Earlier this week, Homeland Security Secretary John Kelly told Congress the Trump administration may soon require that visitors to the United States provide their social media passwords and internet activity history to DHS agents before entering the country.
In response to a question from Congressman Higgins about what DHS will do to make sure visa applicants don’t mean harm to the United States, Kelly said:
[I]f they come in…we want to say for instance, ‘What sites do you visit? And give us your passwords.’
So that we can see what they do on the internet. And this might be a week, might be a month. They may wait some time for us to vet. If they don’t want to give us that information then they don’t come. We may look at their—we want to get on their social media with passwords. What do you do? What do you say? If they don’t want to cooperate, then they don’t come in.
There’s other things like that. So these are the things we’re thinking about. No one should take this as this is what we’re going to do right now. But over there, we can ask them for this kind of information. And if they truly want to come to America they’ll cooperate. If not, you know, next in line.
It appears as if Secretary Kelly was talking about demanding social media passwords and internet history records during the visa application process, but there are reasons to fear the Trump administration could extend these surveillance demands to other groups—even US citizens and legal permanent residents.
Since Trump’s inauguration, people including US citizens have taken to social media to complain about civil liberties violations at borders. The Council on American Islamic Relations (CAIR) of Florida recently filed complaints with DHS over allegations that Customs Border Protection (CBP) agents demanded cell phone passwords, confiscated devices, and asked political and religious questions of at least ten US citizens at the border. In one case, a US citizen said CBP agents physically attacked him when he refused to give them his cell phone password. A Canadian citizen was denied entry to the United States after he told CBP agents he prayed five times a day, according to CAIR.
Meanwhile, a complaint filed by the Center for Constitutional Rights (CCR) contains affidavits and declarations from dozens of immigrants and their attorneys alleging shocking CBP abuses. Slate reports:
According to these testimonials, CBP officers violated immigrants’ rights, contravened multiple court orders, and acted with reckless disregard to the law. The declarations and affidavits allege that elderly immigrants were denied access to food, that lawful immigrants were forced to sign forms they didn’t understand, and that infants were held for no reason. Multiple people were allegedly deported after judges had forbidden such deportations, and others were allegedly denied access to counsel after judges had required that such access be granted.
In the face of these attacks on our basic rights, the ACLU will continue to fight back in the courts and in Congress alongside allied organizations like CAIR and CCR. But as of today, few courts have addressed the legal standard under the Fourth Amendment that applies to searches of electronic devices at the border, and we are aware of no opinions regarding social media inquiries at the border. The ACLU will litigate these cases aggressively, but systemic reforms often take time, and in the interim a lot of people may very well see their rights violated.
So what should you do if you are crossing a US border and agents demand your phone, computer, or passwords? Some practical steps to secure your information may help.
Disclaimer: This is not legal advice; you should consult an attorney about your particular situation, and you should carry an attorney’s contact information with you that you can provide to CBP agents if they seek your passwords. Further, by offering the following technological tips, the ACLU is in no way saying we think warrantless government searches are legal or appropriate. We continue to believe they are improper, but our opinion on the matter clearly doesn’t mean improper searches won’t occur. These are harm reduction tips to help you protect yourself in a constantly changing legal and regulatory environment. Our dispensing them shouldn’t be confused with approval of the government’s search policies, or a view that such government conduct is normal or appropriate.
- Wipe your phone and computer and restore them to factory settings before you travel. This is obviously an extreme measure, but may be the best defense against warrantless border searches of your devices.
- Alternatively, encrypt your computer and your smartphone, and use strong passwords. Shut down your devices before arriving at the border checkpoint (do not just put the devices to sleep). If you encrypt your devices and use strong passwords, it will be more difficult for agents to read your information if you refuse to give them your passwords. If you’re not a US citizen and you can’t risk getting turned away from the border for refusing to hand over your passwords, and you don’t want to completely wipe your devices, see below.
- Ship your devices to yourself before getting on the plane. But keep in mind that customs agents may search international packages and anything inside that they deem suspicious, so this is not a guaranteed way to protect your privacy. Make sure the devices are powered down before packaging them.
- If you don’t want to risk bringing your primary devices, you may want to consider buying cheap(er) devices to use when you travel internationally. For example, instead of bringing your iPhone and primary laptop, you could purchase a used, cheap smartphone and a Chromebook to use when you’re traveling. (If you use Tails with the Chromebook you’ll be even more secure.) You can wipe these devices before crossing borders, and you won’t have to worry about backing up lots of information because they won’t contain much to begin with.
- Change all your social media passwords to randomly generated strings, and bring them with you on a piece of paper. If you decide you need to, turn over the paper when asked for your passwords. Then, as soon as you’ve crossed the border, change the passwords again. This will minimize the window of time during which the accounts can be accessed. Note that this is potentially problematic if the social media service in question offers ways to set up other access to the account once in (e.g.”API keys” or “authenticator tokens” or whatever), because those keys can be used for future access. Social media platforms should provide users with an easy way to see and review all of those keys and to cancel them at will.
No matter what you chose to do, make sure the passwords protecting your phone and computer are robust. To learn how to create strong passwords, read this guide by the Intercept’s Micah Lee.
If CBP agents demand your social media or device passwords at the border, please let us know.
And finally, speak out against policies that violate civil rights and civil liberties. Call your representatives in Congress and tell them you oppose policies that infringe on people’s rights to privacy, religious and political expression, intellectual freedom, and freedom of movement. We may be able to implement some technological workarounds to rights violations like these, but ultimately we need to make sure our nation’s policies reflect our values. Demanding people turn over their social media identifiers and passwords at the border is an attack on our basic rights.
You might not want to share your political views with CBP agents at the border, but you should definitely share them with your elected representatives. Make sure they hear your voice so we can stop proposals like Secretary Kelly’s in their tracks.