# Travel and border crossings — privacy stack > How border agents actually inspect phones and laptops, what a cold travel device looks like, the backup-then-wipe pattern, eSIM vs physical SIM, what "lawful refusal to unlock" actually buys you, hotel-WiFi and airport-charger threat models, and the post-trip reset. Markdown twin of https://xmr.club/guides/travel-privacy. CC-BY-4.0. Attribute "xmr.club". ## At a glance - Canonical: https://xmr.club/guides/travel-privacy - Slug: travel-privacy - Title: Travel and border crossings — privacy stack - Description: How border agents actually inspect phones and laptops, what a cold travel device looks like, the backup-then-wipe pattern, eSIM vs physical SIM, what "lawful refusal to unlock" actually buys you, hotel-WiFi and airport-charger threat models, and the post-trip reset. - Available locales: en, zh, es, ru - zh: https://xmr.club/zh/guides/travel-privacy - es: https://xmr.club/es/guides/travel-privacy - ru: https://xmr.club/ru/guides/travel-privacy ## Intro Crossing a border is the one routine moment where a stranger with broad legal power asks to look through your devices. Most travelers carry the same phone and laptop they use every day, signed into every account, with years of messages, photos, and saved tabs. Border agents know that — and increasingly run forensic extractions at primary or secondary inspection, sometimes copying the device, sometimes scrolling through it by hand, sometimes both. This guide is the practical stack: cold-device prep, the backup-then-wipe pattern, eSIM vs physical SIM, what the law actually says about refusing to unlock, the hotel-WiFi and airport-charger threat model, and a post-trip reset. It is not legal advice; the lawful-refusal section depends heavily on jurisdiction. ## Body ## What border agents actually do Border inspection of digital devices is now standard practice in most jurisdictions with computerised customs. Concretely, agents may: - **Visual scroll** — open the photo library, recent texts, browser tabs, installed apps. Cheap, common, leaves no trail. - **Forensic extraction** — connect the phone to a Cellebrite / Grayshift / MSAB device that dumps everything reachable without the lock code, then offline-cracks what isn't. Common at secondary inspection in US, UK, AU, CA; widely used elsewhere. - **Cloud retrieval** — pull what's stored under your accounts (iCloud, Google) once they have the device. The cloud is not protected by your device passcode. - **Detain the device** — keep it for days or weeks for forensic processing while letting you continue your travel without it. The defense is not "have nothing to hide." The defense is to *not have it on the device at the border*. That is the entire shape of this guide. ## The cold travel device The strongest move is the simplest: travel with a different device than the one you live on. A cold travel device is: - **A physically separate phone** (cheap recent Android or a second iPhone), set up fresh, with the minimum apps you need for the trip — maps, ride-hail, hotel/airline, one messenger, optionally a no-KYC wallet for spending. - **Or a separate laptop** — a clean OS install, no work files, no saved logins, no inbox. A second-hand ThinkPad with Linux is a workable budget option; so is a Chromebook in Guest mode. - **Signed into a separate identity** — a different Apple ID / Google account / Matrix handle than your day-to-day, with no contact list or message history linked. - **Hard to associate** — bought outside your home billing trail if possible (cash at a chain store, refurb from a no-account marketplace). The cold device exists so the inspection finds boring travel apps and nothing else. Everything you actually care about — work email, the messenger thread with your editor, your full-balance wallets, the photo of your kid — stays on a device that did not enter the inspection zone. ## Backup-then-wipe pattern If you must travel with your real device (most people), the pattern that buys you the most safety per minute of effort is: - **Full encrypted backup before departure** — Time Machine to an encrypted external, `borg` / `restic` to an encrypted remote, Signal "Set up a new device" + delete the old, iCloud backup with End-to-End Advanced Data Protection turned on, Google "Transfer to a new phone" once you have the new SIM. - **Verify the backup restores** — actually attempt the restore on a spare device or