Safe travels: 7 best practices for protecting data at border crossings

Border agents are requesting access to devices and the data on them with no regard to your organization's security policies. Here's how to protect that data and your employees.

Border forces across the world are increasing the number of devices that they inspect and copy the content from. That can present huge problems if the device is corporate provisioned or a personal device containing company information.

While westerners might assume this is an issue only in authoritarian countries, border officials in many democratic counties can legally seize mobile devices without warrants. The U.S., UK and New Zealand all can and do demand devices from people entering the country and can ask users to unlock their phones (and in some cases passwords to certain accounts) under threat of fines, refusal of entry to the country, or detainment. Not only does that create problems for the people at the border – especially if they refuse – but also for organizations if those devices are linked to corporate networks or data.

“The matter is you're carrying around your corporate assets with you,” says Rob Smith, research director within Gartner's Mobile and Client Computing group. “You're going to give a foreign power, or even the domestic power for that matter, full rights to view it.”

Device seizures put data and networks at risk

Device inspection or seizure isn’t new, but recent years have seen their number increase. In the U.S. the number of devices searched at the border rose by over a third between 2016 and 2017 (the most recent year for which the U.S. Customs and Border Protection [CBP] has posted data). This can create risks for enterprises.

“You never know what you're going to get no matter what border you go to these days,” says Smith. “Be it the UK, be it the U.S., be it China, someone, sometime is going to ask you to surrender your device. And you're not going to have a choice. As Europeans, we have a much stronger view about privacy and a much better expectation of what should be. But then when you go to places like China or the U.S., it's completely thrown out the window, because there are laws today really designed for luggage.”

In 2018, Australian Border Force (ABF) agents in Sydney, Australia seized a software developer’s devices. They reportedly refused to tell him what whether his digital data was being copied and stored or explain the ABF’s data retention policy. In 2017, a NASA engineer was forced to hand over the company-provisioned phone (and its passcode) that contained sensitive information from the agency’s Jet Propulsion Lab. This happened at the Houston airport in the U.S.

At the very minimum, a third party is potentially making a copy of any corporate data on the device without applying the same access controls your company would and giving you no visibility into how and where that information is stored or when it might be deleted. Any regulated data copied could also create possible compliance issues. Commercially sensitive information or intellectual property stored locally on devices could, depending on the country in question, potentially make its way to a domestic rival. If an employee is detained, the chances of having the device returned decrease, potentially meaning two copies of corporate data have been lost.

To continue reading this article register now

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!