Can Border Agents Search Your Electronic Devices? It’s Complicated.

This post was updated on July 19, 2017. 

We’ve been getting a lot of questions about when border agents can legally conduct searches of travelers’ electronic devices at international airports and other ports of entry. Unfortunately, the answer isn’t simple.

Read this post in Spanish or in Arabic.

The government has long claimed that Fourth Amendment protections prohibiting warrantless searches don’t apply at the border. The ACLU takes issue with this position generally, especially when it comes to electronic devices like smartphones and laptops. Our smartphones store detailed accounts of our conversations, professional lives, whereabouts, and web-browsing habits. They paint a far more detailed picture of our private lives than, say, a piece of luggage.

The Supreme Court recognized this reality when it ruled in 2014 that the Constitution requires the police to obtain a warrant to search the smartphone of someone under arrest. As the ACLU has argued in various court filings, there’s no reason the Constitution’s safeguards against unwarranted searches shouldn’t also apply when we travel internationally given the ubiquity of these devices, and their ever-growing capacity to track the minutiae of our private lives.

Unfortunately, the government doesn’t agree, and the law on the matter is far from settled. Because of the high-stakes implications of these kinds of searches, and amidst evidence suggesting they’re on the rise, it’s important to understand the landscape so that you can make decisions that are right for you ahead of your travels.

This resource offers a basic snapshot of possible scenarios relating specifically to electronic device searches. For a fuller picture of the many other civil liberties issues that often arise at the border, click here. And if you think your constitutional rights have been violated, tell us what happened by filling out this form

What happens if border agents demand I turn over my device?

The government claims the authority to search all electronic devices at the border, no matter your legal status in the country or whether they have any reason to suspect that you’ve committed a crime. You can state that you don’t consent to such a search, but unfortunately this likely won’t prevent CBP from taking your phone.

If you’ve given Customs and Border Protection agents the password to your device (or if you don’t have one), they might conduct what’s often called a “cursory search” on the spot. They might also download the full contents of your device and save a copy of your data. According to CBP policy from 2009, they are not required to return your device before you leave the airport or other port of entry, and they might choose to send it off for a more thorough “forensic” search. Barring “extenuating circumstances,” they claim the authority to hold onto your device for five days — though “extenuating circumstances” is an undefined term in this context, and this period can be extended by seven-day increments. We’ve received reports of phones being held for weeks or even months.

As a result of this policy, even the most universally recognized private information — like communications with your lawyers — are insufficiently protected at the border. If you possess information that is protected by attorney-client privilege, you should tell the CBP agent you’re interacting with. Unfortunately, all he or she will need to do under agency policy is “seek advice” from a superior prior to the search.

Journalists carrying sensitive information about their work or sources are also insufficiently protected. The CBP directive states that “work related information carried by journalists shall be handled in accordance with any applicable federal law and CBP policy” — but it’s unclear what this means. Journalists who feel their rights have been violated at the border should let us know, and those who have upcoming travel should consult with their organizations’ general counsel offices or press associations.

If you leave the airport or other border checkpoint without your device, make sure you get a receipt, which should include information about your device and contact information allowing you to follow up. If, after the forensic search is conducted, there is no probable cause to believe the device contains evidence of a crime, the government says it will destroy any information it copied within 21 days. Yet there’s a caveat here, too. CBP might retain the notes it took during the search of your device or any questioning while you were at the border.

Do I have to enter a password to unlock my device?

Your legal status in the country may inform what you decide to do if you’re asked for a password to unlock your device.

If you’re a citizen, you can’t be denied entry into the country if you refuse to comply with a request to unlock your device or to provide a password. But you might be detained for longer or have your device seized and not returned to you for weeks or months. The same should be true for those who have previously been admitted to the United States as lawful permanent residents and have maintained their status — their green cards can’t be revoked without a hearing before an immigration judge. If you are not a citizen and are concerned about having your devices searched, you should consult with an immigration lawyer about your particular circumstances before traveling.

Visa holders and tourists from visa waiver countries, however, run the risk of being denied entry if they refuse to provide a password, and they should consider that risk before deciding how to proceed. The Department of Homeland Security is presently considering instituting a policy requiring visitors from certain countries to provide social media passwords in order to secure a visa to travel to the U.S. (The ACLU opposes the proposal.)

Whether you’re a citizen or not, though, we always recommend that you enter the password yourself rather than divulging it to a CBP agent. They still might demand that you share it, but it’s a precaution worth trying to take. If you do hand over your password, it’s likely to end up in a government database, so change it as soon as you have the chance and make sure you no longer use that password for any other account.

What can I do to prepare?

Here are a few precautions you can take in preparation for your trip to ensure things go as smoothly as possible:

  • Travel with as little data and as few devices as possible. The less you’re carrying, the less there is to search. Consider using a travel-only smartphone or laptop that doesn’t contain private or sensitive information. You could also ship your devices to yourself in advance. (Be aware that CBP claims the authority to search international packages so it is best to encrypt any devices that you ship.) Keep in mind that a forensic search of your device will unearth deleted items, metadata, and other files.
     
