CBP Warrantless Device Searches Continue To Increase And New DHS Guidance Isn't Going To Bring That Number Down
from the visit-a-country-with-zero-rights-without-even-leaving-the-country! dept
The DHS made two significant announcements late last week, both dealing with the CBP’s warrantless searches of electronic devices at the border. The first was a bit of info, showing the exponential increase in device searches in 2016 (jumping from 5,000 in 2015 to 20,000 in 2016) is part of a trend, rather than an anomaly. Searches increased another 59% in 2017, rising to 30,200 total.
The DHS and CBP also released statements justifying the ongoing increase in warrantless searches.
“In this digital age, border searches of electronic devices are essential to enforcing the law at the US border and to protecting the American people,” John Wagner, a deputy executive assistant commissioner at Customs and Border Patrol, said in a statement.
[…]
CBP’s authority for the border search of electronic devices is and will continue to be exercised judiciously, responsibly, and consistent with the public trust,” he added.
These statements are empty and useless. We had just as much of a “digital age” in 2015 and yet searches occurred far less frequently. There seemed to be no less law enforcement happening and no less “secure” as a nation than we are now. In fact, we may have been more secure with fewer searches as we hadn’t yet shifted towards a more antagonistic relationship with the rest of the world, starting with our southern bordering neighbor.
It’s also difficult to square claims of “judicious, responsible” use of device search authority with the exponential leap in number of devices searched and the DHS’s open admission it lacks legal authority for some of the searches its agencies perform.
Accompanying the release of 2017’s search numbers, the DHS released updated guidelines on border device searches. The guidelines roughly align with answers delivered by the DHS to Sen. Ron Wyden in response to questions about its warrantless device searches.
The CBP still has carte blanche access to devices of foreigners entering or leaving the country. Its ability to access devices carried by Americans is only slightly more limited. Anything residing on a device can be accessed by CBP officials without a warrant or even reasonable suspicion. From the CBP’s search guidelines [PDF]:
Border searches of electronic devices may include searches of the information stored on the device when it is presented for inspection or during its detention by CBP for an inbound or outbound border inspection. The border search will include an examination of only the information that is resident upon the device and accessible through the device’s operating system or through other software, tools, or applications. Officers may not intentionally use the device to access information that is solely stored remotely. To avoid retrieving or accessing information stored remotely and not otherwise present on the device, Officers will either request that the traveler disable connectivity to any network by placing the device in airplane mode), or, where warranted by national security, law enforcement, officer safety, or other operational considerations, Officers will themselves disable network connectivity. Officers should also take care to ensure, throughout the course of a border search, that they do not take actions that would make any changes to the contents of the device.
CBP officers can also perform “advanced searches.” These involve imaging device contents and possible access of remote storage. Again, the CBP claims it needs no warrant to perform these searches, only reasonable suspicion. The guidance makes no mention of the Supreme Court’s Riley decision, likely interpreting the decision to apply only to searches incident to arrest, rather than border inspections of “containers” and their “contents” under multiple court-granted warrant exceptions.
Yes, the CBP still equates phones and laptops to suitcases and personal effects. One of the statutes listed in its defense of warrantless access to electronic device contents refers to the CBP’s right to search “persons, baggage, and merchandise” entering or leaving the country.
On top of that, the CBP continues to insist all travelers must unlock or decrypt devices/accounts so contents can be inspected. The CBP says it can use external hardware to crack devices and/or detain locked devices indefinitely if travelers aren’t compliant. None of this requires a warrant. Nor does it even require reasonable suspicion. All the CBP needs to justify these seizures and searches is a traveler’s refusal to hand over passwords or PINs.
Unbelievably, this new guidance is an improvement. Prior to this, the DHS and CBP weren’t even limiting their searches to the low bar of reasonable suspicion. So, while the new guidance is earning limited praise from privacy and rights activists, it’s also gathering plenty of criticism. Ron Wyden, who was instrumental in getting the DHS to concede its social media account searches had no legal basis, offered up a golf clap for the DHS’s new guidance, along with a warning he would continue seeking a legislative end to the “Constitution-free” zone in which the CBP does all of its intrusive work.
