Anyone who has traveled internationally knows that uncomfortable feeling when you go through customs. As you hand over your passport, and other documentation, you are at the mercy of the border agent. Will they let you in? Did you fill everything out correctly? For many of us, that twinge of discomfort passes quickly as they hand back our passport. But for some, there are even more questions and sometimes a secondary screening. For those who experience this, their sense of vulnerability is unquestionably heightened.
Based on remarks by the Homeland Security Secretary John Kelly, the U.S. government is considering taking advantage of this fraught interaction to collect social media account passwords of non-citizens entering the country. In the past, there were proposals to make it optional for visitors to share their social media identifier information on certain visa applications, but this proposal is light-years beyond that. Secretary Kelly did not suggest that providing passwords would be optional, and even if they were, can you imagine saying no to a customs agent’s request? That is far easier said than done, especially if you are hoping to seek asylum or need to visit a sick relative.
Not only is the Secretary’s suggested plan an egregious affront to the dignity of our visitors, it would also be a major erosion of privacy rights
Not only is the Secretary’s suggested plan an egregious affront to the dignity of our visitors, it would also be a major erosion of privacy rights that puts significant amounts of personal information at risk. It would discourage the use of communications devices and social media accounts when traveling, and, in fact, would likely discourage people from visiting the United States all together. And every American who travels should expect other countries to apply a similar policy to them. This is why the Center for Democracy & Technology spearheaded a coalition of human rights and civil liberties organizations, trade associations, and experts in security, technology, and law to oppose Secretary Kelly’s dangerous proposal.
As the coalition said in their letter to Secretary Kelly, the first rule of personal cybersecurity is “don’t share your password.” If the Secretary gets his way, I believe it will create serious harm to all visitors’ personal security. Here’s why.
- Passwords are the keys to your personal kingdom. Unlike publicly available social media identifiers, passwords unlock a much deeper world of information, such as chats conducted within social media apps, detailed contact information for people in your network, or financial information. The government should have cause to access this information and should only be able to do so after following legal due process. Also, despite the advice of most cybersecurity experts, many people use the same password across sites and platforms. It’s not hard to envision a social media password being the same one someone uses for their email account, online banking, or healthcare portal.
- Stored passwords are an incredible target. If passwords are collected at the border, you can only imagine how valuable they would be to a malicious actor. Access to any of the information I mentioned above could lead to financial fraud, blackmail, or exploitation. Even if someone were to change their password after clearing customs, would they remember to do so for all accounts with that password? Would people eventually get complacent and forget to do this? It seems likely that the answer is yes, and when coupled with the U.S. government’s less than stellar track record of securing its data, the threat is greatly magnified.
- Data easily flows between agencies. While the Department of Homeland Security may have a defined use for the information it collects at the border, should the NSA and the FBI and also have this information? The reality is that if one agency has your data, every agency has your data. This creates new opportunities for misuse, the messy mixing of data sets, and even more potential for breach.
I understand the important need to keep our country safe, and I also recognize that having access to all the communications of everyone visiting the country could help in identifying patterns and networks. But this is a country that places great value on privacy and the ability to communicate without pervasive government surveillance. How can a nation that is so proud of our freedoms of association, of religion, and of speech put forth a proposal that so greatly devalues these freedoms for visitors? This does not reflect the best of who we are as a country or the rights to which we are entitled as citizens.
Collecting passwords of non-citizens entering the United States is clearly a search that far exceeds an appropriate level of screening at entry. It exploits people at one of their most vulnerable moments and creates a broader personal security risk. The government cannot have access to people’s passwords simply because they cross the border. Full stop.