Would you hand over your phone to enter the US?

Soon foreign visitors entering the US may have to hand over their smartphone and share social media passwords with border officials. Oliver Pickup investigates the privacy and human rights implications of this new proposed policy

Would you be happy to hand over your smartphone along with the passwords to your social media accounts for forensic inspection by customs agents upon entering a country? A high majority of us would bristle at such a request and feel violated, with good reason.

This hypothetical intrusion could become a reality for visitors to America – and sooner rather than later. More alarmingly, should these ‘extreme vetting’ measures mooted in a speech by John Kelly US Secretary of the Department of Homeland Security (DHS) earlier this year, be approved other countries are likely to follow suit.

In February, Kelly, a former Marine Corps general appointed by Donald Trump last December, told Congress that his department would be considering forcing refugees and visa applicants from seven Muslim-majority countries to hand over their devices and reveal login information for Facebook, Twitter, and so on, as part of security screening. Noncompliant travellers will be refused entry, he warned.

“It applies under certain circumstances, to individuals who may be involved in on the payroll of terrorist organisations,” he explained. “We want to get on their social media, with passwords – what do you do, what do you say? How are you living, who’s sending you money? We can follow the money, so to speak. If they don’t want to cooperate, then you don’t come in.”

In April this stance was hardened, when Gene Hamilton, a senior counsellor to the DHS, indicated in an interview with The Wall Street Journal that visitors to the US from the 38 countries that participate in the visa waiver programme, including the UK, might also be scrutinised at the border. Hamilton said: “If there is any doubt about a person’s intentions coming to the United States, they should have to overcome – really and truly prove to our satisfaction – that they are coming for legitimate reasons.”

Interestingly, obtaining visitors’ passwords was contemplated in private by the DHS when President Trump’s predecessor, Barack Obama, was in office. The policy was rejected in 2011, a former senior official in the department revealed a couple of years ago. By making a public announcement, Secretary Kelly has taken a different approach and alarmed privacy lawyers and human rights organisations.

Privacy concerns

Cynthia Wong, a senior researcher at Human Rights Watch (HRW), says that if the proposal is ratified it would represent “a sweeping threat to human rights”. She tells Raconteur: “Social media accounts are the keys to our digital lives. Demanding passwords would grant access to potentially years’ worth of private communications or membership in private groups. Such an intrusion could expose our most private thoughts, relationships, and political views, as well as information on our purchase histories, health information, and sexual orientation.

“This is an enormous intrusion on privacy and will have a chilling effect on speech and association. People will feel reluctant to join controversial online groups or express unpopular opinions if it may affect their chances of obtaining a visa.

“The proposal could also potentially give access to far more information than what is in our Facebook account. Many websites and mobile applications now allow you to use your Facebook, Google, or Twitter account to log in to their services. Secretary Kelly has given no explanation of what would restrain the government from using credentials to access other kinds of accounts, nor prevent the government from repeatedly checking accounts, or even modifying settings or manipulating our digital lives with this information.”

San Francisco-based Wong believes that the proposal also raises cyber security concerns. “The first rule of online security is: ‘Don’t share your password.’ Even the Federal Bureau of Investigation teaches this in its digital security curriculum that it provides for primary school students,” she notes.

“Implementing Kelly’s proposal would require the creation of a database of social media accounts, passwords, and contact lists. Such a database would become an irresistible target for cyber criminals and foreign intelligence agencies, who would attempt to gain access to it. Given the history of serious data breaches of US systems in recent years, how confident can we be that this data would be kept secure?”

The American Civil Liberties Union (ACLU) is equally concerned about the prospect of this extreme vetting, though similar practices already take place, according to staff attorney Esha Bhandari, who questions the legalities of electronic device searches by the Customs and Border Protection (CBP) officers. She cites the Fourth Amendment of the US Constitution, which provides “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”.

“Unfortunately, since at least 2009 the government has had a policy in place that allows suspiciousness searches to be conducted by CBP officials, which means anyone who is returning to the United States can be asked to turn over their electronic devices,” Bhandari says. “The ACLU believes that doesn’t purport with constitutional requirements and that in fact the government needs to have a warrant before it can do that kind of search.”

Resisting inspection might not be advisable, though, suggests Bhandari. “The practical reality is that what people can do at the border really depends on their immigration status,” she says. “So even though we oppose the policy when we give practical advice for citizens and returning green-card holders, and they can say ‘no’, they do face the risk of being detained for longer – we’re talking a matter of hours, not days.

“And then there is the possibility that the CBP will seize their device. They may run a forensic search, which is essentially a computer strip search. All files, metadata, and even deleted files that the person doesn’t know are still on the device, can be downloaded.”

Bhandari points out that in the last 18 months – even before President Trump’s reign began – there has been “a large jump in the number of devices searched”. Indeed, the latest figures from CBP, released in April, show that the rate of digital border searches for 2017 is on course to quadruple the 2015 figure. In the six months to April almost 15,000 travellers had one of their devices searched at the American border, in 12 months from October 2014, the amount was 8,503, though in 2016 the level reached 19,033.