  • Encrypt devices with strong and unique passwords and shut them down when crossing the border. A good resource on how to do so can be found here.
     
  • Store sensitive data in a secure cloud-storage account. Disable any apps that connect to cloud-based accounts where you store sensitive communications or files, and don’t keep a copy of cloud-stored data in your physical possession. In July 2017, Customs and Border Protection publicly stated it is against policy for border agents to search cloud-stored data on electronic devices. This means that any search of an electronic device at the border should not extend to data that is only accessible via the internet — such as email or social media messages and posts that are stored on remote servers.
     
  • Upload sensitive photos on your camera to your password-protected laptop or a cloud-storage account. Digital cameras don’t offer encrypted storage, so you should consider backing up your photos and deleting them from your camera and reformatting the camera's memory card.
  • Turn on airplane mode for all of your electronic devices before crossing a border checkpoint. CBP stated in July 2017 that its policy does not permit searches of cloud-stored data that is accessible from electronic devices through the internet. Keeping your devices in airplane mode will help ensure compliance with this policy.  

Until the Supreme Court weighs in on the constitutional limits of the government’s powers at the border, questions about the government’s authority to conduct these kinds of searches aren’t likely to be settled. Lower courts have issued conflicting rulings on whether individualized suspicion should be a condition for such a search. The Ninth Circuit, which covers several western states, for example, requires at least reasonable suspicion for a “forensic” search of a seized device, but has not imposed limits on “cursory” on-the-spot searches.

It is crucial that more courts weigh in, given that device searches at the border seem to be on the rise. News reports indicate that in 2016, almost 24,000 electronic devices were searched, a huge jump from the nearly 5,000 devices that were searched in 2015. The pace of searches continues to accelerate, with the Department of Homeland Security reportedly conducting 5,000 device searches in February 2017 alone.

With border officials increasingly exercising authorities that haven’t been sufficiently considered by the courts, the urgency for clear protections mounts. In the meantime, travelers should take the precautions they feel are right for them.

Add a comment (142)
Read the Terms of Use

Anonymous

Not a bad idea. I have a whole separate Apple and Google ID's as well as separate social media accounts and none of my real accounts use my real name my secondary google and apple. I use the secondary one for public comments, games etc in the hopes that my privacy can be preserved on my actual accounts.
This is easiest to do if your alternate ID is on a separate device like an iPad.
Back up your phone to the cloud and wipe it. Then restore it with the secondary stuff from your iPad.
When you cross the boarder there will be a history there of stuff.
Once across the boarder you download the backed up phone image from the cloud and restore your phone.
This is still not a guarantee they won't hold your phone or do a deep search to find the real you, but it's unlikely as you've given them something innocuous.
I keep these things separate for the sake of client confidentiality as well as the fact that I dislike the wholesale markets selling my personal profile.
Note that when I travel into the USA as a non-citizen I'd have no rights and could be turned away and banned for refusing to cooperate. If I were a citizen I might just encrypt everything and refuse my passwords then deal with the consequences.

Scott Weil

Thank you for letting us know Customs and Border Patrol policies. These policies need to be tested by the Judiciary branch, as I believe the self imposed policies violate our protection against unwarranted search and seizure. I also would like to see CBP directors and individual agents prosecuted for violating citizens' rights. They claim they are just following orders, but there must be consequences for their actions, as there were at Nuremberg and for the many Republican operatives who went to prison during Watergate.

Anonymous

That's called a Bivens Action. And yes you file them against the individual agents. Although I've seen some that were filed against "Customs and Border Patrol" in the past and the plaintiff eventually won anyway. Problem is they take 6-9 years to win.

B Watson

If they can demand access to your phone, and your phone automatically signs in to your cloud/web accounts, doesn't that give them access to your remote storage also? What prevents them from demanding access to your social media (e.g., Facebook) account, even if you don't have a phone or other equipment on your person?

It seems that the only way to cross borders is to carry a not-smart-phone that only makes voice calls, and leave all electronics at home. But if they are authorized to inspect your accounts, regardless of device, then that isn't secure either.

Anonymous

I would think simply denying you social media accounts would do the trick. maybe... poss locking down your twitter or facebook might help as well.

Anonymous

If you're a citizen, you can simply refuse to provide access. Just make sure that your info is not public and able to be located using Google or other search engines (Google yourself to see).

Anonymous

Also, believe it or not, not everyone uses Facebook! :P

Anonymous

Our devices should allow me to set a "wipe clean" code. If that code is ever entered at the lock screen, then the device would destroy its encryption key and essentially be wiped clean. If someone forces a person to unlock their device, that person could enter the wipe clean code and everything is gone. This would have to happen without an "are you sure?" prompt.

Raoul Obsterik

iOS devices (iPhone, iPad, iPod Touch) have an option that will wipe clean the device by destroying the encryption key if the passcode is entered incorrectly 10 times.

Anonymous

If entering an incorrect password ten times will destroy the encryption key, then perhaps that is the way to wipe a phone clean. It will look suspicious to the border agent, but what can they do besides question you?

Pages

Stay Informed