810 points by jaarse 1263 days ago | 545 comments on HN
| Moderate positive
Contested
Editorial · v3.7· 2026-02-28 12:24:09 0
Summary Privacy & Surveillance Advocates
Engadget reports on US border authorities' practice of seizing travelers' device data without warrants and retaining it for 15 years in a database accessible to thousands of government officers. The article, citing Senator Ron Wyden's advocacy, criticizes warrantless searches, indefinite data retention, and lack of oversight as violations of privacy and due process rights. The reporting demonstrates strong editorial advocacy for privacy protection and government accountability, though the domain's own surveillance-based ad tracking creates structural tension with this advocacy.
I'm not sure I missed something, the title says "Americans" but I couldn't find an elaboration on exactly _who_ is subject to these searches. The ACLU [0] seems to contend that, at least, US citizens are not subject to these measures.
Is there any significant effort in progress to combat this practice? I see that EFF has some old articles on the topic but I don't see anything current.
"That's when they can plug in the traveler's phone, tablet or PC to a device that copies their information, ...".
would really like to know which "devices" they are talking about. fkn hard to do a full android backup these days.. this world. im tellin ya.
on another note: lets talk about how one would go about keeping ones privacy intact aka having a party in the capitol.
1. will they be able to get into my cryptrooted pinephone / hdd in those 5 days?
2. if not will this only make them more angry and privacy penetrating?
Seems like real solution are phones that by default provided end-to-end-encryption for cloud backups, no local data “travel modes”, secure wipes, multiple logins, etc. — since trying to get countries to uniformly play by same rules seem highly unlikely.
Honestly, as a non-American this scares me. I am absolutely not at all important and a fairly mediocre programmer as well, I don't store compromising data about anyone, never stole code or company data in my life (and never will), etc., you get it. A normal law-abiding citizen.
I still don't want to get my phone taken on an US airport and returned an hour later with God knows how many viruses that even Apple wouldn't be able to detect on my iPhone.
It's not about having something to hide. It's about not liking it when people poke their noses in your business without you being a criminal. And no I don't think installing backdoors on each device "to catch the criminals more easily" is a solution at all.
1. Any malicious person savvy enough to pull off a crime of interest to the Feds is smart enough to provide a wiped or burner phone to DHS/ICE, and they have to know this. So, what is the point in doing this if not to target law abiding citizens.
2. USGOV has a spotty track record of keeping this information secure. A foreign actor is likely to access this info eventually. As one former government official once joked many years ago - concerning Chinese hacking - "Well, its probably more secure in the CCP's data center, so I wouldn't worry."
This is the problem when a non-technical generation makes the rules and regs. Luddites ought not be permitted to ascend the GS ranks.
This happened to me in 2016 crossing into Canada. Borders agents took my phone for no reason, demand I give them the password to unlock it (otherwise they would seize the phone), took it in the back for 45 min before returning it and letting me enter. I think it’s obvious they took all my data.
So now when I travel I just bring my “travel” phone with no sensitive data on it.
As a thought experiment, what would happen if you wrote your own malicious payload to a burner device and handed that over? What if you warned the border agents that your device would deliver malicious code and they plugged it in anyway?
On my last trip back from Europe in June, when I re-entered the US, US Customs & Border Control didn't ask for my passport. No one did. They did wave a webcam connected to a computer in front of my face, and then a moment later, called out my name and said I could enter. Same with everyone coming through the international border area.
I think that's just as weird a development and worthy of "WTH?" as this topic.
It's a great overview of digital privacy and protection laws in the US, how they came about, and what protections they actually offer. The short answer is "very few" and the long answer is "never ever ever turn over your data short of a court order and even then try to fight it."
Then with Third Party Doctrine, most of the few/limited privacy/warrant rules go out the window.
Even if you are a person who will never in your life end up as any kind of person of interest for the government, handing over data in this way could still be quite dangerous.
