US idea to collect travelers' passwords alarms privacy experts

To better vet foreign travelers, the U.S. might demand that some visa applicants hand over the passwords to their social media accounts, a proposal that’s alarming privacy experts.

“If they don’t want to give us the information, then they don’t come,” said John Kelly, the head of the Department of Homeland Security, on Tuesday.

Kelly mentioned the proposal in a congressional hearing when he was asked what his department was doing to look at visa applicants’ social media activity.

He said it was “very hard to truly vet” the visa applicants from the seven Muslim-majority countries covered by the Trump administration's travel ban, which is now in legal limbo. Many of the countries are failed states with little internal infrastructure, he said.

Learning what social media services visa applicants use and asking for their passwords might become part of the vetting process, Kelly said.

The department is only “thinking about” this idea, Kelly said. But in December, U.S. Customs and Border Protection began asking foreign visitors traveling under a visa waiver program to provide their social media account IDs as an optional request.

A key concern is that the U.S. is relying on someone's political ideology to vet their entry, said Michael Macleod-Ball, chief of staff with the American Civil Liberties Union's Washington Legislative Office.

"The issue is what information are they (U.S. border agents) looking for, and how are they interpreting it," he said. "We've had all kinds of concerns over the ambiguities."

News that the Department of Homeland Security is thinking about expanding social media monitoring by demanding passwords rattled some experts.

“The price for admission into the United States shouldn’t mean giving up your online life,” said Robert McCaw, government affairs department director for the Council on American-Islamic Relations.

He sees too much potential for the U.S. to unfairly target Muslim groups.

“Do you remember every email account, or Facebook account, or every message board you signed up for?” he asked. “If you forgot to disclose one, wouldn’t you be lying to a federal agency?”

Many Muslim travelers coming to the U.S. also have kin or business associates in the country. Tracking their social media activity would inevitably mean the monitoring of Muslim U.S. citizens, he said.

“This will have a chilling effect on how people communicate with each other online,” he said.

From a security standpoint, demanding visa applicants hand over passwords and then storing them might be a huge problem in itself. The government hardly has a stellar record in keeping its own databases safe from hackers, said Christopher Dore, a partner at privacy law firm Edelson PC.

“The threat of a data breach to all that password information would be a huge danger to all those individuals,” he said. “It’s a recipe for disaster.”

Others think the DHS's proposal is pointless and note that U.S. intelligence agencies, such as the National Security Agency, are already mining the internet for hints about terrorist activity.

“It’s pretty obvious that if you’re a terrorist you can create a dummy social media profile,” said Timothy Edgar, academic director of Brown University's Executive Master in Cybersecurity program.

“Anyone who has an ounce of sense, and is plotting to do something bad, is going to get around this policy very easily,” he said.

Edgar said demanding passwords from visa applicants will probably dissuade certain foreign travelers, especially college students, from coming to the U.S.

The impact could spread, too. Other countries might try to follow the U.S. example and demand travelers at their borders also give up their passwords

“We are giving another excuse to the worst authoritarian governments to engage in widespread surveillance of social media accounts,” he said. “When a major country adopts a practice, that tends to validate it.”