Go Back   > > >
 
Thread Tools Search this Thread
Old Sep 4, 17, 7:30 pm   #1
Original Poster
  
Join Date: May 2005
Posts: 5,630
Looking for stories of refusal to provide password/PIN

I'm getting ready for an overseas trip and I'm looking for stories of people whom, on returning to the US, were asked for a PIN to their device and refused.

Basically, as a US Citizen I understand that I can refuse to give them the PIN to my devices, and they then have to seize those devices. I'm just wondering if anyone on here has done that, had their devices taken, and did you ever give them back?
JakiChan is offline   Reply With Quote
Old Sep 5, 17, 5:35 am   #2
  
Join Date: Nov 2010
Location: Baltimore, MD USA
Programs: Southwest Rapid Rewards. Tha... that's about it.
Posts: 3,565
Never experienced this myself, but my opinion, based on what I've read here on FlyerTalk is thus:

1) Never put sensitive information directly on your device when you travel. Use cloud storage only. This gives you the option to actually divulge the pin or password for your device without actually compromising your data. Hint: If you use a cloud service, don't put the icon for it prominently on your home screen/desktop. In fact, you can uninstall the app prior to approaching customs (they're easy to uninstall and reinstall later), and their cursory examination of the device will show them nothing. Same goes for social media apps.

2) If at all possible, use throw-away devices when you travel, so you won't lose your primary devices if you're robbed, caught in a disaster, or have devices confiscated or compromised by authorities.

3) If your devices are confiscated by authorities, write them off. When they're returned to you, they will be security compromised and can never be trusted again. Run over them with a truck and recycle the remains.

4) From what I've read here on FT, if you refuse to divulge your pins and passwords, you can expect not only to have your devices confiscated, but to endure threats, coercion, lengthy delays re-entering the country, and extensive retaliatory screening and interviews. Be prepared.
WillCAD is online now   Reply With Quote
Old Sep 5, 17, 1:47 pm   #3
  
Join Date: May 2009
Location: Sunnyvale Trailer Park
Programs: Mahalo Rewards
Posts: 4,249
There was this thread a few months back...may be some other posts around here on the subject too

US citizen and GE member forced to unlock phone at IAH

No personal experience with it thus far though.
84fiero is offline   Reply With Quote
Old Sep 5, 17, 2:27 pm   #4
FlyerTalk Evangelist
  
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 31,065
Quote:
Originally Posted by WillCAD View Post
Never experienced this myself, but my opinion, based on what I've read here on FlyerTalk is thus:

1) Never put sensitive information directly on your device when you travel. Use cloud storage only. This gives you the option to actually divulge the pin or password for your device without actually compromising your data. Hint: If you use a cloud service, don't put the icon for it prominently on your home screen/desktop. In fact, you can uninstall the app prior to approaching customs (they're easy to uninstall and reinstall later), and their cursory examination of the device will show them nothing. Same goes for social media apps.

2) If at all possible, use throw-away devices when you travel, so you won't lose your primary devices if you're robbed, caught in a disaster, or have devices confiscated or compromised by authorities.

3) If your devices are confiscated by authorities, write them off. When they're returned to you, they will be security compromised and can never be trusted again. Run over them with a truck and recycle the remains.

4) From what I've read here on FT, if you refuse to divulge your pins and passwords, you can expect not only to have your devices confiscated, but to endure threats, coercion, lengthy delays re-entering the country, and extensive retaliatory screening and interviews. Be prepared.
+1 - Don't obsess about CBP. There are tons of similar risks elsewhere in the world and some of them involve brute force.

Do not store sensitive data on any device. Period.

If everything is sensitive, upload it all, wipe your device, delete the password/PIN and let anybody who wants have a look at nothing.
Randyk47 likes this.
Often1 is offline   Reply With Quote
Old Sep 6, 17, 6:24 pm   #5
Original Poster
  
Join Date: May 2005
Posts: 5,630
Quote:
Originally Posted by WillCAD View Post
1) Never put sensitive information directly on your device when you travel. Use cloud storage only. This gives you the option to actually divulge the pin or password for your device without actually compromising your data.
There are situations where this is a BAD IDEA. For example, if you do iCloud backups then those backups are encryped by a key that Apple knows and can be forced to divulge. Therefore your backups aren't safe.

