The Department of Homeland Security has a plan to demand social-media passwords from travelers seeking to enter the United States that could set the government on a collision course with social-media companies and their users. The plan would formalize a never-implemented and voluntary plan first proposed under the Obama administration.
On Tuesday, Trump-appointed Homeland Security Secretary John Kelly explained to the House Homeland Security Committee that officials could soon start demanding the social-media usernames and passwords of visitors to the United States from any of the seven majority-Muslim countries named in Trump’s recent executive order on immigration.
“We want to get on their social media, with passwords: What do you do, what do you say?” Kelly said, according to NBC News. “If [you] don’t want to cooperate, then you don’t come in.”
Kelly also indicated that officials want to see visitors’ Web-browsing history. He said they might demand that travelers “give us their password so we can see what they can do.”
While Kelly made it clear to Congress that demanding travelers’ log-in credentials is one of several yet-to-be-implemented plans to more strictly vet people who wish to enter the United States, the fact that it is being discussed at all concerns legal and computer security experts.
Privacy protections under the U.S. Constitution against unreasonable search and seizure are harder to enforce at the border because of the government interest in controlling who and what enters the country. However, demands that travelers share their passwords could fall afoul of several international laws, as well as the common security advice of numerous social-media sites. When the Obama administration proposed a similar rule in June 2016, tech companies opposed it.
Facebook advises its users to “never share” passwords. “You should be the only one who knows it,” the social-media behemoth says. LinkedIn advises that its users “never” give out their passwords, “or write it down.” Twitter gets even more specific: “Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.”
Similarly, Snap cautions against sharing passwords with “other people, applications, or websites.” And because of the instant-read nature of the Snap service, users would likely miss messages, were their Snap accounts accessed by a third party.
The Department of Homeland Security did not respond to a request for comment. However, in the wake of President Trump’s executive order on immigration and refugees, some people already have been subjected to more invasive searches of electronic accounts.
Fred Jennings, a digital-rights attorney at New York City law firm Tor Ekeland, told The Parallax that he has documented the forced searches of several travelers’ electronic devices and accounts by Customs and Border Protection agents since the executive order was signed on January 27. And because at least one person whose phone was temporarily confiscated is a U.S. government employee and U.S. citizen, he and others are investigating whether the plan has already been implemented—and how broadly it might apply.
Al Gidari, the director of privacy at the Stanford Center for Internet and Society, says the plan could violate the standard set in United States v. Cotterman, which held that electronic devices cannot be subject to forensic search at the border without a cause for suspicion.
“As a general proposition, there’s a threshold legal standard that says that if there’s a reasonable suspicion that somebody would have child porn, for example, then you’re allowed to engage in a more intrusive search,” Gidari says. “But if those factors are not present, then you can’t do it, and it’s not constitutional.”
Gidari also says the proposed DHS requirement likely will not only violate the sections of the Convention on Cybercrime treaty and Executive Order 12333 stating that the U.S. will not access a foreign server without permission, but could even lead to other governments subjecting U.S. citizens to similar measures when traveling.
“The major risk of violation is when the U.S. accesses a server [such as a social-media service host] in a foreign jurisdiction under the Cybercrime Convention,” he says. The DHS plan is “ripe for litigation if they do it, and it’s ripe for retaliation if they do it.”
The proposal, as Kelly described it to Congress, could decrease consumers’ overall security, says Tarah Wheeler, a senior director of engineering at Symantec and public advocate for consumer security. The issue for her is if government access to an account determines whether a traveler can enter the United States.
“If this poorly worded proposal is that I must turn over my passwords, then I welcome it. That’s what two-factor authentication is for—to prevent malevolent actors from getting into my accounts,” she says. “But if the consequence is that I cannot get into the U.S. without permitting a government-sponsored hack of my verified Twitter account, then we have a problem.”
Wheeler also worries about government interference in legally protected communication under the plan. “There’s a fundamental difference between what I’ve chosen to make public on Facebook and Twitter, and the private messages I receive from people on those platforms,” she says. “Some of those messages may even be covered under attorney-client privilege or other confidentiality agreements.”
Kelly made it clear in his testimony before Congress that the plan would be mandatory for people entering the United States. “When they are over there, we can ask them for this kind of information,” he said. “If they really want to come to America, they will cooperate. If not, next in line.”