I’ve been kindly invited to be a regular/irregular contributor to Slaw, and I’m delighted to take them up on this offer.
Even before the change in government in the United States, I’m often asked — by other lawyers, the media and other folks — about whether you can be required to surrender your electronic devices and passcodes to unlock them on demand by border agents. This question has become a bit more acute as the media is increasingly reporting about individuals being not only required to surrender their devices and their passcodes, but also their social media credentials to border authorities. The Privacy Commissioner of Canada has an information sheet on privacy at the border and has recently initiated an investigation into the practices by Canada Border Service Agency.
For some clarity on the state of the law in Canada, I had been hoping that a case out of Nova Scotia would provide some insight (an individual returning to Canada refused to unlock his smartphone and was charged with obstruction) , but the case did not go to trial.
I have to note that this post is not about crossing the border for most people. This is about crossing the border as a lawyer. But there are hopefully some useful insights for non-lawyers.
Lawyers, I think, have arguments that are not available to laypeople. We also have duties regarding the contents of our devices that laypeople do not have.
Here are my thoughts, which are intended to prompt discussion and should not be taken as legal advice. I am not qualified to comment the laws of ANY OTHER COUNTRY.
I travel a lot and I’ve had the following script kicking around my head for some time, just in case someone asks me for my device or any credentials at the border:
“I am sorry, but I cannot unlock my device or provide you with access to its contents. I am a lawyer. My device contains information that is subject to solicitor-client (or attorney-client) privilege.The privilege belongs to the clients and I am not lawfully able to waive the privilege or to provide any third party with access to these materials unless I am ordered to do so by a court of competent jurisdiction. I am happy to answer your questions, but I am not able to reveal any privileged information orally. If you insist on inspecting my device, you should know that it is powered off, protected by a password and is encrypted. Before cooperating in any way, I will need to contact the law society of Nova Scotia to get their input. I would suggest that you or your supervisor contact the senior [crown prosecutor / US District Attorney ] for this region. And my tailor tells me I wear a size ‘medium’ handcuff.”
I haven’t been referred to secondary inspection in some time, so this script has been unused thus far.
Given all that has happened recently, I’m planning to change my practices to avoid even having any data that may be at risk.
The next time I travel internationally, I plan to not take my regular work laptop. I plan to only bring a fresh computer with the minimum suite of remote access software. The device itself will be encrypted. I will not have any files locally saved on the device. I also plan to factory reset my smart phone so that it is essentially a brand new phone as I cross through customs. Only once I am through customs will I install my usual apps, including work email and my social stuff. All my photos and documents on the device are synched to various cloud services, so I can easily wipe it on my way back and repeat the procedure for returning to Canada without losing any vacation pictures.
For some time, all of my devices have been encrypted and I use two-factor authentication on all of my apps that support the additional safeguard. They are not connected to my phone number for texted codes (since anyone with the phone will also be able to request the codes). Because I can’t access my accounts without the second factor and I don’t want to carry that with me where it could be accessed by a customs agent, I plan to leave the backup codes with my secretary with instructions to only give me the 2FA backup codes if I’m calling from a friend’s phone number or the phone number of the hotel I’ll be staying at.
I am not sure that this is a full solution and I think it is unfortunate to have to resort to such measures to protect our clients’ confidences.
As I mentioned, this is intended to prompt discussion and I’d be grateful for any additions or critique in the comments below.