Phones will often contain data that can facilitate theft and fraud if ending up in the wrong hands. If they're able to copy everything, including private data from all apps that could be quite bad. For example many countries now use apps to login to online banking, with private keys for the login stored in the app. Will that be copied? Will it ever be found out if one of the 3000 government officials with access to this data sold it on darknet markets?
Maybe some months after your travel you suddenly wake up one day to find all your money transferred from your bank account to some account in Nigeria.
This (and similar issues) is the main reason that I donate a non-trivial (10%) part of my earnings to ACLU (and 2 other) organization.
Our rights and freedoms do not come without struggle. And they sure do not last without somebody constantly defending them. And it’s only bravado to assume that we can stand against the might of federal agents as individuals without dedicated organizations fighting for us.
One thing I learned at Defcon 30 was how to break encryption at rest by just storing the encrypted data and wait for a quantum computer to be developed but storing it for 15 years wouldn’t be long enough (average guess of scientists were 50 years in the future).
It makes the NSAs Utah data center to have other applications like parallel reconstruction.
As a European I find it strange how the article and many comments here seem to focus only on it being US citizen's data being hovered up by the boarder control.
No one's private data should be taken without a legitimate cause, no matter their nationality.
Imagine having a knock on your door because you exchanged a few friendly text messages 15 years ago with someone who is being investigated for a crime committed today.
Citizens are suspects. Tourists are terrorists. Everyone is a potential criminal in the land of the free.
I submitted this the other day but it didn't get any traction: the Protecting Data at the Border Act[0] is a thing, but has barely been touched by the relevant Senate committee since it was introduced nearly a year ago. As expected, it's not perfect: it has some carve-outs, and only applies to US citizens (and maybe permanent residents; I forget the exact definition of "U.S. person"). But it would definitely improve things. Maybe something to bug your Senators about.
This recently happened to me earlier this year. I am a U.S. citizen, coming back to the states from South America. I have not broken any laws nor do I intend to.
I put up a fuss and almost missed my flight, but they took both my laptop and cellphone into a back room with about 5-8 other people on my flight. Made me unlock of course.
Here is the pamphlet they let me take… saved and documented. They take down hardware addresses and more, and would not allow lawyers on the scene or for me to witness their search. Here are all the pages of the pamphlet:
As a tech worker and privacy advocate for all I was rightfully not thrilled. I still need to buy new hardware, I had no idea this was the case as far as data storage and 15 years but figured they probably upload malware and all that fun stuff. Neat. I have been a citizen my whole life.
Reading through the comments now, I am glad I learned a little. If they pull the stunt again I will happily deny and wait however long and just rebook a flight and maybe hire a lawyer. It’s a gross abuse of power.
US CBP and other national border agencies change target priorities from time to time, which is reflected in the questions they ask you.
I recently had a long discussion with CBP about my Canadian passport showing a US birthplace. Under a repealed section of the INA my US nationality lapsed some half a century ago and I suspect a call was made to the Port Manager. Since then my entries have not discussed this point which leads me to suspect their system has been updated.
The current question is your plate number (already displayed by the camera). You need written permission from the vehicle owner to cross the border, even if the owner is family.
Border officers may also have quotas for more thorough examinations.
I remember a lawyer on radio saying that they take "naked" laptops across the border.
Most definitely DO NOT cross ANY border with anything that in the most remote possibility would trigger the interest of customs.
To sanitise a phone or tablet, fill it with dashcam video, encrypt and factory reset. Then set it up with a fresh Google or Apple ID.
Maybe leave your sim card at home.
Having repartitioned a tablet, I discovered that there is a massive amount of hardware data in partitions that most people are totally unaware of.
Of course the official response is what you would expect:
“CBP officials declined, however, to answer questions about how many Americans’ phone records are in the database, how many searches have been run or how long the practice has gone on, saying it has made no additional statistics available “due to law enforcement sensitivities and national security implications.””
I mean, that's great and all, but IIRC this Supreme Court has been instituting a policy of Absolute Immunity related to immigration issues via Egbert v. Boule. If one has absolute immunity, the law simply isn't a concern for federal border security.
