I'm a US citizen and surely not of any interest to the government. I'd like to travel abroad, but I have an admittedly irrational fear of being denied re-entry (or, at the very least, being subjected to considerable unpleasantness upon re-entry) that gives me great pause. (I keep justifying to my wife that we haven't been to all of the US yet but that argument will only go so far.)
I absolutely would not travel with any of my daily-driver devices. I worry having a completely empty phone w/o a SIM or a visible history of use would cause me to be more heavily scrutinized. Same goes for a computer.
I've heard there's an expectation for some returning travelers to divulge passwords for online accounts upon re-entry to the US (at the risk of "unpleasantness").
I worry because I don't have accounts on the common major social networks. For the accounts I do have (basically Facebook, LinkedIn, and a moribund Gmail account I have grudgingly) I wouldn't know the passwords (because I use a password manager and random passwords exclusively). I wouldn't have my password manager or 2FA seeds with me either.
I know I'm a crazy person when it comes to other aspects of my life. Am I a crazy person when it comes to this? (It definitely doesn't help that I've watched various "reality TV" border/customs TV shows...)
FWIW, I've traveled internationally a dozen times to Mexico, China, and Germany (mostly for work). I have no accounts on the common major social networks, including Facebook and LinkedIn. My laptop runs Linux on an encrypted drive (and it's off when I go through customs), my phone used to run Lineage (now CalyxOS) and would be pretty novel to a customs officer.
I was never hassled even a little on re-entry to the US.
On entering foreign customs, I've been forced to give up tools like small screwdrivers and hex keys, but never my daily-drivers. I've been forced to pay customs when I had to carry two separate laptops into a country (30% the cost of the laptop, as if I was carrying this beat-up old workstation to sell it in the country, instead of because it was the only way to connect to that proprietary equipment). I've been quizzed about plans to leave foreign countries when the scope of work and time to implement a project were not well-defined, as if I wanted a flexible fare return trip because I was moving to Mexico, forsaking my family, job, and home.
Neither I nor any of my coworkers have been hassled on re-entry. We're just not that interesting, it's an irrational fear, stop watching "reality" TV.
They can't deny you reentry as a USC. They can only keep your devices if they suspect anything fishy. The vast majority of people will never be asked a question beyond "where did you travel to, why, what is the total of your shopping". I've moved back from living abroad and was barely asked about having 4 trunks of stuff (well, other than "are you a barber? that's a lot of shampoo").
I've heard even if they take your device, they aren't supposed to be doing anything with your cloud applications as that's more of a subpoena thing. IANAL but I've seen this around several times.
Here's some things you can do to increase confidence crossing borders - this includes the foreign ones, where I'd be more worried about problems than US ones:
1) Remove all the git repos from your computer before travel. And SSH key. Re-install at destination, remove again before departing.
2) 1Password travel mode. You can make a vault with logins you're OK being on your device while transiting. Has worked well for me for years!
3) E2EE cloud storage. It's super cool that iCloud Drive now can be E2EE but it's pretty difficult to turn iCloud Drive off on devices. ProtonDrive is a good alternative. Keep any files you'll need abroad on ProtonDrive. Remove app before travel. Reinstall at destination. Remove again before departing.
4) Yubikeys - some extra account security. Add to all your important accounts. Keep 2 at home, bring 1 along with you while traveling. Get one of those Matador metal bottles with the rubber lid to keep it in so you don't lose it.
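An added example, not part of the comment above: a small shell function that inventories what step 1 says to remove, Git working trees and SSH private keys, so nothing is missed before departure. The function name `pretravel_audit` and the 64 KiB size cutoff are assumptions made for this example; it only lists, it deletes nothing.

```shell
#!/bin/sh
# Added example: list Git working trees and private-key files under a directory.
# Usage: pretravel_audit [DIR]   (DIR defaults to $HOME)
# Output: one tab-separated line per finding, "GIT<TAB>path" or "SSHKEY<TAB>path".
# Assumption: file names do not contain newlines.

pretravel_audit() {
    root=${1:-$HOME}

    # A working tree is any directory holding a ".git" entry. It is a
    # directory for normal clones and a plain file for worktrees/submodules.
    find "$root" -name .git \( -type d -o -type f \) -prune 2>/dev/null |
    while IFS= read -r g; do
        printf 'GIT\t%s\n' "$(dirname "$g")"
    done

    # Private keys are detected by their PEM/OpenSSH header rather than by
    # name, so keys stored outside ~/.ssh or under unusual names are found.
    # Files of 64 KiB or more are skipped (assumed cutoff; keys are small).
    find "$root" -type d -name .git -prune -o -type f -size -64k -print 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null |
           grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            printf 'SSHKEY\t%s\n' "$f"
        fi
    done
}

# Run against the home directory when executed directly with an argument,
# e.g.:  sh pretravel_audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    pretravel_audit "$1"
fi
```

Run it once before leaving and again before the return trip; an empty result means neither kind of item is present under the scanned directory.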
I have crossed the MX/US border many times and it's more annoying flying but when driving across I've never even spoken to the MX side either direction and the only thing I've ever been asked on the US side (after passport) is "do you have any meat or cheese or eggs etc." They seem to get really exercised by a couple of eggs.
Come to think of it I've never had much interaction on the EU/GB/RO/Egypt side either.
The Israelis made my daughter's life hell on departure when traveling with her academically famous and friend of Israel grandfather, so she's quite ferociously negative about ever returning there.
The most annoying so far has been flying back to the US. Kinda faschy a couple of times, mainly concerned with (allowed) food items. 20 yo assholes making you wait for the ok.
We got Global Entry a few years ago and it's a little nerve wracking the first time (did I get everything right?) but it really does cut out a lot of the stress after that. Global Entry and driving across the MX border is often a 5 min process, including the line!
If I was worried about my devices I would encrypt a hard drive and mail it to someplace near the arrival/destination spot. Then carry a bare bones base install over the border loaded with some innocuous stuff. As it is I haul a USB drive with a fully encrypted zfs pool that has innocuously named datasets over borders these days. I am happily no problem at all sure take it thanks. I can go now?
Doesn't solve the steadily cutting digits off the travel mate problem but not much to do in that circumstance anyway.
I sure wish you would travel. US cities have really gotten uninteresting compared to a lot of places in the world. I'd rather go to CDMX than NYC, for instance. Listen to your wife, she's right.
adding... I don't have any social media accounts at all. I have a gmail address, and a couple of migadu domains and that's it. Nobody has ever cared about anything IT ever. Whoops I forgot! I comment occasionally on HN hahaha.
As a US citizen you cannot be denied entry into the United States. Your thought process around this does appear to be highly irrational and likely based on movies and television. This fear absolutely should not keep you from enjoying international travel.
We are much less interesting in this regard than you might think. In short, no one cares or has time to care.
If you ever start working with sensitive information then you might be forced to deal with rather banal hacking attempts with some regularity, but that's probably the extent of it.
Probably, but it is a reality that whatever illusion of protection from search and seizure US citizens benefit from is thrown out the window when you try and re-enter the country. That’s how federal agencies have caught many criminals without a search warrant.
In the 1970s, when I cut my hair about every five months, I was one of two US or Canadian citizens asked to step out of the bus on the way into Canada from New York state. The other guy had even longer hair. The Canadian border police asked me to open my suitcase, asked me about a bag of tea (Earl Grey) and didn't blink at the IRA newspaper I had picked up for laughs at Port Authority in NYC.
On the way back into the US at Detroit, a bored agent gave me about five minutes of grief about whether I was in fact a US citizen. He pointed out that neither driver's license nor draft card proved my citizenship. I shrugged, and he waved me through.
Since then, I haven't been hassled, though to be sure I've looked a good deal less scruffy.
I don't know where you're getting your information, but there is absolutely not an expectation to divulge passwords for online accounts upon re-entry to the US.
> The first digital security rule of traveling is to leave your usual personal devices at home. Go on your trip with “burner” travel devices instead.
I thought it was just easier to do this for Israel. An Israeli company snail-mailed the phone to me before I left, and I mailed it back to them when I returned. You don't have to worry that the phone will work in that country.
It might be different if I were traveling on business or crossing a lot of borders.
I didn't do this, but I should have:
> Just as you shouldn’t bring your usual devices, you also shouldn’t bring your usual accounts. Make sure you’re logged out of any personal or work accounts which contain sensitive information. If you need to access particular services, use travel accounts you’ve created for your trip. Make sure the passwords to your travel accounts are different from the passwords to your regular accounts, and check if your password manager has a travel mode which lets you access only particular account credentials while traveling.
Israel is definitely not typical, and is known to deny people entry more often than most countries (at least most "allied with the West", "free" countries), and also known to specifically ask for access to email and social media at the border sometimes.
So that does seem like one to especially log out of any personal accounts for.
But then... if they realize they don't have access to your usual personal accounts, they may deny you entry for THAT, so....
Can we also tackle the general problem, by considering the snooping to be a diplomatic problem of the locale that does it?
A lot of travel is discretionary, such as vacations. Academic and trade conferences can often choose where they're located. Business can often choose where they do business or expand.
A public interest Web site could publish a trustworthy database of incidents and report card grades of different locales, covering more concerns than the US State Dept. does.
Say, ExampleCon 2024 is announced to be in sunny Barlandia, and a bunch of members respond that they don't feel safe attending, because the database says that Barlandia Customs often clones the devices of visitors without apparent justifiable cause, and some alarming specific incidents. Some respond privately; some publicly announce not traveling to Barlandia, and why.
When planning ExampleCon 2025, organizers consider the convention center in Footopia but have learned to check the database, and find that Footopia has a totalitarian attitude towards privacy&security, as well as elevated incidence of harassment of LGBTQ+ and certain ethnic/racial identities. They don't tell the membership that Footopia was considered, but when they announce the choice of Bazland, they also link its favorable status page on the database Web site.
Meanwhile, the Blortcity government is taking note of this, and embarks on an intense campaign to make their status page numbers look great. A side effect -- besides their consequently growing tourism industry, and increasing tax base from new residents -- is that a lot of abusive/hostile behaviors are stopped for everyone living and visiting there.
Serious question, are there locales with a consistently good track record on this? I have only seen news stories of when it goes wrong and it's difficult to calibrate %s for each region. Like the US is often good for rule of law, but there are a lot of notable counter examples. In this article, around the UK, it's difficult to get a sense of how often this sort of thing is happening especially relative to other western places.
I suspect that virtually every country does this sort of thing regularly and the incentives to stop have got to be much more severe than tourism and conference hostings, there is just too long of a road from that to domestic voter outrage to actually endanger lawmakers' jobs. We have to get people to care about it through arguing I think.
This seems like an unreasonably difficult project. If you're already aware that reviews on, e.g. Yelp and Amazon are difficult to police and discern the authentic ones, wait until you have positive and negative reports on literally your global state-level threat actors in action. You will be shut down in any less-than-free nation, and you will be under attack by astroturfing and misinformation campaigns like you wouldn't believe.
Now how would you defend against that sort of thing and build a trustworthy database, when your very premise depends entirely on verbal descriptions and hearsay claims with no evidence available or required?
Good point; if you have impact against sketchiness, you draw fire from the sketchy upon yourself.
Maybe assemble some trustworthy network of local journalists who can get accurate info, and who can tell you when they cannot get accurate info? And when a place is too hostile to find trustworthy journalists, that alone might make that place a no-go? (You'd still be subject to high-touch compromise in some cases, but maybe not the current problem of automated LLM-powered botnet deluges.)
Personally, I don't have the stomach for taking on state actors as adversaries (too lawless and scary), but this is the kind of thing someone who feels nigh-invincible could undertake to "change the world" in a positive and selfless way.
I don't understand the point of traveling with clean burner devices and keeping your data encrypted in the cloud. Yes, it protects for threats where the devices are stolen or compromised when out of sight, but not for cases where government authorities are targeting you, as described in the article. What happens when govt. goons tell you to write down a list of your cloud accounts (email, storage etc.) and their corresponding security credentials and threaten you to not leave any out? Or, when you are asked to log in to your cloud accounts with the threat actors hovering around you? How many of us would refuse and/or roll the dice on not revealing certain accounts and risk them being discovered later (along with implications of not having revealed them earlier when specifically told to do so)?
Wouldn't it be more rational and reasonable (for everyday folk, not journalists, activists, dissidents, etc.) to never travel with or keep on cloud storage any data that they would rather authorities never, ever see, if at all they have such data? I think the vast variety of business and personal data does not fall into this category.
Note that, in principle, I am all for privacy and resisting govt. intrusions into private lives by crafting appropriate legal frameworks and strong technical mechanisms. In practice, as an average Joe, I don't know how much I should resist if/when I am personally targeted and threatened with dire consequences while traveling in a foreign country. It is easy to think that in such a situation, my priority would be to get out of that situation asap and folding completely may be seen as the fastest way to achieve that.
> What happens when govt. goons tell you to write down a list of your cloud accounts (email, storage etc.) and their corresponding security credentials and threaten you to not leave any out?
That's why you uninstall all apps and delete your browsing history. They have no way to know how many accounts you have, or where they are. Unless you leave those traces on your devices.
If you're super paranoid about it, you can create a few cloud accounts and seed them with innocuous or otherwise fake data. That way you have something to provide, but it's nothing of interest.
> They have no way to know how many accounts you have, or where they are.
Hahahahahahaha. Data brokers are happy to sell them a list of all your accounts, cell-phone location history, your credit card purchases going back 10 years, and much more.
> What happens when govt. goons tell you to write down a list of your cloud accounts (email, storage etc.) and their corresponding security credentials and threaten you to not leave any out?
Since I have no such accounts, nor social media accounts, I wonder what would happen if I were ever asked for them?
Sounds excessive. Probably the only country I would bring burner devices to would be China. Even that idk, I'd have to research and make sure I'm not just a victim of media fear mongering.
Who's the target audience for this article? I've been to I think 16 countries, I think I only talked to a cop once, that was at a traffic check point.
These suggestions seem inconvenient. I guess like a lot of security there’s a trade-off to be made between risk, impact & the cost of mitigation. If you travel frequently, need to work while in transit, you’re going somewhere with unreliable internet, or just don’t consider yourself a likely target then you’re not going to bother with most of this.
> takes your phone or laptop to another room, the safe bet is to consider that device compromised if it’s brought back later, and to immediately procure new devices in-region, if possible
Isn't an easy solution to this to have your "laptop" just have a generic OS install, but have your real machine be a bootable USB or SD?
I read once that those traveling overseas should always copy and paste in passwords rather than typing - basically assuming that your machine has been compromised with a software or hardware keylogger.
Or even better: don't bring any devices with you, buy a phone at the airport when you land, buy a cheap laptop at an electronics store if you need one. Depending on the phone you plan to buy, you can also bring an HDMI adapter and a Bluetooth portable keyboard and plug in your phone to your hotel's TV if you need a full desktop.
Then when you leave, make sure to wipe your devices, and leave them in country.
For extra security, rent an EC2 instance (in the region you are traveling to), and use that with an SSH SOCKS proxy or set up VPN software on it.
I read "post vacation photos while on vacation" as "signaling I'm not at home and a good target for burglary". I tend not to tell anybody that I've taken a trip until I've returned home.
Posting vacation photos to social media when you're actually on vacation is a bad idea. You're signaling to people you're not at your residence or job, which is bad security anyway.
Save all the cute pictures to post when you get home.
"Travel" shouldn't be considered a special risk. I had my laptop stolen on a San Francisco BART train.
It is possible to set up Apple devices so they're bricks in anyone else's hands. If you're not satisfied with your level of security for travel, why are you comfortable taking your device out of a locked safe?
I don't dare take my real smartphone or laptop with me when I fly domestically in the US. I certainly wouldn't take them with me when flying internationally, either.