SHIELD

Travel

Borders and customs: the routine nobody prepares for

Your real rights, what customs can actually do, and practical preparation to minimise exposure without breaking the law.

Published 15 min read Exposed

Last reviewed:

Customs check at a border post

A corporate lawyer flies back into the United States after a mediation in Mexico City. The officer at the counter asks him to unlock his laptop. He invokes attorney-client privilege. He is told, politely, that privilege does not suspend a border search. He refuses anyway. Two hours later, the machine goes off for “advanced inspection.” He gets it back eleven days later, by mail, with a paper receipt and the unpleasant certainty that the entire drive has been cloned. He was right about the law. It changed nothing.

Angle de lecture

The usual trap

“I know my rights.” That’s the line that comes up in every conversation about crossing borders, and it’s exactly the line that gets you into trouble. Yes, you have rights. But at an international border those rights are not the ones you think, and they vary radically from one jurisdiction to the next. The border zone is a legal space apart, where the ordinary constitutional protections apply with major restrictions — or not at all. The traveller who thinks he can transpose his everyday legal reflexes to a customs post is reading a map that doesn’t match the terrain.

The second reflex, subtler, is just as costly: believing that encryption is enough. “My disk is encrypted, so nobody can read anything.” That’s true against a bag thief in a railway station. It’s false at a border, because there the adversary doesn’t break the encryption — he asks you, sometimes under legal compulsion, to open it yourself. The threat modelMapping of actors, motivations, capabilities and potential impacts against a target. of the border is not technical. It is legal and physical. You, your passport, your right to enter the country, and an officer who controls that right. The balance of power has nothing to do with the strength of your encryption algorithm.

Most professionals who cross a border every month don’t know precisely what an officer can legally demand of their computer or their phone. That ignorance is not trivial. It leads either to surrendering, in a panic, what you were never obliged to surrender, or to refusing on principle and turning a routine check into an eleven-day confiscation. The only preparation worth anything consists of knowing the exact framework of the destination before you’re in the queue — not improvising a legal stance in front of an officer who knows his ground perfectly.

What an officer can really do, jurisdiction by jurisdiction

A customs officer’s power over your devices depends on the country. There is no international standard, and conflating the regimes is the basic mistake. Here is the real terrain for the destinations that matter.

United States — the warrantless border searchSearch of electronic devices at borders by customs or police.. The US framework is one of the most expansive. The border search exception allows CBPSearch of electronic devices at borders by customs or police. (Customs and Border Protection) officers to inspect an electronic device without a warrant, without reasonable suspicion, without prior judicial authorisation. This applies at land, air and sea borders. In concrete terms: an officer can ask you to open your laptop, your phone, your tablet. CBP Directive 3340-049A distinguishes a “basic” search (an officer looks at the device) from an “advanced” search (connecting external equipment to copy and analyse the contents), the latter requiring reasonable suspicion — a low bar. If you refuse, the device can be retained for in-depth inspection, for several days out of your sight, and a full forensicDiscipline analyzing digital traces after an incident to reconstruct what happened. copy of the drive can be made in a back room, in fifteen to forty-five minutes, without your being informed.

The password question. For a US citizen, refusing to unlock cannot be used to bar your entry to the country — you’re home. But it can cost you the confiscation of the device and prolonged questioning. For a non-citizen and non-permanent-resident, the protection is almost non-existent: refusing to cooperate can mean a flat denial of entry, on the spot, with no recourse. The compelled disclosureLegal obligation to provide passwords or decrypt devices under penalty. of a passcode remains an unsettled legal debate in the United States — some federal courts protect a memorised password under the Fifth Amendment privilege against self-incrimination, others don’t, and biometrics (fingerprint, face) are less protected than a passcode. For a foreigner, that debate is largely academic.

United Kingdom — the criminal obligation to decrypt. The British regime is one of the most coercive in the world, and it’s rarely understood by visiting travellers. Schedule 7 of the Terrorism Act 2000 allows any person to be detained and questioned at the border, without grounds, for up to six hours, and to have their documents and devices examined. Above all, Section 49 of the Regulation of Investigatory Powers Act 2000 creates a legal obligation to hand over decryption keys on demand. Refusing to decrypt a device that has been required is a criminal offence, punishable by two years’ imprisonment (five in a terrorism context). This is not a theoretical threat: journalists and activists have been prosecuted under this regime.

China and Russia — broad discretionary power. Chinese and Russian border officers wield very extensive powers. Confiscation possible, documented forced access, copying of the device with no adversarial procedure. In China, the installation of monitoring apps has been observed at certain land crossings. In both countries, assume that any device crossing the border can be inspected and copied — preparation isn’t about protecting the data present, but about not carrying any at all.

Israel and the Gulf — profiling and unlock requests. At Ben Gurion in particular, security profiling is systematic and phone unlocking is frequently demanded, especially for targeted profiles (journalists, links to the territories, certain geopolitical profiles). Several Gulf states practise discretionary device inspection on entry.

