Please – I do NOT want this to become a “political” discussion. If you don’t consider this an issue worth addressing, I understand completely. But it has been raised in my context and I am just trying to think it thru.
I have a trip to the EU coming up and it has been suggested that I “clean up” my iPhone so that if – on my return – it is “examined” by authorities it will have minimal personal information.
The simplest way I see to do that is
a complete reset / reinstallation of Apple iOS and apps
reload only apps needed for travel vendors
use a different email for the trip
delete all material on iCloud
not activate US phone service
activate only eSIM phone service for the countries I will be in
Very frankly, I have never done that sequence before and any thoughts about best practices are appreciated.
Specific issues not clear to me are
a) how to download and then remove all photos from iCloud so that they can be restored on return to US
b) how to backup and restore all the apps and their data I need in the US
– I would appreciate any recommendations for a reliable method to do a total iPhone backup and restore.
– I do back up my phone with iMazing, but have never done a full restore. So I would greatly appreciate hearing experience anyone has had with that program & function.
I have undoubtedly missed some key issues here and would be glad to learn more.
Thank you for any help and please let’s just focus on the technical issues not the context in which I have encountered them.
Instead of messing up your personal phone and iCloud accounts, have you considered a “burner phone” with no ties to your Apple account? I’ve seen that recommended for international travel in corporate environments to limit the exposure for industrial espionage.
If you haven’t already, you should review articles that the Electronic Frontier Foundation has published on this topic:
Though it’s becoming a rather tired trope, it’s important to consider your threat model. What information are you trying to protect? Do you have contacts, for example, with whom you might not wish to be associated, or who might suffer from association with you? Or is it just your personal information? Would disclosure of your emails or text messages be potentially harmful?
If you deal in sensitive information, the “burner” phone idea isn’t a bad one, but consider the inconvenience of having to change your workflow so you don’t require ready access to contacts and communications channels and the many other tools we rather take for granted on our phones these days.
Thank you for your thoughtful note. I actually have that article and it is part of what has prompted me.
I did think of a “burner phone” – have done that in other contexts – but I am self-employed – so this is my expense not corporate – and none of the reasonably priced Android phones with international capability have eSIMs and I flinched at dealing with Android and regular SIM. I may be wrong about that. If you have insights or experience in that context be glad to hear it.
I am not fearful about specific information as much as it prompting hassle. I just want there to be “not much of interest” on the device I have.
See my comment in my note to him about burner phone in this context. If you have any specific thoughts / experience regarding an implementation with an inexpensive Android and regular SIM that would surely be appreciated.
Is this for a long trip? If it’s just a few days you could get a brand new iPhone here from Apple in the States for use as a burner phone abroad. If you return it within 14 days of purchase date, Apple will refund you 100% no questions asked (assuming it’s still undamaged of course). In my experience, Apple has always been excellent about this policy. I’ve used it to “short-term rent” an iPhone and even Macs at no cost in the past.
I’ve done this before by using a completely different iCloud account. (I no longer do this; I do not consider myself someone who needs to worry about having my phone searched either by the country I am traveling to or here at home when I return. But I did go to Russia in 2018 and definitely wanted a very minimal phone with me.)
I use 1Password as the password manager, and the email address I use for 1Password is not the email address I use for my normal iCloud account. I did not activate iMessage with this account.
I factory reset the account and, because I’ve used this iCloud account before, I restore from iCloud backup. This also means that I have some photos in my Photos app, for what that’s worth. The apps are very minimal and just what I need for travel - no social media apps (if I really want to use them while I am gone, I use Safari, though I tend to post things after I have returned home rather than while I am gone), just the stock Mail app (also without the email address I use for my real iCloud account - again, I use webmail with Safari for that, if I need it), etc.
After returning home it’s pretty simple to factory reset and restore from my regular iCloud account and bulk-download photos from iCloud.com to import to my Photos library.
“Reasonably priced” is relative, of course. You can get a used Pixel 6 on eBay for $160 and put GrapheneOS (free) on it and it would probably serve you well (this is my current daily driver). There is some (rather esoteric, I’d think) risk to using a used phone even if you wipe it first, but I don’t think you’re likely in that territory.
It’s popular to use the term “burner” to describe a cleaned-out phone, but it isn’t necessary to actually burn the phone after you’ve used it for a trip (unlike the phone you use, say, to make ransom demands after developing your world-destroying superweapon). The Pixel 6 still has at least a little life left in it, so it wouldn’t be a consumable expense.
I suppose there’s some risk that just having GrapheneOS marks you as someone with Something to Hide™, but I’ve not had any problems with that. Unless someone actually hooks up a Greyshift or some such to your phone, they’re unlikely to even notice that it isn’t stock Android.
In my view, I don’t think there is a single answer to the question. Some important factors to take into account include:
The border crossings you are concerned about (entering the EU? reentering the USA? using a transit visa? etc).
The basis for your concerns (are you an activist? do you plan to proselytize? are you a journalist? etc).
Reasons, if any, border guards and immigration officials would want to question you (associations with NGOs, prior behavior, past destinations, demographics, etc).
The purpose and format of your trip (business, tourism, group tour, individual travel, etc)
Personally, if I decided I was going to be at risk for either hostile border inspections or having my devices infected while abroad, I would use a burner phone. The hassle of preparing and restoring my “real” phone combined with the potential for something compromising turning up anyway during a search makes a burner my preferred option.
And one more thing™: here are two recent threads with related comments:
Another option is you could back up your iPhone, wipe it, and set it up with a temporary Apple ID for the duration of your trip. You’d need to figure out how to handle the cellular account (easy overseas, harder in the USA) with a temporary eSIM (maybe one for USA before you leave and a different one while overseas), and you obviously wouldn’t have your same US phone number. You’d also lose access to any apps you’ve bought under your normal Apple ID. But those inconveniences might be okay for a short trip (keep in mind which apps you’d want to have while traveling, such as airline, hotel, and travel apps). When you get back, just reverse the process – wipe the phone, reinstall the original Apple ID, and restore from backup.
One more tip: I haven’t tried it, but if you are using 1Password via a subscription, it has a “travel vault” option where you can include only certain logins while traveling. This could be safer as any border guards obtaining your phone would not have access to all your logins (and your entire digital life).
Personally, I think this is all overkill, unless you’re in a targeted group and need extra security. Though I’d certainly go the burner phone route if I was going to certain countries like China or Russia.
The idea you and others have suggested of going to a different Apple ID for the trip is definitely the best alternative path that doesn’t involve a new phone – from Apple or other.
But as I think it thru, the time and hassle of any process involving clearing – resetting – and restoring a fully functioning iPhone is a bit daunting and more than sufficient to balance the cost of the burner.
I sincerely appreciate the extensive and supportive responses on Tidbits that helped me think this thru and reach a conclusion.
There’s another idea to consider. Depending on the specific risks you are concerned about, this may not be adequate protection. BUT, if your concern is related solely to border crossings (as opposed to being arrested/searched by local authorities sometime during your trip), you could take a burner phone AND your regular iPhone and take measures to prevent you from logging in to the iPhone until after you safely pass through customs.
Change the device passcode for your iPhone to a long, random, alphanumeric passcode that you cannot remember. (Also consider doing the same thing for your iCloud account password.)
Give those passwords to a trusted contact in the United States and establish a “code word” or phrase to verify your identity (e.g., “Purple TidBits” or “At your last birthday party we went to Ralph’s for dinner.”). … For added security, to prevent your trusted contact from using the passwords, you could use a peppering scheme to combine something you know and don’t share with the friend with the long random part you don’t know. For example, you could make your device passcode: xahvs-TFBRY-27935 and combine that with a pepper of dolphin, such that the real device passcode is: dolphinXahvsTFBRY-27935
Before going through customs, turn off your iPhone.
If you are stopped and your devices are seized, you could truthfully answer that you changed the password before leaving and can’t remember it. (How effective that is probably depends on the country you’re concerned about.) If your device is a recent model iPhone, is turned off, and is protected with a long alphanumeric passcode, it is probably reasonably safe from being forcibly unlocked.
Upon safely passing through customs, you could then call your friend from your burner phone, provide the code word, and get the device passcode to unlock your phone.
You could, optionally, change the password to something you can remember until you’re ready for the return trip.
Before the return trip, repeat Steps 2-4.
After safe arrival back home after going through customs, get your password from your trusted contact and change it back to normal.
But a burner phone and no devices connected to your primary accounts is the safest option.
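The peppering scheme from the post above, sketched as an added example that is not part of the original thread: it generates a random part in the shape of the post's sample, prefixes a memorised pepper, and compares how long each secret withstands exhaustive guessing. The 80 ms per attempt figure (from Apple's Platform Security guide), the 20,000-word list size and the plain concatenation are assumptions of this sketch.

```python
import math
import secrets
import string

# Assumption: about 80 ms per on-device passcode attempt, the calibration
# figure Apple's Platform Security guide gives for passcode key derivation.
SECONDS_PER_GUESS = 0.08
# Same shape as the post's sample: 5 lowercase, 5 uppercase, 5 digits.
GROUPS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def random_part(group_len=5):
    """Part handed to the trusted contact, drawn from the OS CSPRNG."""
    return "-".join(
        "".join(secrets.choice(alphabet) for _ in range(group_len))
        for alphabet in GROUPS
    )


def entropy_bits(group_len=5):
    """Entropy of random_part() as seen by someone who knows only its shape."""
    return sum(group_len * math.log2(len(alphabet)) for alphabet in GROUPS)


def full_passcode(pepper, shared):
    """Device passcode: memorised pepper (never shared) + the shared part.
    Plain concatenation is an assumption of this sketch."""
    return pepper + shared


def years_to_exhaust(bits):
    """Time to try every value of a secret with the given entropy."""
    return (2 ** bits) * SECONDS_PER_GUESS / (365.25 * 24 * 3600)


def hours_to_exhaust_pepper(wordlist_size):
    """The contact already holds the random part, so only the pepper stands
    between them and the device: one guess per candidate word."""
    return wordlist_size * SECONDS_PER_GUESS / 3600


if __name__ == "__main__":
    shared = random_part()
    print("give to contact :", shared)
    print("device passcode :", full_passcode("dolphin", shared))
    print("random part     : %.1f bits, %.1e years to exhaust"
          % (entropy_bits(), years_to_exhaust(entropy_bits())))
    # 20,000 is a constructed size for a list of common words.
    print("pepper vs contact: %.2f hours" % hours_to_exhaust_pepper(20_000))
```

The random part is what protects the device from someone who holds only the phone; against the trusted contact the pepper is the only secret, so a longer memorised phrase gives far more margin than a single common word.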
Well, you help close this thread with a truly unique suggestion.
As a purely personal comment
– setting yourself up to have to lie to any national authority is a fundamentally high-risk plan. There are clearly reasons why that particular one is problematic.
I will go with the burner plan. And if challenged, simply open the phone and even let them keep it if they want. My only goal is to get home.
@rda Just using a burner sounds like the best option.
To be clear, I would never advise lying to any government when being questioned by authorities or going through customs. The concept I described is intended to be similar to the process companies sometimes use where a corporate device is remotely locked by corporate IT and then remotely unlocked. The concept is that the person who has the device does not know or have the password to unlock the device. Instead of requesting that it be unlocked by corporate IT upon safe arrival, you’re asking your trusted contact to provide the password to unlock it.
Anyway, burner phone is the safest option. … Have a great trip!
The major problem with this approach is that US customs and border control can seize your devices and even hold you (temporarily, if you are a returning US citizen; they can hold you or deny entry if you are a foreigner). And the period of time that they can seize your device I believe is measured in weeks and/or months. Presumably they try to use tools such as Cellebrite to try to guess the password. I’d agree that you should be safe from this with a reasonably modern iPhone and the presumed complex passphrase that you set up (but do not know), but then presumably they would copy the encrypted data and hold it for a possible future when there is an exploit they could use to access the data.
I imagine that US citizens trying to enter a foreign country would face a similar possibility.
It seems a lot easier to cooperate with a phone that has a limited set of data on it, if cooperating with your normal iPhone is something you’d like to avoid doing, or which you feel that you cannot do.
This has been an interesting discussion…and I understand how one might be accosted on entry elsewhere if you went to someplace they might not like people from your country…say Afghanistan for a US citizen…and also on return home if for instance you are a native born US citizen but have an Arabic or middle eastern name and physical appearance. However…for the majority of people and majority of places this seems overkill as long as you don’t have porn or documents marked Secret or titled How to search for nuclear weapons on your phone. Going to the EU…or in my case a trip via South Africa to Botswana and back through Amsterdam to the US after the photographic workshop I’m going on in the summer…this seems like a step too far. I don’t remember OP’s situation or destination…but unless one is a high visibility target like a DoD senior or a serviceman in uniform or the CEO of a company that might be a target or unpopular in the destination country…this seems a bit overboard maybe. Obviously certain situations vary…and there are still several countries I’m permanently prohibited from visiting based on my former security clearances (despite them being expired by 15+ years or so)…but absent some situations or destinations or cultural background…I don’t see a real necessity.
Much like password length and randomness…absent being a high value target where the expense of a brute force attack might be warranted…better is the enemy of good enough here I would think.