DHS, CBP Admit They Have No Legal Authority To Access Americans' Social Media Accounts

from the CBP-reminded-of-this-2-months-after-Wyden's-letter dept

Since at least 2009, the DHS has asserted a legal right to copy/search the contents of anyone's electronic devices at the border. Its privacy assessment said no one has much privacy, at least not near US borders. Building on years of judicial national security deference, the DHS has recently expanded its searches of electronic devices, eliminating most of its adherence to the Fourth Amendment in the process. If your devices wander into the country's Constitution-free zones, you can expect to suffer diminished expectations of privacy.

Noting that border searches of electronic devices were increasing exponentially (more searches in February 2017 alone than in all of 2015), Senator Ron Wyden did two things: introduced a bill creating a warrant requirement for border electronic device searches and asked the CBP (Customs and Border Protection) about its new demands for social media/email account passwords.

The DHS has responded [PDF] to Wyden's questions, and the answers are a bit surprising.

U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.

The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place.

This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment, which placed CBP agent hunches above anything resembling reasonable suspicion or probable cause. But the answer aren't quite as clear-cut as it might appear from the NBC New summation.

With or without legal authority, the CBP is still performing searches of thousands of devices. Returning US citizens aren't exempted from these searches. They are often free to go, even if their devices might need to be left behind so the CBP can search/copy the device's contents. This may be done without reasonable suspicion because, as the letter puts it, any device might hold evidence of criminal activity (terrorism, smuggling, and child porn are specifically named).

What the CBP cannot do -- at least according to this letter -- is retrieve information and data not stored on the phone itself. But this would only prevent CBP officers from accessing cloud-based storage. Much of the information contained in email and social media accounts is not stored locally, but there's no practical way to separate local/cloud data when officers have access to the entire device. The letter appears to indicate officers need to restrict their searches to SMS messages, call logs, and photos/videos stored on the device.

How this operates in practice is another matter. The letter states CBP cannot demand passwords/pins from American travelers, but points out this may result in their electronics being detained indefinitely even as the citizens themselves are free to go. It says CBP officers have been instructed to stay away from social media/email accounts, but the April 2017 "reminder" appears to be the direct result of Wyden's probing questions, which were sent to the DHS at the end of February. What CBP was doing before the senator started asking questions is anyone's guess, but anecdotal evidence suggests CBP is treating US citizens as badly as it does foreign visitors.

What isn't in the letter is a direct response to Wyden's question about the number of US citizens subjected to these intrusive searches. The DHS claims not to have this information on hand but has promised to turn over some data later this year.

In the meantime, American citizens are receiving only slightly better treatment than arriving foreigners. Assertion of rights are the border will often be taken as unprompted admission of guilt. While the CBP may not have a legal basis to demand access to social media accounts, it does appear its demands for access to people's phones isn't stifled by many legal hurdles. Considering most phones/laptops contain social media account info, it's up to Americans to believe the CBP isn't accessing data it's been told to stay away from.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 14 Jul 2017 @ 7:34am

    Knowing this in advance you can always create some disposable account and register in your phone with a few dozen pics just to pretend it's being used. Of course it would be better if these megalomaniacs simply respected privacy and freedom and did their jobs instead of using the broad sweep but absent that you can always fool them. It's not like the people working at these schemes are very smart in the first place.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 14 Jul 2017 @ 9:28am

    "doesn't have that authority in the first place"
    If only we had some people elected to positions would had our best interests at heart & would reign in agencies that go rogue & undermine the bedrock of the nation.
    We could elected them every 2 years, so if they aren't doing the job we could replace them with people who would & not just bow to pressure of being branded a terrorist lover for upholding the founding principles.

    But then I have weird ideas...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jul 2017 @ 9:32am

    This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment

    So, DHS lied again. What's new?

    reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 14 Jul 2017 @ 8:19pm

      Re: This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment

      The question is though, were they lying then or are they lying now?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jul 2017 @ 10:28am

    but there's no practical way to separate local/cloud data when officers have access to the entire device.

    ....yes there is. Simply turn off internet access. All devices have methods of doing so easily. Once that's done, the only things accessible on the device are those things which are currently stored on the device.

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 14 Jul 2017 @ 11:34am

      Re:

      Simply turn off internet access. All devices have methods of doing so easily.

      Once they have the device, it can just as easily be turned back on. Oh, you think they don't have your passcode? Be prepared for detention for not turning it over.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jul 2017 @ 11:46am

        Re: Re:

        That the CBP may not want to separate local/cloud data when examining the device doesn't change the fact that it can very easily be separated.

