Skip to main content

Keeping your data safe and private while you travel across borders is a lot of work

One interesting byproduct of a shift in the U.S. executive branch's stance on border safety is seeing people actually concerned about their privacy and data safety when they need to cross those borders. No matter where you stand on the current administration's ideas and potential policy changes (and this isn't the place to argue those) you should be able to understand that they will have an effect on how your information is treated by three-letter agencies in the U.S. anytime you move in or out of the country.

This has some smart people — very smart infosec type people — talking about why you need to be concerned and what you can do about it. It's fascinating to read even if you think it's all hogwash and we should freely share everything with any government agent.

Experts tell us to cross borders and leave no trace behind, much like when hiking or camping. This is how James Bond must feel.

Two pieces in particular I really enjoyed come from information security researcher the grugq (conveniently compiled by Microsoft engineer Mohamed Mansour) and forensic scientist and penetration tester Jonathan Zdziarski.

As you would expect from the grugq, the information is laid out as fact, leaves no room for any alternatives and is direct to the point. It's also undeniably true. That's probably the reason I read anything and everything with his name on it. It's a refreshing no-bullshit look at what's going on and what can be done to protect our right to privacy when we encounter it. His series of short tweets tell you in no uncertain terms how you should travel if you are going to be crossing a U.S. border and don't want anyone else having access to any of your private information without your consent. Bam, boom. There you have it.

Zdziarski expands and explains why and how as he tells you the things you need to do to keep any errant eyeballs away from your personal information. The measures are extreme, and a few extra words about why it's beneficial to follow his advice are appreciated. Again, this isn't surprising. Zdziarski has a knack for making the extreme seem reasonable when it actually is a reasonable response. Zdziarski is a reassuring voice for the times when you need a reassuring voice to help understand the scope of a situation and advice on how to react.

We all need to think of how we can use this information, and if we need to follow any of the advice.

The two resources read very differently and are from two very different people, yet they echo the same basic ideas. Throwaway accounts and even devices, that live completely separated from your vital information and always assumed to be compromised and hacked. Essentially, the only way to be sure you aren't giving away more than you need to give away is to become a virtual ghost at any border crossing. This is completely James Bond level stuff, and while it may be saddening to think we need to worry about it, knowing that we really can exist with no digital footprint is fascinating. Make sure you take a few minutes and read both.

There is a lot of room here for further discussion. Ways we can use the tools and services available to us for Android and Chrome to lock away the data we give so freely to Google if we need to suddenly hide it from anyone else need to be explored. Let's face it — using the digital devices we love from any company doesn't lend itself towards anything resembling privacy. We're OK with sharing everything with a company we trust and never consider how any of it can be used "against" us. It's given me plenty to think about and I hope it gives you plenty to think about, too.

I expect we'll be circling back to this a time or two as we move forward.