Quote:
Originally Posted by WillCAD View Post
2) If at all possible, use throw-away devices when you travel, so you won't lose your primary devices if you're robbed, caught in a disaster, or have devices confiscated or compromised by authorities.
I back up my devices before I go, and assume that if they're lost or stolen I'll just go by new ones when I get home.

Quote:
Originally Posted by WillCAD View Post
3) If your devices are confiscated by authorities, write them off. When they're returned to you, they will be security compromised and can never be trusted again. Run over them with a truck and recycle the remains.
This applies if they're taken out of sight. Even if they brought it right back I'd stomp on it right there in the interview room. "Sorry, I trust you as much as I trust the Russian FSB and the Chinese government. Which is: Not at all."

Quote:
Originally Posted by Often1 View Post
+1 - Don't obsess about CBP. There are tons of similar risks elsewhere in the world and some of them involve brute force.

Do not store sensitive data on any device. Period.

If everything is sensitive, upload it all, wipe your device, delete the password/PIN and let anybody who wants have a look at nothing.
It's amazing how many people trust cloud services when it comes to security. If I was you I wouldn't...

Last edited by TWA884; Sep 7, 17 at 12:58 am Reason: Merge consecutive posts by the same member; please use the multi-quote function
JakiChan is offline   Reply With Quote
Old Sep 6, 17, 7:28 pm   #6
  
Join Date: Nov 2010
Location: Baltimore, MD USA
Programs: Southwest Rapid Rewards. Tha... that's about it.
Posts: 3,565
Quote:
Originally Posted by JakiChan View Post
There are situations where this is a BAD IDEA. For example, if you do iCloud backups then those backups are encryped by a key that Apple knows and can be forced to divulge. Therefore your backups aren't safe.
I wasn't talking about Apple or Amazon. And of course, there is nothing that prevents you encrypting your files with TrueCrypt before uploading them.

Quote:
Originally Posted by JakiChan View Post
I back up my devices before I go, and assume that if they're lost or stolen I'll just go by new ones when I get home.
I was addressing more the choice of device than backup practices. If you're going into a high-risk situation, you should choose low-value items to minimize your loss in the event of theft or disaster.
WillCAD is online now   Reply With Quote
Old Sep 6, 17, 11:56 pm   #7
Original Poster
  
Join Date: May 2005
Posts: 5,630
Quote:
Originally Posted by WillCAD View Post
I wasn't talking about Apple or Amazon. And of course, there is nothing that prevents you encrypting your files with TrueCrypt before uploading them.
Actually, I'm not taking a laptop. On this trip, since it's vacation, I'm taking my iPhone and my iPad Pro. And, obviously, with iOS the only two backup options are iCloud or local.

Quote:
Originally Posted by WillCAD View Post
I was addressing more the choice of device than backup practices. If you're going into a high-risk situation, you should choose low-value items to minimize your loss in the event of theft or disaster.
I'm not sure that returning from Japan qualifies as high risk. I'm not going to BlackHat or Russia/China. For a trip like this to be enjoyable I will need my devices to help us get around. I suppose I could buy an iPhone in Japan, but then that seems to defeat the "low-value" part.
JakiChan is offline   Reply With Quote
Old Sep 7, 17, 5:36 am   #8
FlyerTalk Evangelist
  
Join Date: Mar 2002
Location: An NPR mind living in a Fox News world
Posts: 11,248
Quote:
Originally Posted by JakiChan View Post
Actually, I'm not taking a laptop. On this trip, since it's vacation, I'm taking my iPhone and my iPad Pro. And, obviously, with iOS the only two backup options are iCloud or local.
Try a free service such as Box.com for files. Run the free version of CCleaner to make sure there aren't files left over in temporary locations.
FliesWay2Much is offline   Reply With Quote
Old Sep 7, 17, 9:30 am   #9
Original Member
  
Join Date: May 1998
Location: New York, NY, USA
Programs: AA 2MM, Hyatt Glob, SPG LTP, Hilton Diamond, National EE
Posts: 10,289
Quote:
Originally Posted by JakiChan View Post
I'm getting ready for an overseas trip and I'm looking for stories of people whom, on returning to the US, were asked for a PIN to their device and refused.

