By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently researching a book about textile artisans. She also writes regularly about legal, political economy, and regulatory topics for various consulting clients and publications, as well as scribbles occasional travel pieces for The National.
NBC News reported last week that Customs and Border Protection (CBP) concedes it lacks authority to access data stored only on the cloud when its agents examine the electronic devices of US citizens crossing the border.
The NBC news report, Border Patrol Says It’s Barred From Searching Cloud Data on Phones, was based on a CBP Letter, dated June 20, sent in response to written questions posed to CBP acting commissioner Kevin McAleenan by Senator Ron Wyden. Last April, Wyden and Senator Ron Paul introduced the Protecting Data at the Border Act that require border officials get a warrant based on probable cause before they could to search or seize cellphones at the border.
McAleenan provided the answers in advance of his confirmation hearing, according to this article in The Verge, US Customs says it can’t search cloud data at the border.
The money quote from the CBP letter:
CBP’s authority to conduct border searches extends to all merchandise entering or departing the United States, including information that is physically resident on an electronic device transported by an international traveler. Therefore, border searches conducted by CBP do not extend to information that is located solely on remote servers. I appreciate the opportunity to offer that clarification(CBP Letter, question 1b, p. 3).
The letter added:
In conducting a border search, CBP does not access information found only on remote servers through an electronic device presented for examination, regardless of whether those servers are located abroad or domestically. Instead, border searches of electronic devices apply to information that is physically resident on the device during a CBP inspection (CBP Letter, question 1c, p. 3).
And it further elaborated that border officers were recently reminded of this policy in April:
As explained in greater detail above, CBP border searches extend to the information that is physically resident on the device, and does not extend to information that is solely located on emote servers (known as solely “in the cloud”). In fact, with my concurrence, CBP’s Office of Field Operations issued a nationwide muster in April 2017 reminding its officers of this precise aspect of CBP’s border search policy (CBP Letter, question 4, p. 4).
Now, the first problem I have with this statement is well-summarised by this article in Ars Technica, US border agents: We won’t search data “located solely on remote servers:
The phrase “located solely on remote servers” seems like it’s a step toward privacy, but it’s unclear what the statement would mean in practice. After all, many modern apps—notably social media, e-mail, or messaging apps—keep data on remote servers, but a smartphone often also keeps a local copy of the message or relevant data. Plus, if the phone is on and not otherwise in airplane mode, it’s likely going to be able to connect to the Internet and automatically pull the latest data.
To guard (imperfectly and somewhat) against this, as the Ars Technica account makes clear, the American Civil Liberties Union warns people crossing the US border to put their phones into airplane mode.
Constitutional Status of the US Border
But there’s an even bigger border risk with the CBP policy that travellers should consider. Now, the border isn’t a Constitution-free zone– at least for US citizens– no matter what border officials might like you to believe.
While The Fourth Amendment to the US Constitution-– which in theory protects against “unreasonable searches and seizures”– does apply at the border, it is subject to a loose,imperfectly defined border exception, developed via Supreme Court cases (and also further complicated by statutes).
Allow me to quote from Chief Justice William Rehnquist’s opinion in the 1985 case of United States v. Montoya:
Consistently, therefore, with Congress’ power to protect the Nation by stopping and examining persons entering this country, the Fourth Amendment’s balance of reasonableness is qualitatively different at the international border than in the interior. Routine searches of the persons and effects of entrants are not subject to any requirement of reasonable suspicion, probable cause, or warrant, and first-class mail may be opened without a warrant on less than probable cause (citations omitted).
The key question is: What constitutes a “routine search”? The Electronic Frontier Foundation (EFF) has examined this question in detail in Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud and concluded:
In sum, the border search exception provides that “routine” searches at the border do not require a warrant or any individualized suspicion that the thing to be searched contains evidence of illegal activity (emphasis in original; citations omitted).
Thus far, the US Supreme Court has yet to consider the issue of whether CBP examination of a traveler’s electronic device qualifies as a “routine search”.
What happens if the CBP decides to search your device? Again quoting from the CBP letter:
In the exceedingly rare instances when CBP seeks to conduct a border search of information in an electronic device– which affects less than one-hundredth of one percent of travellers arriving to the United States– CBP will never prevent a U.S. citizen from entering the United States because of a need to inspect that traveler’s device. Therefore, although CBP may detain an arriving traveler’s electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is a confirmed U.S. citizen from entering the country because of a need to conduct that additional examination (CBP Letter, question 1a, pp. 2-3)
Let’s assume the CBP has decided to detain your device for further examination. Are you obliged to make it easy for them to search that device: by, for example, turning over your passwords or pass codes, or disabling the fingerprint sensor. On this question, allow me to turn to this report by the CATO Institute, CBP Dodges Sen. Wyden’s Electronic Searches Question, on the CBP Letter:
Many electronic devices are locked with either a passcode or a fingerprint sensor. Sen. Wyden explicitly asked whether CBP officers are obliged to inform travelers that they are not required to disclose social media account passwords or passcodes to unlock electronic devices.
The CATO account concludes “McAleenan dodges the question entirely”– and goes on to quote extensively from the CBP Letter (CBP Letter, question 3, pp. 3-4). I would add that in question 2 of the same letter, the CBP also dodged the related question of “[w]hat statutory authorities allow CBP to request or demand that a U.S. person provide his or her US personal electronic device PIN or password” (CBP Letter, question 2, p. 3). [Jerri-Lynn here: In the interest of keeping this post to a manageable length, I’ve not quoted the full sections from the letter here, but interested readers can easily examine them themselves.]
So, the bottom line here, at least for U.S. citizens, is that border officials cannot look at anything that may be found exclusively on the cloud. But they are allowed to search your electronic device for any information contained on that device– until Congress passes new legislation or further court decisions on this issue. US citizens can refuse to allow CBP agents to look at their devices, and to turn over the passwords for their electronic devices. To do so won’t bar their entry into the United States (although I imagine it would still subject them to significant hassles).
Border officials, however can detain their devices– and once out of a person’s control, the full force of the feds can be brought to bear to romp through one’s data. The CBP’s concession appears to mean that such romping wouldn’t extend to information remotely held. Yet even if the feds were to provide such an assurance, would you trust them? Particularly once you’ve surrendered your device to their tender mercies. (See, for example, this Ars Technica piece– which suggests my scepticism is amply justified: Man: Border agents threatened to “be dicks,” take my phone if I didn’t unlock it).
The NBC report drily notes:
Homeland Security has published numerous documents (PDF) detailing what it touts as its progress in decoding password and PIN protection on most devices.
Senator Wyden’s Response
It appears that Senator Wyden wasn’t gulled by the CBP response– and I expect we’ll hear more from him on this topic during McAleenan’s confirmation hearings (or at least, I certainly hope so). Ars Technica noted:
In a statement sent to [Ars Technica], Sen. Wyden expressed dissatisfaction about the agency’s response.
“It flies in the face of Americans’ expectations of Constitutional protections for Customs to conduct warrantless, suspicionless searches of Americans’ devices at the border,” he wrote. “That’s why I wrote the Protecting Data at the Border Act. I appreciate Mr. McAleenan provided substantive responses to my questions, particularly when it comes to limits on searching data stored in the cloud.”
“However, it’s critical that CBP revise its policies immediately while Congress works to enact my law,” Wyden continued. “CBP should take four steps right now: First, start tracking the number of Americans searched and type of device searched; Second, amend its policies to require reasonable suspicion prior to search; Third, fully inform Americans of their rights and CBP’s authorities before searching or requesting assistance to search a device; and finally, continue to educate officers as to the fact that they cannot search any cloud information at the border.”
What About Non-Citizens?
Sorry, you’re out of luck.
CNP data show that social media searches at the border rose sharply even before Trump was inaugurated, “tripling from October 2015 to October 2016 and rising slightly again by last March”, according to the NBC report cited above.
As The Verge article quoted above notes:
Social media searches have grown more aggressive under the Trump administration, as border agents seek more information about travelers’ online activities. Even visa-holding non-citizens can be denied entry to the US if agents perceive them as a threat, so travelers are often willing to hand over passwords rather than be turned away at the border.
Further, such scrutiny has been ramped up and is only expected to intensify, as Indeed, Fortune reports, New Social Media Screening for U.S. Visitors Goes Into Effect:
The Trump Administration, which vowed to implement “extreme vetting” at the borders, has implemented part of a controversial plan requiring some U.S. visa applicants to disclose their social media history before entering the country.
The plan, which requires applicants to disclose user names for social media platforms they’ve used in the past five years, was approved by the Office of Management and Budget on May 23 and is now in effect.
Plans are in place to expand such measures further, again according to Fortune:
The Department of Homeland Security began asking visitors for social media information—including Facebook and LinkedIn accounts—on a voluntary basis last year, and the Trump Administration has since moved aggressively to expand the vetting tactic. Homeland Security officials in April said they intend to expand the social media screening to citizens of close U.S. allies, including Britain and Australia, and to instruct more visitors to share their contact lists and other information from their phones.
Implementing such additional measures, I would imagine, will only serve further to depress US tourism figures.
Our IP Address: