I‘ll never bring my phone on an international flight again. Neither should you.
As a software developer, my phone and laptop are the tools of my trade. They contain sensitive data, proprietary code, and access to critical infrastructure. So when I was recently detained at the border and forced to unlock my phone, I felt not only violated but fearful for my company‘s security. It was a wake-up call to drastically change how I approach international travel with technology.
I‘m not alone in this jarring experience. In recent years, digital device searches at borders have increased exponentially, as CBP officers and other agents around the world demand access to travelers‘ phones and laptops. In the US, CBP conducted over 33,000 device searches in 2018, nearly a fourfold increase from 2015 (CBP Official Website). And this shows no sign of slowing down.
Source: US Customs and Border Protection
Traveling overseas as a developer often means bringing hardware and data that are critical to your work and your company. Having this sensitive information exposed in a border search could put your job and your business at risk. Yet in most countries, you have very few rights at the border to refuse such a search.
When you‘re entering the US, customs agents have broad authority to search your belongings, including electronic devices, without a warrant or any suspicion of wrongdoing. Your Constitutional protections against unreasonable search and seizure (4th Amendment) and self-incrimination (5th Amendment) largely don‘t apply (ACLU). Agents can detain you indefinitely for refusing to comply, as NASA scientist Sidd Bikkannavar learned when he was detained for refusing to unlock a secure government-issued phone (The Verge).
This "border search exception" to the 4th Amendment has been upheld in court. In 2014, a federal judge ruled that the government‘s interest in maintaining border security outweighed the individual privacy interests of a traveler forced to unlock their devices (United States v. Saboonchi). And in 2021, the 1st Circuit Court of Appeals ruled that advanced device searches, where the contents of a device are copied for analysis, do not require a warrant (Alasaad v. Mayorkas). So we can‘t rely on the courts to protect our digital privacy at the border.
Digital privacy at borders is eroding globally. Canada has similar policies allowing warrantless device searches (CBC). New Zealand customs can demand your passwords and even fine you for noncompliance (NZ Herald). And of course, authoritarian countries like China have few limitations on technology searches and surveillance of travelers.
As a developer traveling with source code, trade secrets, and client data, this growing trend should alarm you. Unlocking your devices for agents exposes not just your personal information, but sensitive intellectual property and confidential data belonging to your company and clients. Once agents copy this data, you have no control over how it may be used or shared.
Even if you‘re not worried about the government‘s use of your data, you should be concerned about the security risk if that data is later compromised. Government agencies are a prime target for hackers. For example, in 2019 a federal contractor was hacked, exposing over 100,000 traveler photos and license plate numbers that CBP had collected (Washington Post). Agencies may also share your data with other governments. The US now routinely shares surveillance data with dozens of foreign agencies (Reuters). All it takes is one breach, in one agency, in one country, to expose your sensitive data to the world.
So what‘s a privacy-conscious developer to do? The most effective solution is simply not to travel internationally with any devices containing sensitive data. Leave your primary phone and laptop at home and bring travel-only devices that you can wipe before and after your trip. Several major companies now prohibit employees from bringing devices to high-risk countries like China (NY Times). If you must bring your primary devices, at least log out of sensitive accounts and remove any proprietary data before travel.
You can also use technical measures to protect your device and data at the border. Full disk encryption, while not foolproof, at least prevents agents from accessing your data without your password. Set a strong passphrase and power down your devices before going through customs, as encryption is most effective when a device is fully powered off.
Some privacy advocates recommend using a "duress password" – a second password that, when entered, only unlocks a limited or alternative version of your device (EFF). That way, you can comply with agents‘ demands to unlock your phone without exposing your true data. However, using such tricks is legally risky, as lying to border agents can be a crime.
Unfortunately, there‘s no perfect solution to this dilemma, short of not traveling with technology at all. That‘s the approach I‘ve resigned myself to for international travel. The peace of mind of knowing my sensitive data can‘t be compromised is worth the inconvenience. And if enough developers take a stand on this issue, perhaps we can pressure governments and courts to strengthen privacy protections at the border.
As technology becomes ever more central to our lives and our work, the privacy of our digital data should be a fundamental right, as inviolable as our physical privacy. For software developers on the front lines of the global economy, protecting the confidentiality of our work is not just a matter of principle but a professional obligation. We need to be leaders in advocating for digital privacy and defending it in practice.
Next time you‘re packing for an international flight, ask yourself if it‘s worth risking your most personal data and your company‘s crown jewels to bring your phone or laptop. I‘ve decided it‘s not. With the sophisticated digital forensics tools available to government agents today, even an unlocked device is an open book. Why volunteer to be digitally strip-searched when you can travel device-free?
In our digital age, privacy is becoming a precious commodity. For those of us in technology, it may also soon become a job requirement. So let‘s start taking it as seriously in practice as we do in principle. Leave your devices and data at home and take one small step for your own privacy. With enough steps, we can make a giant leap for digital privacy rights at the border and beyond.