by David Kim

Travelers entering the United States are facing intensifying scrutiny—not just of their luggage but of their smartphones, laptops, and other digital devices—as border agents increasingly conduct warrantless searches, sometimes copying personal data for further analysis. Civil liberties groups and legal experts argue these practices erode constitutional privacy protections, yet courts have largely upheld the government’s expansive authority at borders.

The issue has drawn fresh scrutiny amid a spike in reported searches. According to U.S. Customs and Border Protection (“CBP”), agents inspected devices belonging to more than 47,000 travelers in 2024—out of 420 million border crossers—a 60% jump from the prior year. Officials defend the searches as vital to national security, but critics call them arbitrary, invasive, and insufficiently regulated.

Who Is Targeted—and Why?

CBP describes its searches as “risk-based,” targeting travelers suspected of ties to terrorism, espionage, or other crimes. But internal documents reveal agents wield wide discretion: they may inspect devices if a traveler seems “nervous,” has visited certain countries, or fits vague “intelligence indicators.”

Journalists, activists, and travelers of Muslim or Middle Eastern descent report disproportionate scrutiny. “It’s digital profiling,” said Hina Shamsi, director of the American Civil Liberties Union National Security Project. “Unchecked authority paired with biased enforcement breeds systemic discrimination.”

Notably, U.S. citizens must be admitted into the country. However, some jurisdictions permit the CBP to cooperate with the FBI or local police in connection with domestic investigations, meaning your devices could still face searches unrelated to border security.

Protecting Your Digital Privacy
at the U.S. Border

In an era when smartphones and laptops chronicle our lives with intimate detail, crossing the U.S. border poses a unique challenge to personal privacy. Government agents can inspect smartphones, laptops, and tablets with minimal oversight—but robust encryption and careful data management can shield sensitive information from unwarranted scrutiny.

Encryption: First Line of Defense

Encryption scrambles data so that only someone with the correct password can decipher it. At the border, where warrantless searches are permitted, encryption is the most effective way to protect personal and professional information. Without encryption, a device’s contents lie vulnerable to anyone with the right tools—no password required. Remember to fully power off devices before reaching the border. Sleep or hibernate modes leave encryption keys in volatile memory, making them vulnerable to cold-boot attacks.

Screen Locks vs. Full-Disk Encryption

Screen locks (PINs, patterns, biometrics) prevent casual access but do not encrypt data. Forensic tools can bypass them. Many assume a screen-lock password secures their device. It doesn’t. While a lock offers a basic barrier—far better than nothing—without encryption, experts can easily bypass it. To maximize protection, set your device to lock automatically after inactivity, require a password at startup, and disable biometric unlocks like fingerprints, which lack the legal and technical robustness of a memorized passphrase. On devices without encryption support, a screen lock is at least some defense, but it’s no match for sophisticated forensic tools.

The most reliable safeguard is full-disk encryption, which scrambles an entire device’s contents. Unlike encrypting individual files, this method leaves no gaps. Many modern devices enable it by default, though strengthening your password enhances its efficacy. As of now, built-in options include:

Android: Available on some devices since Android 4.4 (2013), mandatory with Google apps since Android 6.0 (2015).

iOS: Standard on iPhones since the 3GS, all iPads, and iPod Touches from the third generation.

Windows: BitLocker exists in select editions since Vista (2007), with broader device encryption since Windows 8.1 (2013). Users can opt out of Microsoft storing decryption keys—a step worth taking—or use third-party tools like VeraCrypt if BitLocker isn’t available.

macOS: FileVault 2 has secured Macs since OS X Lion (2011).

Linux: Most distributions have offered dm-crypt since the mid-2000s.

Activating encryption can take hours as data rewrites itself in encrypted form. Plan ahead, perhaps overnight with the device plugged in. Your encryption password may differ from your login code and is often required only at power-on—a detail varying by system. On iOS, the two are one and the same.

Choosing a Strong Password

A strong password is essential in order for encryption to be effective. Weak ones—dictionary words, predictable patterns or substitutions (e.g., P@ssw0rd), or anything with fewer than12 characters—crumble under brute-force attacks, i.e., where computers churn through trillions of guesses. Use the Diceware technique (i.e., dice and list of randomly selected words) or some other method of generating a random multi-word passphrase (e.g., crystal-marble-bicycle-trust). Avoid published phrases—song lyrics or book quotes—which are easily guessed by algorithms. Forgetting an encryption password means permanent data loss. Back up critical files and consider storing passwords securely—but never carry them while traveling.

