Stacie H. Rosenzweig is an attorney with Halling & Cayo S.C. She focuses her practice on the representation of lawyers and other credentialed professionals.

Information Security Best Practices Are Stupid And I Hate Them

***but I do them regardless 

Last week, I traveled to Toronto and attended the 2025 Association of Professional Responsibility Lawyers annual meeting. As always, I enjoyed hanging with my nerd friends and learning a lot. I completed my Board service after two terms.

Because international travel is a little ~interesting~ these days, I traveled with an inexpensive pay-as-you-go cell phone and an iPad instead of my usual phone and laptop. The goal here was to cross the border with no locally stored client data and, in fact, as little data as possible. Border agents have far broader leeway to search devices than other law enforcement officers; although statistics show detailed searches are exceedingly rare at United States ports of entry, I did not want to take the chance.  

A few months ago, a lawyer who represented pro-Palestinian protestors was allegedly targeted after returning from overseas. He was asked to turn over his phone for a search; he objected, citing privilege, but allowed them to review his contact list. (CBP disputes these allegations and I did not find an update.) He was allowed to leave. Although I have not represented protestors, in my non-Ethicking life I routinely represent Democrats in election matters, which elevated my concern. Just because you’re paranoid don’t mean they’re not after you, right?

So, before I left, I dutifully emailed IT and told them I was traveling to Canada with a backup phone and they set up my firm's two-factor authentication on that phone (so I could access email and cloud services on my iPad), and I tested them to make sure everything was working. I printed out a copy of the 2018 CBP directive that is still allegedly in effect and put it in my trip binder. When we left Ann Arbor, Michigan, for the Ambassador Bridge, I logged out of everything and cleared the cache. We got into Canada in good order. 

And then... 

I discovered that I was locked out of my Facebook account, because the two-factor authentication app I used to log in was on my phone at home. (Have I ever blogged about my searing hatred for two-factor authentication? I understand why I need to do it but I do not have to like it.) This was not a huge deal--I do not use Facebook for any mission-critical tasks--but it was inconvenient and I had to let my parents know everything was fine, I was just locked out, not in a Canadian jail or anything.  I live-skeeted tidbits from the conference on BlueSky instead. Oh well.  

But then...I tried to log into my work email from my iPad. The two-factor authentication worked as it was supposed to, but then Microsoft would not let me in—I was, more or less, geofenced out. (Remember how I emailed IT and told them I was traveling to Canada? Anyhow.)  

I was able to reach them, and they had to verify with our office administrator that I should be granted access to my email and files. My first instinct was to get mad and play the “do you know who I am?” card (spoiler: they know I’m the one who keeps crashing TABS somehow and that’s about it) but then realized that checking in with someone not in Canada was a security measure in itself, and I just let the process play out. They granted me access, and all was well for the duration of the trip, including repatriation. 

Some may wonder why I went to all this trouble. (These people do not know me very well, but I digress.)  Lawyers have an ethical obligation under Model Rule 1.6 to take reasonable measures to avoid disclosure of confidential information, and border searches are no exception. Fourth Amendment protections don’t apply the same way at the border (and, of course, don’t apply at all to the other countries lawyers may travel to). For the US, the law as it currently stands allows agents to do a cursory search of, say, a phone or laptop, without a warrant, but they can only search local content. They can’t go fishing around a cloud server. 

A best practice, then, is to take as little client data as possible, which is why I had backup devices that were logged out (with caches cleared) and in airplane mode during crossings. If there had been a search, there would have been nothing exciting to see. If you must travel with your usual devices, logging out is a good idea, as is cleaning up all that random stuff stored on your desktop.  

If I did have client data on my phone or tablet and it had been identified for a search, I would have been ethically required to assert objections and do what I could to avoid disclosure of that information (and notify affected clients if I was unsuccessful). CBP cannot deny US citizens the ability to enter the country, but they can make it miserable. The ABA and the New York City Bar Association have some good guidance on this. Yes, it’s a lot of hoop-jumping. We shouldn’t have to do any of this.

But anyway. As it would turn out, it was my own preparation and not a border agent that made travel a bit more difficult than it needed to be. I learned I am far too terminally online for my own good, and I wondered what my Facebook friends were up to. But if that was the worst of it, I guess I’ll take it.  

 
