Jan 15 2018

Citizens: Just say “No” to requests for your passwords

Our article last week on the new DHS policy on demands for passwords to travelers’ electronic devices has prompted extensive discussion on Hacker News and elsewhere.

One theme in the comments is that travelers who are not US citizens could be turned away at the US border or sent back when they arrive at a US airport if they decline to disclose the passwords to their electronic devices, and might also be blacklisted from the US for life.

That’s a legitimate concern for non-US citizens.

We would argue that denial of entry or blacklisting and denial of future entry on the basis of declining to provide passwords would be illegal, but the DHS might well do it anyway, and it could be hard for non-US persons to challenge in court.

It’s not clear that a non-US citizen would have no means of redress in court. As we noted in our earlier article, the Paperwork Reduction Act (44 US Code, Section 3512) provides that:

(a) Notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information that is subject to this chapter if—
(1) the collection of information does not display a valid control number assigned by the Director in accordance with this chapter; or
(2) the agency fails to inform the person who is to respond to the collection of information that such person is not required to respond to the collection of information unless it displays a valid control number.
(b) The protection provided by this section may be raised in the form of a complete defense, bar, or otherwise at any time during the agency administrative process or judicial action applicable thereto.

Denial of entry to the US would certainly seem to be a “penalty” proscribed by the PRA. However, we are unaware of any case law on whether “person” as used in the PRA is limited to US citizens.

More pragmatically, the DHS might claim that the denial of entry was for some other reason, rather than admitting that it was as retaliation for declining to disclose passwords.

Arbitrary or baseless denial of entry to non-US citizens often evades US judicial review.

The clearest precedent for this threat is the case of Dr. Rahinah Ibrahim, whose name was added to the no-fly list by an FBI agent who checked the wrong boxes on a “nomination” form. Ten years of litigation culminated in the first (and to date only) trial in a no-fly case, and a court decision  in Dr. Ibrahim’s favor. The government took Dr. Ibrahim’s name off the no-fly list — but not before putting her name on a different blacklist, for reasons that remain secret, and denying her a visa to return to the US.

So it’s reasonable for non-US persons to fear that even if they have a “right” not to be penalized for refusing to tell the US government their passwords, they could be blacklisted and denied entry to the US then or in the future, withough legal recourse.

What this means, of course, is that it’s up to US citizens to stand up for the rights of all, including the rights of those more likely to be kept out of the US and out of US courts.

US citizens have a clear legal right, explicitly recognized by international human rights treaty,  to leave or return to the US. US citizens can’t be denied the right to enter or leave the US for exercising their right to remain silent once they have completed the approved customs declaration form. And US citizens have a much better chance of being able to challenge any denial of entry or exit or other adverse action in court. It’s up to us.

If travelers submit to these demands — even if they do so “under protest” — their acquiescense will be deemed to have been “voluntary”. Only those who decline to provide passwords are likely to ahve legal standing to challenge the legality of these demands.

If US citizens don’t resist, nobody will. Even if foreigners complain about the actions of US border guards, they may have no way to get their complaints considered by US courts.

If you are a US citizen and US government agents ask for your passwords, just say “No”.

5 thoughts on “Citizens: Just say “No” to requests for your passwords

  1. @Rich_Leyden – We reported on the law denying passports on the basis of allegations of unpaid taxes, and the possibily for court challenges to its enforcement, when it was enacted:


    Other proposals for restictions on eligibility for US passports are pending in Congress:


  2. Pingback: #privacy #surveillance Citizens: Just say “No” to requests for your passwords | Papers, Please! – Defending Sanity in the Uppity Down World

  3. Recently – (in December) – upon returning to the USA after living abroad for a long period, I was stopped by CBP for secondary screening. The CBP officer mentioned an “incident with the Peace Corps” and that the information leading to my screening came from the Cambodian government. I have no idea what the officer was referring to and I have no idea why the Cambodian government wanted them to search me. It’s possibly a case of mistaken identity or a false accusation. I’m not certain. I lived there for several years and I was never in trouble with the law or arrested or even detained or questioned. I was also able to exit and enter Cambodia freely and had done both more than once regionally in the month leading up to this incident at the San Francisco airport. If I had actually done something wrong there one would think that they would have arrested me when given multiple opportunities to do so and they didn’t.

    The CBP officer asked me for the passwords to my phone and laptop. I declined to give them to him and so he had my electronics detained so they could presumably hack them to take a look. After seizing my electronics (and refusing to elaborate further on what was causing this issue) they let me catch my connecting flight.

    Now, about 6 weeks later, a DHS agent has called me and told me that they were ready to return my electronics via FedEx (at my expense) and he made no mention of any pending charges (I didn’t expect any as there was nothing illegal on the devices) or any ongoing investigation, nor did he indicate whether they successfully got to the data on my devices or if they retained a copy of it if they did succeed.

    In preparing to leave the USA again I had to get a new passport because mine had water damage. It is the first and only passport I had owned previously. They gave me a new passport but it’s only valid for 1 year (“limited validity”) and the letter they sent with it indicated that it was because I had had MULTIPLE lost or stolen US passports. Except that I haven’t had any lost or stolen passports. Just one damaged passport and I included a detailed statement regarding how it got damaged as well as submitting the actual passport with my application. My concern is that this is some further punishment for an “incident with the Peace Corps” that, to my knowledge, never took place. The Peace Corps is under the umbrella of the State Dept. and I believe the State Dept. has access to some of the same databases as the CBP does like IBIS and so whatever the CBP officer was talking about could have influenced their treatment of my passport application despite the fact that it’s not true.

    Not only is it not true: It hasn’t been established factually in any court, American or Cambodian. And America has been highly critical of the authoritarian nature of the Cambodian gov’t and their use of the courts to harass and intimidate people for political reasons … And yet they’re just going to take the word of that government when it comes to one of their citizens and begin treating them as criminal suspects or second class citizens with restricted travel privileges? It’s Kafkaesque to say the least. The border search was bad enough and if it turns out that my passport troubles are related to the same information and I can’t get them to relent I don’t know what I’ll do as I primarily live and work overseas and a limited validity passport will preclude my being able to obtain work visas or permits in most countries because it expires so quickly. It will also mean that I can’t use the passport for anything other than returning to the USA in 6 months or so since most countries require 6 months validity minimum for entry for any reason, even tourism.

    I wish I could afford legal representation for this but I can’t. I suppose I could start by doing FOIA requests with the CBP and with the State Department to establish what exactly they have written down about me so I know what it is I’m disputing because aside from that offhand remark at the very start of my CBP encounter they aren’t likely to be very forthcoming about it.

Leave a Reply

Your email address will not be published. Required fields are marked *