9th Circuit Appeals Court: 4th Amendment Applies At The Border; Also: Password Protected Files Shouldn't Arouse Suspicion

from the well-that's-a-surprise dept

Here’s a surprise ruling. For many years we’ve written about how troubling it is that Homeland Security agents are able to search the contents of electronic devices, such as computers and phones at the border, without any reason. The 4th Amendment only allows reasonable searches, usually with a warrant. But the general argument has long been that, when you’re at the border, you’re not in the country and the 4th Amendment doesn’t apply. This rule has been stretched at times, including the ability to take your computer and devices into the country and search it there, while still considering it a “border search,” for which the lower standards apply. Just about a month ago, we noted that Homeland Security saw no reason to change this policy.

Well, now they might have to.

In a somewhat surprising 9th Circuit ruling (en banc, or in front of the entire set of judges), the court ruled that the 4th Amendment does apply at the border, that agents do need to recognize there’s an expectation of privacy, and cannot do a search without reason. Furthermore, they noted that merely encrypting a file with a password is not enough to trigger suspicion. This is a huge ruling in favor of privacy rights.

The ruling is pretty careful to strike the right balance on the issues. It notes that a cursory review at the border is reasonable:

Officer Alvarado turned on the devices and opened and viewed image files while the Cottermans waited to enter the country. It was, in principle, akin to the search in Seljan, where we concluded that a suspicionless cursory scan of a package in international transit was not unreasonable.

But going deeper raises more questions. Looking stuff over, no problem. Performing a forensic analysis? That goes too far and triggers the 4th Amendment. They note that the location of the search is meaningless to this analysis (the actual search happened 170 miles inside the country after the laptop was sent by border agents to somewhere else for analysis). So it’s still a border search, but that border search requires a 4th Amendment analysis, according to the court.

It is the comprehensive and intrusive nature of a forensic examination—not the location of the examination—that is the key factor triggering the requirement of reasonable suspicion here….

Notwithstanding a traveler’s diminished expectation of privacy at the border, the search is still measured against the Fourth Amendment’s reasonableness requirement, which considers the nature and scope of the search. Significantly, the Supreme Court has recognized that the “dignity and privacy interests of the person being searched” at the border will on occasion demand “some level of suspicion in the case of highly intrusive searches of the person.” Flores-Montano, 541 U.S. at 152. Likewise, the Court has explained that “some searches of property are so destructive,” “particularly offensive,” or overly intrusive in the manner in which they are carried out as to require particularized suspicion. Id. at 152, 154 n.2, 155–56; Montoya de Hernandez, 473 U.S. at 541. The Court has never defined the precise dimensions of a reasonable border search, instead pointing to the necessity of a case-by-case analysis….

For years, we’ve repeated two key arguments for why border searches of laptops and other devices should be illegal.

  • You mostly store everything on your laptop. So, unlike a suitcase that you’re bringing with you, it’s the opposite. You might specifically choose what to exclude, but you don’t really choose what to include.
  • The reason you bring the contents on your laptop over the border is because you’re bringing your laptop over the border. If you wanted the content of your laptop to go over the border you’d just send it using the internet. There are no “border guards” on the internet itself, so content flows mostly freely across international boundaries. Thus if anyone wants to get certain content into a country via the internet, they’re not doing it by entering that country through border control.

We’d never seen a court even seem to acknowledge that content on devices is different than contents in a suitcase… until now. One interesting tidbit, is that they specifically note that “secure in their papers” part of the 4th Amendment, while noting that what’s on your device is often like your personal “papers.”

The amount of private information carried by international travelers was traditionally circumscribed by the size of the traveler’s luggage or automobile. That is no longer the case. Electronic devices are capable of storing warehouses full of information. The average 400-gigabyte laptop hard drive can store over 200 million pages—the equivalent of five floors of a typical academic library…. Even a car full of packed suitcases with sensitive documents cannot hold a candle to the sheer, and ever-increasing, capacity of digital storage.

The nature of the contents of electronic devices differs from that of luggage as well. Laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives: financial records, confidential business documents, medical records and private emails. This type of material implicates the Fourth Amendment’s specific guarantee of the people’s right to be secure in their “papers.”…. The express listing of papers “reflects the Founders’ deep concern with safeguarding the privacy of thoughts and ideas—what we might call freedom of conscience—from invasion by the government.”… These records are expected to be kept private and this expectation is “one that society is prepared to recognize as ‘reasonable.’”

