Sidd Bikkannavar, an engineer with NASA, flew out of the US on January 15, when Barack Obama was still the president.
He flew back on January 30, a week into the administration of Donald Trump and four days after the issuance of an executive order restricting travel from seven predominantly Muslim countries.
Judging by what Bikkannavar told The Verge, he also flew back into a whole new experience at the airport, where he claims to have been detained by US Customs and Border Patrol (CBP) and pressured to hand over his NASA-issued phone and the PIN to get into it – even though it could have contained sensitive information relating to his employment at the space agency.
Should this have happened? Bikkannavar is, after all, a natural-born US citizen. He’s also enrolled in the CBP’s Global Entry program, which allows expedited clearance for pre-approved, low-risk travelers upon arrival in the US.
Perhaps the timing of his detention had nothing to do with who was sitting in the Oval Office or the “extreme vetting” of foreigners that Trump has vowed. We only know his side of the story, since the CBP isn’t in the habit of putting out press releases about whatever possibly reasonable suspicions they might have about a traveler that would lead agents to detain that traveler.
In other words, this might not have been news at all a month ago. It could have been some random CBP detention and search of a phone. But in the current political climate the story feels much more weighty.
His Facebook update about the incident had been shared more than 2,000 times as of the Verge’s writeup. A tweet from a friend who shared Bikkannavar’s experience was also shared more than 9,000 times as of Monday evening.
At any rate, according to Bikkannavar’s account, this is what happened.
He arrived in Houston early Tuesday morning on January 31. After his passport was scanned, he was detained by CBP, who escorted him to a back room and told him to wait. A handful of other people were in the room.
After 40 minutes, an officer called his name, then led Bikkannavar into an interview room, where he explained that the CBP needed to search his possessions to ensure he wasn’t bringing anything dangerous into the country.
The officer presented Bikkannavar with a document titled “Inspection of Electronic Devices” and explained that CBP had authority to search his phone.
Bikkannavar didn’t want to hand over the phone. It is, technically, the property of NASA. He even showed the officer the JPL barcode on the back of phone.
I was cautiously telling him I wasn’t allowed to give it out, because I didn’t want to seem like I was not cooperating. I told him I’m not really allowed to give the passcode; I have to protect access.
The CBP wasn’t dissuaded. The officer insisted the CBP had the authority to search the device.
Bikkannavar wasn’t allowed to leave until he gave CBP his passcode. The document the officer gave to Bikkannavar had listed a series of consequences for failure to offer information that would allow CBP to copy the contents of the device, and Bikkannavar had no interest in exploring those consequences, he said.
It mentioned detention and seizure.
Ultimately, he handed over the phone and passcode. The officer left with the device and returned after 30 minutes.
Eventually, Bikkannavar was given back his phone. He immediately turned it off, since he knew he’d have to hand it over to the Jet Propulsion Lab (JPL) IT department, which would check what data had been copied and whatever might have been installed on the phone.
The JPL was none too happy about the incident. As it is, NASA employees are obligated to protect all work-related information.
this is from an IRL friend of mine. this is NOT my america. EVER. #MuslimBan Siid is a US Citizen. @CustomsBorder u say “Welcome Home” #NASA pic.twitter.com/W4UtF88rJy
— Nick Adkins (@nickisnpdx) February 6, 2017
Did the US government have the authority to search his phone?
There’s no clear answer, according to Orin S Kerr, a research professor of law at George Washington University. Writing in the Washington Post, Kerr said that courts have disagreed on what the standard is for computer searches at the border. In some, but not all, cases, the courts have decided that CBP requires reasonable suspicion to use a Cellebrite Physical Analyzer to search a phone’s contents.
What’s also unclear is whether the CBP had the authority to compel Bikkannavar to give up his passcode… or whether he could be detained until he did. From Kerr’s article:
Imagine the agents said, “If you want to go home today, tell us your passcode and we’ll release you right away. Otherwise, you’re going to be here a while.”
Does that put so much pressure on a person that it coerces him or her to disclose the passcode? I’m skeptical of that, given the pretty high bar of the voluntariness cases. But it’s an argument.
What would/should YOU do?
Besides slicing and dicing the legal nuances of the case, there’s the question of how to protect yourself from being forced to divulge your most personal details – or even the work-related information on your phone that you’re obligated to protect – in such a situation.
Wired recently published a guide to getting past customs with your digital privacy intact, and it’s well worth a read.
One thing to note is there’s no silver bullet. For example, if you set up two-factor authentication on your phone so that your online accounts require a temporary passcode that’s texted to you, then remove your Sim card (perhaps mailing it to your destination) so that you can’t get at the SMS messages, you might plead inability to unlock with the CBP.
But just how well will that go over with the agents? As Wired notes, it could easily spike their suspicions and lead to lengthy detention and intense grilling.
If you have suggestions on how to avoid having your privacy invaded at the border, and how to do it without unintentionally baiting the border guards, please do share in the comments section below.
29 comments on “Border guards force US citizen to unlock his NASA-owned work phone”
“We only know his side of the story”
And it is wise for everyone else to avoid drawing definitive conclusions as well. There are a number of possible scenarios, including but not limited to:
A cowboy border agent
Poor agency management
A planned setup (the person not insisting to speak to the agent’s superior is curious)
Activism (Exactly who is Nick Adkins? By his hashtag, he clearly doesn’t understand the Executive Order)
Lots of alternative facts to consider.
Billy, since the order doesn’t apply to US Citizens at all, I’m leaning toward “A cowboy border agent” or “Poor agency management.” For thr record, I know Sidd so it’s not fake news.