Basically, as a US Citizen I understand that I can refuse to give them the PIN to my devices, and they then have to seize those devices. I'm just wondering if anyone on here has done that, had their devices taken, and did you ever give them back?
You can refuse even if you are not US citizen. They just seize device and/or refuse admission.

Quote:
Originally Posted by JakiChan View Post
There are situations where this is a BAD IDEA. For example, if you do iCloud backups then those backups are encryped by a key that Apple knows and can be forced to divulge. Therefore your backups aren't safe.
First off, you must be setting off various suspicions during inspection for them to go down path of seizing device to begin with. And then for them to actually seek a warrant for Apple to access your iCloud data? What are the chances of that when you consider number of people arriving in US daily?

If your data cannot see the light of day, wipe your phone, login to a dummy apple.com account before you cross the border. They can't compel Apple to release content from an account they don't know exist.
seawolf is offline   Reply With Quote
Old Sep 7, 17, 9:51 am   #10
  
Join Date: Nov 2010
Location: Baltimore, MD USA
Programs: Southwest Rapid Rewards. Tha... that's about it.
Posts: 3,565
Quote:
Originally Posted by JakiChan View Post
Actually, I'm not taking a laptop. On this trip, since it's vacation, I'm taking my iPhone and my iPad Pro. And, obviously, with iOS the only two backup options are iCloud or local.



I'm not sure that returning from Japan qualifies as high risk. I'm not going to BlackHat or Russia/China. For a trip like this to be enjoyable I will need my devices to help us get around. I suppose I could buy an iPhone in Japan, but then that seems to defeat the "low-value" part.
I think we may be discussing two different situations here.

From your original post, I believed you were traveling on business and wanted to keep company data secure from the prying eyes of the gubment.

However, since you're taking only an iPhone and iPad Pro, no laptop, it seems more like you're traveling on leisure and want to keep your personal data secure.

In that case, my advice would be much simpler: Don't keep sensitive personal data on your mobile devices at all. There is some sensitive data you will need when traveling - insurance information, emergency contacts, etc - but aside from that, the most of the data you need while traveling is not critically sensitive. Your itinerary, reservation numbers, contact information for the places you will stay and activities in which you might engage, maps, trip photos and notes/journal, all of these data may be private, but they're not life-critical and can be kept on your mobile devices without fear.

Additionally, if you're traveling on leisure to Japan, I doubt you will get heavy scrutiny form US authorities upon your return unless you set off some specific red flag, such as traveling with no luggage, booking last-minute, traveling solo to a destination known for sex trade, or you bungle the routine questions upon re-entry. Granted, I'm going merely on what I've read on FT here, but if you are indeed traveling for leisure to a first-world country like Japan, I doubt that you have much to fear in regard to data security, and require no more than ordinary precautions.

I think you've got more risk of losing your devices to theft or accidents than to CBP confiscation.
WillCAD is online now   Reply With Quote
Old Sep 7, 17, 10:07 am   #11
FlyerTalk Evangelist
  
Join Date: Aug 2010
Location: DCA
Programs: UA US CO AA DL FL
Posts: 31,065
Quote:
Originally Posted by JakiChan View Post
There are situations where this is a BAD IDEA. For example, if you do iCloud backups then those backups are encryped by a key that Apple knows and can be forced to divulge. Therefore your backups aren't safe.



I back up my devices before I go, and assume that if they're lost or stolen I'll just go by new ones when I get home.



This applies if they're taken out of sight. Even if they brought it right back I'd stomp on it right there in the interview room. "Sorry, I trust you as much as I trust the Russian FSB and the Chinese government. Which is: Not at all."



