Here’s a travel warning you may not have considered – when you travel between countries you are in a legal grey area between your plane or ship landing and you exiting customs, immigration and quarantine checks. In that grey area, some things which couldn’t normally happen .. can.

In this area, for example, government border guards – in Australia, we call them Australian Border Force officers – can exercise a number of legal powers which domestic law enforcement agencies typically don’t have. One of those powers is to demand that you hand over digital devices, such as mobile phones, USB storage, laptops, smart watches etc.

Where it gets a little murky is whether they can compel you to hand over access credentials (e.g. a PIN, password, or other identifiers).

When asked about this by ABC Brisbane, this was Border Force’s reply:

“Under Section 186 of the Customs Act 1901, Australian Border Force officers have the power to examine all goods at the border, including electronic documents and photos on mobile phones and other personal electronic devices”.
“If an individual refuses to comply with a request for an examination of their electronic device, that device may be held until the ABF is satisfied that the item does not present a risk to the border.”

We should caveat this by noting that just because the Australian Border Force interprets a provision of legislation in a particular way doesn’t mean that’s what that section of the law actually means, or how it would actually be interpreted by a court if challenged.

However, this caveat may not matter much because – whether they can legally compel you to hand over credentials or not – ABF can certainly apply practical compulsion to get those details from you.

As you’ll see below in this story from Reddit recently:

“My partner (F/36/Accountant) and I (M/44/Software Dev) landed in Sydney a couple of days ago, back from a 10 day holiday in Fiji”.

“When we arrived at the bag inspection area, we were asked to empty our pockets so we did this (including our phones). She then asked the standard stuff – did you pack your bags, are you aware of the contents etc. Then she said “you are required to provide the passcodes for your mobile phones””.

“Normally I would have argued at this point, but we were so tired, it was easier just to comply. So we recited our passcodes and she wrote them on a piece of paper”.

“She then summoned another officer who came over and took our phones away, out of sight, to another room. Presumably they hooked them up to some kind of machine to inspect them”.

This is where that distinction between practical and legal compulsion kicks in. Yes, it’s possible (and, I’d argue, likely) that section 186 doesn’t give the ABF any right to compel your credentials from you, but if you were not to comply with their request, a number of likely outcomes would follow:

  • Additional scrutiny, as ABF officers would undoubtedly believe you had something to hide
  • Delay in exiting customs, which could mean missed connecting flights, getting home, etc.
  • Potential seizure of your property and – if ABF could show grounds existed to believe your digital gear contained something of interest – they could seek a warrant to gain access to those devices, a court order requiring you to hand over your credentials, and you could be charged with various offences for failing to comply.

For these reasons, many people simply comply rather than risk delays, inconvenience, loss of property and court proceedings.

There’s also the unknown of what ABF actually do with digital devices that are inspected. Do they flick through your photo album looking for child abuse material? Check to see whether you’re logging into dodgy websites from your browser history? Read your emails?

Facts are, they could do all and any of these things, because the law allows them to, and they don’t need to disclose anything much about what they’ve done, looked at, copied or more.

In fact, such is the concern about this clandestine behaviour that digital rights and safety experts advise that any device handed over to ABF for inspection in this manner should be considered completely compromised and should be wiped and/or binned. As Crikey noted in this article from 2019:

At the very least the process is intrusive. Since there is limited oversight, it can also lead to abuses of power, such as when an officer at the border seized a man’s phone and sent messages from it, all without a warrant or even reasonable suspicion.

The practice is also dangerous from a cybersecurity perspective. Once a device has been taken from a person’s view and accessed, the owner can’t know whether or not it has been compromised. A person can’t be sure that spyware wasn’t planted on their device, even if it’s an unlikely scenario.

This is especially concerning for those who deal with sensitive information, or are high-value targets such as journalists and executives. The only way that these individuals can guarantee their security after a search is to treat the device as if it has been compromised.

What if you’re travelling from Europe where the GDPR applies? You may have a swathe of obligations after such a search, to advise other parties that their information may have been compromised, for example.

