Safe travels: 7 best practices for protecting data at border crossings

Border forces across the world are increasing the number of devices that they inspect and copy the content from. That can present huge problems if the device is corporate provisioned or a personal device containing company information.

While westerners might assume this is an issue only in authoritarian countries, border officials in many democratic counties can legally seize mobile devices without warrants. The U.S., UK and New Zealand all can and do demand devices from people entering the country and can ask users to unlock their phones (and in some cases passwords to certain accounts) under threat of fines, refusal of entry to the country, or detainment. Not only does that create problems for the people at the border – especially if they refuse – but also for organizations if those devices are linked to corporate networks or data.

“The matter is you’re carrying around your corporate assets with you,” says Rob Smith, research director within Gartner’s Mobile and Client Computing group. “You’re going to give a foreign power, or even the domestic power for that matter, full rights to view it.”

Device seizures put data and networks at risk

Device inspection or seizure isn’t new, but recent years have seen their number increase. In the U.S. the number of devices searched at the border rose by over a third between 2016 and 2017 (the most recent year for which the U.S. Customs and Border Protection [CBP] has posted data). This can create risks for enterprises.

“You never know what you’re going to get no matter what border you go to these days,” says Smith. “Be it the UK, be it the U.S., be it China, someone, sometime is going to ask you to surrender your device. And you’re not going to have a choice. As Europeans, we have a much stronger view about privacy and a much better expectation of what should be. But then when you go to places like China or the U.S., it’s completely thrown out the window, because there are laws today really designed for luggage.”

In 2018, Australian Border Force (ABF) agents in Sydney, Australia seized a software developer’s devices. They reportedly refused to tell him what whether his digital data was being copied and stored or explain the ABF’s data retention policy. In 2017, a NASA engineer was forced to hand over the company-provisioned phone (and its passcode) that contained sensitive information from the agency’s Jet Propulsion Lab. This happened at the Houston airport in the U.S.

At the very minimum, a third party is potentially making a copy of any corporate data on the device without applying the same access controls your company would and giving you no visibility into how and where that information is stored or when it might be deleted. Any regulated data copied could also create possible compliance issues. Commercially sensitive information or intellectual property stored locally on devices could, depending on the country in question, potentially make its way to a domestic rival. If an employee is detained, the chances of having the device returned decrease, potentially meaning two copies of corporate data have been lost.

Having a device with cached passwords, VPNs into your network, or easy to access password managers might make your employees more productive, but it also potentially givers border forces easier access to whatever takes their interest. “If you have a VPN connection back to your network, I would bet you 20 quid in a heartbeat they’re connecting back to your networks to see what access they have. It’s not just about the data on the device; if they have access to your device, they have access to everything that device has access to.”

New border threat: State-sponsored malware

There is also the potential for devices to be compromised. Border control agents in China were recently found to be installing malware on the phones of visitors to the Xinjiang that would harvest calendar entries, phone contacts, call logs, and text messages. It would also scan installed apps and extract usernames for those apps where possible.

While U.S. customs officials have acknowledged searches conducted by CBP do not extend to information that is located ‘solely on remote servers’ – i.e., the cloud – this is unlikely to be much reassurance for many. And just because a border force isn’t actively passing on data to domestic rivals or other government agencies, it doesn’t mean your information is in safe hands.

A 2018 review of CBP processes by the Department of Homeland Security (DHS) found that proper process — including disconnecting devices from networks – was not being followed, while data copied from mobile devices at the border was being insecurely stored on USB drives and was not being deleted. In May 2019, license plate images and traveler images “of less than 100,000 people” collected by the CBP were lost after a subcontractor transferred the images back to its own network, which was then compromised.

“They’re civil servants; they’re not security professionals,” says Smith. “And they’re certainly not thinking about data protection. Data protection and data storage is irrelevant to these organizations because it’s not their assets.”

Best practices for protecting data at borders

Cooperate with authorities

The wellbeing of your employees should be your number one concern. Do not encourage them to resist requests to hand over devices or information. Doing so could result in them being detained. Likewise, they shouldn’t be punished by a company for handing over devices or passwords in the face of possible detainment.