“I’ve said it before and I’ll say it again: Americans’ Constitutional rights shouldn’t disappear at the border. By requiring ‘reasonable suspicion’ before conducting forensic searches of Americans’ devices at the border, Customs and Border Protection is beginning to recognize what the Supreme Court has already clearly stated that ‘digital is different.’ It is my view that Americans will be safer when time and resources are spent on searching people with an actual cause…”
“However, there’s more work to do here. Manually examining an individual’s private photos, messages and browsing history is still extremely invasive, and should require a warrant. I continue to believe Americans are entitled to their full Constitutional rights, no matter where they are in the United States. That’s why Senator Paul and I last year introduced the Protecting Data at the Border Act, which would end the legal Bermuda Triangle at the border and require warrants for law enforcement officials to search Americans’ phones and laptops at the border.”
Filed Under: border, cbp, customs, device searches, dhs
Comments on “CBP Warrantless Device Searches Continue To Increase And New DHS Guidance Isn't Going To Bring That Number Down”
“Ron Wyden, who was instrumental in getting the DHS to concede its social media account searches had no legal basis…”
We need more Wydens in politics.
What happens if I just say no regarding unlocking my phone? Can they keep me in jail indefinitely?
Re: Re:
Why not ask the gentlemen still in jail for refusing to unlock their laptops they suspect there is CP on…
Re: Re: Re:
That’s entirely different, but to be honest I have issues with that too.
Re: Re: Re: Refusing to unlock your device.
I suspect CBP and any other US law enforcement agency have ways of making your stay super-uncomfortable if you don’t comply with an open request.
Their methods are very likely to be unconstitutional and inhumane, potentially violating international law regarding the treatment of prisoners, but they’ll totally get away with it anyway. Even if they kill you in the process.
Re: Re: Re:2 Refusing to unlock your device.
[Sad but True]
Re: Re:
You don’t even get to go to jail, where your presence would be logged. You can be kept “in custody” by CBP, where most of the regular detention safeguards enshrined in law are totally sidestepped.
Essentially, if you refuse to cooperate, you can be disappeared by CBP until you agree to cooperate.
But what really gets me about this is that other countries, especially Europe, have laws that get contravened by allowing a third party unfettered access to a device storing corporate material. So if I’m carrying a company phone and CBP orders me to unlock it so they can search/image the contents, if I refuse, they can hold me in custody. If I don’t refuse, on return to the EU I can be arrested/sued/fired for revealing third party information.
I’m actually in a situation now where it’s safer to take my personal phone containing business apps secured with business passwords (MS’s suite for example), than it is to take a dedicated business phone/laptop to the US.
Re: Re: Re:
And as a foreigner, you have no right to a lawyer.
Even if you fully cooperate, if you didn’t tell them what they want to hear they can ship you to a third country to be tortured until you "confess." At least that’s what the old INS could (and did) do before the CBP inherited their duties.
Re: Re: Re:
Solution is simple. You don’t go to the U.S. Getting disappeared and tortured is a personal risk nobody can ask of you. If the Americans want to do business with the rest of the world, they can go there instead. They already have a trade deficit they cannot really allow to grow any larger.
Re: Re:
What happens? They take your phone and you never see it again.
It’s not robbery, despite them having guns, you not being given a choice, and the law being clear that they can’t steal your property, because reasons.
Of course, if you do agree to give them access, you’ve violated the Computer Fraud and Abuse Act by violating the terms of service of various apps that say you can’t share passwords, and the CBP has you on camera committing that felony.
Re: Re: Re:
Of course, I can connect my devices to my home VPN network, before giving them access, so services will only see that I connected through my home machine, and will have no idea I connected from any CBP network.
Then all I will have to do when I get home is wipe out any evidence what I did. Completely wipe all of my devices, and the server for my home network, and destroy any evidence that can be used against me for violating the CFAA.
All I will have to do is totally the hard disk on my main server, and just simply reinstall Windows and all my programs.
No evidence = NO CASE
"Empty and useless"?
That is not an empty and useless statement. It is false. The correct statement would be
There are absolutely no laws enforced by searching people’s devices. It doesn’t even significantly contribute to the CBP doing its job of protecting the borders since of course criminals would not be storing useful information on searchable devices.
There are a number of laws violated by the search and/or detention of personal assets without reasonable suspicion or warrant.
Q: What in the actual hell do they think they are going to find?
