In 2015 some 380 million international travelers arrived in the U.S. and only 8,503 of those travelers had their electronic devices searched – only .002 percent. That is a pretty small number.
In 2016 there were 390 million international arrivals and CBP examined the devices of 19,033 of them – a little more than double the number from the prior year. Still it is a very small number.
In the first half of FY 2017 14,993 travelers had their devices searched. Assuming the second half of the year matches the first half, just about 30,000 travelers will have their devices searched. That will be about 350% of the 2015 numbers.
Of course there is no way to extrapolate what that means for 2018, but if the trend continues, it will likely increase.
One of the complaints that people have expressed is that there are no obvious rules governing whether a device can be searched. With all kinds of personal and sometimes embarrassing content on people’s phones and computers, DHS has decided to publish some general guidelines. Far from rules, but better than what was known before.
The Supremes have ruled in the past that Customs does not need either a warrant or reasonable cause to search your devices. If you are a U.S. citizen you can’t be denied entry into the country if you refuse to unlock your device, but if you NOT a citizen, they could send you back to from where you came.
In both cases they can detain you for a while – no definite time, which may encourage you to cooperate.
And, they can also search your device when you leave the country, but I suspect that is much less frequent.
The right to their arbitrary searches is rooted in the Constitution and was based on the concept of looking through your luggage for contraband. Extending that to your phone seems like a bit of a stretch, but the Supremes have weighed in and said it is OK.
Under the new rules, agents can search information stored ON the device, using the software on the device. This, in theory, says that they can’t read your GMail by opening your Mail app since that is not stored on your phone – or maybe it is. The way they have decided to deal with that is either CBP agents will ask you to put the phone in Airplane mode or if they don’t trust you to do that, they will do it for you.
Unless they have reasonable suspicion – whatever that means. Then they can use advanced search techniques – which I assume means that they can use forensic tools.
They can ask you for your passcode and detain a device that is encrypted (and, I assume, that you won’t decrypt).
The document also says that agents should take care not to make changes to the device. I assume that the first thing someone would say if CBP claims they found something incriminating is that it was planted. Advanced searches should be done in the presence of a supervisor, if available. Searches should also be done in the presence of device owner unless there are reasons not to allow this.
If the device owner says that information on the devices is protected by attorney-client privilege, the agent is supposed to ask for clarification as to what specific files or folders contain that information. Prior to searching those folders, the agent has to contact the CBP assistant chief counsel, who will coordinate with the U.S. Attorney’s Office on how to proceed. While they will still search that information, they will segregate it so that it might, possibly, be better protected.
At the completion of the CBP review, any copies of information will be destroyed unless they need to be preserved in accordance with a litigation hold.
All of this process needs to be documented on specific CBP forms. That alone will probably discourage agents from poking around. Filling out government forms is no fun.
Business confidential and trade secret information needs to be protected as well.
All of that information can still be shared with other agencies as long as they have processes in place to protect it – undefined processes.
If they ask for your passcode and you give it to them, they may keep those passcodes in case they need them later. Another reason not to reuse passwords.
If the device owner will not unlock the device, CBP can try to break into it.
Officers may detain devices and/or information on them for a reasonable period, usually 5 days, but that can be extended for a week at a time with approval, if needed.
If CBP keeps your device, they need to give you a receipt.
If CBP needs to get assistance from another agency for breaking into the device or evaluating the information on it, they need to get a supervisor’s approval and they need to tell the owner unless the purpose for sharing is counter-terrorism related.
So what should you do?
That kind of depends on your level of paranoia and what is stored on your device.
In general, try to avoid taking sensitive or embarrassing information across the border. For many companies, that means issuing burner phones and burner laptops (this is actually a more common practice than you might think). Upload encrypted data to the cloud before crossing the border in any direction and wipe and overwrite the files off the local device.
If CBP retains the device or takes it out of your sight, depending on your level of paranoia and the sensitivity of your mission, assume the device is compromised or bugged and treat it accordingly.
Mostly, it depends on your view of what is on the device and how much you trust or distrust the government.
Given the government’s inability to keep much of anything confidential, I would not assume that the government should be counted on to protect anything that they observe or copy. This is not because they are evil, but because they are part of a large bureaucracy. Large scale operations have some benefits, but privacy is not one of them.
Overall, it is a good, small, step forward that they have documented these rules, but there are a lot of loopholes in them.
Remember that this coming from someone is who way more paranoid than the average bear, so take that into consideration.