Border agents can search your laptop without a warrant.

Short answer

At a US port of entry, a border agent can search the entire contents of your laptop, phone, and any other device with no warrant, no probable cause, and no suspicion required. This is settled law. The question is not whether it can happen. The question is what you do about it before you travel.

What the law actually says

The border search exception to the Fourth Amendment allows warrantless searches at US ports of entry. Courts have consistently upheld this exception. In 2018, the Ninth Circuit ruled in United States v. Cano that border agents can conduct basic searches of devices without any suspicion at all. More invasive forensic searches require reasonable suspicion, but the standard for what counts as basic versus forensic remains contested and varies by jurisdiction.

In practice, agents at US airports and land borders have broad authority. They can ask you to unlock the device. They can copy the contents. They can detain the device. You can refuse to provide a passcode, but refusal can result in the device being seized and forensically examined later, or in you being denied entry if you are not a US citizen.

The same search authority exists at the borders of most countries with active border security operations. The UK, Canada, Australia, and the EU member states all have equivalent frameworks, with varying standards for what level of suspicion is required before the search can begin.

The trend is hardening rather than relaxing. The recent Hong Kong amendment that made device unlock refusal a criminal offence codifies what the US framework leaves to enforcement discretion. Other jurisdictions are watching.

What they can actually extract

A basic manual search means an agent scrolls through your device visually. They look at recent messages, photos, contacts, browser history, and open applications. This takes minutes and covers whatever is immediately visible.

A forensic search using tools like Cellebrite or GrayKey extracts far more: deleted messages, app data, encrypted messaging metadata, location history, and cached authentication tokens. Documented forensic extractions from seized devices show that a 7-character alphanumeric passcode on a locked iPhone was bypassed in six hours. That timeline shortens as tools improve.

Cloud data is separate from the device but not necessarily protected. If the device is authenticated to cloud services at the time of search, an agent can access those accounts through the device. Logging out of cloud services before crossing means the data is not present on the device, but the agent can still ask you to log in.

Who this affects most

Journalists carry source contact information. A border search that accesses messaging apps or contact lists can expose people who trusted a journalist with their identity. The technical protocols for source protection exist precisely because this exposure is real and documented.

Lawyers carry privileged client communications. Attorney-client privilege does not automatically protect devices from search at the border. The legal status of privileged material discovered during a border search is contested and has been litigated with inconsistent outcomes.

NGO workers operating in sensitive regions carry contact information for beneficiaries, field partners, and local networks. A border search can expose those networks. Documented cases show NGO workers consenting to searches under pressure and the access that followed.

Anyone returning from a high-risk region may face more scrutiny regardless of citizenship. The legal authority exists. The use of it is discretionary and often arbitrary.

What you can do before you travel

The most effective protection is a travel device that contains nothing sensitive: a separate phone or laptop, set up with a clean account, no personal data, and only the applications needed for the trip. If it is searched, nothing useful is found. The full travel security checklist covers this preparation in detail.

If a travel device is not an option, log out of sensitive applications before crossing. Not just cloud storage. Messaging apps, email, banking, anything that contains data you would not want read aloud in an airport. Logging out means the data requires authentication to access. It does not prevent agents from asking you to log in, but it removes the automatic access.

Disable biometric unlock. In the US, courts have treated biometric authentication differently from passcode authentication. Compelling you to provide your fingerprint or face scan has been allowed in some jurisdictions where compelling a passcode has not. The legal landscape is unsettled, but the practical risk is clear. A passcode you keep in your head is more protected than a fingerprint that is on your hand.

Use 1Password Travel Mode if you use 1Password. Travel Mode hides designated vaults at the device level. A border agent performing a device inspection finds no trace of the hidden vaults. The vault is not locked. It is absent. This feature exists specifically for this scenario.

Frequently asked questions

Can I refuse to unlock my device at a US border?

US citizens can refuse. Refusal may result in the device being detained. Non-citizens who refuse can be denied entry. The Fifth Amendment protection against self-incrimination in the context of device passcodes has been argued inconsistently across courts. Do not rely on legal uncertainty as a practical strategy at the border.

Does encryption protect my data?

Encryption protects against remote access and against forensic extraction when the device is powered off and locked. It does not protect against being asked to unlock the device in person. An unlocked device with full-disk encryption is as accessible as an unencrypted device to anyone holding it.

What happens to data copied from my device at the border?

CBP policy allows copies of device data to be retained for up to 75 days for review. The data can be shared with other agencies. There is no requirement to inform you what was copied or how it will be used.

Are foreign nationals treated differently than US citizens at the border?

Yes, in one critical respect: a non-citizen who refuses to unlock a device can be denied entry. A citizen who refuses can have the device detained but cannot be barred from re-entering the country. This asymmetry shifts the calculation of what counts as a refusal and what counts as cooperation under duress. For green card holders the situation is more contested. For visa holders, refusing is rarely a viable answer in real time. The travel device approach handles all three cases the same way: there is nothing to refuse, because there is nothing to find.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