I have mixed feeling regarding this…..I think NASA should’ve been contacted regarding the phone.
i would hand them my work phone and say you can keep it, but i am not giving you my psk
I probably would too.
Back your phone up before you travel and then delete everything off it. No address book or social media apps and tell them that the phone is new to you and you haven’t set it up yet. Might that work?
Don’t lie. If they can show you’ve owned the phone longer than you admit… it won’t be nice.
Be polite and tell them you wiped it recently because it’s good practice to limit the data you carry around with you. Maybe name a recent data breach as your motivation.
This was his work phone so he couldn’t delete info off of it. I have work apps on my phone. But our security is set up so that you can be in the phone but not have access to the work apps without another password. Sounds like NASA need to get on board with higher security if they were able to access sensitive info from just his phone password.
Unfortunately the best option is to not have any devices.
2nd. One you can wipe right after they look at it, to get rid of the spyware.
3rd. Dual boot, one for prying eyes, the other for yourself (not likely)
In any case, it should be disposable to you.
I would tell them get a court order. Call your attorney or company’s attorney before you speak. If you do this then you are protected. Work phones with sensitive data need more than a passcode but sadly most don’t even have that.
It’s easy, use 2 sets of devices, one for travelling which contain no information and other for real life outside the US border authorities’ reach.
Seems like JPL should make a policy to address this sort of thing. It may prove prudent for others to do the same. Should an employee of an agency be detained, simply provide them a contact to said employer for authorizing access.
I think this incident has exposed a grey area, in who has the right to access what. US citizens travelling outside the continental US should be informed by the CBP if this is a new mandate, so that the traveler can be aware beforehand, what may happen upon their return.
I think this should be handled through the legal team at NASA.
Personally I would not have surrender my PIN, unless advised to do so by NASA.
…yet another reason for staying in Europe, where you don’t need to be afraid of toddlers with guns…
Should have called JPL and let them make the decision.
You have few rights at border crossings. It’s just how it is, get over it.
Doesn’t it depend on your citizenship? It is my understanding that every US citizen has to be granted entry to the U.S. sooner or later. Only foreigners can be denied entry (I’m not sure about stateless persons).
You get a lot of thumbs down – but hopefully it’s because they don’t like this is true.
You can be kept, without access to outside communication for hours on end, asked any questions they want, searched – the powers of border agencies is almost unlimited.
For personal services, 2 factor auth is the way to go. Instead of your cell number, use a google voice number registered to your google account to receive the one time passcode. just be sure to remove the application from your phone before you come back in to the country. you may also go as far as removing gmail before you cross the boarder.
The only real answer to this problem is to start actively rolling back the ever-increasing tide of fascism in this country. Read the Fourth Amendment about people being secure in their persons, their papers, their places, their things. It’s much more than a problem of a cowboy agent it’s a problem of the cowboy government that no longer follows the highest law of the land which is called the Constitution. Then there is the ever increasing tide of police violence and abuse against quite often innocent citizens.
It is long past time for the American public to start saying NO! We need to start standing up for our rights in an absolutely unmistakable fashion that leaves no question that we are done being pushed around and abused by our own government.
Stories like this gentleman amount to no more than social rate of the American public by the ever-increasing fascism of our government and petty bureaucrats who aspire to godhood.
One possible way – backup the phone to a cloud service before you leave; reset the phone removing all data and just put the minimum on to get by but with a different account (so you are not giving access to your real cloud data). Then after you have got in, restore your phone from the real cloud data.
The downside with this is that it would probably take time to re-enable all the 2 factor authentications – I have at least 4 on my phone. I would probably use my previous phone and set it up for the minimum, and then follow the procedure above.
Should have added – the requirement to hand over passwords for all social media accounts and examination of phones etc means that I will no longer be visiting the US as a tourist. In my work I have managed R&D projects with various nationalities, so that I am bound to be targeted by association. I can foresee that the US tourist industry will soon take a hit, just as the UK is now reporting a huge shortage of workers because Brexit has dramatically reduced the number of EU workers prepared to come to the UK to fill vacancies.
Maybe I am missing something here. Isn’t there still an ongoing debate about if even judges have the authority to request passcodes for phones form people? If it’s questionable if even a judge is allowed to order you to give up your passcode, how can the CBP have that authority? I get that they might just not let you in if you don’t do as they say, so that might compell a lot of people. But that doesn’t make it legal, does it? And in this case, even more curious, what would (could?) they do to a US citizen if he doesn’t give them his passcode? They can hardly keep him from getting in his own country can they?
In the US, it’s commonly said that borders constitute a “Constitution-free zone.” That’s not strictly true, as the ACLU notes (https://www.aclu.org/other/constitution-100-mile-border-zone), but search rules certainly are different than outside of these so-called ports of entry. From the ACLU: “At border crossings (also called “ports of entry”), federal authorities do not need a warrant or even suspicion of wrongdoing to justify conducting what courts have called a ‘routine search,’ such as searching luggage or a vehicle.”
That is very frightening. And such a “constitution-free” zone sounds rather unconstitutional. Good thing I don’t plan on visiting the US any time soon.
Seems like another good reason to leave the USA to its paranoid isolation!
Lord, I wish I could argue with that.
I’ll stay and fix it. The boat hasn’t sunk yet.
We haven’t had a good Captain for a loooong time. The new one is trying, making mistakes, but it hasn’t been 2 months yet.
I was already freaked out by being finger printed when I visited the States last time. I’m worried about travel when the UK leave the EU – I have become so blasé about walking through EU borders. I won’t be travelling to the States anytime soon, but I will certainly be buying a new phone when I do, with a new disposable sim card and filling it with photos of kittens.
If this story is true, even if it was one employee using his power without understanding it, it’s really scary.