Looking for stories of refusal to provide password/PIN

I'm getting ready for an overseas trip and I'm looking for stories of people whom, on returning to the US, were asked for a PIN to their device and refused.

Basically, as a US Citizen I understand that I can refuse to give them the PIN to my devices, and they then have to seize those devices. I'm just wondering if anyone on here has done that, had their devices taken, and did you ever give them back?

Never experienced this myself, but my opinion, based on what I've read here on FlyerTalk is thus:

1) Never put sensitive information directly on your device when you travel. Use cloud storage only. This gives you the option to actually divulge the pin or password for your device without actually compromising your data. Hint: If you use a cloud service, don't put the icon for it prominently on your home screen/desktop. In fact, you can uninstall the app prior to approaching customs (they're easy to uninstall and reinstall later), and their cursory examination of the device will show them nothing. Same goes for social media apps.

2) If at all possible, use throw-away devices when you travel, so you won't lose your primary devices if you're robbed, caught in a disaster, or have devices confiscated or compromised by authorities.

3) If your devices are confiscated by authorities, write them off. When they're returned to you, they will be security compromised and can never be trusted again. Run over them with a truck and recycle the remains.

4) From what I've read here on FT, if you refuse to divulge your pins and passwords, you can expect not only to have your devices confiscated, but to endure threats, coercion, lengthy delays re-entering the country, and extensive retaliatory screening and interviews. Be prepared.

There was this thread a few months back...may be some other posts around here on the subject too

http://www.flyertalk.com/forum/check...phone-iah.html

No personal experience with it thus far though.

+1 - Don't obsess about CBP. There are tons of similar risks elsewhere in the world and some of them involve brute force.

Do not store sensitive data on any device. Period.

If everything is sensitive, upload it all, wipe your device, delete the password/PIN and let anybody who wants have a look at nothing.

There are situations where this is a BAD IDEA. For example, if you do iCloud backups then those backups are encryped by a key that Apple knows and can be forced to divulge. Therefore your backups aren't safe.

I back up my devices before I go, and assume that if they're lost or stolen I'll just go by new ones when I get home.

This applies if they're taken out of sight. Even if they brought it right back I'd stomp on it right there in the interview room. "Sorry, I trust you as much as I trust the Russian FSB and the Chinese government. Which is: Not at all."

It's amazing how many people trust cloud services when it comes to security. If I was you I wouldn't...

I wasn't talking about Apple or Amazon. And of course, there is nothing that prevents you encrypting your files with TrueCrypt before uploading them.

I was addressing more the choice of device than backup practices. If you're going into a high-risk situation, you should choose low-value items to minimize your loss in the event of theft or disaster.

Actually, I'm not taking a laptop. On this trip, since it's vacation, I'm taking my iPhone and my iPad Pro. And, obviously, with iOS the only two backup options are iCloud or local.

I'm not sure that returning from Japan qualifies as high risk. I'm not going to BlackHat or Russia/China. For a trip like this to be enjoyable I will need my devices to help us get around. I suppose I could buy an iPhone in Japan, but then that seems to defeat the "low-value" part.

Try a free service such as Box.com for files. Run the free version of CCleaner to make sure there aren't files left over in temporary locations.

You can refuse even if you are not US citizen. They just seize device and/or refuse admission.

First off, you must be setting off various suspicions during inspection for them to go down path of seizing device to begin with. And then for them to actually seek a warrant for Apple to access your iCloud data? What are the chances of that when you consider number of people arriving in US daily?

If your data cannot see the light of day, wipe your phone, login to a dummy apple.com account before you cross the border. They can't compel Apple to release content from an account they don't know exist.

I think we may be discussing two different situations here.

From your original post, I believed you were traveling on business and wanted to keep company data secure from the prying eyes of the gubment.

However, since you're taking only an iPhone and iPad Pro, no laptop, it seems more like you're traveling on leisure and want to keep your personal data secure.

In that case, my advice would be much simpler: Don't keep sensitive personal data on your mobile devices at all. There is some sensitive data you will need when traveling - insurance information, emergency contacts, etc - but aside from that, the most of the data you need while traveling is not critically sensitive. Your itinerary, reservation numbers, contact information for the places you will stay and activities in which you might engage, maps, trip photos and notes/journal, all of these data may be private, but they're not life-critical and can be kept on your mobile devices without fear.

Additionally, if you're traveling on leisure to Japan, I doubt you will get heavy scrutiny form US authorities upon your return unless you set off some specific red flag, such as traveling with no luggage, booking last-minute, traveling solo to a destination known for sex trade, or you bungle the routine questions upon re-entry. Granted, I'm going merely on what I've read on FT here, but if you are indeed traveling for leisure to a first-world country like Japan, I doubt that you have much to fear in regard to data security, and require no more than ordinary precautions.

I think you've got more risk of losing your devices to theft or accidents than to CBP confiscation.

Nothing protects you from hackers. I am not particularly worried that CBP or anyone else will bother to obtain a search warrant for my devices.

I am concerned that devices will seized and that CBP will brute force examine them, so the notion of not providing a password/PIN and CBP having at it seems the saner path.

This is true. And there are many things I could do. Not take any data with me, etc. But then I could also just not go on a vacation, right? Why make it suck more?

