Borders and customs: the situation nobody prepares for

An American attorney crossing back into the US after a trip to Mexico. The CBP agent asks him to unlock his laptop. He refuses, citing attorney-client privilege. They explain that attorney-client privilege doesn’t apply to US Customs. Two hours later, the laptop is confiscated for “extended inspection.” It comes back by mail eleven days later.

The common trap

“I have rights.”

True. But your rights vary dramatically by jurisdiction, and at an international border they are systematically lower than you think. The border is a legally distinct zone: the constitutional protections you’re accustomed to — Fourth Amendment, equivalent EU protections — apply with significant restrictions, or not at all.

The majority of traveling professionals don’t know precisely what a border agent can legally do with their laptop. That ignorance has a cost.

Actual rights by jurisdiction

United States — CBP

The US framework is particularly broad. The “border search exception” allows CBP (Customs and Border Protection) agents to inspect electronic devices without a warrant, without probable cause, and without any prior judicial authorization. This applies at land, air, and sea borders.

What this means practically:

• An agent can ask to review your laptop, phone, tablet, or USB drive.
• If you refuse, the device can be confiscated for “extended inspection.” CBP can legally retain a device for up to 120 days without any judicial process.
• A complete forensic copy of the drive can be made — in a back room, in 15 to 45 minutes — without your knowledge.

The question of whether you can be compelled to unlock is more nuanced. The Fifth Amendment (protection against self-incrimination) may cover disclosure of a memorized password — some federal courts have ruled in that direction. But the legal debate is ongoing, rulings vary by circuit, and for non-citizens and non-permanent residents the protection is nearly nonexistent. In practice: refusing can lead to confiscation, extended questioning, and denial of entry.

United Kingdom — Schedule 7 + RIPA Section 49

The UK regime is among the most coercive in the world.

Schedule 7 of the Terrorism Act 2000 allows border agents to detain and question any person without grounds, for up to 6 hours, and to examine documents and devices. No obligation to justify the request.

RIPA Section 49 creates a legal obligation to provide decryption keys when a notice is served. Refusing to decrypt a demanded device is a criminal offence, punishable by up to 2 years in prison (5 years in terrorism or child protection contexts).

This isn’t hypothetical. Journalists, activists, and professionals have been detained under these provisions.

China

Chinese border agents (customs, state security) have very broad discretionary powers. Device confiscation is possible, forced access is documented. Local apps may be mandatorily installed as a condition of entry in some contexts. (→ see Traveling to China article for full detail)

Russia

Comparable to China on coercive powers. Any device can be inspected, copied, confiscated. Encrypted communications may attract specific attention from services (FSB). For foreign nationals on business travel, risks are real given the current geopolitical context.

Israel — Shin Bet / border control

Israel conducts systematic security profiling at entry, particularly at Ben Gurion airport. People are regularly asked to unlock phones. Forensic copies are made. Targeted profiles include journalists, activists, people with connections to the occupied territories — and occasionally business professionals with certain geopolitical footprints.

European Union

EU customs authorities have standard physical inspection powers. GDPR applies to European public authorities, providing relative protection. In practice, the risk of systematic coercion for business travelers in the EU is low, except in the context of specific judicial investigations.

What can be seized

• Laptops, phones, tablets, USB drives, external hard drives
• Forensic copies can be made without your knowledge — bit-for-bit clones in 15 to 30 minutes with compact equipment (Cellebrite UFED, Magnet AXIOM, and equivalents)
• Temporary or permanent confiscation depending on jurisdiction
• In some countries, content can be shared with partner intelligence agencies

Technical preparation

Clean machine at the border. This is the most effective measure. If the device contains nothing sensitive, nothing can be seized or compromised. For L2 and L3 destinations, use a travel laptop provisioned specifically for the trip.

Full encryption enabled, machine powered off. Not sleep — powered off. An encrypted disk on a powered-off machine is practically unattackable at rest. An encrypted disk on a sleeping machine (RAM active) can be attacked via cold boot attack given sufficient time and hardware. (→ see Disk Encryption article)

Data in transit via cloud, not stored locally. If sensitive files aren’t on the device but are accessible via cloud after clearing the border, there’s nothing to seize. This strategy is particularly effective for destinations where confiscation is probable. Cross the border with an empty device, access files from the hotel via a secured connection.

Recent backup. If the device is confiscated and never returns (or returns months later), you need to be able to keep working. Full backup verified before departure.

Data-only cable for charging. For public charging stations (airports, hotels), use a charge-only cable or a USB data blocker. Never connect to an unknown USB port with a standard sync cable.

Legal preparation

Know your rights in the destination jurisdiction before you arrive. The EFF publishes a detailed guide for US borders. For the UK, Liberty’s guide covers Schedule 7. Read these at home, not in the customs queue.

Have your lawyer’s number accessible without your phone. If the phone is confiscated at the border, you need a number memorized or written on something physical in your passport. One number. That’s all you need.

Never lie to a border agent. It’s a separate offence, often more serious than the underlying issue. “I prefer not to answer that question” is legally safer than lying. It may extend your detention, but it doesn’t expose you to additional criminal charges.

Document any confiscation. If a device is confiscated, request a written receipt with the agent’s name, badge number, and precise description of the seized equipment. In the US, CBP is legally required to provide a receipt (form CBP-6051D).

Common mistakes

• Machine in sleep mode at the border rather than powered off, making disk encryption largely ineffective
• Sensitive data stored locally on the travel device
• No recent backup — if confiscated, total data loss
• Lying to a border agent about device contents
• Using airport Wi-Fi to sync files immediately after clearing customs
• Ignoring local restrictions on encryption equipment (some countries require declarations or licenses for devices with hardware encryption)

• N1 Power off the device (not sleep) before border crossing
• N1 Full backup verified before departure
• N2 Lawyer's contact memorized or on physical medium
• N2 Understand your rights in the target jurisdiction (EFF/Liberty guides)
• N2 Sensitive data in cloud, not local, for higher-risk destinations
• N2 Clean machine (no sensitive data) for US/UK if exposed profile
• N3 Dedicated device with no data for CN/RU/IL
• N3 Specific privilege protection preparation for attorneys/journalists at US or UK border
• N3 Treat any device returned after confiscation as potentially compromised