Report: CBP's Border Device Search Program Is An Undersupervised Catastrophe

from the scattershot-security dept

The CBP is searching more devices than ever and ramping up an “extreme vetting” program that includes biometric scans, demands for social media account passwords, and more intrusive searches across the board. As the number of device searches continues to increase, the agency’s technical chops and internal oversight aren’t keeping pace.

That’s according to a recently released Inspector General’s report [PDF], which finds little to like about the CBP’s search processes and policies, other than that they occasionally manage to catch criminals attempting to enter the US. The CBP’s Office of Field Operations is supposed to be taking charge of device searches, ensuring they’re done effectively and intelligently. So far, it appears the OFO has taken a hands-off approach to management, resulting in bad practices and worse security.

[B]ecause of inadequate supervision to ensure OFO officers properly documented searches, OFO cannot maintain accurate quantitative data or identify and address performance problems related to these searches. In addition, OFO officers did not consistently disconnect electronic devices, specifically cell phones, from networks before searching them because headquarters provided inconsistent guidance to the ports of entry on disabling data connections on electronic devices. OFO also did not adequately manage technology to effectively support search operations and ensure the security of data.

Here’s the kicker: the OFO is so laid back it still hasn’t begun to address a problem raised by the Inspector General more than a decade ago.

Finally, OFO has not yet developed performance measures to evaluate the effectiveness of a pilot program, begun in 2007, to conduct advanced searches, including copying electronic data from searched devices to law enforcement databases.

Considering the pace of technology development, the OFO has managed to put the CBP more than a decade behind. Playing catch up now will probably bring them to five years behind schedule sometime within the next couple of years and ahead of the office’s baseline expectations sometime around never.

These device searches can be intrusive. In some cases, devices are held for months as the agency performs forensic searches and analyzes the data. These intrusions need to be justified, but the IG found CBP officers can hardly be bothered to do the paperwork.

We reviewed 194 EMRs [Electronic Media Reports] and identified 130 (67 percent) that featured one or more problems, which totaled 147 overall.

The DHS’s own search policies say device searches will be limited to data at rest, unless a deeper search can be justified. The OIG says none of the 154 EMRs compiled before the DHS reiterated this rule in April 2017 contained any evidence data connections were disabled before searches were performed.

This lack of care undercuts one of the arguments the DOJ offered when fighting against a warrant requirement for phone searches: that criminals could destroy evidence on a seized device using remotely-triggered software. The CBP either doesn’t think this is a possibility or it sincerely doesn’t care if it’s jeopardizing its own searches. Either way, it does nothing to give the government’s overdramatic assertions any more credibility.

The list of bad news goes on and on. The CBP failed to renew licenses for forensic software, resulting in the inability to perform advanced searches for a period of months. It also ignored retention policies, allowing data copied from people’s devices to sit around on external storage devices indefinitely. As the OIG points out, this isn’t just a policy violation. It’s also a security issue. Agents could peruse communications and data they have no business looking at, and the theft of a storage device could result in unauthorized disclosures of travelers’ data.

If there’s a silver lining, it’s that the CBP concurs with the IG’s determination that it sucks. There’s been no pushback from the agency — only vows to make the needed improvements. But that’s tempered by the fact the CBP still hasn’t begun to address issues raised by the OIG in 2007. These recommendations will likely put the agency even further behind the technological curve, raising the chance of criminals and terrorists escaping detention and increasing the risks posed to travelers that their data might be abused by the CBP, or worse, some rando who happens to walk off with an unguarded USB stick.


Comments on “Report: CBP's Border Device Search Program Is An Undersupervised Catastrophe”

Anonymous Coward says:

Re: TERRORISTS!!!!!!!!!!!

This started long before Bin Laden suddenly made ‘terrorism’ a household word. Americans who went to the middle east after the 1991 war to rebuild damaged facilities were warned that when coming back into the country, they would be searched for pirated software. This was back in the days when getting bootleg software meant having to personally know someone … or buying it in Middle East countries where bootleg software was sold openly for little more than the cost of the blank disks. One thing that was never explained of course, was how Customs authorities could tell the difference between legally licenced and pirate software, either as disk backups or installed on a computer. But regardless, the threat worked, and most people were too scared to play that sort of Russian Roulette.

That Anonymous Coward (profile) says:

Re: Re: TERRORISTS!!!!!!!!!!!

Yeah I remember the widespread infections across the ‘secure’ networks as the troops looked for entertainment & Hollywood couldn’t figure out a way to get them first run (or 3rd run films) because they were so panicked that someone worrying about being shot or a bomb would totally put the movie online to own them… on a sat link… with an upload speed that makes the 56k Modem look hella modern.

So there were drives being traded and cycled around, but ZOMG PIRACY BAD!!!!!! kept anyone from scanning them for virii so systems kept getting reinfected over and over and over.

