In March 2017, Zainab Merchant, a graduate student in journalism at Harvard University, was stopped by U.S. customs personnel at Toronto airport as she attempted to return home from a trip to visit her uncle. Customs and Border Protection (CBP) took her laptop and asked her to unlock her phone. At first she refused and was told the devices would be taken indefinitely. Merchant eventually unlocked both and they were taken out of sight for more than an hour. The agents questioned Merchant about her trip, her religious beliefs, and an article she wrote about crossing the border. When CBP returned her phone, Merchant noticed the Facebook app was open and showing her friends list. Surely her privacy had been compromised.

Stories such as Ms. Merchant’s are on the rise, says the American Civil Liberties Union (ACLU). In 2018, CBP conducted some 33,000 warrantless searches of electronic devices — four times the number from 2015. CBP and Immigrations & Customs Enforcement (ICE) policies allow the agencies to look at devices “manually” even when there’s no suspected wrongdoing. Forensic-level searches require that the officers have “reasonable suspicion” that something is amiss.

Whether or not these tactics are lawful or Constitutional is a matter that has yet to be fully settled in the courts. This leaves a lot of gray area for travelers to worry about when it comes to privacy.

What are your privacy rights?

It’s complicated, according to the ACLU. The organization this week revealed new evidence that the Department of Homeland Security (DHS) trashes travelers’ First and Fourth Amendment protections by searching their smartphones and laptops at border crossings without a warrant. The information was obtained after the ACLU, together with the Electronic Frontier Foundation (EFF), sued DHS on behalf of Merchant and other travelers.

“The evidence … shows that the scope of ICE and CBP border searches is unconstitutionally broad,” said EFF Senior Staff Attorney Adam Schwartz. “ICE and CBP policies and practices allow unfettered, warrantless searches of travelers’ digital devices, and empower officers to dodge the Fourth Amendment when rifling through highly personal information contained on laptops and phones.”

What happens if you refuse to unlock your devices? Can you say no?

Part of the issue is that the agencies search devices for reasons apart from the enforcement of immigration laws. The ACLU says CBP and ICE will search phones and laptops for “general law enforcement purposes.” These might include intelligence gathering, or to augment other investigations. This is viewed as a privacy transgression.

What happens if you refuse to unlock your devices? Can you say no?

Here’s what to do at the border

Whether you’re entering the country via plane, boat, or other border crossing, you’re going to encounter CBP and possibly ICE. The U.S. government says it has the authority to search everything, including electronic devices, no matter the traveler’s legal status as a resident or visitor, and no matter if there’s any suspicion of a crime. This is still a contested legal matter.

You can tell CBP that you don’t consent to a search, but that won’t stop it from taking your phone. Moreover, this is likely to land you in a small room for hours as CBP escalates its search of your belongings.

What about your password? U.S. citizens cannot be denied entry into the country if they refuse to supply a password or unlock a device. In this case, however, it is likely that CBP will confiscate any devices and hold onto them indefinitely. CBP is not required to return devices in a timely fashion. Some travelers who’ve had their devices confiscated have waited weeks or months to get them back.

Non-citizens (tourists and visa holders) might have to weigh less-appealing options. Refusing to supply a password can lead to CBP denying entry, plain and simple. The government is attempting to make it mandatory that travelers not only unlock devices, but supply passwords to social media and other accounts. This is being fought in the courts.

If you’ve agreed to unlock your device, CBP agents may just give it a “cursory search” and return it quickly. If CBP opts for a “forensic search” it will be sent to a lab and held for at least five days. Forensic searches are thorough and can recover deleted messages and other data.

If you leave the airport without your device, obtain a detailed receipt.

The ACLU suggests people who consent to unlocking their devices do so themselves (enter it manually), rather than write the password down for CBP. If you do write your password down, it is likely to be stored by the government and the ACLU says you should change it as soon as practical.

If you leave the airport without your device, the ACLU says to obtain a detailed receipt, in addition to the name and badge number of the CBP personnel involved in the seizure. Devices that have been run through a forensic search should be returned (eventually) as long as there is no probable cause or evidence of a crime. The government may download all the data from the device, but it says the information will be destroyed within three weeks.

How do I protect my privacy?

There are steps travelers can take in order to minimize the impact of having devices seized and unlocked.

This may be difficult for many, but one suggestion is to carry as little with you as possible when traveling. That means as few devices as you can manage, and with as little data as possible. If you’re traveling for personal reasons, you might consider bringing a dedicated travel phone or laptop that has minimal data on board. All devices and accounts should be password protected, and devices should be encrypted. Use strong passwords, and keep them off when crossing the border.

See also: The best password managers for Android

Leave your data in the cloud. Don’t store anything locally on memory cards or hard drives — which, by the way, are also subject to search. Make sure apps on the device are disconnected from associated cloud accounts when crossing the border. At the moment, CBP policy states it will not search cloud data or any other data that’s only accessible via the internet. This means email and social media content that’s not physically present on the actual device is safe. Similarly, upload sensitive images from cameras and mobile devices before crossing the border. Ensure they are stored securely in the cloud.

Use airplane mode to your advantage. Since CBP searches are limited to what’s on the device, leave it in airplane mode so the phone doesn’t sync during any search at the border. This might allow you to unlock the device, or provide a password to appease CBP agents, while also complying with the law and protecting your data.

If you absolutely must travel with sensitive data, such as attorney-client information, the ACLU suggests you alert officers to the privileged material before providing access to the device. In these cases, the CBP is required to follow certain legal procedures.

Last, but not least, whatever you do, remain calm. Do your best to keep an even temper and deal with CBP and ICE agents in a polite and friendly manner.

Enjoy your summer travels safely, securely, and privately.