Citizens: Just say “No” to requests for your passwords
Our article last week on the new DHS policy on demands for passwords to travelers’ electronic devices has prompted extensive discussion on Hacker News and elsewhere.
One theme in the comments is that travelers who are not US citizens could be turned away at the US border or sent back when they arrive at a US airport if they decline to disclose the passwords to their electronic devices, and might also be blacklisted from the US for life.
That’s a legitimate concern for non-US citizens.
We would argue that denial of entry or blacklisting and denial of future entry on the basis of declining to provide passwords would be illegal, but the DHS might well do it anyway, and it could be hard for non-US persons to challenge in court.
It’s not clear that a non-US citizen would have no means of redress in court. As we noted in our earlier article, the Paperwork Reduction Act (44 US Code, Section 3512) provides that:
(a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this chapter if—(1) the collection of information does not display a valid control number assigned by the Director in accordance with this chapter; or(2) the agency fails to inform the person who is to respond to the collection of information that such person is not required to respond to the collection of information unless it displays a valid control number.(b) The protection provided by this section may be raised in the form of a complete defense, bar, or otherwise at any time during the agency administrative process or judicial action applicable thereto.
Denial of entry to the US would certainly seem to be a “penalty” proscribed by the PRA. However, we are unaware of any case law on whether “person” as used in the PRA is limited to US citizens.
More pragmatically, the DHS might claim that the denial of entry was for some other reason, rather than admitting that it was as retaliation for declining to disclose passwords.
Arbitrary or baseless denial of entry to non-US citizens often evades US judicial review.
The clearest precedent for this threat is the case of Dr. Rahinah Ibrahim, whose name was added to the no-fly list by an FBI agent who checked the wrong boxes on a “nomination” form. Ten years of litigation culminated in the first (and to date only) trial in a no-fly case, and a court decision in Dr. Ibrahim’s favor. The government took Dr. Ibrahim’s name off the no-fly list — but not before putting her name on a different blacklist, for reasons that remain secret, and denying her a visa to return to the US.
So it’s reasonable for non-US persons to fear that even if they have a “right” not to be penalized for refusing to tell the US government their passwords, they could be blacklisted and denied entry to the US then or in the future, withough legal recourse.
What this means, of course, is that it’s up to US citizens to stand up for the rights of all, including the rights of those more likely to be kept out of the US and out of US courts.
US citizens have a clear legal right, explicitly recognized by international human rights treaty, to leave or return to the US. US citizens can’t be denied the right to enter or leave the US for exercising their right to remain silent once they have completed the approved customs declaration form. And US citizens have a much better chance of being able to challenge any denial of entry or exit or other adverse action in court. It’s up to us.
If travelers submit to these demands — even if they do so “under protest” — their acquiescense will be deemed to have been “voluntary”. Only those who decline to provide passwords are likely to ahve legal standing to challenge the legality of these demands.
If US citizens don’t resist, nobody will. Even if foreigners complain about the actions of US border guards, they may have no way to get their complaints considered by US courts.
If you are a US citizen and US government agents ask for your passwords, just say “No”.