from Hacker News

How to lock down your phone if you're traveling to the U.S.

by sipofwater on 4/9/25, 10:27 AM with 339 comments

  • by sipofwater on 4/9/25, 10:28 AM

  • by kleiba on 4/9/25, 4:59 PM

    > Before traveling, back up your devices so you don’t lose anything permanently. Then delete anything you’re worried about being misinterpreted or saved by the government. That can include conversations that compromise the privacy of the people on the other end. You might delete messages about politics, contact information for political dissidents, apps that save offline copies of sensitive documents like Google Docs, even your phone’s built-in Notes app.

    Mind you, this is for entering the country that considers itself the freest in the world...

  • by gruez on 4/9/25, 11:26 AM

    "Locking down" is almost always a bad approach when it comes to border crossings. You have very little rights at the border, so keeping your phone locked and refusing to divulge the 20 characters password isn't really an option. Even without the threat of detaining you, they can refuse entry (if you're not a citizen/permanent resident), or seize your $1000 phone/laptop. Far better to wipe your phone and restore from backup after you've crossed the border. The article does make a good point that you should seed your wiped phone with signs of activity so it doesn't look freshly wiped.
  • by jFriedensreich on 4/9/25, 4:57 PM

    Ignoring the US political situation for a moment, I want to point out how ridiculous the storage access modern phones and apps give to their users is. You used to be able to mount a phone as a full hard drive and have access to all your files, do a real full backup without some encrypted databases that only Facebook, Google or Apple hold the key for. The first tragedy is that we accepted that the US gives no rights to non-citizens; the second tragedy, that no one talks about, is that we accepted giving away our own data sovereignty and using devices that make us more vulnerable and effectively digital slaves.
  • by miros_love on 4/9/25, 4:47 PM

    Not sure about CBP specifically, but many countries already use specialized tools to break into phones and silently install backdoors — Cellebrite comes to mind.

    As my favorite blogger puts it: "If the data is important, it's not stored in only one place. If there's no backup, it wasn't important." With that in mind, wiping the device and filling the gallery with high-resolution images of genitals covered in excrement remains one of the more effective passive defense strategies.

    Jokes aside, it's depressing that crossing borders often means giving up fundamental digital privacy — and that we've largely normalized this. The idea that any government agent can dig through your phone without a warrant just because you're crossing a line on a map is dystopian at best.

  • by beloch on 4/9/25, 6:36 PM

    >Don’t just take a wiped phone: If you are especially worried about your data, you may think about wiping your phone or computer entirely before a trip and restoring from a backup later. However, a nearly blank device can create its own problems.

    Wipe your phone. If more people do this before travelling to the U.S. it'll quickly become less "suspicious". This is a privacy issue. I don't have anything to hide, but I also don't like the idea of having the contents of my phone backed up and saved for 15 years. It's just like how there's nothing under my pants that is of interest to the authorities. I just prefer wearing pants.

    Another good tip for travelling to the U.S. is to fly, rather than drive, and to do a TSA pre-check at your point of departure. That way, if the Americans get too paranoid, you're not trapped on foreign soil and subject to their whims. You can just cancel your flight and go home.

    Better yet, don't travel to the U.S. right now unless you absolutely have to. It's not a good time to vacation there. Your country may have travel advisories in effect for the U.S. (mine does). Listen to them.

  • by pretzellogician on 4/9/25, 2:44 PM

    I've often wondered if there's a supported way to have a honeypot passcode, i.e., a secondary passcode that leads to a relatively empty account.

    (Although as per the article, a fully wiped account looks suspicious -- it would need some innocuous apps or apps with no login info, etc.)

  • by incanus77 on 4/9/25, 5:10 PM

    One lesser-known tip for iPhones with FaceID or TouchID: press and hold the lock button and one of the volume buttons until prompted for power options/medical ID/emergency call. You'll then have to enter a passcode in order to use those auth methods again. Having to reveal a passcode can sometimes be considered a higher bar than biometric auth. You can do this even when it's in your pocket without looking, quite quickly, and there is haptic feedback.
  • by BrandoElFollito on 4/9/25, 3:55 PM

    Also known as "how to visit detention centers".

