Social Media Needs A Travel Mode

News reports tell us that Customs and Border Patrol has become more aggressive about checking social media accounts at the border. In doing this, the United States joins a growing list of countries that recognized the value of these accounts, and the unique data mining opportunity that a border crossing provides.

These searches don't just involve agents skimming through your contact lists or photos—the border police can use software to rapidly dump the contents of your phone, and download your full history from every social media site you use.

The Fourth Amendment normally protects people in the United States from this kind of indiscriminate search, but at the borders, courts so far have ruled that Fourth Amendment protections don’t apply. In the eyes of the law, there is no difference between your phone and your suitcase. Both are open for inspection.

If you're a citizen, you can try to refuse such a request, but may find yourself detained for several hours or more, or subjected to stressful questioning. Your devices might also be confiscated.

If you’re a non-citizen, you could be denied entry, or detained indefinitely. Saying no to the US border patrol is risky.

And it’s not just at the border where your social media history is at the mercy of strangers. Any enterprising piece of malware living in an airport charger, hotel business center or shared USB stick that gets access to your Gmail or Facebook credentials can siphon down your life story.

Given these threats, why haven’t social media sites given us a way to limit our exposure when we travel?

All I care about when I’m on vacation is posting devastating beach photos that will make my friends jealous. So why do I need to carry the complete list of people I went to high school with, or an archive of messages I exchanged with a chance acquaintance ten years ago?

We don’t take our other valuables with us when we travel—we leave the important stuff at home, or in a safe place. But Facebook and Google don’t give us similar control over our valuable data. With these online services, it’s all or nothing.

We need a ‘trip mode’ for social media sites that reduces our contact list and history to a minimal subset of what the site normally offers. Not only would such a feature protect people forced to give their passwords at the border, but it would mitigate the many additional threats to privacy they face when they use their social media accounts away from home.

Both Facebook and Google make lofty claims about user safety, but they’ve done little to show they take the darkening political climate around the world seriously. A ‘trip mode’ would be a chance for them to demonstrate their commitment to user safety beyond press releases and anodyne letters of support.

What’s required is a small amount of engineering, a good marketing effort, and the conviction that any company that makes its fortune hoarding user data has a moral responsibility to protect its users.

To work effectively, a trip mode feature would need to be easy to turn on, configurable (so you can choose how long you want the protection turned on for) and irrevocable for an amount of time chosen by the user once it’s set. There’s no sense in having a ‘trip mode’ if the person demanding your password can simply switch it off, or coerce you into switching it off.

A trip mode should also strike a balance between privacy and usability. You want enough of your contact list and message history on the site for it to still be useful, but not enough to hurt people if you’re forced to surrender your password, or if someone gains access to your device through other means.
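A minimal sketch of the lock described in the two paragraphs above, added here as an illustration and not code from any site; the `Account` class, its fields and the seconds-based clock are all assumptions. It shows the property that matters under coercion: the expiry lives on the server and can only move later, and the visible subset cannot be widened while the lock is active.

```python
from dataclasses import dataclass, field


class TripModeLocked(Exception):
    """Raised when someone tries to end or shorten trip mode early."""


@dataclass
class Account:                      # hypothetical server-side account record
    contacts: set
    messages: list                  # (timestamp, contact, text) tuples
    trip_until: float = 0.0         # lock expiry, epoch seconds
    trip_started: float = 0.0
    trip_contacts: set = field(default_factory=set)

    def trip_active(self, now):
        return now < self.trip_until

    def enable_trip_mode(self, now, duration, keep_contacts):
        """Turn trip mode on, or extend it. The expiry can only move later."""
        new_until = now + duration
        if self.trip_active(now):
            if new_until < self.trip_until:
                raise TripModeLocked("cannot shorten an active lock")
            # Already locked: extend only; keep_contacts is ignored so the
            # visible subset cannot be widened under pressure.
            self.trip_until = new_until
            return
        self.trip_started = now
        self.trip_until = new_until
        self.trip_contacts = set(keep_contacts) & self.contacts

    def disable_trip_mode(self, now):
        """No password or setting ends the lock early; only time does."""
        if self.trip_active(now):
            raise TripModeLocked("trip mode is irrevocable until expiry")
        self.trip_until = 0.0

    def visible_contacts(self, now):
        return set(self.trip_contacts) if self.trip_active(now) else set(self.contacts)

    def visible_messages(self, now):
        if not self.trip_active(now):
            return list(self.messages)
        # Only traffic with kept contacts, sent since the trip began.
        return [m for m in self.messages
                if m[1] in self.trip_contacts and m[0] >= self.trip_started]
```
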

Most importantly, such a mode should not put people in the position of attempting to talk their way past border guards. Border interviews are tense situations where it’s easy to put yourself in danger—lying to a Federal agent is a felony—or be pressured into making bad decisions.

The only people who can offer reliable protection against invasive data searches at national borders are the billion-dollar companies who control the servers. They have the technology, the expertise, and the legal muscle to protect their users. All that’s missing is the will.

Facebook has already done something similar with messaging. By baking state-of-the-art end-to-end encryption into WhatsApp, used by a billion people, they scored a major victory against dragnet surveillance. (Of course, being Facebook, they weren’t able to resist mining the metadata to feed their advertising platform.)

Google, for its part, has long promised its users end-to-end encryption, but never followed through.

Protecting people when they travel gives both companies a chance to show their moxie. Almost anything would be better than the status quo, which requires users to choose from one of the following bad options:

They can comply with lawful requests and expose all their friends, family and contacts to government or other hacker scrutiny.

They can delete their social media accounts entirely. But this requires a heroic level of self-abnegation, as well as plenty of planning. Facebook, for example, takes sixty days to actually erase your account after you turn it off. Many other social sites leave ‘deleted’ accounts in an indefinite state of suspended animation, where they can be turned back on as soon as you log back in.

They can travel with special laptops and phones used for travel only, without social media apps or browser history. But such feints are easy to circumvent, particularly at the US border, where your identity is known to the border patrol hours before you land. Border agents can find your profile online and make you log in on their own machine.

Some online guides have suggested creating decoy Gmail and Facebook accounts just for travel. Not only is this advice extremely dangerous (putting you in a position where you’re lying at the border), but it doesn’t work. Federal agents know how to use social media better than you do. They will find your real profile and have many, many questions for you about why you’re hiding it.

Finally, they can try to purge your social media history and contacts of as much old material as possible. But good luck with that. The entire business model of sites like Facebook and Google is to hoover up this information and store it forever. They want your full history even more than thieves, hackers, or intelligence agencies do.

Implementing a travel mode would involve security tradeoffs and careful decisions about user experience. But these are the kinds of things billion-dollar Internet companies are supposed to be good at. And they would find their employees are eager to make travel safer for their colleagues, families, neighbors and friends.

There are many threats to privacy that we don't see coming. Invasive social media checks at the US and other borders are not one of them. We know that dragnet surveillance of social media accounts is about to become widespread; the only question is what we’ll do to fight it. Tech workers at Facebook and Google must decide to apply collective pressure against their feckless CEOs, whose instinct is to lay low and hope the problem goes away.

Companies that have maneuvered billions of people into storing their most personal information on their servers, and worked aggressively to insert themselves into every facet of social and family life, owe it to their users to fight, and fight hard, for their safety.

If you want to put an always-on microphone in my home, then protect me at the border.