Implementing Kelly’s proposal would require the creation of a database of social media accounts, passwords, and contact lists. Such a database would become an irresistible target for cyber criminals

The CBP states that it is their officers’ “mission to protect the American people and enforce the nation’s laws in this digital age” which has led to “the increase of electronic device searches”. Bhandari argues that the “general lack of transparency around this issue” is what is truly worrying, and adds: “Even when the government releases these aggregate numbers, it doesn’t necessarily tell us what the reasons were behind those searches, or at least the purported reasons for the increase. What are the nationalities, the racial and ethnic backgrounds, of the people being searched? Are minority groups being targeted? This is causing confusion.”

Little wonder that in March – following reports that in the previous month customs agents had seized and demanded the PIN for the smartphone of a NASA employee and US citizen, and also denied two Moroccan Canadians entry into the country, after rifling through their phones – a ‘coalition’ of human rights, civil liberties organisations, and trade associations, including HRW and ACLU, set up a petition, entitled ‘Fly not spy’, and wrote an open letter to Secretary Kelly in a bid to halt the process. It urged him to “reject any proposal to require anyone to provide log in information to their online accounts as a condition of entry into the United States”.

‘Demanding log in information is a direct assault on fundamental rights,’ it read, ‘and would weaken, rather than promote, national security … This intensive examination of travellers’ digital lives jeopardises the security of the United States and its citizens and others abroad.’

President Trump’s tightening of American border control has certainly had a negative impact on tourism. Travel intelligence company ForwardKeys discovered a 6.5 per cent drop in inbound flight bookings in the eight days following the imposition in January of an executive order to block entry for citizens of seven Muslim countries. And the ‘Trump slump’ is likely to deepen if Kelly’s policy is approved.

Cheapflights published a poll a month after President Trump took office that revealed almost a third of Britons (29 per cent) said they will not now consider holidaying in America, and flight searches to the country have dropped by 13 per cent overall. “That these measures could be extended to visitors from the 38 countries that participate in the visa waiver programme is potentially very damaging to the US tourism industry,” Andrew Shelton, the global flight comparison website’s managing director, explains.

“UK travellers contribute nearly $5 billion a year to the US economy – and last year New York was the most searched-for destination in the world by Britons using Cheapflights – but if a third of them have been put off holidaying in the US because of President Trump’s controversial actions, and the government persists in this unwelcoming vein, then the estimated cost would exceed $1.5 billion.”

Can Kelly’s proposals be halted before they become law?

“We have not seen any language yet,” says the ACLU’s Bhandari, “but there was a document [Notice of Information Collection Under Office of Management and Budget (OMB) Emergency Review: Supplemental Questions for Visa Applicants] published in the Federal Register on May 4, which appears to be a version of the discussed extreme-vetting measures.”

The notice asks for social media handles or identifiers used in the past five years, though it’s unclear whether passwords will be demanded. Crucially, the notice has been posted by the Department of State, which processes all visas through its consulates, rather than the DHS. The indication is that the government wants this passed quickly, and there is a shortened period of time for comment, with all submissions required by 18 May. In theory, this won’t need to go through Congress. However, senators can still play a part, as evidenced in April when Senator Wyden introduced The Protecting Data at the Border Act to impose heightened requirements for device searches; now border agents must obtain a warrant before searching Americans’ phones.

Demanding log in information is a direct assault on fundamental rights

Torontonian James Donaldson, CEO of information technology security company Copperhead, is not surprised that these measures are close to being enforced. “This is what happens when nations move in to the 21st century,” he says. “The flow of data does not check for borders, and it is only a matter of time until a policy like this is enacted. Hiding encrypted files or refusing to unlock passwords will only exasperate an already stressful situation.”

Whatever happens, precautions can be taken by travellers to limit the data stored on their devices. “I advise to back up all necessary data, wipe devices clean, and then travel over the border,” says Donaldson.

Likewise, Ryan Lackey, a Seattle-based founder of a stealth security startup, uses a locked-down Chromebook and an iPhone which synchronises with a non-sensitive Apple account when he flies. “The basic principle is: don’t transport anything across a border, where you might be subjected to search, with anything you’re unwilling to have searched,” he tells Raconteur. “That includes physical objects, laptops, phone, and online accounts.”

Lackey encourages journalists with privileged source material, or lawyers with client records, et cetera, to encrypt sensitive data securely, upload it to a cloud service – which can be accessed once in the country – and wipe the computers and phones being taken across the border.

The new normal

To limit the effectiveness of these extreme-vetting border searches, this annoyingly time-consuming procedure is likely to become the norm across the globe, if Kelly’s proposals are sanctioned.

“It’s a big concern that the US model can be adopted by other countries, and this might become a condition of international travel,” says Bhandari. “Just think about what that would do to freedom of expression. Many human rights activists who live in repressive countries use social media as a liberating tool, to organise and discuss ideas. If every government starts demanding and collecting that information and surveilling social media activity, that’s going to have a really chilling effect on people’s ability to organise, to speak freely, to criticise their governments. That would be a huge loss for human rights.”

She adds: “It’s critical that we push back on these policies when we see them in the United States, not only because it impacts travellers to the United States, but because this could really have a significant and damaging impact across the world.”