Jerry Hildenbrand
Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

28 Comments
  • Glad I don't venture out there often. This day in age, it's pretty much impossible to use technology and not share more about yourself than what you may be comfortable with. But if you want to get those services and integration, you have to pay, (to an extent at least), with your data. Flicked via the BlackBerry keyboard on my Nexus 5X
  • Thank you for sharing this flavour of content! Growing awareness, demand and more consumer friendly privacy/security technologies are helping many of us with the ability to express ourselves, create and speak with more of a unique genuine voice.
  • "...penetration tester..." No doubt it's a serious topic. Still, what I really want to know is whether you laughed when you wrote those words.
  • I laugh when I read it, but for different reasons. Most people who actually refer to *themselves* as a 'penetration tester' are somewhere between "I know how to use MetaSploit' and 'I run Kali Linux, ph34r m3'. ...heh.
  • Glad I am not the only person here with the brain of a 13 year old. When I read that, first thing I thought of is a business card with that title.
  • Our security folks just say "pen test"
  • I was going to say that anyone who really understand the subject calls it "pen testing." Saying penetration tester indicates one isn't involved with the subject.
  • I'm not sure how this administration is any different than the last or the one before that re: this topic. The US courts decided on numerous cases that customs can search electronic devices and hard drives with or without individual suspicion. Its the same with Canada, UK, Australia, etc etc etc. This is not a new issue.
  • That's exactly right. I know that Jerry is making good points here. That said, the outright Paranoia going on that we are in Fascist state is a bit much. Hate to say it but we're been here along time now well before this adminstration. Glad I have an extra Gmail account. Wipe and load under that and nothing will be there. Leave any sensitive files in an encrypted cloud account and load a clean install of your PC OS. Pain in the behind, YES. Being safe, priceless.
  • 2 western countries are seriously considering forcing travelers to provide account passwords or be denied entry. That's a bit different and gets people talking about this sort of thing more — both to help people protect their privacy and to show how ineffective these sorts of measures are because it's very easy to get around them.
  • one of the contractors I work with told me the story about his acquaintance from Tijuana. the guy's been working in San Diego (weekends at home ) for years and last week at the check point,they pulled him for a additional screening. they took his phone , went through his Social Network posts, looking if he had negative posts or shares about Trump and his administration. Since he did have them (Facebook) he was denied entry and his work visa was revoked. It may be an anecdote, but considering that many permanent residents were sent home from LAX even after the Court Order was in place, it only shows that some CBP officials are taking liberty to act as they see it fit, knowing that they won't be held accountable.
  • Isn't this overkill? Why is that account and device anymore suspect if it's on one side of the border or the other. If you want to lead a paranoid free life, shouldn't you have a burner phone for every network/account combo regardless of where you are? Am I missing something?
  • Doing things like requiring people to turn over all their accounts and passwords at the border is how you make people feel safe without having to actually do anything. Since San Bernardino, a lot of people think you can stop a terrorist if you get access to their facebook or twitter account. You have to remember that you probably know more about technology than most other people (and most government officials) just because you use the internet and have accounts at blogs that talk about this stuff.
  • Eh, all it is is a way for the gooberment, (not government ), to scapegoat into actually doing their jobs like they are suppose to. Half of these departments do a crappy job at their followups when they suspect something. It is sad, but very true. Out of all the problems that have occurred within the United States this past year (2016) most of these people that committed acts of violence against people and police had very checkered past or had even been investigated at some level of detail by the FBI or local police departments, etc. Who's fault is that?Facebook or the surrounding gooberment entities that didn't take their job or do their job more seriously?
  • Correct my legal logic here. There have already been discussions on here about fingerprints vs pass codes to unlock a phone. The US government can't currently compel you to provide a password or code to unlock the phone without a warrant. If you're a US citizen returning home after visiting abroad, how can they compel you to provide social media accounts? If you're not a US citizen, I can see that being an upcoming point of contention.
  • http://www.theverge.com/2017/2/12/14583124/nasa-sidd-bikkannavar-detained-cbp-phone-search-trump-travel-ban
  • Thanks for that info. Looks like I better do some more digging before my trip to Canada in a few months. Ug.
  • there was a congressional investigation which concluded that indiscriminate surveillance of US Citizens did not and won't prevent any attack. data overload does one think effectively - overwhelms the system so you can get nothing out of it.
  • I've travelled between borders around Europe and never had to give out passwords, or my own personal devices, ever. I guess this will change with Brexit.
  • Looking at the kind of exit "our" prime minister is pushing for, yes it will change. Kind of moot in the UK though since it's been ruled that no private citizen should be entitled to any privacy anyway.
  • It disturbs me that articles such as these even need to be written. Are we really falling that quickly towards a 1984esque dystopian nation? I understand that this is more on the extreme side of privacy security and that not all that many of us will need to go through the procedures explained in the articles but the fact that articles such as these need to be written in the first place just shakes me to no end.
  • All this presupposes that you will take your own device abroad. What is the downside to buying both a device and a local SIM upon arrival, and not connecting it to your existing accounts?
  • That's what I would do if I were someone likely to be profiled and asked to give my passwords at the border. Buy something while I'm overseas, use it, wipe it and give it to some lucky kid on the way to the airport before I fly home.
  • It seems like the smart play.
  • So is this likely to happen to all and sundry, or random select people, or those that may arouse suspicion?
  • ...and then you'll be detained as suspicious because you aren't carrying a phone with accounts they can view to deem you as uninteresting. hmmm.
  • Thanks for this. I'll be traveling to Saudi Arabia in April. Really hope I don't get too much headache coming back.
  • Certainly is food for thought. Seems they routinely snoop in our phones now without us even knowing about it! Welcome to the brave new world... Grab a dumb phone to go abroad seems the secure path...