Nuala O’Connor, Center for Democracy & Technology:
Not only is the Secretary’s suggested plan an egregious affront to the dignity of our visitors, it would also be a major erosion of privacy rights that puts significant amounts of personal information at risk. It would discourage the use of communications devices and social media accounts when traveling, and, in fact, would likely discourage people from visiting the United States all together. And every American who travels should expect other countries to apply a similar policy to them.
Unlike publicly available social media identifiers, passwords unlock a much deeper world of information, such as chats conducted within social media apps, detailed contact information for people in your network, or financial information. The government should have cause to access this information and should only be able to do so after following legal due process. Also, despite the advice of most cybersecurity experts, many people use the same password across sites and platforms. It’s not hard to envision a social media password being the same one someone uses for their email account, online banking, or healthcare portal.
If passwords are collected at the border, you can only imagine how valuable they would be to a malicious actor. Access to any of the information I mentioned above could lead to financial fraud, blackmail, or exploitation. Even if someone were to change their password after clearing customs, would they remember to do so for all accounts with that password? Would people eventually get complacent and forget to do this? It seems likely that the answer is yes, and when coupled with the U.S. government’s less than stellar track record of securing its data, the threat is greatly magnified.
While the Department of Homeland Security may have a defined use for the information it collects at the border, should the NSA and the FBI also have this information? The reality is that if one agency has your data, every agency has your data. This creates new opportunities for misuse, the messy mixing of data sets, and even more potential for breach.
Ms. O’Connor is correct in outlining the dangers of implementing this policy, but she does not mention that American citizens’ rights are downgraded at the border, as well.
In regard to yielding device passcodes, the American Civil Liberties Union states:
U.S. citizens cannot be denied entry to the United States for refusing to provide passwords or unlock devices, but refusal to do so might lead to delay, lengthy questioning, and/or officers seizing your device for further inspection.
Does Customs and Border Protection go after American citizens for their device passcodes? Yes, they do.