partition. Untested backups are wishful thinking. - **Wipe before crossing** — factory reset, sign back in with the minimum: the airline app, the hotel app, one messenger, one wallet, one map. Cross the border with a clean device. - **Restore after the trip** — once you're past the inspection zone and back on a network you trust, restore from the backup or pick up the original from your encrypted remote. The pattern works because most inspections check what is *on* the device, not what is in your cloud backup. The cloud backup may also be reachable by subpoena, but that requires legal process, not a 20-minute visual scroll at a kiosk. The asymmetry is the point. ## eSIM vs physical SIM Whichever you pick, the goal is the same: don't have your home carrier's billing trail follow you into a foreign data session. Compare: - **Physical travel SIM** — Buy at a kiosk on arrival or order ahead. The carrier sees what you do; your home carrier doesn't. Easy to swap between devices; easy to dispose of after the trip. Downside: physical SIM trays leak. Customs can pull the SIM at inspection; lost / stolen phones lose the SIM with them. - **eSIM (real-name)** — Activated through an app, billed to your real-name account at a global eSIM marketplace. Convenient. Worst privacy property: ties the foreign session to a known identity. - **eSIM (XMR-paid, no-KYC)** — Services like Cypher eSIM accept Monero and issue an eSIM activation without tying it to your billing identity. Closest to "throwaway SIM" semantics in eSIM form. See [how to buy Monero no-KYC](/guides/how-to-buy-monero-no-kyc) if you don't have a balance to pay with. - **Hotspot off a friend's plan** — not actually private (the friend is now in your travel session) and is usually a tax-evasion shape your friend's carrier will eventually notice. For most trips: XMR-paid eSIM if available at the destination, physical local SIM if not. Keep the home SIM at home, in a drawer, powered off. ## Lawful refusal to unlock This part depends entirely on where you are. Treat the following as a sketch, not legal advice — check the law for the specific border you are crossing. - **United States (citizens)** — CBP claims authority to demand unlock at the border without a warrant. Refusal cannot result in denial of entry for a US citizen, but the device can be detained for forensic processing. Refusing biometric unlock is more legally defensible than refusing a passcode in most US case law as of mid-2026. - **United States (non-citizens)** — Refusal can result in denied entry, visa revocation, or being turned around. The legal calculus is dramatically different. - **United Kingdom** — Section 49 RIPA can compel passcode disclosure; refusal is itself a criminal offence with up to two years' imprisonment. UK is the strongest "you must unlock" regime in the English-speaking world. - **European Union** — Varies by member state. France, Germany, Netherlands have specific case law; some require warrants for forensic extraction at airports, some don't. - **Authoritarian regimes** — Assume any refusal is treated as suspicious behavior. The cold-device pattern matters most here. What this means in practice: the lawful-refusal lever is real but jurisdiction-specific and asymmetric for non-citizens. Don't plan a trip around it. Plan a trip around having nothing sensitive on the device that crosses the border, and let lawful refusal be a fallback rather than the primary defense. ## Hotel WiFi, airport chargers, public USB Three different threats that get bundled in the same paragraph in most travel-privacy guides. They're actually different: - **Hotel and airport WiFi** — captive portals, sometimes mandatory account creation, sometimes deep packet inspection. The defense is straightforward: a VPN client that launches before any browser, a kill switch that drops traffic if the tunnel falls. Pick one from the [best no-KYC VPN](/guides/best-no-kyc-vpn) shortlist; activate before connecting. - **Public USB charging (a.k.a. "juice jacking")** — overstated in popular press. Modern iOS and Android refuse data handshakes from a charger by default; you have to actively approve "Trust this device." The realistic risk is a malicious cable, not a malicious wall outlet. The cheap defense: carry your own USB-C cable, or a USB data-blocker dongle. Don't borrow cables from strangers, even at lounges. - **Hotel-room ethernet and TV-input ports** — almost never a useful threat