Border phone searches are in the news a lot lately. Last month, a French scientist was allegedly blocked from coming to a conference in Houston after U.S. Customs and Border Protection (CBP) found statements against President Donald Trump on his phone. A few days later, Brown University doctor Rasha Alawieh was turned away at the airport after CBP allegedly found pro-Hezbollah images on her phone.

How does CBP have the power to rummage through phones so easily? After all, ordinary police can't just stop you on the street and search your phone without a warrant. But courts have recognized a border exemption to the Fourth Amendment, allowing the government to conduct routine anti-smuggling searches of travelers. Although some lower courts have weighed in on whether that exemption applies to personal electronic files, there's no definitive ruling yet on phone searches at the border.

Until the Supreme Court rules on the issue, CBP officers are mostly limited by the agency's own internal regulations. The regulations allow officers to conduct a "basic search" (flipping through the phone by hand) at their discretion, and require "reasonable suspicion" or a "national security concern" to conduct an "advanced search" with forensic phone hacking software such as Cellebrite. The regulations also restrict officers to searching what's already on the phone, not downloading new data, so phone searches should be conducted in airplane mode or otherwise disconnected from the internet.

Of course, an agency pinky-swearing not to violate your rights is not worth much in the way of practical protection. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have both put out guides for protecting electronic privacy at the border. Reason spoke to Sophia Cope, senior staff attorney at the EFF, and Nathan Wessler, deputy director of the ACLU's Speech, Privacy, and Technology Project, about the nitty gritty of defending your data.

There are a few basic tips that people should know but often don't. The U.S. government cannot prevent Americans from reentering the country no matter what. Nor can it compel anyone to give up their passwords. (The cops can force you to open a Face ID or fingerprint lock, though.) And shutting down an iPhone makes it much harder to break into. Other aspects of border privacy require more careful consideration.

The bottom line? Prospective travelers "need to have a plan about how to protect their data, and what they are going to do if they're pulled into secondary inspection and asked to unlock their device," Cope says. "You cannot be in secondary inspection like, oh crap, what am I supposed to be doing? That's the most important thing. The second most important point is that one size doesn't fit all."

Know Your Risk Factors

U.S. citizens have the most power to refuse the government's demands for information. CBP can't stop Americans from coming back to their own country, but it can slow them down and physically separate them from their belongings. If you're an American citizen and you refuse to unlock your phone, CBP may hold you for longer—typically no more than a few hours—and seize your phone for a forensic scan.

"The government cannot compel you to provide or enter the password, but what they will do is say, if you don't give us the password, we're going to hold your phone until we can get into it ourselves," Wessler says.

Visa holders (and travelers from visa-free nationalities) are in a very different boat. CBP agents can decide on the spot whether or not a visitor is really "eligible" to enter the United States, and the agency claims that phone searches are a routine part of that process. The principle of "innocent until proven guilty" is flipped on its head for visitors; refusing to provide information can itself become a reason to deny you entry.

Legal permanent residents are in a gray area. In theory, a valid green card should give you the right to re-enter the country unless an immigration judge takes it away. "Prior to this version of the Trump administration, we would say that generally speaking, green card holders have the same rights as citizens to come back into the country," Cope says, but the Trump administration is now trying to flex its power to revoke green cards for "national security," as in the cases of Mahmoud Khalil and Yunseo Chung.

Beyond immigration status, certain people might attract more government attention. CBP has used the border search exception to help domestic authorities (including even the Food and Drug Administration) look into people they were already investigating. Travel history in certain countries, especially more frequent or longer trips, may also raise red flags.

Professionals who deal with confidential information—such as lawyers, businesspeople, doctors, and journalists—have to consider the security of their work product. The CBP regulations around medical and journalistic data are vague, stating only that they "shall be handled in accordance with any applicable federal law and CBP policy." The regulations similarly state that CBP will treat commercial data "as business confidential information and shall protect that information from unauthorized disclosure."

The protections for attorney-client privilege are a little stronger; CBP officers are required to bring in the agency's lawyers before searching potentially privileged data. However, the regulations also call for pretty intense questioning in the process: "The Officer shall seek clarification, if practicable in writing, from the individual asserting this privilege as to specific files, file types, folders, categories of files, attorney or client names, email addresses, phone numbers, or other particulars that may assist CBP in identifying privileged information."

