We all do it. While waiting at border control, boredom hits and we instinctively take out our phones to see what has been happening in the world during our flight. It seems a safe and harmless way to pass the time – but that isn’t always the case.
This is what a former colleague who was queuing to get through border control in a reasonably hostile country told me happened to him: “This huge security guy just leaned over and plucked my phone right out of my hands while another dragged me to one side.”
In a side room, my colleague was asked questions about what he intended to report on while in the country. Meanwhile the contents of the phone - social media accounts, emails, contacts, messaging applications - were searched. The border agents didn’t even need to demand that my colleague unlock his phone as they had snatched it, unlocked, from his hands.
Airports can be digitally risky places for journalists. They provide agencies who may want to gain insight into a journalist’s editorial intent or identify who their sources are a bottle neck through which journalists have little or no choice but to pass. For a period of time, they are in a controlled and captive environment.
For that reason, being prepared for the digital risks posed at airports is a good strategy for the travelling journalist. Here are 10 steps to digitally safer border crossings:
1. Only carry data with you that you need.
The best way to prevent sensitive information from falling into the hands of border agents when travelling is not to take it all.
Purge your phone and your laptop of sensitive data that you don’t need to take with you, uploading it instead to a cloud storage provider so that it does not physically reside on your devices. Once you are through the airport and have a stable internet connection you can re-download any of this data that you need (through an appropriate VPN).
Don’t just remove sensitive documents, but also consider web browsing histories, sensitive contacts and cached credentials.
Bear in mind however that merely deleting files will only stand up to the most cursory of manual inspections. While it is these types of inspection that you are most likely to face, more detailed forensic analyses will be able to recover deleted files. That being said, full disk encryption (more to follow in point 3) will thwart such file recovery.
Given the potential inconveniences involved in taking these steps, you may even consider not taking your day-to-day devices at all, instead choosing to take ready-cleaned ‘loaner’ phones and laptops.
Another strategy that you may adopt is to back it up your phone to iCloud or Google and then factory reset it (without recovering to this backup), creating a ‘clean’ phone prior to travelling. Once you are safely through the airport and at a destination with a steady internet connection, or on your return, you can then restore your phone to the backup (again through an appropriate VPN).
2. Log out of or remove any applications that provide access to sensitive information or that may be controversial.
You can always reinstall these applications when you are safely through the airport and at a place with a steady internet connection.
Remember that the mere presence of certain applications on your phone might cause more scrutiny or questioning if you are stopped. While the likes of Signal or WhatsApp are fairly uncontroversial, for example, their mere presence on your phone might raise the interests of border agents in certain locations.
3. Ensure that full disk encryption (FDE) is enabled on your devices.
If your laptop is taken away and a forensic copy of the disk taken for follow-on analysis, FDE will protect the data it contains. Border agents are unlikely to be savvy to FDE and will more than likely have been provided with a simple-to-use capture machine into which they plug a laptop to generate disk images. Without the appropriate key, whoever undertakes the follow-on analysis will be unable to open any of your files.
For MacBooks, the FDE product built into OSX is FileVault. For Windows10, the built-in FDE product is BitLocker.
4. When transiting the airport, leave your phone and laptop turned off.
Leaving your phone turned off will also protect it from any collection of metadata or attacks that are undertaken using the mobile network infrastructure on site.
Agencies are known to collect identifiers of mobile phones so that they can then track these phones’ movements as they interact with mobile infrastructure throughout the country. Airports provide a convenient point at which to collect these identifiers. It is also not unknown for mobile spyware to be delivered to target devices using mobile infrastructure, so not having your phone turned on in the airport - a location where such agencies know you are going to definitely be present - is a good mitigation.
Having your laptop turned off is a good idea in that it ensures that any FDE you have activated is in place.
5. Disable the ability to unlock your phone using fingerprint and facial recognition and instead use a strong six-digit PIN (at least).
Simply put, it is much easier for a border agent to wave your phone in front of your face, or force you to place your finger on it, than it is to extract a six-digit PIN from you. Furthermore, if your phone is taken away for a more technical and forensic inspection, a six-digit PIN requires expensive specialist equipment and lots of time to crack.
Also, in the case of US citizens, it can be argued that a PIN carries more protection under fifth amendment rights than your face or your fingerprint. The suggestion is that as a PIN is ‘something you know’, it is information that could incriminate you and is therefore within the scope of the amendment. Biometrics such as your fingerprints or your facial features are ‘things that you have’ and are therefore not within the scope of the amendment.
6. Use the most aggressive sleep settings on your devices.
If you do have your unlocked phone taken from you, if you have already set it to lock itself after a very brief period of time then it is going to be more difficult for the border agents to keep it unlocked and examine the contents.
This also means that if you forget to lock your laptop or phone and leave it unattended at any point (regardless of transiting borders), it will only be unprotected for the shortest possible time.
7. Carry your devices in your hand luggage.
Don’t be tempted to place them into any checked luggage which would provide border agents with an opportunity to tamper with or make forensic copies of your devices without your knowledge.
Furthermore, your devices are less likely to be lost or stolen this way.
8. Avoid free USB charging stations like the plague.
Many airports have these and you will no doubt have seen them. Free USB charging stations or kiosks can be used to infect the devices that are plugged into them in an attack known as ‘juice jacking’. While these stations are only meant to provide power to these devices, many of them also make data connections.
I encountered one of these at an airport in East Africa a few years back. I was explaining the perils of these stations to a colleague who, no doubt a little fatigued by my constant cyber-bleating throughout the trip, dared me to try it out.
I plugged a blank iPhone that I had with me into the station. “Do you want to trust this computer?” read the popup on the phone. Absolutely not.
9. Be wary of taking unusual precautions that cannot be innocently explained.
You might, for example, be tempted to place your phone in a faraday bag (a signal blocking bag that prevents a device from interacting with networks). While these can provide useful protection against technical attacks such as those that we mentioned in point four, they could also make you look like a spy.
Avoid taking precautions that may lead to more questioning and potentially even longer detention if stopped.
10. Be tactful, calm, courteous but steadfast if you are stopped and asked to hand over and unlock your devices.
For this final one, you really ought to check with your own organisation as to what their specific policies and standards are. You should be well versed in what their expectations are of you when it comes to handling these situations before travelling.
Experience has shown that getting through these situations successfully is often a case of coming across as having nothing of great interest, and by insinuating that providing access to your devices is hardly worth the effort and follow-on paperwork that the border agents are going to have to go through.
Avoid offering even a general description of the information you hold on your devices or what you believe to be protected. Doing so might suggest that you have something of interest. Do not inadvertently suggest or query what information may be of interest to them in an effort to understand their motivations or a line of questioning.
If interest is shown in your journalistic activities such as content, methods, sources, notes or unpublished material, explain that as a journalist, your news gathering information is legally protected.
If questioning continues, indicate that you cannot provide more information or access to your devices without first consulting your organisation’s legal team. Evidence has shown that this often causes border agencies to back down.
If all else fails and the prospect of long term detention, arrest or harm is presented, be prepared to surrender and unlock your devices.
Gareth Collins is a senior manager for digital risk at INSI member Dow Jones.
Image by AFP