From what I understand, the border is a sort of wild west in terms of citizens rights and lack there of. As usual with those seeking power and greed, boundary conditions that are not clearly defined are optimized around for their goals. Where do your rights begin and end as a US citizen? That's ignoring all the giant carve aways in your rights when it comes to reentry.
Much of it's quite silly in the era of technology and current society scales anyways where most the nonsense they could be concerned about being on your personal phone in terms of data can be conducted right inside the border without ever leaving. So the excuses for cloning phones and archiving data outside of another loophole that let's them spy on US citizens are pretty limited. Anything on your phone they could be concerned about can be archived, encrypted, and tucked away somewhere on the internet that's far less tracable. So what information do you really need? Outside of the really stupid criminals (who will eventually learn to be more sophisticated and evade these approaches), what do you expect to catch?
Also, I'm sure the US isn't the only country that does this. So if you travel internationally at all, you're essentially boned when it comes to personal privacy.
They will get a $5 wrench and beat you until you give it up yourself, per XKCD https://xkcd.com/538/
In other words: this isn't a technical challenge, either you comply and give them your private stuff, or you're not going anywhere. Maybe you can con them into giving a 'public' part of the phone and pretending that's all there is, but again, that's social engineering and not a technical challenge.
The elephant in the room in this case is that at a most basic level a State is an entity that maintains a (near) monopoly of violence in a given area. Being a normal law-abiding citizen just means that you are currently functioning in an area where the State's goals somewhat coincide with you living with some degree of freedom and comfort. Or at least they have no current incentive to mess with your life. But the whole system of laws we see as normal is just an abstraction that masks the balance of power which is in itself not that different from gang warfare at a higher scale.
When you are disturbed by having your phone searched, what is happening is that the balance has shifted a bit against your favor, and you subconsciously realize that your position is not as safe as it once was. But it was never truly safe, just stable in a certain point and time. The fact that you are not a criminal is irrelevant, because respecting or not respecting the law is very relative. The mental separation between the criminal and the law-abider is fictional in that both are just on a spectrum of usefulness and loyalty to the State.
>Any malicious person savvy enough to pull off a crime of interest...and they have to know this.
You'd be amazed at how many dumb things smart criminals/people can do. Maintaining proper OpSec is hard. It only takes one mistake to give the LEOs a string to pull to unravel the whole sweater.
Everything else, I tend to feel the same way as you. Just wanted to mention the OpSec part
I just just reading this Bloomberg story about a Chinese spy who was busted. It’s mind boggling how sloppy even state backed malicious agents are at information security.
No because if it's standard, they will ask you to disable travel mode and download all the data. You can say no, but you can't refuse and cross the border.
>>So, what is the point in doing this if not to target law abiding citizens.
It's the old rule known to governments all over the world - there is no such thing as an innocent citizen, there is only a citizen who you haven't investigated enough. Call me cynical but storing ALL of your digital data allows the agencies to basically find something, anything, that will allow them to further blackmail you into complying. Even the most innocent person will have something that can be misconstrued as criminal, from jokes about tax evasion to pictures of your toddler in a pool - threaten going to trial if the person doesn't do X, and most people will comply, not because they aren't innocent, but because the might of the American justice system is such that you really don't want to fuck with it on the receiving end.
> 1. Any malicious person savvy enough to pull off a crime of interest to the Feds is smart enough to provide a wiped or burner phone to DHS/ICE, and they have to know this. So, what is the point in doing this if not to target law abiding citizens.
This isn't even remotely true. See for example the recent Anom honeypot[1]. Criminals do more or less the same things that ordinary citizens do, and often have strictly worse security practices because they believe "ordinary" things are weaker. This makes them great targets for snake oil.
That being said, I agree with (2). It's simply an unnecessary risk to keep this much data around for this long.
