US border forces are seizing Americans' phone data and storing it for 15 years

Even if you are a person who will never in your life end up as any kind of person of interest for the government, handing over data in this way could still be quite dangerous.<p>Phones will often contain data that can facilitate theft and fraud if ending up in the wrong hands. If they&#x27;re able to copy everything, including private data from all apps that could be quite bad. For example many countries now use apps to login to online banking, with private keys for the login stored in the app. Will that be copied? Will it ever be found out if one of the 3000 government officials with access to this data sold it on darknet markets?<p>Maybe some months after your travel you suddenly wake up one day to find all your money transferred from your bank account to some account in Nigeria.

Terrifying for only 2 reasons:<p>1. Any malicious person savvy enough to pull off a crime of interest to the Feds is smart enough to provide a wiped or burner phone to DHS&#x2F;ICE, and they have to know this. So, what is the point in doing this if not to target law abiding citizens.<p>2. USGOV has a spotty track record of keeping this information secure. A foreign actor is likely to access this info eventually. As one former government official once joked many years ago - concerning Chinese hacking - &quot;Well, its probably more secure in the CCP&#x27;s data center, so I wouldn&#x27;t worry.&quot;<p>This is the problem when a non-technical generation makes the rules and regs. Luddites ought not be permitted to ascend the GS ranks.

Reminder for the folks using iPhones, you can prevent law enforcement from doing this by &quot;pair locking&quot; your device: <a href="https:&#x2F;&#x2F;arkadiyt.com&#x2F;2019&#x2F;10&#x2F;07&#x2F;pair-locking-your-iphone-with-configurator-2&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arkadiyt.com&#x2F;2019&#x2F;10&#x2F;07&#x2F;pair-locking-your-iphone-wit...</a>

On my last trip back from Europe in June, when I re-entered the US, US Customs &amp; Border Control didn&#x27;t ask for my passport. No one did. They did wave a webcam connected to a computer in front of my face, and then a moment later, called out my name and said I could enter. Same with everyone coming through the international border area.<p>I think that&#x27;s just as weird a development and worthy of &quot;WTH?&quot; as this topic.

This happened to me in 2016 crossing into Canada. Borders agents took my phone for no reason, demand I give them the password to unlock it (otherwise they would seize the phone), took it in the back for 45 min before returning it and letting me enter. I think it’s obvious they took all my data.<p>So now when I travel I just bring my “travel” phone with no sensitive data on it.

I&#x27;m not sure I missed something, the title says &quot;Americans&quot; but I couldn&#x27;t find an elaboration on exactly _who_ is subject to these searches. The ACLU [0] seems to contend that, at least, US citizens are not subject to these measures.<p>[0]: <a href="https:&#x2F;&#x2F;www.aclu.org&#x2F;know-your-rights&#x2F;what-do-when-encountering-law-enforcement-airports-and-other-ports-entry-us" rel="nofollow">https:&#x2F;&#x2F;www.aclu.org&#x2F;know-your-rights&#x2F;what-do-when-encounter...</a>

Honestly, as a non-American this scares me. I am absolutely not at all important and a fairly mediocre programmer as well, I don&#x27;t store compromising data about anyone, never stole code or company data in my life (and never will), etc., you get it. A normal law-abiding citizen.<p>I still don&#x27;t want to get my phone taken on an US airport and returned an hour later with God knows how many viruses that even Apple wouldn&#x27;t be able to detect on my iPhone.<p>It&#x27;s not about having something to hide. It&#x27;s about not liking it when people poke their noses in your business without you being a criminal. And no I don&#x27;t think installing backdoors on each device &quot;to catch the criminals more easily&quot; is a solution at all.

&quot;That&#x27;s when they can plug in the traveler&#x27;s phone, tablet or PC to a device that copies their information, ...&quot;. would really like to know which &quot;devices&quot; they are talking about. fkn hard to do a full android backup these days.. this world. im tellin ya.<p>on another note: lets talk about how one would go about keeping ones privacy intact aka having a party in the capitol.<p>1. will they be able to get into my cryptrooted pinephone &#x2F; hdd in those 5 days? 2. if not will this only make them more angry and privacy penetrating?