How can you avoid all of these pitfalls? There’s a few options:

  • Don’t travel overseas. Thanks to COVID, this isn’t a huge loss at the moment – given many can’t travel anyway – but still, Australians love travel, and it’s bound to get easier sooner rather than later.
  • Don’t travel with any unnecessary digital devices. If you don’t want laptops / tablets / mobiles inspected, don’t take them with you.
  • If you do take a digital device, take a mobile phone to keep in touch, take photos, use maps, and so on, and take some steps before you cross the border, such as:
    1. Upload all the things you want to keep to a storage service (e.g. Google Photos, Drive, etc) or a NAS that you keep at home.
    2. Wipe all content from the phone. Most have a “secure wipe” option which will remove any traces.
    3. Set the phone up with basic information only so you can (for example) make and receive calls, send an SMS to a loved one, or read the news while in transit. Don’t sign into any accounts (e.g. Google, iCloud, or the like) so that, if you do have to hand your phone over at the border, there’s precisely “nothing to see here”.
    4. If you’re worried about what might’ve been done to your phone when crossing the border, secure wipe it again when you get home, and set it up again.

Yes, these are extreme steps, but for some travelers who have perfectly legal and reasonable interests, it may be an exceptionally wise idea.

You might think that encrypting information is sufficient protection, but really it isn’t; if you can be reasonably expected to have the means of access – such as a password, fingerprint or PIN – you can potentially be forced to give that over such that encryption is rendered useless.

The only way to deny access to information on a device (or accessible from a device) is to ensure there’s no information on it in the first place, and that nothing can be accessed from it.

Do bear in mind though. If you cross the border, are asked to hand over your device and all you hand over is a mobile phone that looks and feels like a burner (or one that’s been deliberately wiped clean of anything), you do risk arousing suspicion … so it does pay to think carefully about how you’ll conduct yourself in these circumstances.

Traveler beware!

    7 Comments
    newest
    oldest
    Inline Feedbacks
    View all comments
    Lukearse

    Ah “Face Unlock” Border Force favourite workaround!!

    regalen

    This used to happen to me frequently, it got so bad as I came in and out of the country that my employer would send my my devices via DHL to and from whatever country I was going to. Whilst crossing the border, I had nothing but a basic nokia handset. Highly frustrating as all those hours in transit are wasted when I could be working, or entertaining myself.

    JeniSkunk

    In terms of point 4 in avoiding pitfalls, you actually have to be ready and willing to secure wipe any device BEFORE it can be ‘removed from your person for inspection’, before crossing ANY border, not just overseas back to AU. And there should be a point 5. Arrange in advance with someone trusted and contactable back home, to update the passwords on your major cloud based services (google MS, Apple, Amazon, etc), set up your devices for minimal use in advance of traveling for use in transit, and only give the passwords to you on contacting them with an… Read more »

    Michael Brown

    And then you risk being charged with obstruction.

    John

    Wrong, they can’t “demand” you hand over passwords. They can ask, sure and you can tell them to fuck off. Section 186 of the customs act gives them the right to examine anything at the border, but it says nothing whatsoever about you having to assist them in that endeavour.They have zero legal right to “demand” it. They could keep it for a 14 days to “examine” it, but modern phones’ security is virtually unbreakable, so whether they would bother is debateable. Unless you are on some list of super criminals. So it’s probably mostly bluff. Oh, and if they… Read more »

    Chris Rowland

    You are correct, John. Just because ABF interprets s. 186 as allowing them to demand passwords/PINs etc, doesn’t mean that this is what the law actually requires. You could refuse, and if they had reasonable grounds (amongst other things) they could seek a warrant to seize the device, compel you to hand over access credentials etc, and take other action. However, I don’t think refusing to give a PIN or password is an offence per se, but it would likely lead to you being delayed at the border, your property being removed and – if they could prove that you… Read more »

    JeniSkunk

    Such law approved fishing expeditions are a very good reason on top of the COVID situation, to never travel overseas. The LEOs can legally get away with treating you as a criminal, no matter how law abiding you might be. Their legally being able to take your phone, and/or your computer, and access them without you being able to be present, means as soon as they do that, you HAVE to treat your personal property as now being deliberately infected, maliciously damaged, and only fit for immediate, completely destructive, physical and electronic disposal. So if you are insane enough to… Read more »