I believe there was a defcon talk about this but for the life of me I can't find it. My advice is to epoxy your lightning port closed (or snip the data connection inside the phone) and use wireless charging exclusively.
My guess is it would be like setting up a trap gun and putting a sign on the door warning about it. Still illegal. But I'm a rando on the Internet and a loooooong ways from being any kind of lawyer, and I didn't stay in a Holiday Inn Express last night, either.
> I give them the password to unlock it (otherwise they would seize the phone)
IIRC, I've read they can only hold your phone for 30 days or something like that, then they have to return it to you. They can delay an American citizen, but they can't deny entry.
Ever since then, I travel with a travel phone, make sure my photos are backed up when I cross a border, and shut it down before I go through border control. If they demand a password, I'll put up a little fuss and then let them take it.
If you don't read the 'Accept Me' On most random websites nowadays, most people are just openly giving up access to their devices/data without even knowing it.
At the passport control kiosks, they can just scan your face and give you an exit ticket. It was super quick, and surprising. I was able to skip talking to an immigration agent completely. They can do this because they have photos of me from previous kiosk visits, and because they can restrict the universe of photos they need to check to just those who were on recent flights. I wonder how well it works for twins traveling together or something. For any level of uncertainty, they can just have you go talk to a human instead.
Were you on the illusion that they didn't have your biometric data? Or that they didn't have the passenger list with your name in it? Those two are pretty transparent (and honestly, not a big deal).
One approach would be to upload everything, wipe the phone, then log back in but not connect to iCloud (or Google).
Once you've cleared the border, go to a coffee shop and download over their WiFi. Or not, if you're on a unlimited data plan.
That has the advantage of requiring only one phone but would definitely look like you were hiding something. So your approach of a travel phone is better.
Article is centrally focused on warrantless privacy violations: 15-year data retention, database access without warrant or documentation, and extraction of sensitive personal information (messages, photos, contacts).
FW Ratio: 67%
Observable Facts
Article states CBP 'keeps any information it takes from people's devices for 15 years' in a database accessible to thousands.
Article reports CBP takes 'sensitive information from people's devices, including text messages, call logs, contact lists and even photos and other private information.'
Page contains multiple ad placements with tracking parameters indicating surveillance-based ad model.
Article quotes Senator Wyden: 'CBP should not dump data obtained through thousands of warrantless phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans' personal data whenever they want.'
Inferences
The article's detailed criticism of warrantless surveillance, indefinite data retention, and unmonitored access strongly advocates for privacy protection against government overreach.
The domain's own tracking infrastructure (visible ad parameters and consent mechanisms) creates structural tension with the editorial advocacy for privacy protection.
Article strongly criticizes government seizure of devices and unrestricted access to personal data as violations of liberty and security, advocating for warrant requirements.
FW Ratio: 67%
Observable Facts
Article states: 'border authorities are exempted from having to' secure a warrant before accessing device contents.
Article reports that if travelers refuse to unlock devices, 'authorities could confiscate and keep them for five days.'
Inferences
The article advocates for legal protections (warrants) that would limit arbitrary government power to seize travelers' devices and data.
Article emphasizes that CBP conducts 'indiscriminate' device searches and data collection without suspicion of criminal activity, violating presumption of innocence.
FW Ratio: 67%
Observable Facts
Article quotes Senator Wyden: 'instead of allowing "indiscriminate rifling through Americans' private records without suspicion of a crime."'
Article reports searches occur with 'as many as 10,000 devices every year' without indicating suspicion criteria.
Inferences
Routine, suspicionless device searches treat all travelers as potential suspects, violating the presumption that citizens are innocent unless there is evidence of criminal conduct.
Article advocates for fundamental human rights and freedom against arbitrary government surveillance, aligning with Preamble's emphasis on human dignity and universal rights protection.
FW Ratio: 67%
Observable Facts
Article quotes Senator Ron Wyden stating: 'Innocent Americans should not be tricked into unlocking their phones and laptops.'