The Myth of Deletion

Deleting a file doesn’t erase it. It merely marks the space as reusable, leaving data recoverable until overwritten—sometimes years later. Border agents, using forensic tools, can recover emails, texts, uninstalled app trace, and phone and laptop log usage—GPS histories, Wi-Fi connections that are often invisible to users but extractable by experts.

Secure deletion overwrites data to make recovery impossible. Most devices lack built-in options, but tools exist, though their use may flag suspicion at the border—especially for noncitizens carrying blank devices. Wiping is irreversible, so back up essentials first.

Factory Resets: On encrypted smartphones, a reset often purges data effectively, though some models leave traces unless overwritten. Check with manufacturers. Removable SD cards need separate wiping.

Hard Drives: Laptops can overwrite their drives or USB media via low-level formatting—not the quick kind. You must reinstall the operating system.

Individual Files: Tools like BleachBit target specific files, but fragments may linger. Wiping free space—via Windows’ Cipher or BleachBit—obscures past deletions, though references might persist.

Flash media (e.g., SSDs, USBs, SD cards) complicates matters. Overwriting multiple times or expert advice may help, but encryption remains the surer bet—rendering data gibberish without the key.

Note that forensic examiners can detect wiping attempts. You must weigh the risks of data exposure versus suspicion.

Cloud Storage: A Double-Edged Sword

Cloud storage flips the privacy equation at the border. While U.S. laws provide weaker protections for online data, it’s safer there than on a physical device in your possession at the border—agents can’t seize what isn’t present. There are several options: Microsoft OneDrive, Apple iCloud, Google Drive, or third-party services like SpiderOak, which encrypts data client-side before upload, ensuring “zero knowledge” for providers.

Pre-travel cloud strategy is as follows: (1) sync devices to the cloud, (2) perform a factory reset before reaching the border, and (3) restore afterwards.

Cloud backups prevent data loss if a device is confiscated. Moving sensitive files online before travel keeps them off your hardware. However, deleting local copies doesn’t guarantee erasure—forensic tools might still find traces.

Governments can subpoena cloud data, and hackers can breach it. Most services decrypt data on their servers, but client-side encryption counters this. For ultimate control, host your own cloud with tools like OwnCloud on a home server—use HTTPS to secure transfers, though it lacks the robust defenses of commercial providers.

Border agents wield broad powers, but technology can help level the playing field: (1) encrypt everything, (2) minimize carried data (cloud storage, wiping), (3) power off devices before reaching border.

The Constitutional Gray Zone at America’s Borders

Government agents at U.S. borders wield expansive authority, surpassing that of police officers within the nation’s interior. This authority is typically exercised over travelers entering the country, but they can also apply to those departing. Nevertheless, the border is not a legal vacuum. The First, Fourth, Fifth, and Fourteenth Amendments safeguards against governmental overreach, particularly regarding digital privacy.

The Fourth Amendment: Balancing Digital Privacy and Border Authority

The Fourth Amendment protects Americans from “unreasonable searches and seizures,” generally requiring that law enforcement secure a warrant supported by probable cause. At the border, however, the Supreme Court has recognized an exception that permits warrantless searches to enforce immigration and customs laws.

Routine inspections—like those of luggage—may be performed without any suspicion of criminal conduct, while nonroutine searches, such as strip searches or forensic examinations of devices, require “reasonable suspicion,” i.e., specific, articulable facts indicating criminal activity.

Smartphones and laptops complicate this framework. The governing law is in flux and is still developing. In United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013), the U.S. Court of Appeals for the Ninth Circuit ruled that forensic searches of digital devices require reasonable suspicion but that manual reviews do not. In Riley v. California, 573 U.S. 373 (2014), the Supreme Court rejected warrantless cellphone searches incident to arrest. While no appellate court has definitively extended Riley’s reasoning to border searches as of March 2025, legal experts increasingly contend its logic should govern this context.

In Alasaad v. Mayorkas, 988 F.3d 8 (1st Cir. 2021), the U.S. Court of Appeals for the First Circuit stated:

We join the Eleventh Circuit in holding that advanced searches of electronic devices at the border do not require a warrant or probable cause. United States v. Vergara, 884 F.3d 1309, 1311-12 (11th Cir. 2018). We also join the Ninth and Eleventh Circuits in holding that basic border searches of electronic devices are routine searches that may be performed without reasonable suspicion. United States v. Cano, 934 F.3d 1002, 1016 (9th Cir. 2019), petition for cert. filed (Jan. 29, 2021) (No. 20-1043); United States v. Touset, 890 F.3d 1227, 1233 (11th Cir. 2018).

