There's a whole world of bad security advice going around about traveling in and out of the United States. It's largely because under the Trump Administration there has been an uptick in Customs and Border Protection agents searching the phones and digital devices of travelers at airport checkpoints.
While traveling inside the US border, it's important to know that the TSA isn't supposed to confiscate laptops, search digital devices or demand passwords. The agency's site states: "Should anyone at a TSA checkpoint attempt to confiscate your laptop or gain your passwords or other information, please ask to see a supervisor or screening manager immediately."
But Border Patrol can. That's because it exists in a gray area not exactly protected by the Fourth and Fifth amendments, which ostensibly protect us from unreasonable searches and self-incrimination, they've been doing it for years.
If you've been following the news, you've probably noticed that it's only getting worse when it comes to demanding passwords and searching people's electronic devices. Just last month US citizen Sidd Bikkannavar was detained upon his return from a vacation in Chile. Border agents strong-armed him into turning over his phone's passcode, which was owned by his employer, NASA's Jet Propulsion Laboratory.
No sensible person is going to want to give up her password -- but we have little choice. Yes, you should encrypt your phone, close out of all apps when going across the border, and make sure everything is password-protected.
But if they ask and you refuse to give them your password or pretend you don't know it, they will make life very difficult for you. They'll detain and interrogate you, handcuff you while demanding your password, confiscate your devices for days (or longer) and possibly refuse you entry into the US. Increasingly, border enforcement is copying the contents of devices and keeping them, though CBP isn't supposed to keep that data longer than a week.
Once border agents have your password, we have to wonder, what do they do with it? Where they keep it, how secure it is, and how long they can hang on to it?
The answer to the last question is, probably indefinitely. What's worse, it's anyone's guess who sees your password, or how well it will be secured. It's also fair to assume it can be used again during future border encounters.
When asked, a Customs and Border Protection spokesperson told NextGov that the agency can indeed record and store a password to facilitate digital searches once a device has been detained. "The spokesperson did not say whether the password would be deleted from a traveler's record after the search is over," NextGov wrote.
In fact, according to NextGov, data in the system can be kept for upward of 75 years -- or for the duration of a "law-enforcement matter" or any "other enforcement activities that may become related."
"One of the few laws that would constrain how CBP would collect, keep and disseminate personal information is the Privacy Act of 1974, which regulates how federal agencies treat sensitive personal data. But the Homeland Security Department, CBP's parent agency, exempted TECS from that law since at least 2009."
Sure, the Twitter watercooler of jaded security "cool kids" will say, duh, only stupid people wouldn't change their device passwords after a border search. But most of the people currently being traumatized by border agents are likely focused on other things once they emerge from interrogation. And they're probably not thinking about whether their passwords or PINs are reused across multiple services.
This practice opens up a whole new avenue for abuse by a class of enforcement officers who aren't exactly having a good time in the press with their reputation.
Agents could shake down people they think are attractive, or those they want to humiliate. Those truly lacking a moral compass could then try travelers' passwords on other accounts -- if it worked on a phone or tablet, maybe it'll work on their bank accounts, too. And this isn't pure paranoia: Border agents have been caught condoning, aiding and covering up the wrongdoings of managers for all manner of bad behavior, including harassment.
Painting this trend as anything but dangerous to the individuals most at risk of exploitation -- travelers crossing our borders and everyone they're connected to -- is so flagrantly irresponsible it's inevitable that we're going to learn a painful lesson the hard way.
Really, if anyone is collecting travelers' passwords, it's only a matter of time until we find out if they're being abused, and how. Or maybe a database gets popped by hackers and put online. Or perhaps some negligent idiot will just leave a database of passwords exposed to the entire internet.
Ultimately, we're putting people at risk in the name of reducing risk, which is as pointless as it sounds.
Image: John Moore/Getty Images (Border Patrol check)