Most travelers pass through airport security with a single mental model: uniformed officers, checkpoints, and the assumption that their rights remain broadly constant throughout. That assumption is legally wrong, and the gap between what the Transportation Security Administration and U.S. Customs and Border Protection are each permitted to do to your smartphone represents one of the most consequential - and least understood - fault lines in American digital privacy law. The agency standing in front of you at any given moment determines whether your device is treated as a potential explosive hazard or as a searchable extension of your identity.
Two Agencies, Two Entirely Different Legal Mandates
The TSA's statutory purpose is aviation safety: keeping weapons, explosives, and other prohibited items off aircraft. When a TSA officer asks you to power on a laptop or tablet, the request is grounded in that narrow mandate - confirming the device is a functioning electronic, not a hollowed-out shell concealing something dangerous. What the TSA generally cannot do, absent a warrant, is scroll through your messages, open your photos, or extract data from your phone. Their legal authority ends at the physical object.
CBP operates under an entirely different constitutional framework. The "border search exception" to the Fourth Amendment holds that the government's sovereign interest in controlling who and what enters the country outweighs the warrant requirement that applies in virtually every other context. At international arrival halls, land border crossings, and overseas preclearance facilities - airports in Dublin, Shannon, Abu Dhabi, and elsewhere where U.S. customs processing occurs before departure - CBP officers may conduct warrantless, suspicion-free searches of electronic devices. The Supreme Court's 2014 ruling in Riley v. California, which established that police generally need a warrant to search a phone incident to arrest, has not been extended to the border context by federal courts in any binding, uniform way.
What a CBP Device Search Actually Involves
CBP distinguishes between two categories of electronic device inspection, and the difference is significant. A basic search involves a manual, on-device review of content that is directly accessible - photos, contacts, messages, browser history. No individual suspicion is required; an officer's discretion is sufficient legal basis. An advanced search goes further: it involves connecting the device to external forensic equipment capable of extracting, copying, and analyzing data beyond what is immediately visible on the screen. Advanced searches require reasonable suspicion of unlawful activity or a national security concern, along with supervisory approval.
If a search cannot be completed on-site - because the device is encrypted, the battery is dead, or the volume of data is substantial - CBP may detain the device. Under CBP Directive 3340-049B, the initial detention period is up to five days, with extensions requiring progressively higher levels of supervisory sign-off. Detentions beyond 15 days must be approved in seven-day increments by senior management. Critically, any data retained that is not connected to probable cause of a violation must be destroyed within 21 days. That said, the existence of a destruction requirement and its consistent enforcement are not the same thing, and travelers whose devices are retained have limited practical visibility into what happens during that window.
In fiscal year 2024, CBP conducted approximately 47,000 electronic device searches across roughly 420 million international arrivals - a rate of well under one percent of travelers. The numbers suggest that inspections are targeted rather than routine, but the legal exposure for those who are selected is real and not trivial.
The Refusal Question: Rights That Vary by Status
A traveler's right to decline to unlock a device exists in law, but its practical meaning depends entirely on citizenship status. U.S. citizens and lawful permanent residents cannot be denied entry solely on the basis of refusing to unlock a phone - the constitutional right to return to one's own country is settled. The consequence of refusal, however, is not immunity from a search; it is typically device detention and eventual forensic examination, potentially lasting weeks. There are documented cases in which a device was held for well over a year before a warrant was obtained to conduct a full data extraction.
Non-citizens, including visa holders and visa-waiver travelers, occupy more precarious legal ground. Admission to the United States is a privilege, not a right, under immigration law. Refusal to cooperate with a CBP inspection - including a request to unlock a device - can be treated as a factor weighing against admissibility. In practical terms, this means a non-citizen who declines to hand over their passcode risks being turned away at the port of entry. That asymmetry is not incidental; it is structurally embedded in how border authority has been interpreted by courts and exercised by the agency.
What Travelers Should Actually Do Before an International Flight
The civil liberties implications of the border search exception have prompted a range of practical responses from privacy advocates, legal organizations including the ACLU and the Freedom of the Press Foundation, and security-conscious professionals. The most consistently recommended approach is to minimize what is on the device before crossing a border - not through deletion, which may itself raise flags and whose forensic reversibility is frequently overstated in viral social media claims, but through thoughtful data hygiene before departure.
- Backing up sensitive data to an encrypted cloud service and signing out of accounts before travel means the device contains less to examine, regardless of whether a search occurs.
- Traveling with a dedicated device - a "travel phone" - that holds only what is necessary for the trip is a strategy used by journalists, lawyers, and executives who handle sensitive professional material.
- Full-disk encryption, enabled by default on modern iOS and Android devices, complicates but does not prevent advanced forensic searches; passcode compulsion at the border remains a legally unresolved area.
- Knowing the agency you are dealing with - TSA at the security checkpoint, CBP at arrivals and preclearance - is the first step toward understanding what authority that officer actually holds over your device.
The border search exception is unlikely to be narrowed in the near term. As portable forensic tools become faster and more capable, the cost of an advanced search - in time and logistics - will fall, making selective use of that authority easier and more frequent. For anyone who crosses international boundaries with a smartphone carrying professional communications, financial data, or confidential client information, the legal architecture described here is not a theoretical concern. It is the operating environment.