Lawyers Traveling Abroad: Precautions to Protect Client Data

Warning: TrueCrypt is not secure. See this post for details and information on migrating to BitLocker or FileVault.

About a year ago, I learned that the U.S. was considered “high risk” on privacy and security by the international community because of the Patriot Act. Being blissfully unaware of the contents of the Act, I dismissed this notion out of hand until this spring, when I discovered why: the Department of Homeland Security authorizes both U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) to seize all electronic devices coming into the country and search the data they contain. That includes your smartphone and flash drives.

Although this is not known to occur with frequency, it does occur, and half of those searched have been U.S. citizens. Since they don’t need probable cause, you just might get lucky.

Be Prepared

To prepare yourself for the possibility, Susan Gurley, Executive Director of the Association of Corporate Travel Executives, suggests the following:

  • Understand that no evidence is required to take your laptop
  • Anything can be searched (photos and online bank statements included)
  • Seized devices can be kept for an indefinite period of time
  • Don’t take anything you don’t want to share
  • Be cooperative, but ask for a receipt and badge number if your laptop is confiscated

What You Can Do

Given this scenario, the best course of action would of course be to put all your data in the cloud, leave your devices at home, and arrange for use of necessary devices abroad. Upon returning, load any new data, work product or other information into the cloud and return home device-free. You can always buy an inexpensive cell phone with no data capabilities to get you through the travel time, and take advantage of those great airport book stores to entertain yourself (you remember those days).

Not practical? Let’s take a look at other alternatives.

Mark Nestmann, an international privacy and wealth preservationist, offers these options:

  • Purchase an inexpensive laptop and use it only for international travel. Keep nothing on it except for the operating system and program files. Before you cross the border, “sanitize” it using a program such as Window Washer. When you return to the United States, securely “wipe” any confidential information off your hard drive, along with the “free space,” using a program like PGP Desktop.
  • Back up your data to an online backup site such as Carbonite. Encrypt the data before uploading it, using a product such as PGP Desktop or TrueCrypt.
  • Buy an “unlocked” tri-band cell phone with a replaceable SIM card for international travel. When you arrive in a new country, purchase a domestic SIM card from a local phone dealer.
  • If you must carry sensitive data across the border, encrypt whatever device contains that data. However, CBP officials may demand that you decrypt any encrypted files before you proceed.
  • BlackBerrys and other smartphones come with built-in encryption. However, many smartphone encryption systems have significant weaknesses. A better solution (unfortunately only for Windows Mobile smartphones) may be PGP Mobile.

Two lawsuits have been filed and are still pending. The first was filed in 2008 by the Electronic Frontier Foundation (EFF) and the Asian Law Caucus, requesting clarification of the policies for search and seizure of devices. The second was filed in 2010 by the ACLU, NYCLU and the National Association of Criminal Defense Lawyers on behalf of the National Press Photographers Association, criminal defense lawyers and a student: Pascal Abidor, a 26-year-old French-American citizen whose laptop computer was confiscated at the Canadian border. Abidor was released after being detained for three hours, but his laptop didn’t arrive back home until 11 days later.

In spite of the litigation, I doubt the Patriot Act will be amended anytime soon to modify the unfettered authority of customs, given the sad state of international affairs. Considering options to preserve confidential data needs to be on your to-do list.



  1. The Lawyer Mentor says:

    This is a great article–something that many of us don’t think about. But we should! I’m definitely a proponent of cloud computing, but thank you for offering alternatives for non-converts.

  2. Sam G. says:

    If you are ultra-paranoid about the cloud and don’t trust encryption, you could use VNC (or something like GoToMyPC) to remotely access your computer while you are away. I did this successfully while in Europe a few years ago.

    There are a lot of options for getting your files after you are across the border, but I really think moving your data to the cloud is the best one—as long as you have a service provider you trust (I trust Google and Dropbox, but I know not everyone does).
