
There's another case, though. Some people have no choice but to be "difficult". Consider, for example, a lawyer from an international firm travelling with company devices, which have on them privileged information that can under no circumstances be disclosed. These kinds of people have no choice but to be "difficult".


When I worked for a large company and had to cross an international border that was considered risky (e.g. China) we were issued a special phone and laptop just for that trip. They were wiped after each use. If one was especially paranoid it doesn't seem unreasonable to destroy the devices after use.

This way we could consent to search because the devices were blank. It's highly inconvenient and I hope the US doesn't turn into a high risk border.


> These kinds of people have no choice but to be "difficult"

Then they don't get in. Things like company secrets or client-lawyer confidentiality just don't apply here. You have a choice to give all that up and enter, or just return.

The solution as others pointed out is not to travel with the data, but that's just cumbersome. You can always just use whatever cloud service you want, and delete the local copies, downloading the encrypted info again when you have entered the country.


They may well ask for your passwords to the common cloud services; they already ask for your social media passwords.


Luckily most places have 2FA so giving them the password to Facebook or Gmail is "only" equivalent to logging in so they can look around then and there. They can't look around once you have passed the border, and they can't sabotage you by setting a new password unless they keep your device or actually change the 2FA settings. I think that's pretty rare.

I honestly don't think they need/use/keep passwords after I pass through. They may want to look in rare cases, but I actually think it's more of a "control question". If you don't have a normal set of social media accounts you are not normal or you are hiding something. If you aren't willing to show it, you are hiding something. What you are hiding doesn't matter. They use it as a "tell" to see if you need to be investigated further.

These questions have always existed. They ask you what your business is entering the country etc., but they are as interested in whether you are sweating as they are in what you respond. Same here. They don't need to see your family photos; they need to see you give up your privacy like a "normal person".


A process that I've heard some financial people developing (highly secret/proprietary/potentially valuable) software use when traveling is:

1. Store confidential data on company servers or a secure/trusted/audited cloud service.

2. Protect that data with two factor authentication, ideally with an ephemeral/rotating factor.

3. Incorporate a duress code into one of the auth factors (e.g. "add one to the google authenticator result when logging in or you get fake data/get permanently locked out until you human-authenticate to regain access"), ideally both.

This is far from perfect, but reasonably secure and not terribly inconvenient in practice. Additional layers of protection can be added to the duress process, like defaulting to under-duress behavior until a certain timeframe (i.e. you're being searched at the airport and not during your appointment time slot), or when from an unrecognized network location. Like all duress-code-based responses, it is vulnerable to humanity (e.g. torture/intimidation).
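The duress-code check described in the comment above, sketched as an added example (not code from any poster or product): a server-side TOTP verifier that recognises the "add one" variant and treats a valid code outside the approved time slot as duress. The names `verify`, `duress_variant` and the `window` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # code length used by common authenticator apps


def totp(secret: bytes, now: int, offset: int = 0) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP + offset), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def duress_variant(code: str) -> str:
    """The 'add one' rule from the comment, wrapping 999999 -> 000000."""
    return str((int(code) + 1) % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, now: int, window: tuple, skew: int = 1) -> str:
    """Return 'ok', 'duress' or 'reject'.

    window is the (start, end) Unix-time range of the approved access slot
    (hypothetical policy input). On 'duress' the caller should answer the
    client exactly as it would on success while serving decoy data or locking
    the account, so an observer cannot tell the two outcomes apart.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return "reject"
    offsets = [o for o in range(-skew, skew + 1) if now // STEP + o >= 0]
    valid = [totp(secret, now, o) for o in offsets]
    # Evaluate both sets in full with constant-time comparisons.
    is_valid = any([hmac.compare_digest(submitted, c) for c in valid])
    is_duress = any([hmac.compare_digest(submitted, duress_variant(c)) for c in valid])
    if is_duress:
        # A code that matches both sets (rare, only with skew > 0) fails safe.
        return "duress"
    if is_valid:
        # Outside the approved slot even the real code gets duress handling.
        return "ok" if window[0] <= now <= window[1] else "duress"
    return "reject"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    code = totp(secret, 59)
    print(verify(secret, code, 59, (0, 3600), skew=0))
    print(verify(secret, duress_variant(code), 59, (0, 3600), skew=0))
```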


I'm not trying to be facetious but what if they do ask and you say "sorry I don't have any cloud services" or more realistic "what are cloud services?"

I'm no digital security expert and I haven't ever, and don't ever want to, travel to the US but if I was to travel there any devices I took would be blank. All data I needed would be in the cloud. How are they going to know?


Those people don't carry that data with them, if they're competent or have competent IT staff. They have already configured VPNs with 2FA, burner laptops and mobile devices, or simply mail the devices via registered post to the hotel and have them picked up there. Devices moving through the mail system don't get seen by the border grunts.


> Those people don't carry that data with them

You've made a great point here.

What criminal is also going to carry their incriminating data with them? This isn't an effective policy. What problem does it actually solve?


Most people, I think, don’t follow strict digital security/hygiene policies, nor understand them. That includes me, even though I try to be good. (I will not give specific details because two of my three memorable errors are currently covered by NDAs, and the third is personal).


Right, but they don't need to investigate most people. They need to investigate people who are motivated enough to... well, I'm not sure what. Cross borders while possessing illegal data? But anyway, the people who are motivated enough to do it can easily circumvent it. The only people harmed are innocents.


“Need” for what end? If there is political will to be “tough on crime”, or to reduce immigration and get away with it by saying you’re really only being tough on crime, you can probably find something on anyone simply because laws are too broad. Likewise if you care about performing economic espionage, you don’t need to worry that you’re mostly getting low-hanging fruit.

These are checks you can perform on everyone, after all.


Many effective police strategies are based on criminals doing stupid things. If criminals were smart most of them would just make an honest living.