surface for travelers; included here because guides love to mention it. Skip. The expensive defenses (Faraday bags, daily device rotation, dedicated travel router) are appropriate for high-asymmetry travel — investigative journalism, dissident activity, security research at hostile venues. For routine travel they're theatre. Cold device + VPN-on-launch + your own cable covers the realistic 95th-percentile attacker. ## Post-trip reset The trip ends. Now: - **Disconnect from foreign networks before re-entering your home stack** — change the VPN exit, kill any remembered SSIDs from the trip, sign out of the travel-only messenger if you used one. - **Audit installed apps** — anything you installed at the destination "just to get into the hotel WiFi" or "to pay this taxi app" should come off the device. App stores leak metadata even after uninstall; you can't fix that retroactively, but you can stop the bleeding. - **Rotate sensitive credentials** — anything you used over an unknown network with non-end-to-end-encrypted protocols. Email passwords, exchange logins, anything you logged into from the hotel computer that one time. - **Wipe the cold device, or store it powered-off** — if you carried a dedicated travel phone, factory-reset it now while everything is fresh and seal it back up in a drawer for the next trip. - **Restore from backup if you used the backup-then-wipe pattern** — and verify the restore actually came back clean. ## What is NOT worth doing Some things travel-privacy guides repeat without examining: - **Faraday bags for everyday travel** — useful only if your threat model includes IMSI catchers or covert cellular tracking at a specific venue. For airport-to-hotel routine, an off button works. - **"Burner" phones bought without thought** — a $40 unlocked Android signed into your daily Google account is not a burner, it's just a worse phone. The identity behind the device is what matters; not the price tag. - **Aggressive operating-system hardening on a device you don't understand** — GrapheneOS on a Pixel is excellent *if you can administer it*. A misconfigured hardened device that locks you out at a border kiosk is worse than a default device you can actually unlock. - **Refusing to back up at all** — paranoia about cloud subpoenas leading travelers to skip backup entirely. Lost / stolen devices are statistically more likely than your specific cloud being subpoena'd. Encrypted backup beats no backup. ## See also - [Best no-KYC VPN](/guides/best-no-kyc-vpn) — the VPN shortlist your travel device should use before anything else. - [Pick a no-KYC email](/guides/pick-a-no-kyc-email) — for the travel-only inbox you set up on the cold device. - [Monero cold storage](/guides/monero-cold-storage) — what stays at home, not at the border. - [Telegram opsec](/guides/telegram-opsec) — if Telegram is your travel messenger, the failure modes you need to know. - [Privacy threat models](/guides/privacy-threat-models) — calibrate the rest of your stack to who you actually face. ## Picks - [Mullvad VPN](https://xmr.club/vpns/mullvad) — Account-number-only signup, cash-by-mail payments, no logs by design — your travel VPN should not be the link between your home identity and the hotel WiFi you used. - [IVPN](https://xmr.club/vpns/ivpn) — No-email signup, audited no-logs, multi-hop for high-asymmetry trips. Solid second pick if Mullvad is blocked at your destination. - [Cypher eSIM](https://xmr.club/sims/cypher-esim) — XMR-paid eSIM that activates without tying a local data plan to your real-name billing — useful when you do not want a physical SIM swap at arrival. - [Feather Wallet](https://xmr.club/wallets/feather) — Lightweight Monero wallet with built-in Tor — easy to spin up on a fresh travel laptop without sync-ing your full home node. - [Cake Wallet](https://xmr.club/wallets/cake-wallet) — Mobile XMR wallet that bootstraps in under a minute on a travel phone, then deletes cleanly on the post-trip reset. ## How to cite Source: xmr.club, "Travel and border crossings — privacy stack". https://xmr.club/guides/travel-privacy (CC-BY-4.0). ## Related - https://xmr.club/guides — full guides index (44 guides) - https://xmr.club/methodology — how the directory grades providers referenced in this guide - https://xmr.club/transparency — funding model + editorial firewall - https://xmr.club/data.json — full provider dataset (CC-BY-4.0) ## License CC-BY-4.0. Attribute "xmr.club".