Recently, a Canadian journalist working for the CBC was selected for secondary screening while crossing the U.S. border to cover the Dakota Access Pipeline protests. He was held for six hours, questioned, had his devices taken, and was then denied entry. The full story is here:
The good news is that his devices were encrypted and he refused to decrypt them.
The bad news:
1.) The Keylogger Problem: The article makes clear that there was evidence his devices had been tampered with, but it's unclear whether Ed Ou, the journalist, knew that he should never decrypt confiscated equipment once it has been returned to him. Even if law enforcement is unable to access the encrypted data, they may modify your device to capture your disk encryption passphrase as you enter it, after you are released and once you believe it is safe to do so.
2.) The Android Problem: The article doesn't mention whether Ou carried Android or iOS devices, but if he had Android devices, then unfortunately it is likely that law enforcement was able to access his data. Why? Android uses LUKS disk encryption, the same FDE technology used to encrypt most Linux systems. The problem is that LUKS' security relies heavily on the length of the user's passphrase. If it's short, it becomes fairly trivial to decrypt the drive. This is a problem on Android because Google chose to make the disk encryption passphrase and the device unlock passphrase the same. So, if you choose a strong, 40-character disk encryption passphrase for your Android phone, you will have to enter it every time you want to unlock the screen. Unsurprisingly, almost no one does this. iOS solves this problem by mixing the user-generated PIN with a unique key generated by the device's Secure Enclave, which is a separate chip on the device. This way, you can have your easy-to-remember PIN and eat your secure device encryption cake, too. Google can't implement something similar, because Android is device agnostic: Google doesn't make phones, they make a phone operating system, which should ideally work on as many phones as possible. As a result, Google has no easy route to solving this problem. In theory, a powered-down Android device with a 40-character passphrase is just as secure as a powered-down iOS device, but in practice no one has a 40-character passphrase.
In addition, there is a difference between how Android and iOS implement device encryption that is especially important. iOS implements file-level encryption, so your device is encrypted even when it is powered on. Android implements full disk encryption only, so your device is only encrypted when it is powered off. Linux offers both LUKS (for full disk encryption, which Android uses) and ecryptfs (for file-level encryption), but Android only implements FDE. Since most users rarely power down their phones, this seriously limits the practical benefits of Android's device encryption.
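To make the passphrase-length and key-mixing argument above concrete, here is an added illustration (not code from the original post, and not Android's or Apple's actual implementation). It contrasts a LUKS-style derivation, where the key depends only on the passphrase and a salt that the adversary also holds, with a toy "enclave" that mixes in a per-device secret and counts attempts. The iteration count, the guess rates and the `SimulatedEnclave` class are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for the illustration (not real Android or iOS values).
KDF_ITERATIONS = 100_000
KEY_LEN = 32
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key_passphrase_only(passphrase: str, salt: bytes) -> bytes:
    """LUKS-style derivation: the key is a function of passphrase and salt alone.
    Anyone holding a copy of the encrypted disk (header + salt) can recompute
    this offline, so security rests entirely on the passphrase's guess space."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERATIONS, dklen=KEY_LEN)


def guess_space(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive offline search must cover."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at the given (assumed) guess rate."""
    return guess_space(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


class SimulatedEnclave:
    """Hypothetical stand-in for a device-bound secret. The UID never leaves
    the object, and every derivation is counted so the device can refuse
    after a fixed number of attempts. The same PIN on two different devices
    therefore yields two different keys, and guessing cannot be taken offline."""

    def __init__(self, max_attempts: int = 10):
        self._uid = secrets.token_bytes(32)   # per-device secret, never exported
        self.attempts = 0
        self.max_attempts = max_attempts
        self.wiped = False

    def derive(self, pin: str, salt: bytes) -> bytes:
        if self.wiped:
            raise PermissionError("device keys destroyed after too many attempts")
        self.attempts += 1
        if self.attempts > self.max_attempts:
            self.wiped = True
            raise PermissionError("attempt limit exceeded; device keys destroyed")
        user_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt,
                                       KDF_ITERATIONS, dklen=KEY_LEN)
        # Mix the user's secret with the device secret; without _uid the
        # result cannot be recomputed anywhere but on this device.
        return hmac.new(self._uid, user_key, "sha256").digest()


def successful_attempts_before_lockout(enclave: SimulatedEnclave, pin: str, salt: bytes) -> int:
    """Count how many derivations the device permits before it destroys its keys."""
    count = 0
    while True:
        try:
            enclave.derive(pin, salt)
            count += 1
        except PermissionError:
            return count


if __name__ == "__main__":
    salt = b"\x00" * 16  # constructed salt; in reality it sits in the disk header
    # Offline search against a passphrase-only key at an assumed 1e9 guesses/s.
    print("4-digit PIN, offline:  %.2e years" % years_to_exhaust(10, 4, 1e9))
    print("40-char alnum, offline: %.2e years" % years_to_exhaust(62, 40, 1e9))
    # The same 4-digit PIN behind a device-bound secret with a 10-attempt limit.
    device = SimulatedEnclave(max_attempts=10)
    print("attempts permitted on-device before wipe:",
          successful_attempts_before_lockout(device, "1234", salt))
```

The two numbers printed for the offline case are the author's point in arithmetic form: with the key derived from the passphrase alone, a screen-unlock-sized secret falls in well under a second, and only a long passphrase changes that. The enclave variant shows why a short PIN can still be acceptable when the key cannot be recomputed off the device and the device itself limits attempts.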
3.) The OPSEC Problem: When he was pulled for secondary screening, law enforcement already knew that Ed Ou was traveling to cover the Dakota Access Pipeline protests. They ultimately denied him entry into the U.S., and his reporting was thwarted. This cuts to the heart of the dearth of adversarial thinking among most journalists. The privilege of the press is dead or dying. Anyone with a camera and an internet connection can report on things like protests, including protestors themselves (who produce most of the primary source material these days, anyway). Law enforcement sees journalists as no different from protestors, and treats them accordingly. It really doesn't matter whether you're an "activist" journalist or a just-the-facts traditional skeptic: if you show up and record police tossing flash-bangs at hippies, then from law enforcement's perspective you are part of the problem. It really doesn't matter how you personally feel about law enforcement. If you don't want your reporting to be thwarted, then you have to treat them as an active adversary. They already see you that way.
I've had a variety of interesting experiences crossing various borders in different parts of the world. Here are some things I've learned and would recommend.
A. Don't telegraph operational intent. This was Ou's biggest mistake. Even if he had traveled without devices (or with clean, newly bought devices), U.S. Customs and Border Patrol had already made up their minds that they weren't going to let him into the country to cover the DAPL protests.
Unless you're traveling back to your home country or traveling within the Schengen zone as a citizen of a Schengen country, you have no particular right to enter a country.
So, have a cover for status. Ou could have booked a holiday trip to NYC to visit relatives/friends, and generated cover traffic with his bosses at CBC ("I need some vacation days to visit my friends/family.") and with his relatives/friends ("I can't wait to see you this holiday season."). Plaintext emails can be your friends, sometimes.
Think this is nuts? Fine. Don't expect to cover stuff like #NODAPL or West Bank protests. You will never make it past customs. Treat the security services with the respect they deserve, especially countries with strong SIGINT capabilities, such as the U.S., Israel, and the UK.
B. Travel with newly bought equipment (for laptops, used hardware is fine, if you're a Unix person), or no equipment at all. Your equipment should be clean. Naked in, naked out.
C. Use iOS. Don't use Android. iPhones are expensive, so use an iPod touch if you need a clean mobile device.
D. Power down your devices before transiting customs.
E. If any of your equipment is confiscated, then dispose of it immediately. Assume it is compromised. Do not boot it, or enter passwords. Cut your losses and chuck it.
Since this is obviously pretty cost-prohibitive, I recommend crossing borders with no equipment at all, even clean equipment. You can buy what you need in-country. Transiting with clean equipment is just an opportunity to lose money when your devices are confiscated. You can encrypt and upload your work files and contact details so that you can access them once you're inside the country where you wish to report, or you can have a friend message you the information/files you need via end-to-end encryption once you've gotten in-country and can purchase equipment (and sell it before departure, if you can, to recoup some of the cost).
If you absolutely can't afford to buy burner equipment, then maybe you could try having a friend mail your (encrypted, powered-down) stuff in a way that's less likely to garner attention (have them book an Airbnb for you under their name, then mail it there, where you can pick it up). However, this is a gamble, since your package could have been opened without your knowledge.
Finally, if you absolutely can't spend money this way, there are ways to go cheap and still remain effective. Besides mailing your stuff, encrypting and uploading your files and zero-filling your laptop's hard drive before crossing a border is also an option (if you know how to do that). You will want to re-install a clean commercial OS for your border crossing; otherwise a laptop that doesn't boot will look weird to customs.
Edit: Feedback appreciated. Is this useful or impractical for your use case? How do my experience/opinions jibe with yours, or not?