts as PII.
But "law enforcement" is specifically exempt?
https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
China installs malware to spy on you. The US doesn't do this. Totally different situation.
This also happens in many other countries
>China installs malware to spy on you. The US doesn't do this.
Source? Are we talking on random travelers, or targeted individuals? I seriously doubt china is doing the former, and I also seriously doubt the US doesn't engage in the latter.
There are many well cited examples.
I believe in politically sensitive areas like Xinjiang it happens to everyone. A past employer gave specific advice regarding Hong Kong as well.
I think the key thing as a traveller isn’t the righteousness of China vs. US. It’s the chilling effect on travel and trade.
We really depend on these devices that have access to vast scopes of personal and other data. That sexy text you got a year ago is still in your text message store and may be a problem in some places.
If we're talking about targeted hacks, are we sure the US doesn't do this? Is US soil off limits for hacks somehow? What plausible exploits could be done when someone is on US soil, but not over the internet, especially on modern phones where the baseband is isolated?
Don't think this is anything new? Have seen various cases from years ago where they searched texts to determine if the person was planning on working or visiting.
Edit: the first directive apparently was from 2009: https://www.jdsupra.com/legalnews/new-policy-for-device-sear...
Expanding the scope of it is new.
The legalese is thick but this is a notable point I saw from a quick skim:
5.3.2 "Passcodes or other means of access may not be utilized to access information that is only stored remotely."
They will be disruptive to your life if you, as a U.S. citizen, refuse to unlock your phone on the U.S. border. But it is my understanding they cannot constitutionally mandate you provide a passcode to unlock your phone. But they may confiscate your phone from you.
looks like they can request your passcode to unlock the phone so anything local and/or cached before they disable network connectivity would be there.
That's not notable at all given a lot of content is synced to the device, not even counting temporary and cache files.
It's notable in that I've seen an increasing number of companies where employees are essentially given a thin client to connect to a remote server for work, and are sometimes even prohibited from transferring that data out of that environment to the local machine.
Yeah that’s really critical if you use O365, as the encryption terminates in each local jurisdiction and is in cleartext on that front end device. So if you connecting in Germany, you’re hitting a front end in Germany or at least the EU, and so forth.
One easier way to do that is to use a Chromebook Public Session with a VPN, then connect to SaaS or a hosted desktop in your jurisdiction.
We need a constitutional amendment that says "we really mean it" with respect to the 4th and 9th amendments, explicitly including personal digital data and criminalizing general surveillance. With fangs.
[delayed]
The border search exception was designed by the framers.
The collection act originally was intended to apply to merchandise and merchant ports. The concept was judicially expanded upon in 1925 but wasn't fully ensconced into federal law until 1952.
So hmm this allows 'electronic or digital' information to be examined - so you're fine transporting your information read out on cine film?
Is this not old? Since then they have also required all social media to be public.
what does this mean in practice? is everyone being / going to be forced to unlock the devices during the border crossing
A friendly reminder that the CBP has decreed itself to have authority within 100 miles of any US border, as that it is its interpretation of "a reasonable distance" from said border.
That basically encompasses two thirds of the population.
The last two years have demonstrated a radical need to curtail that range of authority and shift from it being vaguely specified to a concrete legislative specification.
Even ten miles seems (pardon the pun) borderline excessive. There is no reason CBP can't hand off stuff to local, county, state, or federal domestic law enforcement. We have no shortage whatsoever of law enforcement in this country and they're able to communicate inter-agency better than ever via cell phone, tools like slack/teams, text messages, email, and long distance digital radio systems.
Maybe in the 1950's when all they had were shitty radios given them that sort of range was appropriate. Not anymore.
This is false. It's an old fundraising claim used by the ACLU; they have since set up pages backing away from it (because convincing people in the US that they don't have rights they do in fact have is not good civil liberties advocacy). There's direct SCOTUS precedent on this.
There's a 100 air mile border definition that's material to immigration enforcement (with complicated limitations). It does not determine where searches under the border search exception can occur.
More importantly, they count ocean as border.
International airports as well.
> 5.1.3 An officer may conduct a basic search of an electronic device with or without suspicion, subject to the requirements and limitations provided herein and applicable law.
> 5.1.4 An officer may perform an advanced search of an electronic device only in instances in which there is reasonable suspicion of activity in violation of the laws enforced or administered by CBP or, in the absence of individualized reasonable suspicion when there is a national security concern.
In this climate, the qualifiers in 5.1.4 should be assumed to apply 100% of the time.
So, if you bring a device, be prepared to either unlock it and hand it over to be mirrored or abandon it and deal with whatever consequences fall out of that decision.
I'm probably never leaving this shithole again but, if I do, I'm coming and going empty-handed.
that's not your only options, but the ones likely everyone will follow. Guidance does not equal law.