“If you’re ever in a border control situation, surrender all assets, no question asked,” says Smith. “You will not fight them. You do not argue with them. ‘Yes, ma’am. Yes, sir. No, sir’. Always. Politeness and willingness to help go a long way to keep you out of jail.”

Likewise, attempting to trick border guards with secret partitions, vaults or panic modes on phones will likely only invite further investigation. Guards may be trained to recognize particular apps or signs that such things are present on a device and elevate a cursory search into full-blown seizure and detainment.

Use Chromebooks as laptops

When it comes to laptop-like devices, Smith recommends Chromebooks as one of the safest options. Although Google has struggled to be seen as a company that understands the needs of large enterprises, he says there is simply no better alternative for traveling safely. “Chromebooks can be staged in about five minutes. You log out and the Chromebook completely erases itself and resets itself back to factory. When you show up at border control, they have full access to the Chromebook; they have no data, no access to anything. It’s just a brand-new device.”

Provision devices for travel

However, with smartphones, there is no such quick and easy fix. “You have the personal data, you have corporate data, and you have border agents installing malware. All of this is a recipe for disaster. So, no, there is absolutely no silver bullet to stop this at all,” says Smith.

Temporary IT-provisioned devices are common as a replacement for personal devices when travelling abroad. Smith says he has seen clients that have a pool of air-gapped burner phones running only the most necessary apps for use in high-risk countries.

However, neither of these are perfect systems. Unless they are plugged into the company’s travel system, IT will often not have enough notice to supply users with devices. Productivity will also suffer as regular workflows and processes will likely be disrupted due to restricted access. Employees used to mixing personal and corporate on one device will likely find such programs inconvenient or frustrating. Likewise, temporary or separate email accounts for traveling will likely lead to frustration and disruption.

Educate users to cross-border risks

Educating users to the potential data risks that come with traveling can be even more difficult than the usual challenges of security education. Smith recommends having users sign waivers that in very plain language let them know that any personal data they put on devices can and likely will be wiped without notice. Specialized training sessions for regular travelers on potential risks and what to expect at borders – as well as reinforcing the need to inform IT of any device searches and/seizers – may also be valuable.

Deploy technical controls where appropriate

On the technical control side, virtualization, keeping as little information and access on the phone as possible, keeping everything cloud-based, and using unified endpoint management solutions (UEM) is Smith’s best advice for companies with frequent high-risk travelers. Whatever systems and policies a company decides upon, the basics are largely the same: back everything up, remove non-essential accounts and applications, and disable anything that’s cached.

“Lots of UEM tools allow you to do geolocation-based policies so that if you’re leaving your home country, the UEM will automatically remove assets and content that should not be seen outside the country. That’s something that’s an automated control that you could implement as IT and would never even involve the end user.”

Getting buy-in from the CIO or the board should be a relatively easy sell, as you can perform a simple risk analysis. Determine the potential damage of regulated information being compromised or sensitive information being leaked out to a competitor and explain that risk and the value of mitigation through your preferred method.

Take a risk-based approach to device management

Smith also advises taking a risk-based approach and develop policies based on:

• Who is the user and what are their goals?
• What is the device and who owns it?
• What kind of apps, data, content do they need access to, and does any of it fall under compliance laws like GDPR?
• Where in the world are they located and where are they going to?

“These four variables will help you build a correct mobile strategy or policy to be able to say, ‘Okay, this user is going with a corporate iPhone to China. They can do this, but this other user is going with a BYOD Android to China. They can only do this much’,” says Smith. “If you’re just traveling once a year, and you’re going the States on business, the odds of you being picked out by TSA are very small unless you’re a high-profile person with high-profile data. Then the maths don’t play in your favor.”

Assess which data is important

Smith also advises companies to be realistic and assess what data actually matters to them and what is truly sensitive. “Any data that you put on a device that goes through a border or goes overseas could easily be taken away from you. As long as you realize this fact and can accept that no amount of device controls is going to stop a border agent, it allows you to ask yourself about your data: Is this data going to impact your business if it gets out? Yes or no?”