As a European I find it strange how the article and many comments here seem to focus only on it being US citizen&#x27;s data being hovered up by the boarder control.<p>No one&#x27;s private data should be taken without a legitimate cause, no matter their nationality.

Seems like real solution are phones that by default provided end-to-end-encryption for cloud backups, no local data “travel modes”, secure wipes, multiple logins, etc. — since trying to get countries to uniformly play by same rules seem highly unlikely.

Imagine having a knock on your door because you exchanged a few friendly text messages 15 years ago with someone who is being investigated for a crime committed today.<p>Citizens are suspects. Tourists are terrorists. Everyone is a potential criminal in the land of the free.

As a thought experiment, what would happen if you wrote your own malicious payload to a burner device and handed that over? What if you warned the border agents that your device would deliver malicious code and they plugged it in anyway?

This recently happened to me earlier this year. I am a U.S. citizen, coming back to the states from South America. I have not broken any laws nor do I intend to.<p>I put up a fuss and almost missed my flight, but they took both my laptop and cellphone into a back room with about 5-8 other people on my flight. Made me unlock of course.<p>Here is the pamphlet they let me take… saved and documented. They take down hardware addresses and more, and would not allow lawyers on the scene or for me to witness their search. Here are all the pages of the pamphlet:<p><a href="https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;qNovC83" rel="nofollow">https:&#x2F;&#x2F;imgur.com&#x2F;a&#x2F;qNovC83</a><p>As a tech worker and privacy advocate for all I was rightfully not thrilled. I still need to buy new hardware, I had no idea this was the case as far as data storage and 15 years but figured they probably upload malware and all that fun stuff. Neat. I have been a citizen my whole life.<p>Reading through the comments now, I am glad I learned a little. If they pull the stunt again I will happily deny and wait however long and just rebook a flight and maybe hire a lawyer. It’s a gross abuse of power.

Read the book &quot;Habeas Data&quot;<p>It&#x27;s a great overview of digital privacy and protection laws <i>in the US</i>, how they came about, and what protections they actually offer. The short answer is &quot;very few&quot; and the long answer is &quot;never ever ever turn over your data short of a court order and even then try to fight it.&quot;<p>Then with Third Party Doctrine, most of the few&#x2F;limited privacy&#x2F;warrant rules go out the window.<p>Also, I&#x27;m not a lawyer.

This (and similar issues) is the main reason that I donate a non-trivial (10%) part of my earnings to ACLU (and 2 other) organization.<p>Our rights and freedoms do not come without struggle. And they sure do not last without somebody constantly defending them. And it’s only bravado to assume that we can stand against the might of federal agents as individuals without dedicated organizations fighting for us.<p>Please donate to ACLU - as much as you can.

One thing I learned at Defcon 30 was how to break encryption at rest by just storing the encrypted data and wait for a quantum computer to be developed but storing it for 15 years wouldn’t be long enough (average guess of scientists were 50 years in the future).<p>It makes the NSAs Utah data center to have other applications like parallel reconstruction.

I wish the 2nd Amendment folks would care about the 4th Amendment just as much.

US CBP and other national border agencies change target priorities from time to time, which is reflected in the questions they ask you.<p>I recently had a long discussion with CBP about my Canadian passport showing a US birthplace. Under a repealed section of the INA my US nationality lapsed some half a century ago and I suspect a call was made to the Port Manager. Since then my entries have not discussed this point which leads me to suspect their system has been updated.<p>The current question is your plate number (already displayed by the camera). You need written permission from the vehicle owner to cross the border, even if the owner is family.<p>Border officers may also have quotas for more thorough examinations.<p>I remember a lawyer on radio saying that they take &quot;naked&quot; laptops across the border.<p>Most definitely DO NOT cross ANY border with anything that in the most remote possibility would trigger the interest of customs.<p>To sanitise a phone or tablet, fill it with dashcam video, encrypt and factory reset. Then set it up with a fresh Google or Apple ID.<p>Maybe leave your sim card at home.<p>Having repartitioned a tablet, I discovered that there is a massive amount of hardware data in partitions that most people are totally unaware of.

Is there any significant effort in progress to combat this practice? I see that EFF has some old articles on the topic but I don&#x27;t see anything current.