Electronic devices often retain sensitive and confidential information far beyond the perceived point of erasure, notably in the form of browsing histories and records of deleted files. This quality makes it impractical, if not impossible, for individuals to make meaningful decisions regarding what digital content to expose to the scrutiny that accompanies international travel. A person’s digital life ought not be hijacked simply by crossing a border. When packing traditional luggage, one is accustomed to deciding what papers to take and what to leave behind. When carrying a laptop, tablet or other device, however, removing files unnecessary to an impending trip is an impractical solution given the volume and often intermingled nature of the files. It is also a time-consuming task that may not even effectively erase the files.

Huh. That last paragraph sounds a lot like my argument above. Very cool to see a court actually recognize this basic point. Considering it had been ignored for so long, I’d almost given up hope.

In this case, they also noted that part of the forensic analysis of the computer involved restoring deleted files, and note:

It is as if a search of a person’s suitcase could reveal not only what the bag contained on the current trip, but everything it had ever carried.

The court is equally worried about the fact that the device is often just a portal to cloud based services, and how a search of a device might lead to access to that data, even if it’s been snug and secure “in the cloud” the whole time, rather than crossing the border:

With the ubiquity of cloud computing, the government’s reach into private data becomes even more problematic.12 In the “cloud,” a user’s data, including the same kind of highly sensitive data one would have in “papers” at home, is held on remote servers rather than on the device itself. The digital device is a conduit to retrieving information from the cloud, akin to the key to a safe deposit box. Notably, although the virtual “safe deposit box” does not itself cross the border, it may appear as a seamless part of the digital device when presented at the border. With access to the cloud through forensic examination, a traveler’s cache is just a click away from the government.

Of course, this doesn’t mean that no searches can ever take place. Instead, they just need to be “reasonable” and live up to the standards of the 4th Amendment. In fact, in this very case they still say that there was “reasonable suspicion to conduct the initial search, and that appears like it may be a legitimate claim (the guy had a previous conviction for child molestation, which the agents believed — incorrectly, but they believed it at the time — was for child porn). But for everyone else, where there is no reasonable suspicion, our 4th Amendment protections just got stronger (at least if you’re entering the country in an area covered by the 9th Circuit (covering California, Alaska, Arizona, Hawaii, Oregon, Nevada, Washington, Idaho and Montana).

There’s one other important part of the ruling as well. In discussing the “reasonable suspicion” the court agrees it was there because of the prior conviction, as well as the fact that guy was travelling from Mexico which is “a country associated with sex tourism.” However, the government also argued that password protected files gave them reasonable suspicion, and thankfully the court slaps them down:

To these factors, the government adds another—the existence of password-protected files on Cotterman’s computer. We are reluctant to place much weight on this factor because it is commonplace for business travelers, casual computer users, students and others to password protect their files. Law enforcement “cannot rely solely on factors that would apply to many law-abiding citizens,” … and password protection is ubiquitous. National standards require that users of mobile electronic devices password protect their files…. Computer users are routinely advised—and in some cases, required by employers—to protect their files when traveling overseas….

There are some dissenting opinions, basically suggesting that this upturns more settled law, but the majority ruling makes a strong case for why the Supreme Court has actually not really directly answered this question before, but has tiptoed carefully around it. Still, it seems likely that there will be an appeal to the Supreme Court, so this probably isn’t over yet. Hopefully, the Supreme Court will uphold this important ruling, and recognize that we don’t give up our 4th Amendment rights at the border.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “9th Circuit Appeals Court: 4th Amendment Applies At The Border; Also: Password Protected Files Shouldn't Arouse Suspicion”

Subscribe: RSS Leave a comment
62 Comments
easytime1 (profile) says:

Re: Re: Re: Re:

So you do not think that people arriving back into the United States from a foreign country should not be searched based upon the fact that they are a United States Citizen? I guess you do not recognize the sovereignty of the United States and it’s rights to defend it’s borders? I guess your logic includes letting terrorists just waltz right into the country along with the heroin smugglers.

Anonymous Coward says:

This is huge

With the ubiquity of cloud computing, the government?s reach into private data becomes even more problematic. In the ?cloud,? a user?s data, including the same kind of highly sensitive data one would have in ?papers? at home, is held on remote servers rather than on the device itself. The digital device is a conduit to retrieving information from the cloud, akin to the key to a safe deposit box.

