Starting last summer, we noted that the Department of Homeland Security had quietly tested the waters to expand the information it requested of travelers entering the United States, to “optionally” include social media handles. By December it was officially in place. And then, just days into the new administration, the idea was floated to expand this program even further to demand passwords to social media accounts.
In other words: that escalated quickly. We went from “hey, maybe we could ask people to volunteer what their social media profiles are” to “hey, let’s demand all social media accounts, including passwords” in, like, six months.
In response, a ton of human rights and civil liberties organizations have posted an open letter condemning this dangerous plan.
This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while traveling, and would discourage travel for business, tourism, and journalism.
Demands from U.S. border officials for passwords to social media accounts will also set a precedent that may ultimately affect all travelers around the world. This demand is likely to be mirrored by foreign governments, which will demand passwords from U.S. citizens when they seek entry to foreign countries. This would compromise U.S. economic security, cybersecurity, and national security, as well as damage the U.S.’s relationships with foreign governments and their citizenry.
Policies to demand passwords as a condition of travel, as well as more general efforts to force individuals to disclose their online activity, including potentially years’ worth of private and public communications, create an intense chilling effect on individuals. Freedom of expression and press rights, access to information, rights of association, and religious liberty are all put at risk by these policies.
The first rule of online security is simple: Do not share your passwords. No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.
There are lots of reasons why the proposal is bad — but the security one is probably the biggest. People should never share passwords with anyone, but most especially foreign governments who have no interest in protecting them. And the letter is accurate that this will just encourage other countries to do this back to Americans (and others) and create a massive security nightmare. And that doesn’t even touch on the chilling effects created by such promised surveillance.
Of course, one hopes that this kind of insane policy will get people to recognize that passwords suck as a security system. At the very least, it should encourage people to use multifactor authentication that can’t just be handed over to some random border control person demanding your passwords. But that’s no excuse for DHS going down this path in the first place. It’s a bad proposal that won’t help DHS protect us, but will cause tremendous harm and create serious security problems.