EFF Publishes New Guide to Mitigating Digital Privacy Risks at US Border

If you care about solicitor-client privilege, travel to the US and use computing technology, then read this:

By its own admission, US border protection conducted five times as many electronic media searches from one year to the next: 4,764 in 2015, rising to 23,877 in 2016.

Yup. That’s 500% more cause for anyone travelling to the US to be concerned. Should Canadian lawyers be cautious too? Yes.

America’s digital rights sentinel, Electronic Frontier Foundation, just released its 2017 reboot to its guide for mitigating risks to digital privacy when travelling to the US. The newly minted guide (last revised in 2011) is titled “Digital Privacy at the US Border”. The EFF’s March 9 press release reads:

Increasingly frequent and invasive searches at the U.S. border have raised questions for those of us who want to protect the private data on our computers, phones, and other digital devices. A new guide released today by the Electronic Frontier Foundation (EFF) gives travelers the facts they need in order to prepare for border crossings while protecting their digital information.

The 50-page guide’s first paragraph gives a heads-up to lawyers explicitly:

Moreover, people in many professions, such as lawyers and journalists, have a heightened need to keep their electronic information confidential.


The guide is structured in three parts:

  • Part 1 deals with the risk assessment factors (relating to both you, personally, and to your data and devices) and corresponding potential actions
  • Part 2 canvasses the law, policy and rights regarding privacy at the border
  • Part 3 talks technology specifics, issues and suggestions (for example using a wiped Chromebook during travel and adding cloud-service credentials once you have crossed over).

I found the guide particularly timely, especially after the webinar I helped host and wrote about a couple weeks ago on the impact of Trump’s immigration-related executive orders. During that session, Canadian lawyers raised many questions about their own device protection.

The guide is not written as a panacea to our concerns, but it nonetheless has useful information for Canadian lawyers, and does offer positive, concrete guidance for a couple tortuous questions.

A few scattershot observations:

  1. The guide seems to confirm that merely refusing to comply with CBP orders might be the wrong way to go, at least if you (as a foreign traveller) want to assure future travel privileges and/or don’t want them to take your devices away indefinitely.
  2. The guide talks about the orders CBP policy does allow, which include unlocking devices and identifying social media account handles, but do not yet include providing password credentials to social media accounts and/or cloud services.
  3. Absolutely minimize any data on the device itself and log out of apps (email, cloud storage, etc.) that connect automatically for any person using your unlocked phone.
  4. Ideally, use a blank-slate laptop that is simply not used to store personal or work files. If you can connect remotely to a computing and file environment (e.g. using Citrix), then permission the device when you’re clear.
  5. A nice idea seems to be to have a robust firm policy that requires you to travel with a clean, non-logged-in device to protect all client information, and even better if you have been shut out from firm file access. In the event the US takes it to another level (requiring travelers to reveal actual passwords to cloud services), the corresponding step would be to have the IT department shut out the travelling lawyer, disabling password access to Exchange and other cloud data, with access re-permissioned only after due diligence on the IT side once the lawyer is safely state-side. Apparently, a policy that the traveler has no control over is easier for the CBP to accept than naked refusal to comply.
  6. If and when the conversation with the CBP officer drifts to your devices and digital presence, do not let implied consent be a spectre in the conversation:
    • Politely ask if the request is an “order” per se, and decline to give consent to anything less.
    • If the request is an “order”, politely ask the CBP officer to withdraw it due to the solicitor-client nature of your documents/emails/etc.
    • If the order persists, make clear that you comply only under protest.
    • Try to get the names and IDs of the officers involved.

— Nate Russell is a liaison lawyer with Courthouse Libraries BC. Find him on Twitter @nrusse.