It's amazing how many people trust cloud services when it comes to security. If I was you I wouldn't...
Nothing protects you from hackers. I am not particularly worried that CBP or anyone else will bother to obtain a search warrant for my devices.

I am concerned that devices will seized and that CBP will brute force examine them, so the notion of not providing a password/PIN and CBP having at it seems the saner path.
Often1 is offline   Reply With Quote
Old Sep 9, 17, 12:54 pm   #12
Original Poster
  
Join Date: May 2005
Posts: 5,630
Quote:
Originally Posted by WillCAD View Post
However, since you're taking only an iPhone and iPad Pro, no laptop, it seems more like you're traveling on leisure and want to keep your personal data secure.
This is true. And there are many things I could do. Not take any data with me, etc. But then I could also just not go on a vacation, right? Why make it suck more?

Again, I'm not concerned about the security of the data on the device, even in the hands of the government. I know enough about the platforms that I use to know that I'm likely not worth the effort of a brute force attack. If iOS 11 is out before I fly then I'll likely have a "cop mode" option, otherwise I just reboot the devices before I get off the plane. Boom, no touch ID and I won't divulge a PIN. They wanna bruit force it then sure, but guess what, unlikely.

I was more looking the experiences of people who were even asked for a PIN, and what happened when they said no. If the CBP steals my device (and it's theft) fine - I suspect my iPhone 8 will already be on order. Might even be waiting for me at home.

I see all this "wipe your device" advice, and while I know a lot of the folks who suggest it (friends at the EFF) I also know it's mostly unreasonable, like the "master cleanse". I've secured my data, I'm just more wondering how likely I am to lose my device.
JakiChan is offline   Reply With Quote
Old Sep 13, 17, 12:40 pm   #13
FlyerTalk Evangelist
  
Join Date: Mar 2008
Location: DFW
Posts: 12,722
Seems some others aren't too crazy about handing over their phones and other electronics so government can go pawing around in them.

https://finance.yahoo.com/news/lawsu...-politics.html

Quote:
A federal lawsuit filed Wednesday claims the U.S. government's growing practice of searching laptops and cellphones at the border is unconstitutional because electronic devices now carry troves of private personal and business information. The government has vociferously defended its searches as critical to protecting the homeland
Quote:
Searches, however, are becoming more frequent.

In the 2015 fiscal year, Customs and Border Protection searched the electronic devices of 8,503 international travelers. The number rose to 19,033 the next year. In the first half of the current fiscal year, there were 14,993 searches.
​​​​​​​
Boggie Dog is offline   Reply With Quote
Old Sep 20, 17, 7:34 am   #14
  
Join Date: Jan 2009
Location: LAS
Programs: Hilton Diamond, Hyatt Platinum, IHG Spire Ambassador
Posts: 2,231
Quote:
Originally Posted by JakiChan View Post

Basically, as a US Citizen I understand that I can refuse to give them the PIN to my devices, and they then have to seize those devices.
The bold part of your understanding is inaccurate.

1. They can search any unlocked device at the border at any time for any reason or for no reason.

2. If the device is locked, they can ask any passenger for the password, at any time, for any reason, or for no reason at all. If the passenger unlocks the device, then see Step 1, above.

3. If you, as a US citizen, refuse to give them the PIN, they can't and won't just seize the device willy-nilly without a really good reason to believe there is evidence of criminality on the device. In the Ninth Circuit specifically (California, Arizona, Nevada, Washington, Hawaii, Oregon) they are prohibited from seizing a device to perform an off site forensic search unless they have "reasonable suspicion," which is a legal standard close to "probable cause."

See the Ninth Circuit's decision in US v. Cotterman:

https://en.wikipedia.org/wiki/United...s_v._Cotterman


This is the trend in the law and how other circuits would probably rule on such cases, and I believe it is CBP's practice in all circuits, not just the ninth circuit, that they don't seize devices and waste the time of CBP geeks to try to break into those devices unless they have a really good reason to believe there's something bad and significant on the device.