European Union — structurally lower risk. EU customs have the classic powers of physical inspection, but the GDPR applies to public authorities and creates a relative protection. For an intra-EU business traveller, systematic coerced device searches are rare outside a specific judicial investigation. Be careful, though: the “safe” border does not eliminate opportunistic theft, which remains the dominant vector in Europe.

What can really be seized, and how

When we talk about a border search, the default mental image is an officer flicking through your photos for two minutes. The operational reality is broader, and it’s that reality you need to keep in mind to calibrate your preparation.

Any storage device is in scope. Laptop, phone, tablet, smartwatch, USB stick, external drive, memory card. An officer can ask for the whole lot, not just the phone you spontaneously hand over. SD cards forgotten in a camera, the USB stick at the bottom of your bag, the backup drive you bring “just in case”: all of it falls within the perimeter. So the first discipline is to know precisely what media you’re carrying, and to bring only those you need.

The forensic copy is fast and invisible. A bit-for-bit clone of a drive or a phone takes fifteen to thirty minutes with compact equipment now standard in the border services of major countries — the family of forensicDiscipline analyzing digital traces after an incident to reconstruct what happened. tools of the Cellebrite type and their equivalents extracts contacts, messages, location history, deleted-but-recoverable files, and often the session tokens that reopen your online accounts. You see nothing of this operation: the device goes off “for verification” and comes back. Assuming that a device out of your sight for more than ten minutes in a high-risk context has been cloned isn’t paranoia — it’s the reasonable working hypothesis.

The copied content can travel on. Depending on the country, extracted data may be retained, analysed offline for weeks, and shared with partner intelligence agencies. Data that crosses the border once never “comes back”: it’s duplicated. That’s why the defensive strategy is never about recovering the device, but about what it contained at the moment of crossing.

The right approach: you don’t protect what you don’t carry

The pragmatic switch fits in a single sentence. At a border, you cannot be compelled to reveal what the device does not contain. The whole strategy follows from that: instead of hardening the defence of a device full of sensitive data — a defence that legal compulsion or a denial of entry blows straight through — you reduce what there is to see until the search has nothing to act on. It’s the only logic that holds up against an adversary who controls your right to enter.

The clean machine, the queen move. For any high-risk destination (China, Russia, Belarus, certain Gulf states) and for any exposed profile heading to the United States or the United Kingdom, the travel device is a dedicated machine, provisioned for the trip, with no corporate data beyond what the mission strictly requires. What isn’t on the disk can’t be copied, seized or demanded. It’s also the only measure that makes refusal pointless: there is nothing to refuse. This logic of physical separation is detailed in the pre-departure preparation, but the principle is right here: the border is prepared upstream, by subtraction.

Data in transit, not in local storage. If the sensitive files live in a cloud workspace you connect to after the crossing, from the hotel, over a controlled connection, then the device crosses the border empty. You sign the accounts out before the flight, you sign back in at the destination. The search, even an advanced one, finds only an operating system and a few innocuous work documents.

Full encryption, machine powered off — not asleep. Disk encryption remains useful against theft and inspection in your absence, but on one condition only: the machine must be powered off at the crossing, not asleep. An encrypted disk on a powered-off machine is practically unattackable cold. A sleeping machine keeps the key in memory and remains vulnerable to a cold boot attack if the adversary has the time and the hardware. The nuance makes all the difference, and it’s exactly the one nobody applies.

No passwords saved in the browser. An open device whose browser keeps all sessions active and all passwords stored gives access to far more than the device itself: to all your accounts. Disconnecting the browser’s built-in manager and closing cloud sessions before the crossing turns a compromised device into a simple empty terminal.

The travel phone, not just the laptop. People think “clean machine” for the computer and forget the phone, which is in fact the richest medium: messaging, geolocation, photos, contacts, authentication tokens for every account. For a tier 3, a dedicated travel phonePrepaid disposable phone used for a specific purpose then abandoned., with a separate account and the minimum of apps, closes a vector that the clean laptop leaves wide open. The “I’ll take my usual phone, it’s my laptop that matters” reflex is exactly the blind spot of dispositions that are otherwise serious.

Prepare the refusal, don’t improvise it. Decide in advance how far you cooperate, depending on the jurisdiction and your status. A citizen returning home doesn’t have the same margins as a foreigner requesting entry — refusing to decrypt is a fragile right in the United States for a citizen, but a criminal offence in the United Kingdom under Section 49. Never lie to an officer: it’s a separate offence, often more serious than the underlying issue. “I’d rather not answer” is legally safer than a lie, even if it prolongs the check. And document any confiscation: demand a written receipt with the officer’s name, badge number and a description of the equipment — in the United States, CBP is required to provide form CBP-6051D.

What this means in practice

For you, as an individual

Three things before your next border crossing outside your comfort zone. None costs more than a few dozen euros, and an old device is enough for the third.

1. Disconnect cloud accounts and close browser sessions. Before leaving, sign out of the secondary mail accounts, the photo storage, the cloud folders you won’t use on the trip. Clear the passwords saved in the browser and close open sessions. If the device is inspected or lost, it only gives access to the strict minimum, not to your whole digital life.