    The amount of bad advice here is staggering. You are not James Bond or some kind of ninja Seals secret agent.

    You are a nobody attempting to enter a country, and you will be pissing off the border police.

    Have some common sense.

  • by netsharc on 4/9/25, 1:50 PM

    I remember looking at a friend's bookshelves and noticing a travel guide to the Soviet Union. It had a short chapter on what to expect when crossing the border and the fact you might be followed by the security services.

    And what do we have in 2025?

    I don't think it was a Lonely Planet https://www.bbc.com/ahistoryoftheworld/objects/AP5ln7N8TRGkf...

  • by NoTeslaThrow on 4/9/25, 3:43 PM

    FWIW I wiped my phone entering the country and they ushered me right through anyway. Still, I was very concerned about finding texts from other people and getting them in trouble. I think the fear is the point more than the practicality as it stands.
  • by BriggyDwiggs42 on 4/9/25, 4:09 PM

    Wouldn’t the best method just be to buy a second phone prior to your crossing, use it for innocuous things, and leave your real one at home?
  • by cs702 on 4/9/25, 4:59 PM

    It's surreal for me to see such a headline and article on a major US newspaper.
  • by iteratethis on 4/9/25, 8:05 PM

    How about a strategy of malicious compliance?

    Wallpaper is a US flag. Home screen shows Truth Social, X and 4-chan. Smartphone cover displays a roaring eagle.

  • by anotherevan on 4/9/25, 11:41 PM

    > Before travelling, back up your devices so you don’t lose anything permanently.

    Hah! Phones are a PITA to reliably back up and restore. I outlined the pain I had with it in this recentish comment: https://news.ycombinator.com/item?id=42652663

  • by joshdavham on 4/9/25, 3:31 PM

    > Data copied from devices during advanced searches at entry points into the U.S. gets saved for 15 years in a database searchable by thousands of CBP employees without a warrant.

    This is incredibly sketchy. As a non-American (Canadian), I think I’d probably just prefer to be refused entry to the US at that point.

  • by vessenes on 4/9/25, 3:06 PM

    This article is a nice reminder that free speech is awesome.

    Also, it is terribly unhelpful and uninformative.

    Schneier’s blog post on this has tons of useful information in the comments: https://www.schneier.com/blog/archives/2025/04/cell-phone-op...

    The EFF wrote the canonical guide to this in 2017: https://www.eff.org/wp/digital-privacy-us-border-2017. I don’t know if it has been updated, but there is a lot that’s useful there.

    I think the main thing to decide ahead of time is: will you unlock a phone on request, or are you willing to lose the powered-down phone or be denied entry if you refuse? Most of your decisions flow from there.

    If unlocked and it leaves your sight, ALL your messages and photos and documents will be stored forever and are available warrantless in probably every country in the world.

  • by sipofwater on 4/9/25, 10:30 AM

    "Motorola moto g play 2024 Smartphone, Android 14 Operating System, Termux, And cryptsetup: Linux Unified Key Setup (LUKS) Encryption/Decryption And The ext4 Filesystem Without Using root Access, Without Using proot-distro, And Without Using QEMU": https://old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_mot... (old.reddit.com/r/MotoG/comments/1jkl0f8/motorola_moto_g_play_2024_smartphone_android_14/)
  • by aftbit on 4/9/25, 8:09 PM

    I wish Android had a better backup story. If you're using iOS, it's as simple as the article describes. If you use even modern Android on modern Pixel, backup only includes a fraction of what you need to recover. Things like Signal keys, 2FA tokens, and more were not included in my last backup.

    GrapheneOS had an opportunity to do this 1000% better... and they instead ship a kinda broken fork of SeedVault, which they have been intending to replace for a long time now.