I submitted this the other day but it didn&#x27;t get any traction: the Protecting Data at the Border Act[0] is a thing, but has barely been touched by the relevant Senate committee since it was introduced nearly a year ago. As expected, it&#x27;s not perfect: it has some carve-outs, and only applies to US citizens (and maybe permanent residents; I forget the exact definition of &quot;U.S. person&quot;). But it would definitely improve things. Maybe something to bug your Senators about.<p><a href="https:&#x2F;&#x2F;www.congress.gov&#x2F;bill&#x2F;117th-congress&#x2F;senate-bill&#x2F;2957" rel="nofollow">https:&#x2F;&#x2F;www.congress.gov&#x2F;bill&#x2F;117th-congress&#x2F;senate-bill&#x2F;295...</a>

Can we request it back later? This sounds like a great publicly-funded backup service if they can get the user experience right. I certainly haven&#x27;t nailed storing my own data for 15 years.

This happened to me, a US citizen, when I was returning to the US from Europe. They stopped me and asked me to hand over my electronics with passwords. I refused and they told me I had to sit in the room by myself until I gave them my electronics. I asked for a lawyer and they told me I am not entitled to a lawyer because I had not fully entered the US yet. After over an hour I finally gave them my electronics and passwords. After CBP gave the electronics back to me I threw them away.

The easiest solution to this persistent storage of private citizen&#x27;s personal data siphoned from their phones or other devices is to carry a burner phone on international trips and weaponize the data that you store on it before you travel. Infect some photos and PDFs with one of those silent exploits that, once it gets into their data center, maps all the drives and wipes them or one that wipes the devices that they are using to siphon all the data at the border crossing. Even sticking them with something like a shitcoin miner would be a win.<p>Or, target the data storage center directly. I guarantee that someone in their custody chain is dumb enough to click a fake email link or visit that hijacked site to download code that wipes their data center drives. You only need to be lucky once to put them back at square one.<p>Or better yet, someone could create a repository of shitty memes that can be downloaded to your burner phone before you travel. Just grab a bunch of &quot;Yo&#x27; Mama&quot; memes and let the agency hacks waste all their time reviewing the same well-worn collection over and over. The more boring the better.

I am planning on travel to Mexico soon. A few days ago my sister in-law sent photos and videos of my nephew in bed with his 7 year old girl friend in the family WhatsApp channel. He is only in his underwear and she is topless and crawling around in her underwear and giving him hugs. She repeatedly does this with my nephew&#x27;s bath-time as well. Out of context it looks creepy and perhaps would be flagged by an AI classifying for exploitation.<p>So if the AI has me marked as a person of interest and they seize my phone at the border, it won&#x27;t be a good day for me. Am I just being paranoid and lacking perspective because I have never been a parent who spends a lot of time with naked children ? Is this so common that I shouldn&#x27;t be concerned ?

Just a reminder any email you have online that is over six months old can be read without a warrant.

I once had my all my devices searched when returning to my home country (Australia). They kept my phone for a few days too. They didn&#x27;t find anything and I wasn&#x27;t charged wth any crime. But you only have to suffer this massive invasion of privacy once to make make sure it never happens again. Now when I return home I wipe all my devices in the time it takes to de-plane, collect bags and get to customs. Easy enough to get back up and running fairly quickly with an iCloud backup once I get home. Looks like I might have to do the same if I ever decide to visit the US again.

I guess the oft-cited advice to travel with a burner phone even applies to the USA. Sad to hear. I hope Wyden is successful in changing this practice, but I very much doubt that it&#x27;ll change.<p>Has anyone that this happen by US border patrol? What are the specifics?

Speaking from an odd angle, I kinda wish there is an alternative universe where the US government would ask me:<p>&quot;Would you like to download your phone backup at 2010&quot;.<p>I&#x27;ve lost a phone back then and lost a lot photos in it.

Wow can’t wait until this data is all exfiltrated and sold on the dark web!

The way US treats the migrants is human rights violation at the border. Now add this to the pile of atrocities committed by the border patrol and ICE. It&#x27;s high time we should consider open border.

What difference does it make if EvilCorp can store the data (phone location data, search data, etc.) on its systems, and then will volunteer to hand over to authorities when requested?<p>Sorry, I meant to say Google.

Lot&#x27;s of people fantasizing about what they&#x27;ll do at the border with weaponizing the data on a burner phone. Let me present a &quot;simpler&quot; and actually realistic option (only for US citizens) on how to handle this:<p>1. Have a reasonable amount of emergency savings (6-8 months of expenses stored).<p>2. Have someone in-country who isn&#x27;t traveling with you who can make sure your bills get paid (financial power of attorney).<p>3. Apply for Global Entry, which pre-clears you for border crossing.<p>4. Turn your phone &#x2F;off&#x2F; when you land (usually a 15-20 minute walk to passport control in most airports). Powering off is important.<p>5. Refuse to provide the password, refuse to unlock. Provide all relevant travel documents and customs declarations, and allow free inspection of your baggage.<p>6. Wait... depends on the agent. Longest I&#x27;ve been detained was 2 days, most of the time they hem and haw for an hour or so and let you go.<p>7. Go on with your life.<p>Step #1 and #2 is in case you get arrested, which will almost guarantee losing your job, at least for right then. Since you can clearly establish no priors and that you aren&#x27;t a flight risk, getting bail and then finding another job should be relatively easy to do within 6-8 months for most of the HN crowd. Also, invest in pre-paid legal.<p>Obviously, this is assuming things go mostly okay and you don&#x27;t get murdered at the airport, however the realistic probability of this occurring is fantastically low (these types of crimes are almost always committed in the US by local law enforcement, not federal law enforcement, as feds undergo much more stringent requirements and aren&#x27;t just your high school bully drunk on power with a gun).<p>Steps #1 and #2 you should be doing anyway, just out of good financial sense. Step #3 you should do anyway if you&#x27;re traveling internationally regularly just to make your life easier when black swan events don&#x27;t happen. And Step #4 you should do EVERY time you are about to let your phone out of your possession, whether involving the government or not, because it prevents most forms of attacks against an encrypted device and disables biometric unlock (which can be coerced&#x2F;forced&#x2F;done when you are dead).<p>The hardest step is honestly #7, because after what I&#x27;ve experienced in my travels (and let me tell you, the US CBP is MUCH MUCH more professional, courteous, and reasonable than many many other countries), nobody really believes you and there are way too many people that are apologists for the powerful. Governments, pretty much universally, suck. The only difference between whether you personally experience the suck or not is whether or not you happen to get randomly selected or fall outside the bounds of what the government expects of you. There is no requirement that you do anything &quot;wrong&quot; in either the moral or legal sense, to end up stuck in the suck. Embrace the suck early if you plan to exercise your rights, because doing so will bring the suck on to you full force, but if you&#x27;re the self-righteous type at least you&#x27;ll get some sense of satisfaction out of it.

I think at this point, if I were to travel internationally, I would not bring my EDC. I&#x27;d buy a cheap phone when I arrived at my destination and just chalk it up to travel expenses. I would tell everyone I&#x27;ll email them my phone number when I get to my destination in case of emergency.<p>I&#x27;d rather that complication than have some &#x27;roid-redneck at the border capturing data that&#x27;s really none of their business.

All way downhill since the patriot act.<p>Don&#x27;t say nobody told you so.

Can I ask how long it takes to &#x27;copy&#x27; someone&#x27;s phone data?<p>The mid-level consumer tech I have access to takes a most of a work day to copy my wife&#x27;s 80GB of iphone 7+ data to a flash drive.<p>Based on this, I doubt they have some sort of magic thing that will just copy everything on your phone as you pass through a checkpoint.<p>Do they hold you until the copy is done?<p>Or do they have some super fast thing that works on every device?<p>Honestly curious.

Treat every phone as a burner.

Unless this sort of thing gets corrected, it will be used in corrupt ways and to enforce tyrannical laws &#x2F; regimes.<p>Did much of the progress in the past that led us to today&#x27;s democratic institutions involve law-breaking, strictly interpreted, of the law of the day? Would too-effective, too-cheap enforcement have prevented that progress? I know little about history, but I suspect so.

Thank God, there are adults in WH now.<p>Enjoy guys, you deserve this!

I often buy a cheap pay-as-you-go phone in my destination country when I travel (mostly because I think something internal is funky with my phone, despite all arrangements being made and plans authorized with my carrier for international travel&#x2F;service, the damn thing never finds signal), I may just start leaving my own phone at home when I do so.

