Passports, passwords and borders

As more business and leisure travellers take their mobile phones and laptops abroad with them, the issue of personal data privacy has become increasingly controversial. Apart from the invasive questions asked on visa application forms, and the requirement to provide biometric data such as fingerprints, border officials in some countries are now demanding that some visitors disclose passwords for their digital devices before they are allowed entry.

The laws permitting officials to force you to unlock your mobile phone for a digital search differ across the world and are generally quite unclear.

The US has been particularly active in seeking out further data about potential visitors. Just last month it was announced that travellers will now be required to provide much more precise information about their social media activity; while it is clearly stated on the application form that detailing usernames and accounts is optional, it would seem obvious that a failure to do so could result in further investigations being made, both before and after attempted entry into the US.

Even though a visa may have been granted, travellers arriving at the US border are not guaranteed entry into the country. Border authorities are allowed to request passwords for your mobile phone or laptop, and for password-protected apps, and travellers are “obligated” to help the agents search their devices. Refusal to disclose the information could result in you being denied entry into the US and also in your device being seized.

The searches of mobile phones at the US border have led to The American Civil Liberties Union and the Electronic Frontier Foundation, a privacy group, mounting legal action: they argue that the inspections without a warrant could be unconstitutional.

Citizens of some countries will come under greater suspicion than others. Donald Trump’s well-publicised ban on Muslim travellers from Iraq, Syria, Sudan, Iran, Somalia, Libya and Yemen established the foundation and rationale for the latest moves.

Essentially, the US authorities aim to enhance their abilities to identify people associated with terrorist groups; social media provides key information about a person’s activities and contacts, such as membership of groups, and communication with other like-minded people across the world. It would be a mistake, however, to assume that border agents are only interested in links to terrorism, or in people from certain countries believed to pose a threat to the US. It is entirely possible that membership of certain political movements, for example, could lead to concerns.

Importantly, the data that is collected on the visa application will be retained for three years, whether or not the applicant was approved for entry into the US. After this, it will be archived for a further 12 years, where it will remain accessible by national security and law enforcement agencies.

The US is not, of course, the only country carrying out increasingly intrusive investigations into prospective visitors.

In 2017 a Canadian man was arrested at Halifax airport when he refused to disclose his mobile phone password; and in 2019 a lawyer claimed that his laptop and phone were seized when, citing client confidentiality, he declined to hand over his data at the Canadian border.

In 2018 New Zealand was heavily criticised after passing the Customs and Excise Act which allows border officials to force tourists and business travellers to unlock electronic devices such as mobile phones to allow a digital search to be conducted. Those refusing to comply with the request could be fined up to NZ$5,000 (£2,500). Similar legislation has also come into force in Australia: the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was passed last December.

In the UK, the principles for allowing border searches have been defined in law for much longer. Schedule 7 of the Terrorism Act 2000 allows both the police and immigration officials to demand the disclosure of password information. A prominent case testing the law was seen in 2017, when a director of the controversial campaign group Cage was found guilty of obstructing police after refusing to divulge his phone and laptop passcodes at Heathrow Airport. His appeal against the conviction was refused.

Travellers should certainly assume that other countries around the world will make similar demands, whether or not the legislation in force there stipulates this clearly.

In the Middle East, for example, Israeli border officials were already reportedly asking some travellers in 2012 to log into their email accounts on entry to the country. There has been some debate over the criteria for choosing which individuals to select to be subjected to the digital sweep, with one lawyer claiming that the searches are only applied “selectively” — often targeting political activists, or even based on racial profiling.

The US Department of State mentions both Israel and Saudi Arabia as countries in the Middle East where travellers’ electronic devices may be subject to inspection upon entry, though no such warnings are given about other countries in the region.

Sometimes governments will raise complaints with their counterparts when there are new concerns about the treatment of their citizens. For instance, at the end of May it was reported that Russia had requested an official explanation from China over a reported new policy involving the phones of Russian citizens being randomly seized and searched by Chinese border guards.

When travelling abroad, you should assume that border agents in any country will cite policies allowing them to search your device if that is what they are intent on doing: whether or not their respective laws permit them to demand passwords is a different matter, but if you refuse to comply with such a request you can be denied entry and have your equipment confiscated.

Of course, personal data – banking login info, medical details etc - is an extremely valuable resource: if it gets into the hands of a criminal, it can be worth selling on the Darknet. But as well as that, the business traveller is likely to be carrying confidential information which could be useful to certain nation states. This could be invaluable for companies operating within your sector, but some countries might also be more interested in obtaining your data for cyber espionage purposes: the governments of Iran, China, Russia and North Korea have all been identified as sponsoring extremely well-organised and capable hacker groups for the purpose of stealing propriety information.

In short, it is difficult to assess the likelihood of being stopped at a border and asked to hand over your digital information to immigration officials. The current best practice for all travellers is simply not to take a device with you that you do not want to be searched.

What is evident is that information on this issue is unclear, and both business travellers and tourists are advised to take some basic steps to protect their personal privacy.

  • Take a different phone or laptop that is not used for important personal/business data
  • Store data in the cloud rather than on your device
  • Use different passwords across accounts
  • Use two-factor authentication
  • Back up your data

If you do take the same device:

  • Delete data you do not need to take
  • Close down your social media accounts if you are concerned about any posts or photos that may be stored on them

And finally, never argue with border officials. Hand over your devices and passwords if you are requested to do so. Otherwise, be aware that you might have your equipment confiscated, and possibly be refused entry into the country.