  • by xnx on 4/9/25, 2:51 PM

    Isn't it better to factory reset a phone before entering the US and then restore a backup?
  • by elif on 4/9/25, 3:10 PM

    this post is not really practical advice if you want to actually enter the US.

    here's some: mail it

  • by vzaliva on 4/9/25, 4:53 PM

    One thing I would definitely do is to secure my password manager. This would minimise potential exposure in the future in case your phone is backed up in some government database. 1Password have a feature for that: https://support.1password.com/travel-mode/
  • by senderista on 4/9/25, 5:52 PM

    I would love to visit Russia or Iran as a tourist, but I'll probably never be able to do that safely, and if I weren't a US citizen I would feel the same about the US. The US has many beautiful and fascinating things to see and do, but so do lots of other countries that won't throw you in a gulag.
  • by highstep on 4/9/25, 7:33 PM

    Vegas is fun, but not fun enough to justify having to worry about this stuff. My days of visiting the USA are over.
  • by vlod on 4/9/25, 5:02 PM

    Or use the n-1 phone you already have in that junk drawer.

    I have an old Pixel phone that will work for simple stuff.

  • by JKCalhoun on 4/9/25, 3:03 PM

    > Don’t just take a wiped phone

    Oh, and if I don't have (bring) a phone at all?

  • by wg0 on 4/9/25, 4:50 PM

    Even Arab dictatorships don't search phones on entry. What's happening here?
  • by MikeTheGreat on 4/9/25, 5:24 PM

    I'm seeing a lot of discussion here about how to prepare your phone for a border crossing, which is fascinating.

    I was wondering about a different strategy: what about leaving your phone at home and then buying a new one after you've crossed the border?

    It seems like it wouldn't be any less work than 'clean wipe and full restore post-crossing' and has the advantage that border agents can't search what you don't have.

    If your trip is short and the return policy sufficiently generous, you might even be able to clean wipe the phone and return it before you cross again.

    I'd be curious to hear what people think about something like this.

  • by root_axis on 4/9/25, 5:03 PM

    Too technical and nerve-racking for my loved ones traveling across the border. The solution most people I know (who are not born in the U.S.) have landed on is don't post or share any political articles, memes or reels, especially in DMs. If someone sends you political content, delete the message afterwards. The silver lining is that eschewing that content has some mental health benefits.

    I would imagine that stories, Snapchat, and disappearing message features are probably safe, but I tell my loved ones that it's not exactly clear what type of metadata might remain on the device even using those features.

  • by admiralrohan on 4/9/25, 5:40 PM

    I watched a vlog on travelling to North Korea and they didn't check his phone.
  • by reassess_blind on 4/10/25, 7:42 AM

    In a similar vein for laptops, VeraCrypt offers (offered?) a "Hidden OS" feature that allows an OS to be stored within an encrypted container inside of another encrypted container, with two separate passwords. This allows the outside volume's password to be divulged, which would show a dummy OS and allow for plausible deniability, while the real OS is only accessible with the second password.

    However, this feature doesn't seem to work for Windows 11, or on some modern laptop hardware anymore?

    Is there other software that offers similar functionality?

  • by sipofwater on 4/9/25, 10:20 PM

    "DHS to screen social media of visa applicants for 'antisemitic activity'": https://abcnews.go.com/Politics/dhs-screen-social-media-visa... (abcnews.go.com/Politics/dhs-screen-social-media-visa-applicants-antisemitic-activity/story?id=120642944)
  • by sipofwater on 4/10/25, 8:48 AM

    "One Tech Tip: Protecting your device privacy when crossing borders": https://apnews.com/article/internet-privacy-smartphones-trav... (apnews.com/article/internet-privacy-smartphones-travel-e0a3146ae7966ea0e4157dbfae1f6a81)
  • by Vuska on 4/9/25, 2:45 PM

    The US is hardly the only country where this is the case and locking down your phone is almost entirely pointless (see xkcd #538).

    If you're concerned about having it searched, don't bring your primary phone. Go to a phone shop, buy an old phone, put your SIM card in it, and use that instead.

  • by rob_c on 4/9/25, 6:59 PM

    Again, it's called a burner. If the criminal underworld can master this concept...