Again, I'm not concerned about the security of the data on the device, even in the hands of the government. I know enough about the platforms that I use to know that I'm likely not worth the effort of a brute force attack. If iOS 11 is out before I fly then I'll likely have a "cop mode" option, otherwise I just reboot the devices before I get off the plane. Boom, no touch ID and I won't divulge a PIN. They wanna bruit force it then sure, but guess what, unlikely.

I was more looking the experiences of people who were even asked for a PIN, and what happened when they said no. If the CBP steals my device (and it's theft) fine - I suspect my iPhone 8 will already be on order. Might even be waiting for me at home.

I see all this "wipe your device" advice, and while I know a lot of the folks who suggest it (friends at the EFF) I also know it's mostly unreasonable, like the "master cleanse". I've secured my data, I'm just more wondering how likely I am to lose my device.

Seems some others aren't too crazy about handing over their phones and other electronics so government can go pawing around in them.

https://finance.yahoo.com/news/lawsu...-politics.html

The bold part of your understanding is inaccurate.

1. They can search any unlocked device at the border at any time for any reason or for no reason.

2. If the device is locked, they can ask any passenger for the password, at any time, for any reason, or for no reason at all. If the passenger unlocks the device, then see Step 1, above.

3. If you, as a US citizen, refuse to give them the PIN, they can't and won't just seize the device willy-nilly without a really good reason to believe there is evidence of criminality on the device. In the Ninth Circuit specifically (California, Arizona, Nevada, Washington, Hawaii, Oregon) they are prohibited from seizing a device to perform an off site forensic search unless they have "reasonable suspicion," which is a legal standard close to "probable cause."

See the Ninth Circuit's decision in US v. Cotterman:

https://en.wikipedia.org/wiki/United...s_v._Cotterman


This is the trend in the law and how other circuits would probably rule on such cases, and I believe it is CBP's practice in all circuits, not just the ninth circuit, that they don't seize devices and waste the time of CBP geeks to try to break into those devices unless they have a really good reason to believe there's something bad and significant on the device.

Officers definitely need the approval of a front line supervisor, and perhaps other higher ups at the port of entry, before seizing a locked electronic device to have it searched. They can't get that approval without a very good reason.

4. CBP officers can, however, threaten to seize any device from any passenger at any time, for any reason, in order to coerce the passenger to answer questions or to trick the passenger into unlocking the device. "Unlock the phone now or we will seize your phone and keep it for weeks/months" can be a pretty effective threat, even if it's an empty threat. "Unlock the phone or we will keep you here until you do" also seems to be a favored threat. These are bluffs though. If you're going to refuse to unlock your devices, you need to be prepared to call them on these bluffs. If you're a U.S. citizen, they won't hold you more than a few hours before letting you go.


5. I'm a U.S. citizen, and I have personally refused to give them the PIN to my phone. I landed in Chicago two years ago, returning from a vacation to Afghanistan. They asked my why I went there, what I did there, etc. I told them more or less that it was none of their business but they were free to search my bags.

The officer took out my phone and said "Could you enter the PIN?" I said "I could, but I won't." He said "Fine, We'll seize it." I said "OK."

An hour later they let me go, with the phone, computer, etc. The seizure threat was a bluff.

Years earlier (pre-Cotterman), I landed in Las Vegas from a flight to Cuba. The officer told me he was seizing my devices because I wouldn't answer questions and even handed me some kind of notice of seizure literature. Back then I was naive and inexperienced with such matters, so I started answering questions. They didn't seize my devices. I suspect that this too, was a bluff.

6. I've been through seven other secondary inspections in which I refuse to answer questions, always with a phone and laptop in my luggage, and they never turned on my devices or asked for a password. They always search everything else in my bags and usually set aside the electronics and treat them like Kryptonite.

I remember at one point even mentioning as they let me go, "I'm surprised you didn't turn on my computer/phone" and the officer said "Oh we don't touch that stuff here." Maybe it's a different story for foreigners sent to "immigration secondary," with officers routinely checking their phones to find evidence that they intend to overstay their welcomes. But for an American sent to "baggage secondary," the chance they are going to turn on your phone or seize it is exceptionally low.

jphripjah summed it up rather well. Especially that as US citizens we have far more protection and should use this instead of just going with the flow to appease a gov't agency.

Post 9/11 but before the Trusted Travel Programs were created and the general public were allowed to apply to be members I got hassled a lot at TSA checkpoints & CBP. Each time at CBP I was threatened with seizure of my laptop, tablet and/or phone. Having two phones was a big trigger for them which is idiotic as more people carried a work & private phone at those times. When I was still in college I had one CBP agent threatened to take my laptop and that sometimes they come back blank and he was sure I wouldn't want that to happen to a research paper I was working on. This just made me roll my eyes at him which of course didn't help things but he didn't seem to know about backups nor jump drives. Pure intimidation tactic. I now remove all fingerprint recognition for my devices when going through a border checkpoint. Last time a CBP agent wanted to take my iPad when I refused to unlock it. When he said he was taking it I told him I would need to talk to his supervisor about maintaining the integrity of chain of custody as it had information on it that another gov't agency would not be ok with anyone else seeing and would/could be considered a violation of federal law. They reverse position very quickly.

One last thought, I am about to upgrade my iPhone am shying away from the iPhone X because of the facial recognition shift. I do like the fingerprint access and know that the passcode option is still available but it's too easy for this to be abused at this day & time.