Article reports CBP practices add data from approximately 10,000 devices annually to a searchable database.
Inferences
The article's focus on protecting citizens from unrestricted government surveillance aligns with the Preamble's foundational commitment to human dignity and rights.
Article emphasizes government duty to respect legal order: warrants, documentation, informed consent, and limited search scope.
FW Ratio: 50%
Observable Facts
Article emphasizes that 'law enforcement agencies are typically required to secure a warrant if they want to access the contents of a phone or any other electronic device,' implying CBP should follow same rules.
Inferences
Article advocates for CBP to operate within legal frameworks that require warrants, documentation, and accountability—core social order mechanisms.
Article implicitly addresses dignity by criticizing government treating Americans as subjects of unrestricted surveillance without individual consideration.
FW Ratio: 50%
Observable Facts
Article emphasizes that travelers are searched 'indiscriminately' without individual suspicion or warrant.
Inferences
The framing of CBP practices as indiscriminate surveillance undermines equal dignity and individual respect.
Article emphasizes government duty to respect individual rights and limit surveillance power, framing CBP practices as duty violations.
FW Ratio: 50%
Observable Facts
Article quotes Senator Wyden proposing that CBP 'update CBP's practices so that device searches at borders are focused on suspected criminals and security threats.'
Inferences
Article frames the issue as government failure to fulfill its duty to balance security with individual privacy rights.
Article notes that CBP officers can access database 'without having to record the purpose of their search,' suggesting unequal and unaccountable application of power.
FW Ratio: 50%
Observable Facts
Article states 2,700 CBP officers can access the database 'without having to record the purpose of their search.'
Inferences
Lack of accountability mechanisms (not recording search purpose) indicates unequal protection and enables selective, unmonitored government action.
Forced device searches without consent or proper legal process could be framed as degrading treatment, though not explicitly addressed as such.
FW Ratio: 50%
Observable Facts
Article describes compelled device unlocking under threat of confiscation as a government practice.
Inferences
Forcing travelers to unlock private devices without warrant or legal process has implicit degrading dimensions, though article focuses primarily on privacy and liberty concerns.
Page contains TCF consent framework and GUC consent tracking with multiple data collection categories (precise geolocation, cross-device mapping, account matching, search history). Cookies and tracking are extensive but disclosed in consent mechanism.
Terms of Service
—
No ToS visible on-domain in provided content.
Identity & Mission
Mission
+0.10
Article 19 Article 27
Mission statement indicates commitment to technology news and expert reviews ('Find the latest technology news and expert tech product reviews'). Aligns with free expression and access to information.
Editorial Code
—
No editorial standards document visible on-domain in provided content.
Ownership
+0.05
Article 19 Article 20
Engadget owned by Yahoo/Oath (NewsMediaOrganization). Large corporate ownership may support editorial independence but not explicitly verified on-domain.
Access & Distribution
Access Model
+0.10
Article 25 Article 26
No paywall or subscription requirement observed. Content appears freely accessible, supporting universal access to information.
Ad/Tracking
-0.20
Article 12 Article 17
Multiple ad placements visible with responsive ad containers (#_R_ailfaiv5tilbH1_, #_R_iilfaiv5tilbH1_, #_R_qilfaiv5tilbH1_). Ad network tracking (xsmr, bid, rid parameters) indicates surveillance-based advertising model.
Accessibility
+0.05
Article 25 Article 26
Responsive design visible (media queries for mobile, tablet, desktop viewports). No explicit accessibility features (alt text, ARIA) observed in provided content, but technical structure supports basic access.
Page contains TCF consent framework and ad tracking parameters (xsmr, bid, rid) indicating surveillance-based advertising; domain engages in user data collection.
build 1ad9551+j7zs · deployed 2026-03-02 09:09 UTC · evaluated 2026-03-02 11:31:12 UTC
Support HN HRCB
Each evaluation uses real API credits. HN HRCB runs on donations — no ads, no paywalls.
If you find it useful, please consider helping keep it running.