Officers definitely need the approval of a front line supervisor, and perhaps other higher ups at the port of entry, before seizing a locked electronic device to have it searched. They can't get that approval without a very good reason.

4. CBP officers can, however, threaten to seize any device from any passenger at any time, for any reason, in order to coerce the passenger to answer questions or to trick the passenger into unlocking the device. "Unlock the phone now or we will seize your phone and keep it for weeks/months" can be a pretty effective threat, even if it's an empty threat. "Unlock the phone or we will keep you here until you do" also seems to be a favored threat. These are bluffs though. If you're going to refuse to unlock your devices, you need to be prepared to call them on these bluffs. If you're a U.S. citizen, they won't hold you more than a few hours before letting you go.


5. I'm a U.S. citizen, and I have personally refused to give them the PIN to my phone. I landed in Chicago two years ago, returning from a vacation to Afghanistan. They asked my why I went there, what I did there, etc. I told them more or less that it was none of their business but they were free to search my bags.

The officer took out my phone and said "Could you enter the PIN?" I said "I could, but I won't." He said "Fine, We'll seize it." I said "OK."

An hour later they let me go, with the phone, computer, etc. The seizure threat was a bluff.

Years earlier (pre-Cotterman), I landed in Las Vegas from a flight to Cuba. The officer told me he was seizing my devices because I wouldn't answer questions and even handed me some kind of notice of seizure literature. Back then I was naive and inexperienced with such matters, so I started answering questions. They didn't seize my devices. I suspect that this too, was a bluff.

6. I've been through seven other secondary inspections in which I refuse to answer questions, always with a phone and laptop in my luggage, and they never turned on my devices or asked for a password. They always search everything else in my bags and usually set aside the electronics and treat them like Kryptonite.

I remember at one point even mentioning as they let me go, "I'm surprised you didn't turn on my computer/phone" and the officer said "Oh we don't touch that stuff here." Maybe it's a different story for foreigners sent to "immigration secondary," with officers routinely checking their phones to find evidence that they intend to overstay their welcomes. But for an American sent to "baggage secondary," the chance they are going to turn on your phone or seize it is exceptionally low.
studentff and Yoshi212 like this.

Last edited by jphripjah; Sep 20, 17 at 8:10 am
jphripjah is offline   Reply With Quote
Old Sep 20, 17, 11:26 am   #15
  
Join Date: Dec 2009
Location: New York, NY
Programs: UA, SPG, Hyatt (Lifetime Diamond downgraded to Explorist)
Posts: 5,246
jphripjah summed it up rather well. Especially that as US citizens we have far more protection and should use this instead of just going with the flow to appease a gov't agency.

Post 9/11 but before the Trusted Travel Programs were created and the general public were allowed to apply to be members I got hassled a lot at TSA checkpoints & CBP. Each time at CBP I was threatened with seizure of my laptop, tablet and/or phone. Having two phones was a big trigger for them which is idiotic as more people carried a work & private phone at those times. When I was still in college I had one CBP agent threatened to take my laptop and that sometimes they come back blank and he was sure I wouldn't want that to happen to a research paper I was working on. This just made me roll my eyes at him which of course didn't help things but he didn't seem to know about backups nor jump drives. Pure intimidation tactic. I now remove all fingerprint recognition for my devices when going through a border checkpoint. Last time a CBP agent wanted to take my iPad when I refused to unlock it. When he said he was taking it I told him I would need to talk to his supervisor about maintaining the integrity of chain of custody as it had information on it that another gov't agency would not be ok with anyone else seeing and would/could be considered a violation of federal law. They reverse position very quickly.

One last thought, I am about to upgrade my iPhone am shying away from the iPhone X because of the facial recognition shift. I do like the fingerprint access and know that the passcode option is still available but it's too easy for this to be abused at this day & time.
Yoshi212 is online now   Reply With Quote
Thread Tools Search this Thread
Search this Thread:

Advanced Search

Thread Tools
Search Thread
Go to Top
Forum Jump
Contact Us - FlyerTalk - Archive - Top