    The CBP’s current policy (Directive No. 3340-049A, updated in 2018) permits “basic” manual searches without any suspicion while requiring reasonable suspicion only for “advanced” forensic searches. Reports from travelers and advocacy groups indicate inconsistent enforcement of CBP’s 2017 “no-cloud” policy instructing agents to disable internet connectivity during searches to avoid accessing remote data.

The First Amendment: Safeguarding Speech and Press Freedoms

Border searches of digital devices jeopardize First Amendment rights in four distinct ways. First, they threaten anonymous speech by linking travelers’ verified identities to pseudonymous online personas. Second, they expose private affiliations, revealing membership in political or advocacy groups. Third, they infringe on the freedom to acquire information, unveiling reading habits and media preferences. Fourth, they endanger press freedom, potentially compromising journalists’ confidential sources and unpublished work.

Courts have historically demanded rigorous scrutiny when law enforcement targets expressive materials, such as bookstore records or journalistic notes. Critics anticipate that escalating digital intrusions may prompt future courts to increase these protections, especially as the volume and sensitivity of digital data continues to grow.

The Fifth Amendment: Resisting Compelled Decryption

The Fifth Amendment protects against compelled self-incrimination, but its application to electronic device access is unsettled. Some courts view compelled password disclosure as testimonial, exposing “the contents of the mind,” and thus protected. For instance, in In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012), the U.S. Court of Appeals for the Eleventh Circuit had this to say on the issue:

In short, we conclude that Doe would certainly use the contents of his mind to incriminate himself or lead the Government to evidence that would incriminate him if he complied with the district court’s order [to decrypt hard drives]. Moreover, the Government has failed to show any basis, let alone shown a basis with reasonable particularity, for its belief that encrypted files exist on the drives, that Doe has access to those files, or that he is capable of decrypting the files. The ‘foregone conclusion’ doctrine does not apply under these facts.

The Fifth Amendment protects Doe’s refusal to decrypt and produce the contents of the media devices because the act of decryption and production would be testimonial, and because the Government cannot show that the ‘foregone conclusion’ doctrine applies.

In contrast, biometric unlocks, like fingerprints, often receive less protection because they are deemed non-testimonial by some courts. However, this distinction has faced increasing judicial skepticism in recent years, with some courts beginning to question whether biometric unlocks should receive stronger protections given their functional equivalence to passwords in securing devices.

Travelers refusing to unlock devices face risks. U.S. citizens cannot be denied entry but may be subject to detention or device seizure. Lawful permanent residents face complex residency questions. Foreign visitors may be barred outright.

Federal Policies: Adapting to Digital Realities

CBP and U.S. Immigration and Customs Enforcement operate under controversial policies. CBP’s 2009 directive permitted suspicionless device searches, offering few safeguards for privileged materials like attorney-client communications or journalistic work. By 2018, CBP refined its stance, requiring reasonable suspicion for advanced searches while maintaining suspicionless basic searches.

Social media scrutiny intensified in 2016, when CBP began asking foreign Visa Waiver Program travelers to voluntarily disclose social media identifiers. Proposals for mandatory password disclosure have surfaced, amplifying privacy concerns. These developments occur against the backdrop of stalled congressional efforts like the Protecting Data at the Border Act (introduced 2021), which sought to require warrants for electronic device searches but failed to advance.

Conclusion

Legal scholars highlight the clash between sovereignty and civil liberties at the U.S. border. “The border isn’t an exception to the Constitution—it’s where safeguards matter most, given the lack of oversight,” said Stephen Vladeck, a constitutional law professor at the University of Texas at Austin School of Law

As travel rebounds post-pandemic and electronic device searches climb, advocates warn of an escalating crisis. “Absent judicial or congressional action,” Vladeck said, “we’re entrenching a dangerous precedent: that privacy ends at the border.” The ongoing tension between security imperatives and digital privacy rights shows no signs of abating, with courts, policymakers, and travelers all grappling with how to apply centuries-old constitutional principles to modern technological realities.  

Sources: eff.org, cited cases

Subscribe today

Already a subscriber? Login