The real question is, can you put something on your phone that will root their workstation &amp; plant a worm on it?

Zuckerberg is illegally interfering with elections in Washington state and elsewhere. Honestly this is mor concerning. As we&#x27;ve learned over the past year, there&#x27;s no recourse for private infringement of human rights. At least with the government you have someone to complain to

Do they do this with laptops too? If not, the laziness of assuming everything is on the phone is amusing.

I’d really I like to know how they store data from a wide variety of sources for 15 years.<p>Mobile device file systems, etc, have changed a lot during that time. 15 years ago Blackberries were the big mobile thing.<p>Can you easily store data from a 2007 Blackberry on the same disk as an iPhone 14?

Uh, ok, sure, don&#x27;t cross borders with devices with unencrypted sensitive data on them, got it.

I wonder how much trouble I would get in if I broke my phone in half before handing it over to the agents. I can&#x27;t imagine it would go over well, especially with the damaged lithium ion battery and broken glass involved.

The reasons stuff like this happens is because there are no punitive repercussions such as jail time for the officials that oversee the programs. All that happens is a judge eventually strikes it down. This needs to change.

The border is often a lawless section of most countries - specially the US.<p>People can get detained, deported and humiliated for no reason and with no resource. Specially foreigners trying to go through.

This is tangential to the content of the article but this site&#x27;s data protection consent pop-up (not sure if this is EU-only) is actually an own-goal when it comes to EU GDPR compliance:<p>If you can revoke consent for &quot;legitimate interest&quot;, it&#x27;s not legitimate interest. Legitimate interest is a legal basis for collecting and processing data <i>without</i> explicit consent (i.e. it&#x27;s an alternative mechanism to explicit consent and you can merely inform the user of it, not ask them to consent to it). If you can opt out, it&#x27;s not legitimate interest. And if it&#x27;s not actually legitimate interest, you have to make it an opt-in option like the other consent prompts, not an opt-out (tho at least this site doesn&#x27;t make you select them individually).<p>I&#x27;m not sure what marketing firm convinced publishers they could use &quot;legitimate consent opt-outs&quot; as a fallback for the consent many people probably don&#x27;t opt in to, but their advice is flat out wrong at best and illegal at worst. They&#x27;d be better of not providing a detailed consent popup than doing this because the former at least allows them to claim ignorance whereas this clearly demonstrates an attempt to circumvent consent requirements. Not to mention the current state of the law explicitly requires them to provide both &quot;opt in to all&quot; and &quot;opt out of all&quot; options without additional clicks and dark pattern shenanigans (i.e. they have to be equally prominent and the same color and design).<p>Also if you find these popups annoying keep in mind that there&#x27;s literally no legal requirement to have a consent popup under the EU GDPR. You don&#x27;t even need one if you use cookies. The only reason these sites need them is because they use third party embeds, resources and scripts that set non-essential (e.g. tracking) cookies or want to record&#x2F;process user data (e.g. for targeted ads). It&#x27;s the death pains of a failing business model that&#x27;s making this annoying for you, not the law.

Always travel with two mobiles. Hand over the one you don&#x27;t use. Don&#x27;t use the one you hand over. It will carry a virus when you get it back.

we need to end this useless security theater. only a matter of time until a bad actor gets ahold of this massive database and sells it off to the highest bidder

Hope they have fun getting into the iOS 6 iPhone 4S I carry around, security by obscurity XD<p>(And no, it&#x27;s not my main phone, Pixel 5a with GrapheneOS is my daily driver)

Does anybody know the legality of this for other countries&#x27; border forces? Is there a list anywhere?

This is half of why I don&#x27;t take my personal phone with me when travelling. I bring a burner, instead.

I wonder if I&#x27;d get arrested for bringing a wiped phone with me with just a phone number on it.

They are going to be sorely disappointed with the 30 dpi picture of my cat from my flip phone.

Lawless in the name of security… this is what an authoritarian regime would use.

This a clear and bold violation of the fourth amendment. Let the lawsuits begin!