        Thus, saying "there's no practical way to separate local/cloud data" when searching a device is clearly untrue. There is such a way, even if Tim didn't think of it when he wrote that statement, and the CBP is certainly paid far too much to ever think of it themselves.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 14 Jul 2017 @ 11:51am

          Re: Re: Re:

          Citation needed?

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 14 Jul 2017 @ 3:46pm

          Re: Re: Re:

          Thus, saying "there's no practical way to separate local/cloud data" when searching a device is clearly untrue.

          That depends entirely upon one's definition of "practical way to separate local/cloud data".

          Your solution implies that the CBR would never, never tap that airplane mode toggle to re-connect the device to the Internet, then look at the contents of apps, which just so happens now to have downloaded stuff from the cloud.

          My guess is that the author was seeking something that would actively prevent the CBR from reconnecting the device to the Internet. For example, a second password, just on airplane mode.

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 16 Jul 2017 @ 7:06am

          Re: Re: Re:

          To say it can be easily separated is simply not true. For example, my devices show thumbnails of my pictures in the photos app as long as I'm not connected to the Internet, but full resolution photos are forthcoming when connected. So disconnecting from the 'net does nothing to keep anyone from seeing my pictures ( in low resolution format).

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jul 2017 @ 12:00pm

    account info

    Considering most phones/laptops contain social media account info, it's up to Americans to believe the CBP isn't accessing data it's been told to stay away from.

    The story says they can't look at data stored only in the cloud. They have not been told to stay away from social media account info contained in the phone/laptop. If you have Facebook pictures, stored conversations etc., delete them before crossing the border.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jul 2017 @ 12:12pm

      Re: account info

      If you have Facebook pictures, stored conversations etc., delete them before crossing the border.

      You are aware that "delete" doesn't necessarily make some thing go completely away, right?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jul 2017 @ 12:41pm

        Re: Re: account info

        You are aware that "delete" doesn't necessarily make some thing go completely away, right?

        Yeah. That can be fixed with proper cryptography, if the phone vendors want. (Change the key every few megabytes; then copy the data you want to keep, and delete the key to make the "deleted" segment unreadable.)

        The usual case, though, would be a TSA agent using the normal user interface, not hooking it up to some data-dumper.

        reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 14 Jul 2017 @ 12:34pm

      Re: account info

      I think your definition of cloud, my definition of cloud, and law enforcement's definition of cloud may be significantly different.

      For that matter, just what is the definition of cloud? Anything reached remotely? Something stored on a device named cloud? Something stored on a device not named cloud but substantially runs like something others call cloud? My Google email is on the server, not on my device, yet there are snippets of information on my device. Is that part cloud and part not cloud?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jul 2017 @ 1:13pm

        Re: Re: account info

        "Cloud" is a vague marketing term to begin with. As a rule of thumb, if something can be accessed from the phone when it's in a Faraday cage, it's not in the cloud.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 15 Jul 2017 @ 6:59am

        Re: Re: account info

        I think your definition of cloud, my definition of cloud, and law enforcement's definition of cloud may be significantly different.

        I imagine law enforcement would define it a fluffy thing in the sky. No data there!

        reply to this | link to this | view in chronology ]

  • identicon
    Michigander, 14 Jul 2017 @ 3:29pm

    Still a Constitution-Free Zone

    From Security Now! SN-615 https://www.grc.com/securitynow.htm June 6, 2017

    FATHER ROBERT BALLECER:

    PADRE: The last time I came back into the country was just a couple of weeks ago. And I have global entry, so I've got the little card that allows me to go quickly through. But they can still pull you aside for secondary. And so I get pulled aside for secondary, and so they wanted to see my phone......
    ....
    PADRE: And then they're looking through it for a few minutes, and the agent comes back and says, "Do you happen to have Dropbox and OneDrive?" And I'm looking at him going, you're hoping I have the app on my phone so you can go through my personal documents. I mean, that is horrible. That is completely out of control....

    Above taken from page 18+ of the PDF transcript. DL and read for full context.

    I am a US citizen living in Canada. This Anonymous Coward has taken to performing a factory reset on his phone and setting up a shopping Hotmail account only, when crossing the border, then reinstalling regular apps after.

    reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 14 Jul 2017 @ 8:22pm

      Re: Still a Constitution-Free Zone

      With the way more recent iOS patches have been major bloatware, that would probably make the phone run more smoothly and quickly too.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Jul 2017 @ 7:38am

    As if a lack of legal authority has ever been a real obstacle in the way of evidence fishing trips.
    Also agents would do a lot more cavity searches if they could. Gotta justify those funds somehow.
    And if they accidentally do find some sort of contraband it's even better (for them) as they can further justify themselves.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Caution: Copyright
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.