Nieman Foundation at Harvard
It’s not a bad time for journalists to be exercising a little extra caution.
Last July, Maria Abi-Habib, a Middle East correspondent for The Wall Street Journal and an American citizen, was detained upon her arrival at Los Angeles International Airport and asked for her phones. Abi-Habib refused and was ultimately allowed to leave, but the incident was a troubling reminder that the protection of digital data at the U.S. border is a legal gray area — and under the Trump administration, U.S. Customs and Border Protection agents appear to be increasing what they are asking even American citizens for at the border.
This month, homeland security secretary John Kelly proposed requiring social media logins from foreign visa applicants in a move that organizations like the Electronic Frontier Foundation fear could eventually extend to American citizens as well. In fact, CPB agents demanded eight Muslim Americans’ social media account information and mobile phone passcodes at the border, according to recent complaints filed by the Council on American-Islamic Relations. And in January, U.S. citizen and NASA scientist was detained at the border until he unlocked his phone.
U.S. Senator Ron Wyden announced his intention this week to introduce legislation “that will guarantee that the Fourth Amendment is protected at the border by requiring law enforcement agencies to obtain a warrant before searching devices, and prohibiting the practice of forcing travelers to reveal their online account passwords.”
“We are recommending that people think about their digital privacy at the border before, during, and after travel,” said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation. That is especially good advice for journalists who may have sensitive information on their devices and in their social media accounts, but who do not have as much legal protection as, for example, attorneys entrusted with client information.
Surrendering a password isn't just about you. By doing so, you potentially compromise everyone you've ever communicate with on that platform
— lex (@lex_is) February 10, 2017
The most foolproof solution for journalists concerned about security is to simply not carry devices across the border with them in the first place. “Not having your stuff is the best solution,” said Bruce Schneier, a security technologist and fellow at Harvard’s Berkman Klein Center for Internet & Society. But he acknowledged “it’s a very hard solution to implement because we live our lives on social media. That’s why this is such a devastating affront.”
Let’s say that, for whatever reason, you’re a U.S. journalist traveling into the country with a device that has a social media account on it. In this less-than-ideal (but very likely) instance, you can take important steps that don’t cost anything and don’t require much technological expertise. (This information is aimed at U.S. citizens, but most of it should apply to non-U.S. citizens as well; the main — and important — difference between the two groups is that a U.S. border agent can’t block a U.S. citizen from entering the U.S. merely because they refuse to unlock their device — though the device may be seized — while non-U.S. citizens can be denied entry and may have little legal recourse.) Consider this a guide for the probably-fine-but-slightly-paranoid among us. (There is plenty of much more advanced travel security information out there for those who need it, although you may already know if you are one of those people; start here.)
These steps are worth taking even if you believe you’d be able to hold your ground when asked to give up a password. “Interrogation at borders — particularly if you’re a member of a more marginalized community, or your immigration status is in question — puts people in a very vulnerable position,” said privacy advocate Lex Gill. “Border agents have extraordinary amounts of power, and the situation can be intimidating, such that people might feel obligated to provide information even when they have a right not to.”
By disclosing your Twitter password, you expose not only private tweets and DMs, but login history as well (date, time, location) #travelsec
— Runa Sandvik (@runasand) February 10, 2017
Even in a situation when there’s no legal obligation to disclose a password, “physical discomfort can make people do a lot of things that they wouldn’t ordinarily do. By the time people are taken aside, they may be tired, they may be separated from traveling companions, they may worry about missing a flight, they might be afraid or anxious, they might have to pee,” Gill said. “So some people will eventually have a point where they’ll disclose on a voluntary basis. This is why it is important for people to evaluate both their legal and ethical obligations before crossing a border, and decide in advance how they want to handle these kinds of requests and these difficult situations. In some cases that might involve thinking through and making a plan for how to politely decline to hand over a password.”
It’s a lot easier to refuse to disclose your social media passwords if you don’t know what they are. “The only way to protect yourself is to not have the information,” said Schneier.
One option is to use a password manager, like KeePass (here’s a guide to using it), that generates long, random, and impossible-to-memorize passwords for all of your different social media accounts.
You can also give a friend (or an attorney) your social media passwords before you travel, then have them change the passwords to something they know and you don’t before you’re scheduled to land. Once you are through security, you can change them again.
A third option is to turn on two-factor authentication for your social media account. (Here’s how to do this for: Facebook, Twitter, and Instagram — but it’s still not available for all Instagram users.) Two-factor authentication means that, in order to get into an account, you need something you know (a password) and something you possess (a device like a phone).
Two-factor authentication won’t help you at the border if the second factor is in your possession (if, say, the code generated by the Twitter app on your phone gets texted to your phone). So you can set it to be texted to the phone number of a friend who isn’t traveling with you — or to an attorney.
Delete password manager or authentication apps (like Google Authenticator) from the devices that you’re traveling with. Sign out of social media, email, and other personal accounts and turn devices off before you go through customs. Make sure that passwords and backup codes aren’t stored on your devices.
Disable everything that your phone allows to access data from the lock screen. It is just attack surface and unauthorised access exposure.
— the grugq (@thegrugq) February 21, 2017
“As a legal matter, while the state of the law is in flux, there is currently less protection against compelled fingerprint unlocking than compelled password disclosure,” the Electronic Frontier Foundation notes. That’s why it recommends that the functionality be turned off at border crossings (as well as in other situations, like protests).
In addition, make sure to enable full-disk encryption on any device you are carrying so that, in the event that it’s seized, the data on it remains unintelligible. (If your device is taken and later returned, you should never use it again.) ArsTechnica’s guide to encryption for phones and laptops is here. Most recent iOS devices are encrypted by default, but check your settings.
Talk with the organization you work for about developing a policy for border crossings so that in the event you are detained and asked for your passwords, you have a prepared response. Again, “it’s not just the technical or legal issue, it’s the human dimension — what’s easy for someone who’s tired, uncomfortable, and scared to say,” Gill said.
This could be something like: “I’m sorry, I can’t give you my password because the policy of [organization] is that I’m actually not allowed to travel across borders with passwords to devices that may contain source information. The general counsel for [organization] has actually reset the password on my device and is the only one who is able to clear it.” Carry business cards with you to make it clear that you are a journalist.
It may seem as if taking these steps is excessively cautious — and in most cases, it will be. “Most of the time, you will go through all the work and nothing will happen,” Schneier said. “There’s no good answer for that. But the time you forget is the time they’re going to do something.”