I need to prioritize phones with SD cards way more. This is ridiculous.

there should be an unlock code, that if entered, wipes and writes over all dram bits with random data, including the OS and a big fuck you to gov types that want this data

Did some thinking about this- Here&#x27;s something no one has every ...thought of it seems-<p>Right now, from a steganography standpoint, there&#x27;s no real way to be secure from this sort of thing. US Customs, or another country , from a tech standpoint. Yes, the cloud, though not everyone will have resources to access enough space online to keep their data secure - or be able to properly make a usable copy or image of their device that includes every aspect of their device, for a complete , fully restore later<p>-Why aren&#x27;t there more plausible deniable, or just, stealthy encryption options? It appears, there&#x27;s nearly NONE today for these advanced used cases.<p>Veracrypt is known for it&#x27;s hidden features -but those are ...dangerously approaching obsolescence. Their Hidden OS option- ONLY works if you&#x27;ve formatted your system to MBR, not UEFI- otherwise you can&#x27;t use the Hidden OS option. Are you telling me for every laptop you buy form here on out, you&#x27;ll format it to the old MBR standard to use the Hidden OS option for your personal laptop that you want to take on a trip- or need to?<p>And sure, you can just put important data in Hidden Volumes as a fallback- but then you come to a common fight today in the tech world of system vs file level encryption. And sure, just hiding what is most crucial, is perhaps better form a standpoint of sneaking by- but is it truly now impossible to hide everything else that&#x27;s not as important, by default? Furthermore, you have to wipe traces of the material&#x27;s location where it was BEFORE you copied it into the hidden volume. Did you also eliminate all traces? Windows Shellbags are a thing, that nearly no one knows will be a smoking gun..<p>Veracrypt doesn&#x27;t work on Mac or Linux with it&#x27;s Hidden OS option, just volumes.<p>There was a really promising advanced system being built - here, and it was even presented at a blackhat conference i think <a href="https:&#x2F;&#x2F;portswigger.net&#x2F;daily-swig&#x2F;russian-doll-steganography-allows-users-to-mask-covert-drives" rel="nofollow">https:&#x2F;&#x2F;portswigger.net&#x2F;daily-swig&#x2F;russian-doll-steganograph...</a><p><a href="https:&#x2F;&#x2F;i.blackhat.com&#x2F;eu-18&#x2F;Thu-Dec-6&#x2F;eu-18-Schaub-Perfectly-Deniable-Steganographic-Disk-Encryption.pdf" rel="nofollow">https:&#x2F;&#x2F;i.blackhat.com&#x2F;eu-18&#x2F;Thu-Dec-6&#x2F;eu-18-Schaub-Perfectl...</a><p>But i&#x27;ve heard nothing since- and right now, all your data will be at risk from your computers ,phones ,and tablets, when you go through Customs- even if it&#x27;s encrypted, they&#x27;ll hang on to it, and image and copy the data. If you refuse to provide encryption passwords, they&#x27;ll potentially keep it and not return it to you in all cases. This is where the deniable systems would come into play- where you&#x27;d be okay, if they just unlock it. Now if they plug it in and image it regardless, you&#x27;re at risk because theoretically they could be running exploits on your device(they won&#x27;t let you watch them imaging it so you can&#x27;tverify that ever)<p>-encrypted data will be unreadable here, but it&#x27;s not as good as if they can&#x27;t tell it&#x27;s hidden, from a imaging point when they plug in a Cellebrite or Greykey device and have it run it&#x27;s exploits to get everything.<p>And i do not see the Forensic Security community often giving recommendations on what it takes to get around this, i think this leads to the public being at the mercy of officials-<p>This will become very destructive also, as this will become a precedent. Imagine Southern States checking devices like to look for evidence of abortion information-searches, for example. Imagine Abortion getting federally banned, and then customs checking for mentions of abortion .<p>- Technical solutions aren&#x27;t a full solution, as the EFF loves to hamper on- but it appears everyone has given up with efforts to even provide them. I suppose if you want to stand a chance, you need to go become a expert on disks, and forensic techniques , in order to then even have a chance at experimenting on how to get around that- and if that sort of privacy ,security, and plausible deniability cannot be brought to the masses at large, the way Signal did for encrypted communications, ...

How is this constitutional?<p>If it is, why the hell hasn&#x27;t the broken constitution been fixed?<p>This is fascism.

they can also search your anal cavity if they want to. #endborders