I want to see this brought up in an argument against efforts to access old emails stored at 3rd party servers without a warrant. Emails don’t stop being personal papers after 180 days.

Internet Zen Master (profile) says:

Wait, a sane circuit court?!

There’s no such thing! This is a bunch of malar-

the 9th Circuit (covering California, Alaska, Arizona, Hawaii, Oregon, Nevada, Washington, Idaho and Montana)

Oh, it’s from the 9th Circuit you say? Well that explains everything!

The West Coast of the United States tends to be saner when it comes to things involving computer-related tech. [Exhibit A: Ron Wyden]

With the exception of California and their constant “We must violate everyone’s privacy FOR TEH CHILDRENS” routine.

Now the big question is whether or not this’ll get appealed on the grounds of “But, but, TERRORISM!”

The Zen Master says, “We’ll see.”

Dan (profile) says:

"There are no "border guards" on the internet itself..."

I’m going to cry ‘bullshit’ on this one, Mike.

You already covered the NSA wiretap rooms in San Fran. The border guards are there not to remove data from laptops, but for surveillance of it. You know anything going through those telecom trunks are stored for later retrieval for evidence, if deemed necessary.

So yes, there are border guards on the internet. I really wish you would stop saying otherwise. Or at the very least, tell me those NSA taps are now gone.

Anonymous Coward says:

Re: "There are no "border guards" on the internet itself..."

If you send everything in plain text, you should expect it to be read. It’s the digital equivalent of sending a postcard.

Encrypted streams, OTOH, are much, much harder to deal with. Unless the NSA has a specific reason to target your communications, no one is looking at them as it is still far to expensive (in terms of compute power) to decrypt all encrypted streams just to have a look.

It’s pretty much the difference between a post card and a letter in an envelope crossing the border….

And, BTW, if the NSA has a reason to target your communications, nothing you as an individual can do will stop them, not even RFC 1149.

Anonymous Coward says:

Re: "There are no "border guards" on the internet itself..."

I’m really not sure what point you’re trying to make. I mean you’re not honestly suggesting that Mike is trying to obfuscate that various agencies in the US government have insane domestic spying powers are you because that gets pointed out and derided in these pages all the time.

Tofof says:

En Banc

It’s perhaps worth nothing that – for the 9th Circuit Court of Appeals (the court involved here) – en banc actually means a panel of 11 rather than the usual panel of three judges. Unlike other, smaller appellate districts, it doesn’t actually mean before the entire set of judges of the district (29, in the 9th’s case, hence the exception).

I wouldn’t have bothered, except that the term was defined and defined incorrectly. Or rather, defined correctly for all but the singular exception that happens to be the relevant one here.

In any case, en banc does still carry the far stricter weight of correctness of a thorough judicial review and decision.

Rekrul says:

This rule has been stretched at times, including the ability to take your computer and devices into the country and search it there, while still considering it a “border search,” for which the lower standards apply. Just about a month ago, we noted that Homeland Security saw no reason to change this policy.

Well, now they might have to.

TOP SECRET

Memo to all border agents;

Effective immediately, there will be a policy change in regards to searches of electronic devices. Since the court has ruled that you need reasonable suspicion to search an electronic device, all agents are hereby instructed to make up a reason before performing such a search.

Department of Homeland Security

Furthermore, they noted that merely encrypting a file with a password is not enough to trigger suspicion.

You know, Hiding a file on a modern computer isn’t hard at all, today’s users are just too clueless about their computers to know any better than storing possibly incriminating files in My Documents. Encrypt the file, name it something like syscore.dmp and drop it into one of the OS directories 2-3 levels deep. Nobody will ever find it unless the file is huge and they run a scan of the used space on the drive.

Anonymous Coward says:

so what has Homeland Security got to say now about ‘:Not Searching Your Laptop Doesn’t Benefit Your Civil Liberties, So We Can Do It.’

in other words, as not searching wont help you, then searching wont help or hurt you, so we can do it anyway just in case we perhaps find something that might help us accuse you of possibly having done something at sometime, maybe! just like everything else today, guilty unless able to prove innocence as well as guilty just because we can charge you

horse with no name says:

All of this analysis, and you still managed to miss the point.

Even with 4th amendment rules applying, presenting yourself at the border, as a member or contributor to something like Wikileaks, with encrypted files on your laptop will still be enough to qualify for a full search. Each piece in and of itself is not a trigger, but combining the person and the situation may be enough.

