
Give us your Twitter, your Facebook, your passwords guarding your free expression

U.S. government is pushing a password-for-entry requirement

“We want to get on their social media, with passwords: What do you do, what do you say?” – Secretary John Kelly

Last week U.S. Secretary of Homeland Security John Kelly told members of the U.S. Congress that the Trump administration wants back-end access to the social media accounts of visitors to the U.S. as a condition for entry. This proposal, floated since the earliest days of the new administration, reportedly would require visitors to turn over passwords not just to social media accounts but also to their personal devices like smartphones.

This would represent a gross human rights violation. Few of us would give direct access to our social media accounts even to our closest loved ones. With that kind of access, federal agencies would see your private direct messages; which private groups you belong to (and who else is in the group); your profile and the profiles of your friends and connections; the activity logs that show what you’ve done using the account; and much more. Turning over your passwords like that would reveal not just your own private information, but also that of everyone you interact with on a private level. Imagine how devastating that would be for people with sensitive information about others, like human rights defenders, lawyers, journalists, activists, and dissidents.

In short, a password-for-entry rule would harm a wide range of human rights: the rights to privacy, freedom of expression, freedom of association, of thought, of religion, and of movement. It is outrageous, wholly unacceptable policymaking.

Here’s a more detailed look at why password-for-entry must never become the rule.

Password-for-entry threatens the human rights to privacy and the freedoms of opinion and expression, association, religion, and movement

If your online communications, location data, shopping habits, interests, and other digital details were used to determine whether you could enter a country, would you be yourself online? Would you make sarcastic jokes? Take part in a protest or any other political action? Join any new or interesting groups that might look suspicious to someone else? Mass surveillance has already changed the way we behave online. Giving a government agency total access to social media at the border would unquestionably have a much deeper chilling effect.

Privacy advocates already warn us that “anything we do online can be seen by anyone.” But under Secretary Kelly’s proposal, the adage would be, “governments will see everything we do, type, or think online.” Social media companies currently use sophisticated algorithms to predict our behavior, and DHS would likely employ the same techniques, even if these strategies have not been shown to work in countering terrorism. A program like the one Kelly proposes would likely fail to achieve any real security goal, while stripping people of the right to privacy, chilling their expression, and harming the right to free association.

Moreover, we shouldn’t expect that a search at the border would end once you enter the country. It’s entirely possible that with this kind of rights-harming policy in place, the government would go even further. Imagine, for example, if you didn’t change your password, and the government found another reason to access your account? Or to install malware that provided continuous back-end access to all of your activity?

Password-for-entry would have discriminatory impact

The Trump administration has already taken steps to implement several policies with discriminatory impact. As we have previously explained, “[t]his administration has made it clear that it has little regard for the rights of many classes of people, including anyone who lives outside of the United States.” For example, the Trump administration reportedly plans to change “countering violent extremism” programs so they focus exclusively, and explicitly, on Islam. It would also reportedly rename the programs, to something like “countering radical jihad.” We condemn any such changes, which, as we argue here, “would put discriminatory intent at the heart of practices that are already discriminatory in application.”

Secretary Kelly’s proposal seems to be following in the footsteps of these proposals; he indicated that a password-for-entry requirement may apply only to travelers from the seven Muslim-majority countries identified in the Trump administration’s travel ban (given that people from these countries are able to travel to the U.S. at all). However, even if it is limited in this way, you can easily imagine how the impact could be compounded. Suppose that a traveler is a member of a private Facebook group that promotes solidarity for Muslims. People who belong to that group could be barred from entering the U.S. based only on membership.

Password-for-entry would be disastrous for digital security

Any system that requires people to hand over their data entails digital security risks, whether an agency misuses or abuses back-end access, or the sensitive data it collects is breached. Those risks grow exponentially when you’re gathering data from potentially millions of travelers. Government agencies might attempt to ensure access by requiring that travelers turn off security measures such as two-factor authentication, a best practice for securing your personal information. Furthermore, many people use their Facebook accounts as an “authenticator” for other websites and services. Private data would then flow through Homeland Security’s communications infrastructure without any guarantee that it would be appropriately protected (consider what happened with the U.S. Office of Personnel Management, and it appears that even the NSA cannot keep its secrets under wraps). Moreover, suppose that border agents do insert malware to ensure continued back-end access to some accounts, as we suggested above. That would leave people susceptible to attacks from malicious actors that exploit it.

Password-for-entry would lead to reciprocal rules. It would also be a logistical nightmare.

After President Trump signed the travel ban on seven countries, one country named in the ban — Iran — responded by imposing a reciprocal policy for people traveling from the U.S. This kind of reciprocity is common for immigration rules. Other countries could easily start imposing a password-for-entry rule on U.S. travelers, effectively “grounding” those who want to protect their private data from foreign governments.

Enforcing a password-for-entry rule would also raise all kinds of logistical hurdles. How would border agents even know whether a traveler has a certain social media account? Or only one account? Sophisticated travelers are already discussing how to avoid compromise of their personal data when they cross borders, considering options such as buying a second phone to travel with, or blocking access to certain accounts. A requirement like this would therefore have a disproportionate impact on people who aren’t as sophisticated, or who can’t afford a “work-around.” Those who are technologically savvy, including those planning to do the U.S. harm, such as terrorists and criminals, would likely simply find another way to communicate.

The policy might also dissuade innocent people who would otherwise be interested in visiting (or returning to) the U.S. on a temporary basis. Why do that and risk exposing their accounts to the U.S. government? Or be forced to stop using social media platforms? Asking for passwords would not just harm the U.S. tourist industry, it would also harm other sectors, such as the global tech sector, since many of the world’s leading tech companies are still located primarily in the United States.

In short, this proposal is so absurd and potentially devastating to human rights, it sounds like the kind of idea that politicians sometimes float to get credit simply for walking back. Yet the U.S. government (under the Obama administration) already floated the idea of requesting social media account information at the border, and then, over our objections and those of other rights groups, went right ahead with the plan. The Trump administration is continuing to press the password-for-entry idea. It’s time for all of us to speak out loudly against this plan. For those of us in the U.S., that includes insisting that our representatives publicly condemn and reject it.

We have to take this proposal seriously, right now. We can’t let a rule like this — that would crush human rights, harm digital security, mutilate immigration standards around the globe, and damage the economy — get any closer to reality.