2. Power the device off completely before the crossing — not asleep. When you present your passport, the laptop and phone are off. An encrypted disk on a powered-off machine really protects your data; asleep, the encryption becomes largely decorative. This single, free gesture is worth more than most of the “tricks” you’ll be sold.

3. Write a contact number on a physical medium. If the phone is confiscated, you need a number memorised or written on a slip of paper tucked into your passport — a relative, a lawyer, your carrier to block the lineIntegrated reprogrammable SIM card supporting multiple carrier profiles.. A single number accessible without any device is enough to avoid being completely cut off.

For you, the CISO / IT director / executive

The border is not an individual traveller’s problem. It’s a policy, and it’s steered by destination.

1. Travel policy by country tier. Classify destinations into three levels and attach a hardware disposition to each. Tier 1 (EU, Canada, Japan, Switzerland): a hardened usual machine is enough. Tier 2 (United States, United Kingdom, Israel): surface reduction, minimised data, a refusal plan based on the employee’s status. Tier 3 (China, Russia, Belarus, certain Gulf states): a dedicated blank laptop, a travel phone, no corporate VPNEncrypted tunnel between your device and a server, masking your IP and traffic from your ISP. access on site. Direct consequence: an employee no longer decides their own exposure level alone — the destination determines the hardware, and the hardware is supplied by IT, not improvised the night before.

2. Mandatory pre-departure security briefing for tier 3. No trip to a tier 3 country leaves without a formal briefing: what the local border officer can do, what you carry and above all what you don’t carry, who to contact in case of confiscation, the return protocol. Direct consequence: you turn tacit knowledge — the kind only seasoned travellers have — into a traced, auditable procedure, integrable into your ISO 27001International standard for information security management systems. corpus.

3. The return is part of the border disposition. A tier 3 device that plugs straight back into the network on return cancels out the entire upstream precaution. Every tier 3 trip opens a return ticket — isolation, forensicDiscipline analyzing digital traces after an incident to reconstruct what happened. scan, re-image — before departure even happens. Direct consequence: the potential incident responseStructured process for managing a security incident: detection, containment, eradication, recovery. is budgeted and planned in pre-departure, not discovered in panic when a device comes back after eleven days in customs.

Mistakes we see all the time

  • A machine asleep at the border rather than powered off, which makes disk encryption largely ineffective at the exact moment it would count.
  • Sensitive data stored locally on the travel device, when it could have stayed in a cloud workspace accessible only after the crossing.
  • Lying to a border officer about the contents of the device or the reason for the trip — a separate offence, often heavier than what you were trying to hide.
  • Conflating legal regimes: believing that refusal protects you everywhere (false for a foreigner in the United Kingdom, where it’s a criminal offence) or that US citizens’ rights apply to a non-citizen.
  • No recent backup before departure: if the device is confiscated and comes back months later — or never — it’s a clean loss of all the work in progress.
  • Reconnecting on return, without isolation, a device that stayed out of sight in the customs of a high-risk country, reintroducing a possible compromise straight onto the corporate network.
  • Invoking a professional privilege you assume is automatic: at US customs, the protection of privileged data must be activated through a specific procedure, before the crossing, not announced at the counter.

Actionable checklist

  • N1 Device powered off (not asleep) at the moment of border crossing
  • N1 Full backup verified before departure (completed, not just started)
  • N1 Cloud accounts disconnected and browser sessions closed before the flight
  • N1 Passwords not saved in the travel device's browser
  • N1 Contact number (relative, lawyer, carrier) written on a physical medium
  • N2 Rights of the destination jurisdiction understood cold, before the queue
  • N2 Sensitive data in the cloud, not local, for high-risk destinations
  • N2 Cooperation/refusal plan decided by status (citizen vs foreigner) and country
  • N2 Ask for a written receipt in case of confiscation (name, badge, form CBP-6051D in the US)
  • N3 Dedicated blank laptop and travel phone for any tier 3 country (CN, RU, BY, Gulf)
  • N3 No corporate VPN access provisioned on the tier 3 travel device
  • N3 Formal pre-departure security briefing for tier 3 trips
  • N3 Return procedure opened before departure (isolation, forensic scan, re-image)
  • N3 Treat any device recovered after advanced inspection as compromised

Going further

The EFF guide on digital privacy at the US border remains the most detailed and best-maintained reference for understanding what CBP can and cannot do, citizen or not. CBP Directive 3340-049A is the source text that distinguishes basic from advanced searches — reading it avoids a lot of myths. For the United Kingdom, Section 49 of RIPA is the text that turns a refusal to decrypt into a criminal offence: worth knowing before any business trip across the Channel.

This article covers only the crossing itself. Building a clean travel device and calibrating by threat level belong to the pre-departure preparation; the Chinese case, with its specific interception ecosystem, is handled in Travelling to China; and the most neglected phase — the return of a device that stayed out of your control — is the subject of the return-from-mission procedure. The border is just one link; it’s the whole chain that protects you.

Sources and further reading

Related articles