Protect Your Data

If CBP escalates by seizing a device, then the data they can access is a matter of technical security measures. Users can increase the security of their devices by encrypting their hard drives, for example. (The latest version of the iPhone automatically encrypts its hard drive if idled.) Simply shutting down a device may make it harder to break encryption. Unfortunately, the government's abilities are somewhat unclear.

"The question that is impossible to answer from the outside," Wessler says, "is at any given moment, where are we in the cat-and-mouse game between Cellebrite and similar companies and Google and Apple and their operating systems?"

The best way to protect data is not to have it lying around. After all, "border authorities can only search things that you have on your devices at the border," Wessler adds. The trick is knowing how to make sure that data is actually inaccessible when you're crossing the border, and how to make sure you can get it back once you're done with your journey.

A simple solution is the good old burner phone. It might make sense to keep separate travel and home devices, and it's often possible to switch SIM cards between phones, so that both devices can be reached at the same phone number. The EFF guide for border privacy recommends the Google Chromebook as a good travel device, because the laptop is both cheap and designed to store most data on the cloud rather than locally.

In general, cloud storage is your friend. Services such as Google Drive and iCloud allow users to easily access their data via the internet without storing that data on the physical device itself. Again, CBP only searches devices that have been disconnected from the internet. It's possible to disconnect from cloud storage and delete local copies of the data before a journey, and then connect to cloud storage and download the data again afterwards.

However, there are a few important considerations. Data that is "deleted" from a device may still be there. Alawieh's allegedly incriminating photos, for example, were found in the "Recently Deleted" folder of her phone. (The iPhone keeps deleted photos in the bin for 30 days unless the user manually removes them.) Even clearing out the virtual trash bin "is not a guarantee at all that it will be safe from search, because deleting often means it just goes into unallocated space on the phone," Wessler warns.

The EFF guide includes a technical overview of how to securely delete data. The most dramatic measure is to perform a "factory reset" of your phone before crossing the border. However, crossing the border with an empty device can cause CBP agents to think you are hiding something. If you're a citizen, that suspicion may lead to more of a headache. If you're a visitor, CBP may decide to turn you away.

Be Practical

Some data may have to cross the border with you. "Maybe you won't have internet access, because you're going to be out on an expedition somewhere, and you really need data on your phone," Cope says. "It's not really reasonable for you to put a bunch of data on the cloud and wait there for two hours for it to download. There's lots of different factors that would implicate how people would decide."

On the other hand, making some information available could help to avoid more aggressive scrutiny. For example, journalists might want to delete their conversations with sources while keeping benign family group chats. "As a privacy advocate, I don't like that advice. In an ideal situation, you don't want the government to have access to anything, because even looking at text messages with your mom is a privacy invasion," Cope says. "But it is about a practical decision."

Another consideration is what happens on the other side of the journey. Canada, Britain, Australia, and New Zealand, which all share intelligence with the U.S. government under the Five Eyes program, have different border privacy policies. Under Australian law, travelers do not have to unlock their phones. Canadian authorities, like U.S. authorities, say they will seize a phone if a traveler refuses to unlock it. New Zealand imposes a $5,000 fine for failing to unlock a phone, and Britain considers refusing to unlock a phone for police to be a counterterrorism offense.

American citizens who have done nothing wrong might still hesitate to exercise their rights at the border, simply because of the obstacles that CBP can impose. Sitting in secondary inspection for two hours could cause a traveler to miss a connecting flight, and CBP seizing electronics can impose a major financial burden. Although CBP regulations state that electronics should only be held for five days, the agency has held on to phones for months, according to the ACLU guide.

Electronic search and seizure is especially stressful when the device belongs to someone else. Employers should have a plan for dealing with government searches of company data at the border, and "ideally back up their employees…to give people the right to say, this is my work laptop and I am not authorized to give you access because of the proprietary and confidential information on there," Cope says.

Finally, the government can simply disobey its own rules. In Alawieh's case, and the case of Venezuelans deported under the Alien Enemies Act, the Trump administration got around court orders by moving too fast for the courts to intervene. "We can say what's legal and what's not, but that doesn't seem to be stopping the current government from trying a lot of outrageous things," Wessler says.