It really isn’t any different from a convicted gang member, walking down the street with a gun shaped item under his shirt tucked into his pants. You cannot just randomly search a gang member, and you may or may not be able to merit it based on the shape of a bump in the clothing, but together it may be reasonable cause.

All the 9th circuit ruling really does is make the border agents justify at a basic level why they are looking at things. It’s a big change in theory, but not really a big change in practical terms. Remember, the border agents can still refuse you entry for any reason at all, and they can still bar you from future entry without having to actually prove anything.

Rikuo (profile) says:

Re: Re:

I doubt you’ll reply this late, but “presenting yourself as a member to something like Wikileaks”.

Last I heard, Wikileaks hasn’t officially been declared a terrorist or criminal organisation by the US. Sure the US has obviously gone after it, but just saying you’re a member of Wikileaks isn’t the same as saying you’re a member of the Mafia or Al’Qaeda.

Oh and can you elaborate on the convicted gang member? Not being USian, I’m not up to date on gun ownership laws. I assume here that the guy is an ex-convict, being out on the streets. I remember seeing a video recently where a random member of the public was stopped by cops merely for having a gun, and he was able to successfully argue to them that simply seeing that he has a gun is not enough grounds to justify a stop and search. Do ex-cons lose the right to own guns after being released from prison?

Not an Electronic Rodent (profile) says:

Re: Re:

Even with 4th amendment rules applying, presenting yourself at the border, as a member or contributor to something like Wikileaks, with encrypted files on your laptop will still be enough to qualify for a full search.

Well I’m not an american, but if the 4th amendment applies at the border, doesn’t the 1st too? I seem to remember there’s something in there about “freedom of association”…. wouldn’t that make “being associated with a completely non-criminal organistion” a little bit problematical as the basis for a search?
I recall a spoof Not The Nine-O-Clock News sketch from my youth where “Constable Savage” detained a suspect for “Possession of thick rubbery lips and wiry black hair” and “looking at me in a funny manner”. You appear to be suggesting a similar standard of suspicion.

nasch (profile) says:

Re: Re: Re: Re:

“Freedom of association” is not found in the US constitution.

“While the United States Constitution’s First Amendment identifies the rights to assemble and to petition the government, the text of the First Amendment does not make specific mention of a right to association. Nevertheless, the United States Supreme Court held in NAACP v. Alabama that the freedom of association is an essential part of the Freedom of Speech because, in many cases, people can engage in effective speech only when they join with others.”

http://en.wikipedia.org/wiki/Freedom_of_association

Anonymous Coward says:

Re: Re: Re:2 "Freedom of association" is not found in the US constitution.

One might argue that the First Amendment freedom of assembly should apply in virtual as well as physical spaces. That is, two-way group communication in something like a forum or a wiki should constitute “assembly” in the way that town hall meetings were considered so in the framers’ time.

Anonymous Coward says:

Re: Re: Re:3 "Freedom of association" is not found in the

It does apply, the government is not allowed to block you from their twitter accounts, However social media sites, like place of assembly, like pubs and cafes in real space, can ban you for many reasons, so long as it not based on race, gender or other protected class.

Note you do not open your home to everyone just because you use it for a meeting of a swing circle, or any activist group.

Anonymous Coward says:

Of course, this doesn’t mean that no searches can ever take place. Instead, they just need to be “reasonable” and live up to the standards of the 4th Amendment. In fact, in this very case they still say that there was “reasonable suspicion to conduct the initial search, and that appears like it may be a legitimate claim (the guy had a previous conviction for child molestation, which the agents believed — incorrectly, but they believed it at the time — was for child porn).

The initial search turned up nothing, and they justified the second search on his prior conviction creating a reasonable suspicion. I don’t think that’s reasonable at all. He was returning from a vacation in Mexico with his wife. Why does the 15 year old conviction create suspicion?

Anonymous Coward says:

Potential for disaster

If this ruling gets overturned by the supreme court (and I see no reason to think they wont do it) it will spell absolute disaster for data privacy. Our government simply can’t control itself, do you really think they will pass up the opportunity to legalize the scrutiny of every one and zero that crosses the border if they can? Lets just pray that the supreme court doesn’t do it, its the only hope we have.

