Here’s a travel warning you may not have considered – when you travel between countries you are in a legal grey area between your plane or ship landing and you exiting customs, immigration and quarantine checks. In that grey area, some things which couldn’t normally happen … can.
In this area, for example, government border guards – in Australia, we call them Australian Border Force officers – can exercise a number of legal powers which domestic law enforcement agencies typically don’t have. One of those powers is to demand that you hand over digital devices, such as mobile phones, USB storage, laptops, smart watches etc.
Where it gets a little murky is whether they can compel you to hand over access credentials (e.g. a PIN, password, or other identifiers).
“Under Section 186 of the Customs Act 1901, Australian Border Force officers have the power to examine all goods at the border, including electronic documents and photos on mobile phones and other personal electronic devices”.
“If an individual refuses to comply with a request for an examination of their electronic device, that device may be held until the ABF is satisfied that the item does not present a risk to the border.”
We should caveat this by noting that just because the Australian Border Force interprets a provision of legislation in a particular way doesn’t mean that’s what that section of the law actually means, or how it would actually be interpreted by a court if challenged.
However, this caveat may not matter much because – whether they can legally compel you to hand over credentials or not – ABF can certainly apply practical compulsion to get those details from you.
You can see this in a recent story from Reddit:
“My partner (F/36/Accountant) and I (M/44/Software Dev) landed in Sydney a couple of days ago, back from a 10 day holiday in Fiji”.
“When we arrived at the bag inspection area, we were asked to empty our pockets so we did this (including our phones). She then asked the standard stuff – did you pack your bags, are you aware of the contents etc. Then she said ‘you are required to provide the passcodes for your mobile phones’”.
“Normally I would have argued at this point, but we were so tired, it was easier just to comply. So we recited our passcodes and she wrote them on a piece of paper”.
“She then summoned another officer who came over and took our phones away, out of sight, to another room. Presumably they hooked them up to some kind of machine to inspect them”.
This is where that distinction between practical and legal compulsion kicks in. Yes, it’s possible (and, I’d argue, likely) that section 186 doesn’t give the ABF any right to compel your credentials from you, but if you were not to comply with their request, a number of likely outcomes would follow:
- Additional scrutiny, as ABF officers would undoubtedly believe you had something to hide
- Delay in exiting customs, which could mean missed connecting flights, getting home, etc.
- Potential seizure of your property. If ABF could show grounds existed to believe your digital gear contained something of interest, they could seek a warrant to gain access to those devices and a court order requiring you to hand over your credentials, and you could be charged with various offences for failing to comply.
For these reasons, many people simply comply rather than risk delays, inconvenience, loss of property and court proceedings.
There’s also the unknown of what ABF actually do with digital devices that are inspected. Do they flick through your photo album looking for child abuse material? Check to see whether you’re logging into dodgy websites from your browser history? Read your emails?
The fact is, they could do any or all of these things, because the law allows them to, and they don’t need to disclose much about what they’ve done, looked at, copied, or anything else.
In fact, such is the concern about this clandestine behaviour that digital rights and safety experts advise that any device handed over to ABF for inspection in this manner should be considered completely compromised and should be wiped and/or binned. As Crikey noted in this article from 2019:
At the very least the process is intrusive. Since there is limited oversight, it can also lead to abuses of power, such as when an officer at the border seized a man’s phone and sent messages from it, all without a warrant or even reasonable suspicion.
The practice is also dangerous from a cybersecurity perspective. Once a device has been taken from a person’s view and accessed, the owner can’t know whether or not it has been compromised. A person can’t be sure that spyware wasn’t planted on their device, even if it’s an unlikely scenario.
This is especially concerning for those who deal with sensitive information, or are high-value targets such as journalists and executives. The only way that these individuals can guarantee their security after a search is to treat the device as if it has been compromised.
What if you’re travelling from Europe where the GDPR applies? You may have a swathe of obligations after such a search, to advise other parties that their information may have been compromised, for example.
How can you avoid all of these pitfalls? There are a few options:
- Don’t travel overseas. Thanks to COVID, this isn’t a huge loss at the moment – given many can’t travel anyway – but still, Australians love travel, and it’s bound to get easier sooner rather than later.
- Don’t travel with any unnecessary digital devices. If you don’t want laptops / tablets / mobiles inspected, don’t take them with you.
- If you do take a digital device, take a mobile phone to keep in touch, take photos, use maps, and so on, and take some steps before you cross the border, such as:
  - Upload all the things you want to keep to a storage service (e.g. Google Photos or Drive) or a NAS that you keep at home.
  - Wipe all content from the phone. Most phones have a “secure wipe” option which will remove any traces.
  - Set the phone up with basic information only so you can (for example) make and receive calls, send an SMS to a loved one, or read the news while in transit. Don’t sign into any accounts (e.g. Google, iCloud, or the like) so that, if you do have to hand your phone over at the border, there’s precisely “nothing to see here”.
- If you’re worried about what might’ve been done to your phone when crossing the border, secure wipe it again when you get home, and set it up again.
Yes, these are extreme steps, but for some travellers who have perfectly legal and reasonable interests, they may be exceptionally wise.
You might think that encrypting information is sufficient protection, but really it isn’t; if you can be reasonably expected to have the means of access – such as a password, fingerprint or PIN – you can potentially be forced to hand it over, which renders the encryption useless.
The only way to deny access to information on a device (or accessible from a device) is to ensure there’s no information on it in the first place, and that nothing can be accessed from it.
Do bear in mind, though, that if you cross the border, are asked to hand over your device, and all you hand over is a mobile phone that looks and feels like a burner (or one that’s been deliberately wiped clean of anything), you do risk arousing suspicion … so it pays to think carefully about how you’ll conduct yourself in these circumstances.