Site icon Sophos News

Border guards force US citizen to unlock his NASA-owned work phone

Sidd Bikkannavar, an engineer with NASA, flew out of the US on January 15, when Barack Obama was still the president.

He flew back on January 30, a week into the administration of  Donald Trump and four days after the issuance of an executive order restricting travel from seven predominantly Muslim countries.

Judging by what Bikkannavar told The Verge, he also flew back into a whole new experience at the airport, where he claims to have been detained by US Customs and Border Patrol (CBP) and pressured to hand over his NASA-issued phone and the PIN to get into it – even though it could have contained sensitive information relating to his employment at the space agency.

Should this have happened? Bikkannavar is, after all, a natural-born US citizen. He’s also enrolled in the CBP’s Global Entry program, which allows expedited clearance for pre-approved, low-risk travelers upon arrival in the US.

Perhaps the timing of his detention had nothing to do with who was sitting in the Oval Office or the “extreme vetting” of foreigners that Trump has vowed. We only know his side of the story, since the CBP isn’t in the habit of putting out press releases about whatever possibly reasonable suspicions they might have about a traveler that would lead agents to detain that traveler.

In other words, this might not have been news at all a month ago. It could have been some random CBP detention and search of a phone. But in the current political climate the story feels much more weighty.

His Facebook update about the incident had been shared more than 2,000 times as of the Verge’s writeup. A tweet from a friend who shared Bikkannavar’s experience was also shared more than 9,000 times as of Monday evening.

At any rate, according to Bikkannavar’s account, this is what happened.

He arrived in Houston early Tuesday morning on January 31. After his passport was scanned, he was detained by CBP, who escorted him to a back room and told him to wait. A handful of other people were in the room.

After 40 minutes, an officer called his name, then led Bikkannavar into an interview room, where he explained that the CBP needed to search his possessions to ensure he wasn’t bringing anything dangerous into the country.

The officer presented Bikkannavar with a document titled “Inspection of Electronic Devices” and explained that CBP had authority to search his phone.

Bikkannavar didn’t want to hand over the phone. It is, technically, the property of NASA. He even showed the officer the JPL barcode on the back of phone.

I was cautiously telling him I wasn’t allowed to give it out, because I didn’t want to seem like I was not cooperating. I told him I’m not really allowed to give the passcode; I have to protect access.

The CBP wasn’t dissuaded. The officer insisted the CBP had the authority to search the device.

Bikkannavar wasn’t allowed to leave until he gave CBP his passcode. The document the officer gave to Bikkannavar had listed a series of consequences for failure to offer information that would allow CBP to copy the contents of the device, and Bikkannavar had no interest in exploring those consequences, he said.

It mentioned detention and seizure.

Ultimately, he handed over the phone and passcode. The officer left with the device and returned after 30 minutes.

Eventually, Bikkannavar was given back his phone. He immediately turned it off, since he knew he’d have to hand it over to the Jet Propulsion Lab (JPL) IT department, which would check what data had been copied and whatever might have been installed on the phone.

The JPL was none too happy about the incident. As it is, NASA employees are obligated to protect all work-related information.

Did the US government have the authority to search his phone?

There’s no clear answer, according to Orin S Kerr, a research professor of law at George Washington University. Writing in the Washington Post, Kerr said that courts have disagreed on what the standard is for computer searches at the border. In some, but not all, cases, the courts have decided that CBP requires reasonable suspicion to use a Cellebrite Physical Analyzer to search a phone’s contents.

What’s also unclear is whether the CBP had the authority to compel Bikkannavar to give up his passcode… or whether he could be detained until he did. From Kerr’s article:

Imagine the agents said, “If you want to go home today, tell us your passcode and we’ll release you right away. Otherwise, you’re going to be here a while.”

Does that put so much pressure on a person that it coerces him or her to disclose the passcode? I’m skeptical of that, given the pretty high bar of the voluntariness cases. But it’s an argument.

What would/should YOU do?

Besides slicing and dicing the legal nuances of the case, there’s the question of how to protect yourself from being forced to divulge your most personal details – or even the work-related information on your phone that you’re obligated to protect – in such a situation.

Wired recently published a guide to getting past customs with your digital privacy intact, and it’s well worth a read.

One thing to note is there’s no silver bullet. For example, if you set up two-factor authentication on your phone so that your online accounts require a temporary passcode that’s texted to you, then remove your Sim card (perhaps mailing it to your destination) so that you can’t get at the SMS messages, you might plead inability to unlock with the CBP.

But just how well will that go over with the agents? As Wired notes, it could easily spike their suspicions and lead to lengthy detention and intense grilling.

If you have suggestions on how to avoid having your privacy invaded at the border, and how to do it without unintentionally baiting the border guards, please do share in the comments section below.


Exit mobile version