Skip to content(if available)orjump to list(if available)

EFF Border Search Pocket Guide

EFF Border Search Pocket Guide

32 comments

·March 21, 2025
Visit

gardnr

Back in 2009, Bruce Schnier described a process to cross borders: https://www.schneier.com/blog/archives/2009/07/laptop_securi...

Etheryte

This is a bad idea for so many plain reasons that I'm not even sure how the author could propose this as an approach. What they're doing is functionally no different form saying "I don't know my password", it just includes a lot of extra steps and some fantasy that the border control guard will be interested in reading a blog post about encryption. Needless to say, don't do this, if you don't want to share your data, it's easier to not take it, back it up and/or transfer it later.

null

[deleted]

Spooky23

The smart move is to use an unsupervised burner iPhone for your travel with a different Apple ID, sign out of iCloud while transiting, don’t have email and text resident on it, and carry a Chromebook if need be.

Use a Yubikey with pin for access to the online accounts.

I advise all of our executives to do this, because you don’t know what’s hiding in your phone that some prick border dude will take issue with. That group text where your buddy talks about how Luigi was right could be interpreted as a threat.

sejje

Yeah, I'm just gonna syncthing it later.

walterbell

Some comments on that 2009 article.

  [1] Step 6 will probably never happen if you show a border guard or customs official an article about encryption. You will not get safely through customs, you’ll end up on a secret list and get hassled every single time you travel for the rest of your life. As the database you’re in ages (and people begin to forget how it was created), you might be simply barred entry into places you want to go.

  [2] This kind of elaborate setup will make you loose your computer at the customs. They will ask you to boot it up… when you’ll not be able to do that, they’ll will not listen to your story and will just keep the computer.

  [3] The solution you propose will just make you look like a dangerous bad guy to the border guards. They want to inspect your laptop, and you propose to tell them that you’re resorting to extreme measures to foil them. Very bad move.

  [4] Putting yourself in a situation where local police are holding you while they try to extort something from your family is what most people try to avoid when travelling!

readthenotes1

No one in, or on the border of, the United States should use a biometric lock.

The police can apparently force you to unlock

E.g., https://proceedings.nyumootcourt.org/2023/11/press-to-unlock...

giantfrog

Fun tip: If you have an iPhone, rapidly pressing the power button five times will force your phone to require a password before Face ID will work again. Turning your device off entirely will also necessitate password reentry.

IncreasePosts

Doesn't help if you're snagged and handcuffed before you can get to the power button!

giantfrog

Right, I'd recommend anyone worried about this to power off their laptop (assuming you've got full disk encryption turned on) and phone before going through security, customs, etc.

m463

for older phone it was power+down a few seconds.

throwaway8iep

Even US citizens have basically no rights at a border. You can be subjected to any search without warrants. And this applies to within 100 miles of a coast or border, which is pretty much every major city.

The real way to minimize risk is to not carry any sensitive data, as in the first item on that pamphlet, and restore from a backup once you get past the screening. This is a little difficult with mobile phones, however.

Quarrel

> Even US citizens have basically no rights at a border.

They have at least one more right than foreigners. They have to let you in. Foreigners can get turned back for almost anything.

I've always felt pretty secure coming home for that basic reason (plus, it is where I am at least somewhat familiar with the legal system and could actually call a lawyer if I had to, my meds are all from local prescriptions etc etc).

But yeah, they can still search the hell out of you, delay you etc, just like anyone else.

dtgriscom

> They have at least one more right than foreigners. They have to let you in.

I don't believe that's true, at least in practice.

null

[deleted]

jsheard

Disabling biometrics the whole time you're in the US is a bit extreme unless you have a target on your back, but most phones have a way to quickly disable biometrics until you next unlock with your PIN. At least learn how to do that just in case the shit unexpectedly hits the fan, on iPhones you press the power button 5 times in a row.

jjulius

>Disabling biometrics the whole time you're in the US is a bit extreme...

How on Earth, in any situation, for any reason, can inputting a PIN instead of using your fingerprint be considered... "extreme"?

Spooky23

My employer requires alphanumeric passcodes. So you can’t do it single handedly.

It’s also pretty moot in a customs environment. If you use your phone, chances are there’s a camera angle on your pin entry, and they have tools to crack numeric passcodes.

jsheard

Disable it if you want, I'm just offering an alternative for people who wouldn't bother taking that precaution because it's inconvenient. You're not going to convince everyone to take the full measure, and a half measure is better than no measure.

giantfrog

I'd argue it's not extreme enough: Use an alphanumeric password or passphrase, as long as you can tolerate, instead of a PIN.

readthenotes1

"unless you have a target on your back"

If you are in, or on the border of, the United States, it's reasonable to assume you have a target on your back.

Otherwise the courts would not have made such ridiculous rulings.

null

[deleted]

userbinator

It must be said that having this document in your possession when crossing the border may itself lead to suspicion.

unethical_ban

It's a travesty this is allowed. I can hide all data encrypted on the internet and remember a simple passphrase to download it. Searching a phone is nothing more than an opportunistic invasion of privacy without cause.

I'd blow my phone away prior to crossing shady borders, and recover access by memorizing my password safe password and writing several backup 2fa codes.

bauruine

Is there a list of countries that may do border controls of your devices and what rights you have and don't have in each? Basically a guide like this for more than the US.

gausswho

What is an ergonomic way to image an unlocked Android (or GrapheneOS) phone, pre and post border crossing, from a secure encrypted backup?

mantiq

TWRP, though the decryption would probably have to occur prior to restoring the image (i.e. outside of twrp)

knowaveragejoe

This seems like a more effective direction to go in, instead of relying on encryption on your device and who knows what sort of legal BS you'd have to go through in order to get around being compelled to unlock said device.

arcmechanica

just carry a reasonably used decoy, they dont ask for all your phones

gausswho

i do, but who knows if they dig deep and i want a solution with little downtime to get to my usual locking down.

ashleyn

Honestly the only thing I can really suggest at this point is have separate devices used when traveling internationally, and be mindful of what you access or put on them. Plausible deniability boot volume works good for laptops. Dunno if any phone supports that.

null

[deleted]