Travelers, beware: When you take your gadgets abroad, maintaining the security of the data on your devices is just as important as protecting yourself from muggers. For whatever reason, foreign and domestic governments may have an interest in your personal data, including your social media accounts. This is not just theoretical. Several travelers, including US citizens like Haisam Elsharkawi, were recently pressured into giving officers from the US Customs and Border Protection access to their cellphones at the airport.
Some travelers now face additional privacy risks because of a new regulation that separates them from their computing equipment. This week, the Department of Homeland Security announced that passengers traveling from eight majority-Muslim countries to the United States could not bring devices larger than cellphones onto planes. So computers, tablets and other devices will have to be stowed in checked luggage.
Legally, citizens are not required to unlock their cellphones or share their passwords with US government officials. But rules may vary depending on where you are traveling to and from. And any stopping by a government official can be inconvenient, and even intimidating.
What to do? There’s one thing all the experts agree on: Do not lie to government officials about your passwords or social media accounts. “They’d make your life miserable if they found that out,” said Jeremiah Grossman, the head of security strategy for SentinelOne, a computer security company. But there are methods for safeguarding your cellphones, tablets and computers from invasive searches, all while remaining honest. Here are some of the best tips, based on interviews with security and forensics specialists.
Consider a cheap device
The best way to prevent your information from being searched is to travel with a device that never had any of your data in the first place. It’s a wise idea to invest in a cheap smartphone or computer that you use only abroad: You don’t want your nice equipment to get lost or stolen while traveling, anyway, let alone searched by border agents.
So leave your fancy equipment — along with your photo album, Facebook, Snapchat and Twitter apps — at home. Which devices to buy? Android phones, including the $100 Moto G4 Play that comes unlocked so that it can work with foreign SIM cards. For cheap computers, consider a $550 Acer laptop or a $430 Dell Chromebook.
Disable fingerprint readers
Fingerprint sensors, like the ones found on many Apple and Android smartphones, are a nifty security feature for unlocking your phone quickly. But Jonathan Zdziarski, a security researcher who has taught forensics courses to law enforcement agencies on collecting data from smartphones, said your best bet when traveling was to turn the feature off. That’s because in the US, law enforcement agencies have successfully used warrants to compel people to unlock their cellphones with a fingerprint.
But because of your right to remain silent, it would be tough for the federal government to force you to share your pass word. So disabling your fingerprint sensor when traveling is generally a safer move.
Don’t memorise your passwords
The best way to protect your passwords is to not know them. When resisting a data frisk, it is easier to say you didn’t memorise your password as opposed to refusing to provide it to border agents, Grossman said. Password management apps like 1Password and LastPass can automatically create strong, lengthy passwords for all your online accounts and keep them stored in a vault that is accessible with one master password.
However, Grossman said you are better off traveling without your password management software loaded on your devices so that you won’t be asked to hand over the master password to your vault. You could store a copy of the password vault on a cloud service like Dropbox and get access to your vault of passwords when you reach your travel destination, he said. An alternative to using a password-managing app is to write your passwords down and leave them with someone you trust.
Use two-step verification
In the unlikely event that you are asked to provide a password to your email or social media account, having two-step verification enabled will act as an extra safeguard — assuming that you left your primary cellphone at home.
With two-step verification turned on, whenever you enter your password, you will receive a text message with a one-time code that you must enter before you can log in. Because the message containing the code would be sent to your phone at home, a customs agent wouldn’t be able to log in to your account even if you gave up your password.
Of course, two-step verification could make logging into your accounts difficult for yourself if you left your primary cellphone at home. You could always leave your phone with someone you trust and contact them to ask for codes when you are trying to log in.
Encrypt your devices
Whether you are using a burner device or your own, always make sure to lock down the system with encryption, which scrambles your data so it becomes indecipherable without the right key.
Desktop apps like BitLocker or Apple’s FileVault let you encrypt your hard drive, requiring a pass phrase to decrypt your files. To avoid surrendering this pass phrase, you could jot it down and hand it to a friend and contact that person for the pass phrase after crossing the border.
Back up to the cloud, then wipe before you cross
When you’re traveling, at minimum you will need access to your address book and calendar, and you may also want to take some photos. But this is all sensitive information that border patrol agents could get their hands on. Your best option is to back up your data to a cloud service and then wipe, or erase, all the data from your device before arriving at the border, Zdziarski said.