Do they think there is an image that can be used to overthrow the entire country?
Do they think terrorists are as stupid as the NSA and will leave their tools exposed where they can be found?
Do they think they will discover texts outlining exactly how they will kill all the white devils?
A: They expect to find very little.
They want to gather more haystacks & remind everyone that they are protecting us from all of them evil foriegn people.
It makes people consider if the trip here is worth the effort, which means some events will move well outside of the US.
This is big brother watching you & everyone you know, hoping to match a name to a terrorism watch list… despite the fact they are so stupid they terror review & deny boarding to children under 5, because their name is on the list. Unless 5 yr olds are way more advanced, there is no reason to subject a baby & parents to the CBP/TSA fondling & invasive questioning because the CHILD has the same name as a terrorist.
Terrorists don’t have unique names & lets not point out that for a not terribly huge amount of money you can get passports from various nations who will put whatever name you want on them.
This is stupid.
This is invasive & there is no evidence its stopped anything. They tell us they can’t tell us because the terrorists might figure out how to bypass it… You mean like back it up into the cloud with a password & then wipe the machine & restore it once they get past the feds?
This is more of the, well we poured 100 million into this program already, rather than admit it doesn’t work as we thought, lets dump another 100 million into it & see what happens. Sometimes admitting it was a bad idea & taking a new direction isn’t a bad thing.
Re: Re:
Politicians back these programs because they think it looks good when trying to get reelected. If they voted to kill these programs they would be lambasted in attack ads during the election cycle for being “soft on terrorism”.
Despite their utter uselessness these programs have to do something to “justify” their existence as an organization. The more they can appear in the news the better for them, good or bad. All this security theater is little more than “Look! We’re working hard to keep you safe!” Nevermind that you’ve sacrificed liberty for that.
Re: Re: Politicians back these types of laws because of re-election aspirations
Another reason to limit all elected politicians to one term, with no exceptions.
Also, require a means test to run, and to comprehend laws and ramifications thereof.
Re: Re: Re: Politicians back these types of laws because of re-election aspirations
Eh, while I can see where you’re coming from I disagree. We’ve already got problems with elected members not knowing House procedures, etc. It does no harm to have a bit of continuity and I’d hate to deny a constituency a decent public servant just because so many others have their snouts in the proverbial trough.
What we really need is to be more willing to hold our Critters to account at town hall meetings, etc. If they don’t fear us, they won’t work for us, they’ll work for their donors.
Re: Re: "Soft on terrorism"
So much like tough on crime which really means tough on poor people and marginalized groups…
…hard on terrorism really means dismissive on constitutional rights.
Got it.
Re: Re:
Careful there. There have been recent terrorist incidents where US politicians tried to paint encryption as a terrorist tool. It’s later shown that the terrorists didn’t have anything of value on their phones, or were coordinating using ordinary unencrypted SMS messages.
Plus it seems likely that American intelligence agencies have a different goal: Rather than just a database of everyone’s identities, they want a database of who knows and communicates with who. By vacuuming up everyone’s email and social media contact lists, they can build a database of connections.
After a terrorist incident or anti-corporate protest, they can check for connections between the those responsible and anyone else. And put everyone one, two or three steps out on the no-fly list.
Re: Re: Re:
They should just hack Facebook then.
Facebook has linked children adopted by different families, kids of parents who cheated & had kids out of wedlock, and a bunch of other not clear links between people.
https://gizmodo.com/how-facebook-figures-out-everyone-youve-ever-met-1819822691
https://gizmodo.com/keep-track-of-who-facebook-thinks-you-know-with-this-ni-1819422352
Kash Hill has many of these stories & people don’t stop & think about it but there is tons of data being given to them willingly without your consent that lets them build your shadow profile. Its not 6 degrees of separation its 3.5, the problem being even if its only 3 hops between you and a terrorist it doesn’t prove you are a terrorist, but gets you investigated even harder until they are satisfied you aren’t a threat… which might happen in 2045 or with your death.
Re: Re:
“They want to gather more haystacks & remind everyone that they are protecting us from all of them evil foriegn people.”
‘If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy.’
~James Madison
Re: Re: Re:
I’ll refine this to “they want to gather more haystacks and remind everyone that they are protecting us all from those evil needles.”
Introduce hard limits, and what happens next is predictable:
The US has agreements with other countries so that when an American shows his passport to enter a third country, the US is notified. That way an American can’t visit Cuba via Canada without the US knowing.
If the US can’t image Americans’ cell phones when they re-enter the country, they’ll demand that other countries image them – and send the contents to American authorities – when Americans arrive.
Americans will be the foreigners, so they won’t have any more right to refuse than foreigners showing up at American borders.
Re: Re:
As far as visiting Cuba, I did hear one one way that Americans keep their visits from being known. I heard some years ago, that slip “Benjamin” in your passport, the Mexican authorities will neither stamp your passport, nor send any record of it to the US government.
And slipping a $100 bill in your passport before handing it to Mexican auhorities does not break any American laws. It would break Mexican law, if Mexico ever decides to crack down on that, but you cannot be prosecuted in the United States for doing that.
Re: Re:
If you are dual national, because of where one, or both, of your parents were born, you just your other passport when going through Customs in other countries. That way your visit will never be recorded and sent to the US Government.
There are a lot of Canada/USA dual nationals, because of this a Canadian/USA dual national could transit Canada via Cuba and enter/depart Cuba using their Canadian passports, and Canada would not be required to send that information along to the United States, as long as they used the Canadian passports to transit Canada and enter/depart Cuba.
Re: Re:
Not a problem, just wipe your phone and reinstall before you leave the country, problem solved
“Officers may not intentionally use the device to access information that is solely stored remotely.”
… and then later …
“officers can also perform “advanced searches.” These involve imaging device contents and possible access of remote storage.”
Which contradicts the former statement.
So – all searches will be considered advanced searches. Their double speak does nothing but make them look bad.
What happens when people learn to dual boot their phones to a clean OS?
I’m starting to think this is being primarily used to deter citizens from leaving the country be it for family or business. Slurping up everyone’s data is just a bonus.
Police State anyone?
Re: Re:
Thanks for the offer, but I think I had enough.
Why not just store to the cloud and wipe the phone before crossing the border?
Re: Re:
That is why I say. Since I like to take road trips all over North America, by car, I always wipe my phones and laptops, and reinstall the operating systems, and all my programs, before crossing the border into either Canada, or the United States.
I do this because you can have illegal stuff on your devices and not know it. Malware and the like can download illegal stuff, and people have been burned for this. So wiping and reisntalling all my programs is how I do it.
As far as outbound searches go, you can avoid those, for now, using I-5 going into Mexico, becuase CBP does not currently have any facilities for stopping outbound travellers going southbound into Mexico on I-5.
And as far as connectivity, I never auto-save the password for the VPN on my home network, so that if my laptops or cell phones are imaged, they cannot accessing my home network, since the password would not be saved.
So the best idea is to make sure none your passwords are saved, so they cannot access anything remotely. Having to type in your password every time can be a pain and the ass, but it can also keep CBP from being able to access your home or office VPN.
What about cell phones that are broken? I dropped my phone sometime back, and the ability to connect to a comptuer to transfer data got broke.
I can use the phone, though the screen is cracked, and I can charge it, but I cannot connect to transfer data.
I wonder how CBP would react with this if I ever took my phone across the border, if they could not image anything becuase that part of the phone is broken. Even if they seized the phone, I don’t they would be able to extract anything if USB data transfer is broken.
Considering how the screen got cracked, I am amazed the phone still works. I can still make calls, and can still charge, but I cannot transfer data, I could see that as a problem if I ever travelled with it out of the country.
If ” Officers may not intentionally use the device to access information that is solely stored remotely.” and “all travelers must unlock or decrypt devices/accounts” – account based access is mostly solely stored remotely, if they’re asking for online accounts to be unlocked they’re intentionally accessing information that is solely stored remotely.
Re: Re:
Like I said, if you are going to countries where they insist you unlock online accounts, have your own home VPN set up and connect to to that, before giving them access, so IP of your home network shows up in their logs, instead of the IP range of whatever Customs service is inspecting you.
Then you use a secure wiping program, when you get home, to wipe any evidence that might be used against you in a prosecution from your devices, and from the server hosting you private VPN.
If their forensics cannot recover evidence against you, they will not build a case against you. Problem solved