But hey we totally protected Hollywood from the evil boogeymen and it only cost us our liberty and security… that was a fair trade off wasn’t it? Just because your leg got blown off doesn’t mean we should have human compassion & put every first run movie at your fingertips to remind you people back home care… we might lose a dollar.

Shawn (profile) says:

I’m not surprised

Given that nobody in charge appears to want to hold anyone under their command accountable for anything. At least not until the mainstream press starts hammering them over the head with questions about why they are unable to do the job they are paid to do.

And this has been going on for years. It’s not just a Trump or Obama problem. We are talking about a government that was unsuccessful at running a brothel in Nevada.

Anonymous Coward says:

Re: I’m not surprised

“And this has been going on for years. It’s not just a Trump or Obama problem.”

Yup, and I wish more people understood this.

It is a human problem and all society everywhere has these same problems. Some try to work out methods of mitigating the issues that arise while others sweep it under a rug and hope no one notices because they are too lazy or something, maybe they are on drugs.

Bamboo Harvester (profile) says:

Re: Get a USB Kill device.

Considering that for FREE, I have full backup of my cellphone, why not just NOT carry one across the border? Pick up a cheap one on the other side and just let it update?


If I want to transport something and I know I’ll have problems if I carry it, I SHIP it instead.

Yeah, I’d be “in the right” to argue with customs or whoever if I decided to travel with the item(s), but I’m not nearly masochistic enough to want to waste hours and probably have the item(s) confiscated anyway, then have a court battle to get them back (when they’ve probably already been stolen and sold on ebay….).

T Usual says:

Similarly, some at borders have to open their baggage!

Yes, it’s difficult to believe, but uber-authoritarians in every country on the planet insist on some power to search the baggage and even bodies of persons.

We must do away with all nations and borders. The recent UN pact will enforce that and unlimited immigration too.

T Usual says:

Re: Re: Similarly, some at borders have to open their baggage!

How is a computer, cell phone or usb storage the same thing as a suitcase?

All may contain contraband. All may legally be examined and seized by any country.

It’s amazing that you comment twice without knowing the most elementary facts of the topic.

Anonymous Coward says:

Re: Re: Re: Similarly, some at borders have to open their baggag

Please educate us poor minions with your vast knowledge oh great sage of the brainiacs.

I realize that human activities are not necessarily logical in most all countries however the fact that something is done, whether officially allowed or not, is not in itself indicative of whether said practice makes any sense.

Your childish argument proclaiming the practice to be commonly accepted everywhere and therefore we should also … is a bit lacking in the supporting evidence area. I have read the specious arguments in favor and did not find any compelling reasons for violating the fourth amendment.

What other elementary facts do I not understand? Will there be a test?

Anonymous Coward says:

Re: Re: Re: Similarly, some at borders have to open their baggag

Internet packets may contain contraband. Luckily, the CBP is not yet seizing packets for months-long investigations as they cross the border. But that makes it ridiculous that they’re inspecting devices that physically move across; those make up a tiny portion of international data transfer. I don’t recall hearing about them ever having found anything either; the airport guys brag about their confiscated toothpaste, knitting needles, and water (while simulated bombs are getting through), but we’ve never caught anyone trying to import data they shouldn’t?

Anonymous Coward says:

Tell me what USA ‘security services’ is NOT an ‘Unsupervised Catastrophe’! They all have the same opinion, that they can do whatever the hell they want, to whoever the hell they want for whatever reason (NONE) they want and have no action taken against them! Any persons monies or equipment involved can be taken and NOT given back unless a hell of a fight is put up by the owner(s) ensuring that these ‘public servants’ get unlimited gifts, for free, all year round!!

Anonymous Coward says:

Re: Re:

It’s completely random. On a trip across the border a bunch of years ago my then-wife and I were pulled over and searched, complete with dogs and mirrors to look under the car. It was a newer car in good shape and we were both clean and well groomed. We sat in that office for over 3 hours while they “did their thing”.

Of course nothing was found and we were sent on our way. I chalked it up as terror theater (not security theater, the random nature of the stops does nothing but incite fear in all travelers, precisely the goal of terror organizations).

That One Guy (profile) says:

"We'll get right on that... eventually... probably..."

If there’s a silver lining, it’s that the CBP concurs with the IG’s determination that it sucks. There’s been no pushback from the agency — only vows to make the needed improvements.

Saying ‘we’ll get better, promise’ is utterly meaningless since there’s no time-table and no-one interested in actually holding them to it. It costs them nothing to say that they’ll do it if they never actually follow through, and given the line immediately after that…

But that’s tempered by the fact the CBP still hasn’t begun to address issues raised by the OIG in 2007.

… I’d say their interest in actually doing something about the plethora of flaws plaguing the agency is in the ‘zero to none’ range.