Richard Careaga (profile) says:

Cotterman

Even after this ruling, at least in the western US stares in the Ninth Circuit, the government can still require a traveller entering the country to produce her portable electronic life for inspection. No justification is required.

Can they take it away and send it off to a lab to be flyspecked? Yes, if they have a reasonable suspicion. The suspicion doesn’t have to be right, and it doesn’t necessarily have to be based on accurate information. And, even though juries are admonished not to draw conclusions about the guilt of someone claiming Fifth Amendment protections against self-incrimination, the authorities are permitted to assume that someone who won’t hand over the encryption keys has something to hide. That itself is not enough, but, when combined with other suspicions about what that something is can form part of the basis for the required reasonable suspicion.

This decision doesn’t actually do a whole lot to advance privacy. The government must have at least some reasonable suspicion, but that’s all, in the border setting. If they search any way, in any prosecution you can object to the introduction of evidence. Always assuming that circumstances such as being unable to afford a good lawyer don’t lead you to plea bargain.

What if you and your stuff are entirely clean of any wrong doing? You may get your stuff back. It might be in working order. You could get an apology/have a nice day form letter. Some of your stuff might go viral. You might have a case against someone for something, but mostly you’ve been screwed without much hope of redress.

The merits of border searches can be argued while waiting for the cows to come home, but we shouldn’t think of this case as a great victory for e-privacy.

Spointman (profile) says:

Jurisdiction?

I guess my biggest concern is that the SCOTUS is going to come back and say, “US border searches are done outside the borders of the US, by definition. The Constitution and other US laws only apply within the borders. Therefore, since anything outside the borders is outside our jurisdiction, the government may do what it likes there without our being able to review it.”

Anonymous Coward says:

I agree at least 99.9% of the time people have no information on their computers or cell phones that U.S. Customs and Border Protection (CBP) would be interested in or really need to see, however there are people that travel and bring back child pornograpghy images on their computers and that is a criminal act and CBP enforces the law in those instances. Additionally, CBP has caught several terrorists from the informaton stored on their computers. In most instances, CBP has a reasonable suspicion that indviduals have something on their electronic devices that need to be searched. CBP does not search every electronic device that crosses the border. The article makes it seem that this might be the case. The search of electronic devices is very limited in scope as are all searches. Only a tiny percentage of travelers get a search by CBP and then only a very small percentage of those individuals may have their electronic devices searched. This issue really only involves at most several thousand electronic device searches a year out of the hundreds of millions of travelers that cross our nations borders. CBP can easily show numerous seizures and proscutions of individuals that have violated the laws of the United States that had criminal information stowed on their electronic devices. My bet is regardless of the 9th Circuit ruling, CBP will appeal to the Supreme Court and pevail, as all previous 4th ammendment rulings have been in the favor of the government having the authority to perform warrantless searches at the border, icluding searches of personal docments, i.e no right to be secure in your personal papers at the nations borders.

G Thompson (profile) says:

Re: Re:

The amount of bullshit in your statement defies belief especially when referring to so called “child pornography” when in fact it is actually NOT called that by any agency in the world.

99.999999% of Indecent images are NOT transferred by cross-border travel via physical computers into nor out of the USA though they have been transferred via CD/DVD (though that is very rare nowadays).

Though reading your wall of text it is obvious you most likely work or are highly involved in the industry that has sprung up to profit substantially via the new post 9/11 Border Protection regime of the USA.

Anonymous Coward says:

you can say the same thing about being pulled over by the police. if you stand your ground to defend your constitutional rights and not let them search without a warrant, they think you have something to hide when in fact your point is to not let them walk all over your civil liberties. too many people give up their constitutional rights. police obviously won’t ask it in such a way that sounds that you have the power to decide whether they search your vehicle or not.

Anonymous Coward says:

Re: Re:

Exactly. The cop probably won’t ask, “May I search your car?”, but rather, “DO YOU MIND IF I search your car?”. That’s not something you want to answer with a yes or no. Simply state, “I do not consent to a search”. The cop may then try to put you on the defensive by asking something like, “What’s in there that you don’t want me to find?”. Stand your ground and reiterate that you do not consent to a search.
Let’s say you get stopped for speeding. If there’s no evidence or reason to believe that you’ve done anything worse than speeding, then he has no legal right to search your car without your consent. If, however, he sees an opened whiskey bottle on the passenger seat, that would give him the legal right to search your car even over your objections.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »