Report: CBP's Border Device Search Program Is An Undersupervised Catastrophe

from the scattershot-security dept

The CBP is searching more devices than ever and ramping up an "extreme vetting" program that includes biometric scans, demands for social media account passwords, and more intrusive searches across the board. As the number of device searches continues to increase, the agency's technical chops and and internal oversight aren't keeping pace.

That's according to recently-released Inspector General's report [PDF], which finds little to like about the CBP's search processes and policies, other than they occasionally manage to catch criminals attempting to enter the US. The CBP's Office of Field Operations is supposed to be taking charge of device searches, ensuring they're done effectively and intelligently. So far, it appears the OFO has taken a hands-off approach to management, resulting in bad practices and worse security.

[B]ecause of inadequate supervision to ensure OFO officers properly documented searches, OFO cannot maintain accurate quantitative data or identify and address performance problems related to these searches. In addition, OFO officers did not consistently disconnect electronic devices, specifically cell phones, from networks before searching them because headquarters provided inconsistent guidance to the ports of entry on disabling data connections on electronic devices. OFO also did not adequately manage technology to effectively support search operations and ensure the security of data.

Here's the kicker: the OFO is so laid back it still hasn't begun to address a problem raised by the Inspector General more than a decade ago.

Finally, OFO has not yet developed performance measures to evaluate the effectiveness of a pilot program, begun in 2007, to conduct advanced searches, including copying electronic data from searched devices to law enforcement databases.

Considering the pace of technology development, the OFO has managed to put the CBP more than a decade behind. Playing catch up now will probably bring them to five years behind schedule sometime within the next couple of years and ahead of the office's baseline expectations sometime around never.

These device searches can be intrusive. In some cases, devices are held for months as the agency performs forensic searches and analyzes the data. These intrusions need to be justified, but the IG found CBP officers can hardly be bothered to do the paperwork.

We reviewed 194 EMRs [Electronic Media Reports] and identified 130 (67 percent) that featured one or more problems, which totaled 147 overall.

The DHS's own search policies say device searches will be limited to data at rest, unless a deeper search can be justified. The OIG says none of the 154 EMRs compiled before the DHS reiterated this rule in April 2017 contained any evidence data connections were disabled before searches were performed.

This lack of care undercuts one of the arguments the DOJ offered when fighting against a warrant requirement for phone searches: that criminals could destroy evidence on a seized device using remotely-triggered software. The CBP either doesn't think this is a possibility or it sincerely doesn't care if it's jeopardizing its own searches. Either way, it does nothing to give the government's overdramatic assertions any more credibility.

The list of bad news goes on and on. The CBP failed to renew licenses for forensic software, resulting in the inability to perform advanced searches for period of months. It also ignored retention policies, allowing data copied from people's devices to sit around on external storage devices indefinitely. As the OIG points out, this isn't just a policy violation. It's also a security issue. Agents could peruse communications and data they have no business looking at and the theft of a storage device could result in unauthorized disclosures of travelers' data.

If there's a silver lining, it's that the CBP concurs with the IG's determination that it sucks. There's been no pushback from the agency -- only vows to make the needed improvements. But that's tempered by the fact the CBP still hasn't begun to address issues raised by the OIG in 2007. These recommendations will likely put the agency even further behind the technological curve, raising the chance of criminals and terrorists escaping detention and increasing the risks posed to travelers that their data might be abused by the CBP, or worse, some rando who happens to walk off with an unguarded USB stick.

Filed Under: 4th amendment, border search, dbp, device search, ofo, search


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • icon
    That Anonymous Coward (profile), 17 Dec 2018 @ 6:36am

    But but but TERRORISTS!!!!!!!!!!!

    Or as is coming to light, the government seems to like to have vast troves of information about citizens that they can troll at their leisure to 'encourage' people to cooperate.

    See also: What was the first date the feds had info on Aaron Swartz, nope it was years before that.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 7:59am

      Re: TERRORISTS!!!!!!!!!!!

      This started long before Bin Laden suddenly made 'terrorism' a household word. Americans who went to the middle east after the 1991 war to rebuild damaged facilities were warned that when coming back into the country, they would be searched for pirated software. This was back in the days when getting bootleg software meant having to personally know someone ... or buying it in Middle East countries where bootleg software was sold openly for little more than the cost of the blank disks. One thing that was never explained of course, was how Customs authorities could tell the difference between legally licenced and pirate software, either as disk backups or installed on a computer. But regardless, the threat worked, and most people were too scared to play that sort of Russian Roulette.

      reply to this | link to this | view in chronology ]

      • icon
        Bamboo Harvester (profile), 17 Dec 2018 @ 8:23am

        Re: Re: TERRORISTS!!!!!!!!!!!

        I remember when seeing "terrorist" or "bomb" in the papers meant another mailbox explosion in Belfast...

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Dec 2018 @ 9:10am

          Re: Re: Re: TERRORISTS!!!!!!!!!!!

          AS well as mailboxes, trashcans were also common targets for IRA bombs (a fact the TSA inexplicably chooses to ignore).

          reply to this | link to this | view in chronology ]

      • icon
        That Anonymous Coward (profile), 17 Dec 2018 @ 11:00pm

        Re: Re: TERRORISTS!!!!!!!!!!!

        Yeah I remember the wide spread infections across the 'secure' networks as the troops looked for entertainment & Hollywood couldn't figure out a way to get them first run (or 3rd run films) because they were so panicked that someone worrying about being shot or a bomb would totally put the movie online to own them... on a sat link... with an upload speed that makes the 56k Modem look hella modern.

        So there were drives being traded and cycled around, but ZOMG PIRACY BAD!!!!!! kept anyone from scanning them for virii so systems kept getting reinfected over and over and over.

        But hey we totally protected Hollywood from the evil boogeymen and it only cost us our liberty and security... that was a fair trade off wasn't it? Just because you leg got blown off doesn't mean we should have human compassion & put every first run movie at your finger tips to remind you people back home care... we might lose a dollar.

        reply to this | link to this | view in chronology ]

  • identicon
    Shawn, 17 Dec 2018 @ 6:38am

    I’m not surprised

    Given that nobody in charge appears to want to hold anyone under their command accountable for anything. At least not until the main stream press starts hammering them over the head with questions about why they are unable to do the job they are paid to do.

    And this has been going on for years. It’s not just a Trump or Obama problem. We are talking about a government that was unsuccessful at running a brothel in Nevada.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 6:45am

      Re: I’m not surprised

      Almost as if our entire government has become unwieldy and no longer works to better the people of this country. Makes me want to take up the Cherokee cause and sue the government for trillions in recompense.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Dec 2018 @ 7:50am

        Re: Re: I’m not surprised

        "no longer works to better the people of this country"

        As if it ever did. History shows an almost complete lack of concern for the less fortunate from our and other governments.

        reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 17 Dec 2018 @ 7:23am

      Re: I’m not surprised

      Just because the IRS is used to fucking people over doesn't mean they should know how to run a brothel. One is for profit, and the other is merely for profit.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 7:47am

      Re: I’m not surprised

      "And this has been going on for years. It’s not just a Trump or Obama problem."

      Yup, and I wish more people understood this.

      It is a human problem and all society everywhere has these same problems. Some try to work out methods of mitigating the issues that arise while others sweep it under a rug and hope no one notices because they are too lazy or something, maybe they are on drugs.

      reply to this | link to this | view in chronology ]

    • icon
      That Anonymous Coward (profile), 17 Dec 2018 @ 11:02pm

      Re: I’m not surprised

      They couldn't figure out how citizens wouldn't want there to be government records of their vists & selections.
      Then you look at Congress & totally understand why they thought people would still turn out in droves.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Dec 2018 @ 7:36am

    Get a USB Kill device.

    If a large percentage of travelers had an unmarked USB Kill device, perhaps CBP would be more selective in what they scan. Just be sure to tell 'em "Don't put that in your reader." when they confiscate it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 8:10am

      Re: Get a USB Kill device.

      I'm sure they'd find some interpretation of the CFAA that would allow them to arrest you for possessing it.

      reply to this | link to this | view in chronology ]

    • icon
      Bamboo Harvester (profile), 17 Dec 2018 @ 8:28am

      Re: Get a USB Kill device.

      Considering that for FREE, I have full backup of my cellphone, why not just NOT carry one across the border? Pick up a cheap one on the other side and just let it update?

      Seriously.

      If I want to transport something and I know I'll have problems if I carry it, I SHIP it instead.

      Yeah, I'd be "in the right" to argue with customs or whoever if I decided to travel with the item(s), but I'm not nearly masochistic enough to want to waste hours and probably have the item(s) confiscated anyway, then have a court battle to get them back (when they've probably already been stolen and sold on ebay....).

      reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    T Usual, 17 Dec 2018 @ 7:54am

    Similarly, some at borders have to open their baggage!

    Yes, it's difficult to believe, but uber-authoritarians in every country on the planet insist on some power to search the baggage and even bodies of persons.

    We must do away with all nations and borders. The recent UN pact will enforce that and unlimited immigration too.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 8:01am

      Re: Similarly, some at borders have to open their baggage!

      How is a computer, cell phone or usb storage the same thing as a suitcase?

      But Mom! ... everyone else is doing it!!!

      Everything or nothing arguments rarely have a leg to stand upon.

      reply to this | link to this | view in chronology ]

      • This comment has been flagged by the community. Click here to show it
        identicon
        T Usual, 17 Dec 2018 @ 8:13am

        Re: Re: Similarly, some at borders have to open their baggage!

        How is a computer, cell phone or usb storage the same thing as a suitcase?

        All may contain contraband. All may legally be examined and seized by any country.

        It's amazing that you comment twice without knowing the most elementary facts of the topic.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Dec 2018 @ 9:00am

          Re: Re: Re: Similarly, some at borders have to open their baggag

          Please educate us poor minions with your vast knowledge oh great sage of the brainiacs.

          I realize that human activities are not necessarily logical in most all countries however the fact that something is done, whether officially allowed or not, is not in itself indicative of whether said practice makes any sense.

          Your childish argument proclaiming the practice to be commonly accepted everywhere and therefore we should also ... is a bit lacking in the supporting evidence area. I have read the specious arguments in favor and did not find any compelling reasons for violating the forth amendment.

          What other elementary facts do I not understand? Will there be a test?

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Dec 2018 @ 9:42am

          Re: Re: Re: Similarly, some at borders have to open their baggag

          Internet packets may contain contraband. Luckily, the CBP is not yet seizing packets for months-long investigations as they cross the border. But that makes it ridiculous that they're inspecting devices that physically move across; those make up a tiny portion of international data transfer. I don't recall hearing about them ever having found anything either; the airport guys brag about their confiscated toothpaste, knitting needles, and water (while simulated bombs are getting through), but we've never caught anyone trying to import data they shouldn't?

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Dec 2018 @ 5:17pm

          Re: Re: Re: Similarly, some at borders have to open their baggag

          out_of_the_blue just hates it when due process is enforced.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Dec 2018 @ 8:51am

    tell me what USA 'security services' is NOT an 'Unsupervised Catastrophe'!they all have the same opinion, that they can do whatever the hell they want, to whoever the hell they want for whatever reason (NONE) they want and have no action taken against them! any persons monies or equipment involved can be taken and NOT given back unless a hell of a fight is put up by the owner(s) ensuring that these 'public servants' get unlimited gifts, for free, all year round!!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 9:03am

      Re:

      I would like to witness one of these self righteous idiots be given the treatment by their border troll comrades.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Dec 2018 @ 11:40am

    How do they decide what devices to do a data dump on?
    I recently traveled from US to Canada and back with 3 others carrying probably 3 devices each.

    No one got out of the car, no on asked for devices, just - have a nice day.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Dec 2018 @ 12:03pm

      Re:

      It's completely random. On a trip across the border a bunch of years ago my then-wife and I were pulled over and searched, complete with dogs and mirrors to look under the car. It was a newer car in good shape and we were both clean and well groomed. We sat in that office for over 3 hours while they "did their thing".

      Of course nothing was found and we were sent on our way. I chalked it up as terror theater (not security theater, the random nature of the stops does nothing but incite fear in all travelers, precisely the goal of terror organizations).

      reply to this | link to this | view in chronology ]

      • icon
        Thad (profile), 17 Dec 2018 @ 12:13pm

        Re: Re:

        It's completely random.

        I doubt it's completely random. I think the statistics probably show that some ethnicities are likelier to have their devices dumped than others.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Dec 2018 @ 4:04pm

          Re: Re: Re:

          Yup.

          Their self fulfilling prophesy about where all the crime is being committed is proven because they only look where they say they will find it.

          reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 17 Dec 2018 @ 11:58am

    In these 10+ years....

    Of smart phones and data..

    WHAT HAVE THEY FOUND??
    What Have they stopped?

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 17 Dec 2018 @ 1:37pm

    "We'll get right on that... eventually... probably..."

    If there's a silver lining, it's that the CBP concurs with the IG's determination that it sucks. There's been no pushback from the agency -- only vows to make the needed improvements.

    Saying 'we'll get better, promise' is utterly meaningless since there's no time-table and no-one interested in actually holding them to it. It costs them nothing to say that they'll do it if they never actually follow through, and given the line immediately after that...

    But that's tempered by the fact the CBP still hasn't begun to address issues raised by the OIG in 2007.

    ... I'd say their interest in actually doing something about the plethora of flaws plaguing the agency is in the 'zero to none' range.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.