See also Andreas Gal's blog post https://medium.com/@andreasgal/no-one-should-have-to-travel-... , the ACLU's press release https://www.aclunc.org/news/aclu-files-complaint-department-... , and the ACLU's formal complaint https://www.aclunc.org/docs/ACLU-NC_2019-03-28_Letter_re._El... .
Non-citizens are in a totally different boat. You can be denied entry for any reason whatsoever. Tread carefully....
I have a feeling that is an empty set.
Best to enter the customs zone with the phone powered off, your device's security is likely better in this state, less likely to be circumvented while you surrender it.
Things like mobile boarding passes and the "Mobile Passport" app encourage and train people to hand their devices over to TSA and CBP personnel. In that later case, unlocked and with an app CBP/DHS controls already installed (with a lengthy ToS no one ever reads).
Best to just wipe any device and restore from backup.
CBP do need reasonable suspicion to hold you belongings or do a forensic search of your computer (Cotterman 2013) - they can't just randomly take things on a whim. The longer they hold it, the higher standard required.
(In Cotterman, it sounds like the Ninth Circuit said reasonable suspicion was required, but also decided on its own - despite it not being argued by the government - that an alert from a CBP database about Cotterman's previous conviction justified a search. Which seems reasonable to me, as a layperson, I thin.)
I don't think that will discourage them to call any whim "reasonable suspicion".
What's the definition of "temporarily" in this case?
As a practical matter, more senior officials at CBP should hopefully know about their limitations and if you request counsel and stay silent then they'd likely release you.
I’ve been kicked out of a border control point in northern Vermont in February in a snowstorm after a four hour interrogation. (They sent the bus without me.)
I’ve been arrested and locked in a room for twelve hours with no food or water or medication.
I’ve been endlessly harassed and interrogated on other entries even when not exercising 5th amendment rights to silence.
In all cases they eventually let me go without charges.
They have to let you enter, but they don’t have to do it quickly or humanely.
They will use every option available to them to punish you for disobeying their commands to unlock, even if you are not legally obligated to do so.
Except the threat to put you on a "mess up with every time they fly" list.
Going to a prison somewhere in the US is 'reentry' I suppose.
Is there evidence of US citizens going to prison for the act of refusing to unlock a device at the border?
Hold shift or some other key combination when you boot and it boots into the 'real' machine, the other OS is just a dummy with generic search history and data.
Wonder if you can sue them after for your property back.
Legal / Official Source please.
...border agents told him he had no constitutional nor any legal protections, and threatened him with criminal charges should he not concede to the search.
...he was eventually allowed to leave with his belongings, the devices still locked, and no charges were pressed."
My goodness! I guess those protections did exit after all! :)
Guidelines:
-Goons can lie to you all they want. Never budge.
-Politely refuse, and remain cordial. Stay strong mentally.
-Make sure your devices are turned off prior to even leaving for the airport.
This is the sick reality we live in.
Customs and Border Patrol operate under a special set of circumstances within ports of entry. You do not have the right to have an attorney present during the interrogation, you can have your personal belongings confiscated, you can be held without charge for up to four hours for any "reasonable" suspicion.
These same rules apply within one hundred miles of the United States border. So if you live near the any ocean, Great Lakes, the Mexican border or Canadian border, you live under a different set of rights than the rest of America.
Also police are allowed to lie about anything they want during interrogations.
Security may ask you to turn them back on, not to search them, but to verify that they are actual working devices, and not a bomb.
But never decrypt. If this results in you missing your flight, so be it.
As far as the security of the data on the device is concerned, a powered-off device is equivalent to a powered-on device that hasn't been unlocked since it was powered on.
It's easy to single out the US but the reality is that most countries have pretty far reaching rules these days. E.g. the UK and Australia are hardly any safer. And forget about China, Russia, or indeed most countries with even less democratic regimes.
The bottom line is that if you are not willing to unlock your device at any of the security checkpoints you will pass on your journey, you should leave it at home or just wipe it preemptively and restore over a secure connection after you arrive. In case it does get unlocked or taken from you, consider the device burned. It may come back to you with all sorts of malware. The people doing this are not thinking you are a terrorist or a child pornographer: you are being targeted and under attack by a hostile entity. Assuming otherwise would be a mistake. Wipe it, sell it on e-bay, never use it again.
The point being: if your encrypted network traffic is captured and retained, maybe it can still be brute forced at liesure, and deduplicated for deltas only. Thus, volume is only a temporary issue, and everyone still gets to see everything eventually, and full retrospective records are still enriched, so maybe that's fine for some things, and not for others.
That would be a big story if that is the case.
I will offer a counter-narrative which is more in line with my own experience (from other places than the US):
The people who work at border control in particular in airports are bored.
They are also overstaffed and given extreme discretion over the people they patrol; most of whom are non-citizen and thus have basically no rights at all.
This leads to them doing work for the sake of showing they work, overreacting to the least of resistance and maybe even some games of entertainment.
I will definitely agree bored cops looking for stuff to do cause a lot of problems.
[0] https://www.nbcnews.com/politics/immigration/u-s-officials-m...
I think it is obvious that they profile on overall looks, race, citizen status, place of birth, travel patterns.
What he meant was the prefix for the license plate. Luckily I remembered it. I suspect he grew up in the area, but it was super weird; also, he was probably fairly bored.
she said it was absolutely not common (which i doubt very much) and she was concerned i was coming and going because i want to stay (?!?!?!).
The downside of having big government is that it winds up being staffed with mad-with-power bureaucrats, who will mess your life up just because.
I miss the time when most techies believed in civil liberties and were wary of government. Chickens coming home to roost and all that...
This kind of thuggery seems to be getting more common.
Once the agent has your password and takes the device into their back room for an hour, you have to assume that all data has been offloaded and the device has had an undetectable rootkit added.
This gentleman's expertise is in security and encryption and now he works for Apple, a company that makes products that the US government can't always crack. He was clearly targeted in his encounter because of his current position, based on the questions they were asking. Surreptitious access to his devices is highly desirable to US intelligence services.
Any device that you lose physical control of during these encounters must be presumed to be compromised and should be physically destroyed afterwards.
The password to this freshly wiped device is "Orwell1984". Feel free to have a look, but all you'll find is an app called "Secure Erase Free Space". This SD card I'm carrying separately? No, you can't have the password to that. Yes, I know, you can hold it indefinitely.
Lying in that situation would seem like a very bad idea (I'm not a US national) - I've had a few uncomfortable experiences over the years entering the US and I certainly wouldn't want to do anything that would give cause to escalate things on their side.
He wasn't FORCED to unlock his computer, he was just detained for three hours because he wasn't. Adding technical restrictions won't stop that.
You don't have to specify that you consider customs agents thieves, that's just up to you if you wanna put that lil' spin on it.
(But for real, this seems to me to be a bulletproof way to both make sure TSA can't access data on your device AND make sure you get pulled aside "randomly" for an extra-long questioning session.)
Deniable encryption can actually be very dangerous for people who are detained in places where torture is used. Even if you unlock your device, law enforcement have no proof that you have unlocked your real profile[0]. This is relevant to countries where people can be detained for not unlocking their devices, like Australia.
[0]: https://en.wikipedia.org/wiki/Deniable_encryption#Drawbacks
Aside: don't use TrueCrypt anymore for other reasons.
Also: https://xkcd.com/538/
I wonder about the legality of the CBP punitively confiscating his Global Entry pass.
The risk of travelling there is simply too high now.
Yes, I know (as stated above). By no means am I saying it couldn't. Still, it doesn't excuse Americas practices in any way.
Message? So you read one story and a bunch of HN comments and that is how you decide?
I'd be surprised if anyone who regularly travels to the US hasn't found it to be extremely unpleasant at times. A while back I spent 6 months or so going back and forth from the UK to Houston or Atlanta, and every time I absolutely hated going through immigration. I've travelled to dozens of countries, and literally everywhere I've found the border guards to be friendly - except the US. Every time they behaved like power-hungry bullies, or I saw them behaving that way towards others. One time I travelled with a female colleague who was basically harassed by ridiculous questions from a very angry and loud border guard for no reason at all. He wasn't satisfied until she was in tears.
Another time there was a really long queue after getting off a flight (think it took over an hour to get to the desk), and there was a pregnant woman in the queue who seemed unwell and wanted to sit down - a guard shouted at her to stay in line, refused to get her a chair, and refused to let her jump forward in the queue (despite prompting from willing fellow passengers).
So the reason people don't want to travel to the US? Because it's a fucking horrible experience.
In which regard? Compared to which place?
She was in tears by the end of the experience.
We have both received many pat downs in Chinese airports that didn't bother either of us.
Only explanation I have for the level of examination is maybe because I was a young minority returning from a random latin american country solo(?)
Even though I have an essentially absolute right to re-enter the country, my hardware apparently does not, at least without potentially being detained for an extended period.
So, burner phone and pre-wiped laptop if I need it, all powered down. If I need any files while away, store them in a secure Box or other account before crossing borders.
At this point, it seems like just a necessary evil extra expense in time and money, and a good idea for other countries, although it sadly seems that the US is now the fast follower of Russia, China, etc, in terms of repressive practices.
So, in a strict legal sense, demanding to unlock a device does not violate the 5th.
https://www.aclunc.org/docs/ACLU-NC_2019-03-28_Letter_re._El...
> CBP must ensure that its officers comply with the U.S. Constitution. Even at the border, the search of an electronic device is governed by the Fourth Amendment. To satisfy Ninth Circuit and Supreme Court law concerning electronic searches, any such search should be based on a warrant and be limited in scope to information relevant to the agency’s legitimate purpose in conducting the search. The attempted unconstitutional search of Dr. Gal’s devices illustrates that CBP’s policies do not in fact include the requirements necessary to safeguard the constitutional rights of people at the border
https://en.wikipedia.org/wiki/Border_search_exception
> This balance at international borders means that routine searches are "reasonable" there, and therefore do not violate the Fourth Amendment's proscription against "unreasonable searches and seizures".
According to Wikipedia, there is currently a circuit split* on whether phone searches at the border require individualized suspicion, or can be conducted routinely, without falling foul of the 4th amendment.
* (two sets of appeals courts have ruled in contradictory ways; these splits can be resolved by SCOTUS if they choose)
https://en.wikipedia.org/wiki/United_States_v._Martinez-Fuer...
SCOTUS is, for good and ill, the last word on what's Constitutional, until it changes its mind.
This isn't true and has never been backed up by a court ruling, including at the Supreme Court. Currently there is no legal foundation to the premise that any rights for US citizens are suspended just because you're at the border (typically people refer to the premise as also including N miles inside of the border, eg 100 or 300 miles).
Right now what you have is a few government agencies attempting to write over the Constitution, without anything to actually support their doing so. They go out of their way to avoid an actual court confrontation with their fake / invented 'laws,' knowing that they'll lose.
> If a Customs agent asks you to power up the laptop and access content with your passwords, please comply with this request. [...] Travelers should notify their supervisor and corporate security at their first opportunity.
since the RealID act was passed, and im too lazy to wait at the DMV for a compliant license, I just take my passport with me for ID on domestic flights. This once cost me 30 minutes with the TSA, again, explaining why I was using a passport for a domestic flight. I refused search, refused to cooperate, and was let on the plane.
security theater was fun 15 years ago but this shit show has gotten a little old. the oxycodone epidemic kills more americans than terrorism. Hell, lightning kills more americans than Al Qaeda.
shoes and belts off, shuffling through the checkpoints like juden at dachau, is degrading.
I don't know enough about Estonia to suggest they would try this, but they do seem progressive in this regard. I would vote for Netherlands, Belgium, or Portugal just because I like being in those countries.
Things like this don't even remotely threaten US dominance in tech, because: 1) the US allows a lot of legal immigration; 2) US tech wages are far beyond anything you can make in those other locations 3) the US as a singular integrated market that is the world's largest economy, makes it impossible to compete with unless you're China, due to inherent scaling benefits 4) nowhere other than China has the capital markets to support competing with the US start-up scene properly and 5) the actual context - Andreas was let go after three hours, with his devices - isn't close to being bad enough to matter, in fact it barely registers these days (increasingly the era of domestic surveillence and censorship all around the world, from the UK to South Korea) as a very mild inconvenience on human rights, and doesn't impact ~99.999% of travelers to the US.
US dominance in tech - outside of China - has only increased since 9/11, not decreased. That's despite non-stop issues of this sort, the Patriot Act, NSA spying, and so on. A rogue border search, or a hundred of them, won't dent that. That's the reality.
Or maybe a function that you can activate that makes the phone appear bricked until the power button is pushed 20 times in a row. You could activate this before going through customs.
If you _really_ care about this, travel without your phone, and travel with a minimal-account wiped laptop that runs, has some apps, and has zero work or personal data on it. Stick some steam games on it at most. Then get a burner phone once you're in the country you need to be in, let people you need to talk to know what your new temporary number is, and restore your data from a secure source that you can access using your laptop. Then when you leave, "burn" the phone and properly wipe your laptop again.
Also, why is it legal for them to lie to me when I can't lie to them?
Also your second argument could be applied to absolutely anything. You can always find something that deserves more attention.
Save everything to the cloud, or use a burner device like a It’s not worth the hassle.
(And yes, I’ve read that this antagonizes border security to a certain extent, if they believe you’ve done just this.)
We did got past all of those (!)
Ps. I live in Turkey
What if unlocking the device requires a security key that I do not have with me?
My intuition is that they'd still treat that as though I was impeding their search, but I wonder legally if it changes anything.
They want entrance, just grant it to a sandboxed environment.
The lack of transparency on the reasons for detention are the real problem. Josef K never found out the charge made against him either.
(edit -spelling)
> Ex-Mozilla CTO
Has no more or less rights than anyone else.
> Techie says he was grilled for three hours
Clearly click bait 'grilled for three hours'. Not questioned but 'grilled'.
> "There I quickly found myself surrounded by three armed agents wearing bullet proof vests."
So what? Of course they were armed. Of course they had bullet proof vests. The sole purpose of using words like that (by a writer) is to get the goat of anyone reading and have them all up in arms about INJUSTICE of one type or another.
> They started to question me aggressively regarding my trip, my current employment, and my past work for Mozilla
What do you think? They should act like the concierge at the Four Seasons? Of course they are going to be aggressive. That's law enforcement attitude and there is a purpose for doing so.
> Given the devices were emblazoned with big red stickers reading "PROPERTY OF APPLE. PROPRIETARY," and he had signed confidentially agreements with Cupertino, Gal said he asked for permission to call his bosses and/or a lawyer to see if he would get into trouble by handing over access.
This is total BS. You don't need your bosses agreement when a request is made from Law Enforcement at least not because you signed some NDA etc. Fine that he attempted and asked. But the reason is weak.
> and threatened him with criminal charges should he not concede to the search
Cops are allowed to lie. Not sure what the story is with border agents but possibly the same. That is how they often get info.
> "My past work on encryption and online privacy is well documented, and so is my disapproval of the Trump administration and my history of significant campaign contributions to Democratic candidates,"
He is living in fantasy land here if he thinks there is some list of people that are being targeted for that reason. Not that it could happen but highly unlikely. It would take an entire Nixonian operation to pull that off. I think more likely since he came from a former communist state his thinking goes to this type of paranoia.
> Now, Gal has enlisted the help of the ACLU to probe into the brouhaha, and determine whether his civil rights were violated.
Yes everyone is looking either for more internet fame or a payout. Not sure why he needs to save the world and belabor the issue. Just move on and don't waste time.
> "Furthermore, CBP’s policies lack protections for First Amendment rights by allowing interrogation and device searches that may be based on a traveler’s political beliefs, activism, nation of origin, or identity."
Sounds like typical ACLU behavior for more publicity to aid fund raising (story on 60 Minutes):
https://www.cbs.com/shows/60_minutes/video/cm_lFZDERHcELSPw2...
ACLU got into high gear over Trump and sends out letters literally trying to raise money (I received one) clearly mentioning in so many words to take Trump down. Not the same organization that it used to be. On the 60 Minutes story iirc a former head of ACLU was interviewed and bothered by the current behavior.
I don't think most of those countries need a reasonable suspicion to demand password nor to do track how often they do it. https://www.newstatesman.com/law/2013/08/welcome-britain-bor...
"Apple employee gets mildly harassed at airport because of proprietary confidentially agreements" with
"A terrible, terrible tragedy, non US-citizen travellers agree" as a byline.
The main thing of interest here would be that maybe Mozilla should employ better hiring practices.
As you phrased your comment, it is entirely opaque to me what you intend to convey.
Also, Gal didn't make any sort of moral stand, he was simply defending his proprietary employer's interest. It's not the most sympathetic story.
So, in the end, the article only left me wondering how people who climb the ladder inside Mozilla, ostensibly an open and free environment, can easily end up at Apple, which revels in closed and proprietary environments. Maybe Mozilla should introduce some of the values they claim to hold into the hiring and promotion process.
Sorry for any confusion.