    If you engage in stupidity online and it comes back to bite you because you wear it on your arm, my advice is don't go crying about it, unless you didn't believe enough in what you're saying to follow your words through with actions.

  • by OutOfHere on 4/10/25, 1:49 AM

    Instead of just shutting down your phone, reboot it and enter the wrong password twice. With any luck, this will erase the memory remnant imprint of the actual password. After doing this, you can then shut it down if you want.
  • by arnonejoe on 4/9/25, 5:35 PM

    I think this article is factually incorrect on one point. You cannot be detained for not providing the contents to your phone. That is absurd.
  • by Havoc on 4/9/25, 12:31 PM

    I'm just not going to go to the US frankly.

    Only reason I would is tourism, and I like my vacations harassment & risk of detainment free

  • by NikkiA on 4/11/25, 1:59 PM

    No; If you're forced to go to the US, take a burner phone.
  • by basisword on 4/9/25, 4:38 PM

    Almost everyone reading this doesn't need to worry about this. And if you are one of the few that do need to worry - just don't travel to the US for now.
  • by LWIRVoltage on 4/9/25, 9:09 PM

    Does obtaining Global Entry minimize the chance of them deciding to harass a citizen crossing the border, I wonder? It is at the cost of your biometric, but data on your devices might be worth more, and as I note elsewhere in this thread, you can image a computer and back it up fully, but not a phone without some data loss, unfortunately. [TWRP possibly can do it right perhaps, but it requires unlocking the bootloader (which wipes the phone), and once bootloader is unlocked, it's more vulnerable to Cellebrite and company, to my understanding.]

    Seeing the latest (leaked?) Cellebrite info from 2024 Summer - BFU state [Before First Unlock state] after posting on, modern imo Pixels, iPhones on the latest OS, and Graphene devices seem to be the hardest to get into.

    Anyway, with computers, this was a solved problem from a technical standpoint. Yes, I'm talking TrueCrypt then, and today VeraCrypt. The Hidden Container feature is impressive, but the Hidden OS feature allows for a truly hidden OS behind the scenes that can't be found at all. However, there's an unfortunate weakness that makes this hard to use today: it's limited to MBR, not UEFI [GPT] systems, so unless you like your computer not being able to have more than 2 Tb and only 4 partitions (so good luck if you do a lot of stuff from dualbooting to other whatnot). We need a VeraCrypt Hidden OS equivalent for UEFI systems that's truly undetectable. (That also will work for Linux and maybe Mac, not just Windows as VeraCrypt currently does; you can only make the Hidden Volumes on the non-Windows versions of VC.) There was one project to do it, and there were articles and a Black Hat presentation on "Russian Doll Steganography" for an OS, but it didn't go anywhere from what I can tell, and everyone is now wide open... unless you have an MBR system. I also think I've heard UEFI is more easily secured than MBR in general and for the foreseeable future...

    https://portswigger.net/daily-swig/russian-doll-steganograph...

    https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Schaub-Perfectl...

  • by fragmede on 4/9/25, 7:17 PM

    What the fuck happened to the first amendment?
  • by mvieira38 on 4/9/25, 12:56 PM

    Why even go to the US if you're fearing it that much
  • by mediumsmart on 4/9/25, 12:40 PM

    I lock it down in the living room and then head for the airport. I didn’t even have to read the article to know.
  • by NoImmatureAdHom on 4/9/25, 4:53 PM

    The situation at the U.S. border re phone privacy is exceptionally good. In most countries this isn't a live issue because you have no such rights and everyone would laugh at you for asserting them. There are exceptions, perhaps Germany? In Britain they'll throw you in prison for refusing to give them your phone password, and if you do they'll throw you in prison for the wrongthink tweets they find on your phone.

    Should Americans be subject to search-for-no-reason at their own border? No, and I hope that as these border issues work their way through the legal system this will get sorted out. Please note that the CBP can say whatever they want about you having to give them a phone password, but you don't have to. They might keep your phone for a while and fuck around with it.