Travel privacy: the carry-on checklist for crossing borders
Border agents in many jurisdictions can compel a fingerprint or face scan but not a passcode. Cloud sync becomes evidence the moment you cross. Here is the checklist for before, during, and after.
Crossing a border with a phone is not what it was a decade ago. Customs agents in the US, UK, Australia, China, and India have explicit legal authority to inspect your devices. In some jurisdictions they can compel biometric unlock. In some they can compel passcodes, in others they cannot. The rules vary, the enforcement is unpredictable, and the time to think about it is before you board the plane — not while a CBP officer is holding your iPhone.
This is the checklist I use. It is not a substitute for a lawyer if you are doing journalism in a hostile country. For ordinary travelers, it gets the job done.
Before you fly: a 60-minute prep
Update everything
Run the OS updates the day before you fly, not on hotel Wi-Fi. iOS, Android, macOS, Windows. Updates are big, hotel connections are bad, and a half-installed update on a foreign network is the worst possible state to be in.
Disable biometric unlock
In the United States, courts have held that police can compel a fingerprint or face scan but not a passcode (the latter is "testimonial" and protected by the Fifth Amendment). The same logic applies in several other jurisdictions. Once you cross the border, turn Face ID and Touch ID off until you are home.
- 1iOS: Settings > Face ID & Passcode > toggle off iPhone Unlock. Set Require Passcode to "Immediately."
- 2Android: Settings > Security > toggle off fingerprint and face unlock. Enable Lockdown mode (long-press power).
- 3On the device, learn the gesture to force-passcode-only: iOS = press power + volume-up briefly; Android = hold power, tap Lockdown.
- 4Practice the gesture. You want to do it instinctively when an agent says "hand me your phone."
Empty cloud-sync folders
Anything in iCloud Drive, Google Drive, OneDrive, or Dropbox is on the device the moment it is synced — and it is "in your possession" the moment you walk through customs. If you do not need your full client folder for the trip, sign out of cloud sync or selectively unsync.
- 1On macOS: System Settings > Apple ID > iCloud > iCloud Drive > Options > deselect what you do not need.
- 2On Windows OneDrive: right-click the cloud icon > Settings > Account > Choose Folders > deselect.
- 3For Google Drive desktop: Preferences > Folders from Drive > Stream files (do not Mirror).
- 4For Dropbox: Preferences > Sync > Selective Sync.
Travel-only accounts
For trips to higher-risk jurisdictions, set up a travel-only Apple ID or Google account. Sign out of your primary account before you fly. Sign back in when you are home. This is more work than it sounds — Apple and Google make account switching painful — but it is the cleanest separation between your real digital life and what an agent can see.
YubiKeys: travel with two, never one
A hardware key on your keychain is the right call. A hardware key as your only second factor is a disaster waiting to happen. Bring a spare. Keep one in your carry-on, one in your checked bag. If both are lost, you still have backup codes (printed, in a sealed envelope, at home).
At the airport: the device dance
- 1Power devices fully off before approaching customs. A powered-off phone with a strong passcode is much harder to extract than a locked but powered-on one.
- 2When asked to unlock, comply or refuse — both have consequences. In the US, a non-citizen who refuses can be denied entry; a citizen can be detained but eventually admitted.
- 3If you unlock, watch what they do. Many countries let you remain present during search. Some do not.
- 4Do not delete files in front of an agent. Obstruction is a crime in most places. The right answer is "I cleaned up my device before I traveled," not "watch me wipe it now."
While abroad
- Use cellular data for sensitive things. Hotel Wi-Fi, conference Wi-Fi, and airport Wi-Fi are all hostile until proven otherwise.
- When you must use Wi-Fi, use a VPN. PlanetProxy WireGuard configs work the same in São Paulo as they do at home.
- Disable AirDrop, Quick Share, and Bluetooth pairing prompts in public. These are how people get phished in transit hubs.
- Do not log into your primary email from a hotel business-center PC. Ever. Not for one second.
- Treat USB charging stations as untrusted. Use your own power brick or a USB data blocker.
After you return: the post-trip audit
- 1Run a full antivirus scan on every device that left the country.
- 2Rotate passwords for the accounts you used while traveling — at minimum email and bank.
- 3Check sign-in history (Google: myaccount.google.com/security; Apple: appleid.apple.com; Microsoft: account.microsoft.com).
- 4If you used a public computer for anything, rotate that password and check for new mail forwarding rules added to your account.
- 5Re-enable biometric unlock when you are home and the trip is over.
Country-specific notes
United States
CBP can search devices at the border without a warrant. They cannot compel a passcode from a US citizen, but they can confiscate the device for "forensic" examination — sometimes for weeks. Non-citizens have fewer protections; refusing can mean denial of entry.
United Kingdom
Schedule 7 of the Terrorism Act lets officers detain you for up to six hours and demand passwords. Refusal is a criminal offense. Plan accordingly.
China
Assume your devices are searched. Many travelers carry a burner phone with a fresh OS install and a single travel email. Re-image when you get home, do not just "factory reset."
India
Customs has discretionary authority to inspect devices, especially at major international airports. Cooperative tone helps; insisting on rights does not.
Border privacy is not paranoia. It is preparation. The thirty minutes you spend the night before a flight saves you the eight-hour incident report after one.
Frequently asked
Should I wipe my phone before crossing a border?+
For most travelers, no — a freshly-wiped phone is itself suspicious and may invite more scrutiny. Better to travel with a normal-looking but tightly cleaned device. For high-risk travel (journalism, activism in hostile countries), a clean burner is the right call.
Is a VPN legal in country X?+
In most countries, yes. Notable exceptions in 2026: VPNs are restricted or illegal in China, Russia, Iran, North Korea, and the UAE. Penalties range from fines to none-enforced-on-tourists. Research before flying.
What about laptops?+
Same playbook, more risk. Laptops carry more data and are easier to image. If you can leave the laptop at home and travel with an iPad, do that. If not, consider a travel-only laptop with only what the trip needs.
Run PlanetProxy for seven days, on us.
Same purple tile cards you see on this page, plus the green lock and a 50 ms hop to wherever you want to be.
Start the trial →More from the dispatch
GuidesPP · DispatchA survival kit for public Wi-FiGuides · 6 minA survival kit for public Wi-Fi
Hotel networks. Airport lounges. The cafe with the cute logo. Six concrete habits that take ten seconds and stop 95% of network-level attacks against you.
GuidesPP · DispatchSplit tunneling: when it's a feature, when it's a foot-gunGuides · 5 minSplit tunneling: when it's a feature, when it's a foot-gun
Letting some apps skip the VPN sounds great until you discover your banking app went out the back door. Here's a clean rule for when to use split tunneling.
GuidesPP · DispatchWhy your VPN keeps getting blocked by streaming services (and the fix)Guides · 7 minWhy your VPN keeps getting blocked by streaming services (and the fix)
Netflix says "you appear to be using a proxy." Disney+ shows the wrong library. Here is what is actually happening on the back end and how we route around it.