Posted by sipofwater 4/9/2025
Too old phone? Suspicious. Too empty phone? Suspicious...
The US, along with Canada, Australia, Germany and a few others, have been asking people at the border to unlock their phones.
Wallpaper is a US flag. Home screen shows Truth Social, X and 4-chan. Smartphone cover displays a roaring eagle.
Hah! Phones are a PITA to reliably back up and restore. I outlined the pain I had with it in this recentish comment: https://news.ycombinator.com/item?id=42652663
This is incredibly sketchy. As a non-American (Canadian), I think I’d probably just prefer to be refused entry to the US at that point.
Canada ending their intelligence sharing with the US would be a big win for citizens in the US and Canada. They basically rely on sharing records with a government with a very hostile and notoriously flawed justice system (that in practice results in quite racist results) and then using it to judge US citizens, which favors other immigrants from countries with weak or less flawed criminal systems or ones that do not share information with Canada.
Also, it is terribly unhelpful and uninformative.
Schneier’s blog post on this has tons of useful information in the comments: https://www.schneier.com/blog/archives/2025/04/cell-phone-op...
The EFF wrote the canonical guide to this in 2017: https://www.eff.org/wp/digital-privacy-us-border-2017. I don’t know if it has been updated, but there is a lot that’s useful there.
I think the main thing to decide ahead of time is: will you unlock a phone on request, or are you willing to lose the powered-down phone or be denied entry if you refuse? Most of your decisions flow from there.
If unlocked and it leaves your sight, ALL your messages and photos and documents will be stored forever and are available warrantless in probably every country in the world.
I wonder what could happen to citizens who weren’t born in the US.
Given what we’ve seen recently, could it be possible they would refer these people to the State Department to revoke their citizenships?
But next week it could all be different.
It seems like they are claiming that “not saying you intended to protest” is essentially lying on the initial visa application, thus fraud and grounds for revocation of residence and deportation.
So, if CBP confiscated someone’s laptop or phone (because they don’t want to unlock it), then broke into it, and found social media posts against genocide, and/or against the Trump administration… given how they’ve acted, who knows what they’d do.
https://www.reddit.com/r/UnitedNations/comments/1jw8gyv/all_...
Insofar as the current regime has little or no respect for the rule of law, particularly due process, I can imagine them revoking someone's passport. The Secretary of State could certify that you have engaged in activities abroad that are opposed to U.S. foreign policy. On paper, the conditions for revocation are rather narrow. In practice with an adverse administration and a largely captured judicial branch, who knows? Either way, personally I don't care. No warrant - no looksies.
GrapheneOS had an opportunity to do this 1000% better... and they instead ship a kinda broken fork of SeedVault, which they have been intending to replace for a long time now.
This is an issue I face - I have a collection of thermal cameras that use apps to control them - after every install onto a phone, they then reach out to a server to authenticate.
Here's the issue - though I have a few older phones - these apps are 32-bit ones, so no modern phone after Android 13 will run them. And they are all now not on the app store anymore, as they all came out about around 2016. I did use an APK extractor to pull the APKs to store them - but the native backup functionality wouldn't capture that authorization in the future, I might rob myself of my ability to use some extremely expensive, and long-term invested capable hardware, by backing up and restoring.
I suspect a full image would solve this problem, but I don't think one can do that outside of things like TWRP - but that requires unlocking the bootloader, and if you do that it wipes your device - AND is more vulnerable to Customs' usage of Cellebrite etc., to my understanding.
I don't have this issue with laptops, as I can fully image them and wipe and restore and have a perfect replica / no issues. But my thermal cameras do not run off of PC and the form factor wouldn't work if they did.
Apple Pay cards and so forth, anything with 2FA codes, in Sweden we use "BankID" which is largely using a private key in secure storage and a PIN to "sign" and "identify" people, you would be destroying those things in an unrecoverable way.
Also, restoring a phone takes a seriously long time (8-10hrs?) and some things might not restore. Music you might have saved for example.
Also, your restore process might be using the internet (which is also an issue), but if it's not: then you're bringing your backups with you most likely, so they're forfeit.
2FA is a pain to recover, but it shouldn't take _that_ long to restore a backup unless you don't have decent internet access. All of my important data and apps usually take maybe 2 hours to get back (including flashing the OS), 3 if you include 2FA recovery.
Local backups are kind of an interesting risk/reward situation. My phone usually spends most of its time downloading apps from Google Play when recovering, the data recovery itself is very quick. Just backing up the APKs (which do not contain anything interesting) would probably cut down my backup recovery time to less than half an hour. Of course, my pictures and music are all stored in self-hosted cloud services, if you care to keep a local copy then things will take longer.
1) We're talking about people who are most likely going to be using 4/5G and Hotel Wifi. The US anyway is far behind on bandwidth, I get symmetrical 1G for "free" in Sweden, last time I was in the US it was $60/mo for 60MBit.
2) Phones have as much as 1TiB of storage, even at the speed of storage that'll take a hot minute.
Getting the 2FA codes set up while not having access to those 2FA codes is going to be interesting.
It all depends on the security pyramid you have, and how much risk you are okay with. I store all my passwords in a Dropbox .kdbx file, but I need these always in case of emergency, even from a different device. So I must not enable 2FA on Dropbox. The password to it (and the .kdbx file) lives only in my memory. I hope not to get hit in the head.
If you're trying to protect your data, probably better to set up a secondary, plausible profile, and restore from backup after crossing the border. Or to take a burner phone and buy a completely new one inside the US after crossing.