Traveling to a country known for mass surveillance. How can I protect my data/privacy?

For this answer I’m assuming you are a normal traveler, who is concerned about their privacy. This means you’ll want to take your own phone and devices, and you won’t want to spend a lot of time and hassle on things like throwaway devices.

People who are under a specific threat, such as journalists or human rights activist, will have to take much more stringent measures which aren’t covered here.

Also I’m not going to discuss things that you’ve published on the internet (e.g. tweets or facebook posts), or the case where the government in question can get the information directly from the servers (e.g. if Facebook gave them access). Those are “out there”, and most impossible to retractively control.

Why does it concern me?

As noted elsewhere, millions of people visit countries like the US, UK, China or Turkey without a hassle and without being systematically searched. However it does happen.

Furthermore, if it happens to you is outside your control. It is not like “you only get checked if you did something”. Reasons for a digital check might include:

• You have the same name as someone on a watchlist
• An unfriendly neighbor reported you to the authorities
• You fit into a “profile” that makes you prone to checks (e.g. you are from a specific country, have a specific gender, age , non-white, you have bee to a “suspicious” country in the past, …)
• You are “randomly” selected for screening

When people tell you “it never happens”, it means just that it never happens to people like them (e.g. white, well-off tourists).

Also, don’t be fooled that those searches are only about “terrorism” or violent crime. A young woman visiting extended family may have her WhatsApp searched just to check if she’s taking an illegal Au-Pair job, for example.

Am I fine if my device is “secure”?

Modern phones and computers are often “secure” in the sense that they are almost impossible to access without the proper password; at least not by a border guard.

That makes no difference.

If they want to search your device, the agent will simply ask you to unlock it. They are legally entitled to do so, and they can refuse entry if you don’t. For a normal traveler this is actually worse than having someone look at their Facebook.

The only solution is to not have the data on you when you cross the border.

If you do plan to not allow access, though, you should disable all biometric login methods (face, fingerprint) while in transit.

What could happen?

As an average tourist, if you do raise flags the most likely outcome would be that you are held and questioned and possibly refused entry and sent home. The high-profile cases you see on the media will either involve someone who is of particular interest (e.g. because they are activists) or who have ties to the country already, or both.

Of course worse things sometimes happen (and depend on the country in question), but at the border they are generally only interested if letting you in is going to be a problem. Countries don’t usually want to cause incidents with random tourists for no particular reason.

At least that is true for most countries – you should still read your government’s travel warnings.

General rules would include:

• Answer questions truthfully, but don’t volunteer any information on your own
• Be friendly and cooperative (you are legit after all)
• If they ask you to unlock your device, do so (especially if you removed sensitive information beforehand)
• You can contact your embassy when you are accused of a crime; but they won’t help you “get in”

What can I do?

• Bring only the devices you actually need
• Delete all apps that have confidental content (e.g. social media apps, email, messaging apps)
• Remove your email and messages from the built-in apps
• Log out of all websites that have confidential content, and clear your browser cookies
• If you use a password manager (which you should), remove it from your device and keep the data in the cloud. 1Password, in particular, has a “travel mode”, which wipes passwords from your devices when enabled, and restores them afterwards.

In general, only wipe things that you actually care about. If you show up with a “blank” device, that may also raise a flag.

You can then restore everything after you cleared immigration.
If you care about your photos, you could back them up to the cloud before crossing the border, and delete them from the device.

Especially in countries like China you should also consider using a VPN, which decreases the chance that the local ISP can intercept or block your connection.

Also, travel without company data. For company trips, companies often have specific rules on what you can do with their data. You may even be liable if it gets exposed in such a situation and didn’t follow company rules.

Will they bug my phone?

For normal people: Most likely not. If you don’t unlock it there is a chance that they may take it away to unlock it with specialized equipment.

Bugging your phone is work, and there is a risk that you discover how they did it and go public and figure out a way to prevent them. They won’t do that for just the offchance that you might say something midly critical of their leader to your online friends.

Mass surveillance is usually done through other means than bugging people’s phones at border posts.

However, if you are separated from your device at the border you can either:

• Trust that it is fine
• Factory reset the thing and hope that it is enough
• Treat it as compromised and throw it away
• Have it inspected by an expert for backdoors

While the chances are remote, it is ultimately your decision what to do.

Caveat

In the end, you’ll have to make up your own mind about what you want to do. The above is my personal understanding and analysis. As those cases are very, very rare it is almost impossible to find enough people with personal experiences to discover a pattern…

If I were sufficiently paranoid, …

I would assume the operating system itself is "safe." For an iPad or IOS, I would backup to my laptop and reset to factory settings. Then re-install only those apps I intend to use while traveling. (If you suspect something unwanted has been installed, reset again.). I presume one can do something similar with Android or Windows Phone.

For the laptop, I would store my entire user account in a cloud account, delete the account, reinstall a clean O.S., and re-install the user account after arrival. If this is not possible in China, it might be worthwhile to pack the account into a compressed and encrypted backup on an SD card, hide that in a digital camera, and hope they don’t find it.

Generally, the SD card in a digital camera has a file system with specific directories the camera uses, and using the camera alone will not reveal those files exist. Snoops wanting to check would have to remove the SD card and put it in a computer (or mount the camera via USB as a "disk").

In my close to 30 years traveling to China and the US which you tagged I have never had a border agent or anyone else even touch my electronics much less take it away from me for even 1 second, on planes and going through security etc I always keep devices powered off anyway just to save battery but it also stops anyone remotely trying to install things since I don’t care how good of a hacker you are you ain’t that good that you can install on a turned off device.

The only surefire way to avoid the possibility of your data being viewed in these countries is don’t carry data in any form. The only surefire way to avoid the possibility of having your devices’ OS augmented by governmental addition is don’t carry any devices.

As the other answer notes, you can minimize the risk by carrying disposable devices with minimal, nonoffensive data. You can maintain your data solely in the cloud, but be careful not to carry software that will allow snoopers to identify those accounts, or worse, allow them access.

One option would be to not have any devices with you. Buy a cheap phone when you arrive in the country, use it in the country, and then discard it, sell it, give it away, or whatever before you go back home. That way your primary device with personal and company information is not placed at risk. Alternatively, buy a cheap device in your own country, and put a minimal clean social media profile on it so it won’t seem suspicious.