Bloomberg published a brief on the issue of border searches that was written for them by the international law firm of Morrison Foerster on the subject of border searches.
Given that lawyers wrote the piece, their concern is about protecting attorney-client confidential information at the border, but the subject applies to everyone.
According to Customs and Border Protection (CBP), they searched 4,444 cell phones in 2015 and 23,877 phones in 2016. We don’t know if the shape of that curve will continue, but if it does, that would forecast over 100,000 phone searches in 2017.
Even if that curve is correct, that still is a tiny percentage of all of the people (and phones) that enter the U.S. in any given year, so the odds of you being chosen would seem to be very low.
Border agents searching phones is certainly not limited to the U.S. but statistics for other countries are not available.
According to Morrison Foerster, courts have held that, under U.S, law, CBP and Immigration and Customs Enforcement (ICE) agents may ask to search electronic devices at the border and may request individuals to disclose their password so they can conduct the search. My definition of request includes the ability to decline. I do not think their definition of request includes that option.
The courts have further said that they can conduct a manual search of any electronic device without a warrant and without reasonable suspicion.
If they want to conduct a forensic investigation (meaning using specialized software to look in the nooks and crannies of that electronic device, they must have “reasonable suspicion”. That is defined to mean “a particularized and objective basis for suspecting the particular person stopped of criminal activity”. This definition is not exactly crystal clear and the Supremes have not yet had the opportunity to rule on this subject.
Homeland Security, the department of which CBP and ICE are a part, did a privacy impact assessment for border searches of electronic devices in 2009 – a long time ago in tech years.
If the traveler claims that a device contains privileged material, either attorney-client or otherwise, the CBP agent must consult with either the Associate/Assistant Chief Counsel or the U.S. Attorney’s Office before doing the search. How that helps is not really clear to me, but I would guess that it is a check and balance to make sure that they follow the rules.
ICE says that a claim of privilege doesn’t preclude a search, but that for some types of information including attorney-client privileged, proprietary business and medical information they have to use special handling – an undefined term. Under certain limited situations, ICE policy requires the agent to contact the local ICE Chief Counsel’s office or local U.S. attorney before continuing the search.
Whether that will change anything or not is unclear and you will likely be detained until they get an answer back, which could be hours. It is not likely to be days.
People have said that they have been detained for hours and not allowed to use their phone (which of course, if ICE or CBP took the phone would be hard anyway).
If you are one of those select few people that are asked to hand over your phone, know what your plan is. You can decline to turn over the password knowing that you will likely be detained and eventually likely brought before a judge where you will have a chance to make your case, but understand that it is unlikely to go in your favor.
Here is what the law firm of Morrison Foerster suggests – which is not a whole lot different than what I would suggest.
- If you are travelling internationally, consider taking a clean smartphone and/or laptop with no sensitive data on it. That way they can look to their hearts content and you don’t care.
- If all sensitive data cannot be removed, remove as much sensitive data as possible from your phone or laptop and then overwrite the deleted files. There is lots of software to do that.
- Inventory all sensitive data contained on any electronic devices that will be taken across a border. This is a recommendation that I hadn’t thought about. That way, if the device is searched or taken and copied, at least you know what has been compromised.
- Fully power down all electronic devices before passing through customs (U.S or any other country). This makes it much less likely that technical software will be able to snoop on the device once they power it back up.
- If CBP or ICE requests to search your devices, let them know if there is privileged or business sensitive information on the devices.
I might suggest a few more ideas.
A. For extremely sensitive information consider encryption and I don’t mean transparent encryption like Microsoft Bitlocker. Transparent encryption will hand over the data with no other restriction once they log onto the device. There are many forms of non-transparent encryption which will not reveal data to casual observers without additional effort. The trade-off is that non-transparent encryption means more work for you.
B. Store data in the cloud and don’t store it locally. If you use this, make sure that you understand the security (and insecurity) features of the software and enable features that may not be enabled by default. Understand what controls the cloud service provider may have. An example of how NOT to do that is to use Dropbox since Dropbox, by default, caches names and in many cases the actual files, on the computer, defeating the whole objective.
C. Talk to a computer security expert [like me 🙂 ] before you go to understand your options and the implications. The general trade off will be security or convenience, pick one.
D. If the agent takes your computer or phone away – out of your sight – you can assume the device is now compromised. Big companies understand this and employees are instructed to contact the security office. Power down the device when you get it back and do not turn it back on. Hand it to corporate security as soon as possible. Most large companies already have a plan to deal with this and will issue you new devices. Just because you don’t see any changes does not mean there are no changes.
All of this, of course, depends on your level of paranoia. If there is protected information on the device, you now need to decide if you have a security breach and if that breach is reportable under state laws. Talk about a catch-22. Contact legal counsel to help you make this decision. I suspect that if you talk to two lawyers about this subject, you will get three opinions – at least.
Clearly, the easiest answer is to minimize the amount of data and devices that you take across the border.
If you are worried about data being DELETED in this process, then definitely securely upload the data in real time (as close to the point of creation as possible). For example, if you are an investigative journalist and are worried about you data and sources, this would be my recommendation no matter what. If the data is encrypted prior to unload, you control the encryption key and that key is not stored on the device, then this will provide the maximum protection.
Welcome to today’s world – not always simple.
Still, the odds of you having to fork over your device are low. Unless you are that person who gets picked.
Information for this post came from MoFo’s web site.