Borderline Unreasonable Electronic Device Searches - Security Boulevard

Borderline Unreasonable Electronic Device Searches

It has long been the law that searches – of one’s person, places, houses and effects – without probable cause and a warrant are presumptively unreasonable. Moreover, searches of electronic devices, which contain massive amounts of intimate personal information, must be narrowly tailored to achieve a lawful governmental objective. Right? Not so much.

On Feb. 9, the United States Court of Appeals for the First Circuit in Boston ruled that law enforcement officials could seize and search – in intimate detail and without a warrant – the electronic devices of any individual who crosses an international border. Indeed, the court ruled, they can search such devices, at least initially, without any suspicion at all.

The law has long recognized that Customs and Border agents have greater rights to perform warrantless searches of individuals at the border due to their legal obligations to prevent contraband from entering the country. Thus, they can rummage through your bags at the airport looking for suspicious fruit, or check the contents of your trunk for the “good” Molson beer. The law has also recognized a distinction in border searches between “ordinary” searches, for which neither probable cause nor suspicion is required (checking your dirty laundry), and more detailed and “probing” searches (bend over and cough) for which some degree of suspicion is required. Traditionally, however, a judicial warrant has not been required when a customs official has probable cause to believe that a person is bringing contraband into the country, and they are searching someone or something crossing the border for that purpose.

The question for the federal court in Boston was whether searches of electronic devices are, in any meaningful way, different from searches of cars, luggage or people. In another case involving an exception to the requirement that police obtain warrants to search, the U.S. Supreme Court noted that searches of electronic devices were different. In Riley v. California, the court considered whether police could search a cell phone they seized after arresting someone (called a search incident to a lawful arrest) in the same way that they could, for example, search an address book in an arrestee’s pocket, or rummage through an arrestee’s clothes for weapons or blood/DNA. The Riley court found that electronic devices like cell phones were fundamentally different. 

The Riley court noted: The United States asserts that a search of all data stored on a cell phone is “materially indistinguishable” from searches of these sorts of physical items. That is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together. Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.

The court went on to explain the differences between mass storage devices like cell phones and “ordinary” things. The court noted that the sheer volume of data on the devices, coupled with the ubiquitous nature of the devices, create privacy interests that simply don’t exist with other kinds of searches. More importantly, electronic devices are likely to have much more intimate information on them — the bulk of which has nothing whatsoever to do with whatever exception to the warrant requirement would permit some limited search. The Riley court noted:

Although the data stored on a cell phone is distinguished from physical records by quantity alone, certain types of data are also qualitatively different. An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns — perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building. See United States v. Jones, 565 U.S. ___, ___, 132 S.Ct. 945, 955, 181 L.Ed.2d 911 (2012) (SOTOMAYOR, J., concurring) (“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”).

Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life.

With these principles in mind, the Boston federal court considered whether border agents could (1) search electronic devices without probable cause or suspicion or a warrant; and (2) whether, once they established some suspicion that something relevant was on the device, they could seize the device and send it off for the entire contents of the device to be imaged, analyzed, and disseminated to any and all law enforcement agencies or other government agencies without limitation and without judicial approval.

Under Customs and Border Patrol policies, agents may subject people and objects to either “basic” or “advanced” searches. For an “advanced” search, the agent needs to have both approval of a supervisor and “reasonable suspicion” of activity that violates the criminal statutes administered by CPB. However, even that “limitation” is illusory, since, for example, U.S. law prohibits the importation of materials that infringe copyright laws — so the existence of a downloaded song or video may create “suspicion” that the download was in violation of the copyright holder’s license (worth looking into at least), and provide the justification for an “advanced” search.

The first thing to note is that the “border” is not what you think it is. You think of the border as being the bridge or road between the U.S. and Canada or the U.S. and Mexico where there’s a Border Patrol station, a line of cars, and “permission” to enter. Alternatively, it’s the place in the airport where, after a long and exhausting trans-Atlantic or trans-Pacific flight, you drag your luggage to a station for inspection. The law treats the border as any place that’s within 200 miles of those locations — in essence, where more than 90% of people live or work.

The Boston federal court begins with the established precedent that “the expectation of privacy [is] less at the border than in the interior . . . [and] the Fourth Amendment balance between the interests of the Government and the privacy right of the individual is also struck much more favorably to the Government at the border.” Except that this “holding” is a tautology. The government may search you at the border because you have a lowered expectation of privacy at the border. Why do you have a lower expectation of privacy at the border? Because you know that the government may search you there. The second part of the holding — that the government has a legitimate interest in enforcing customs laws at the border, and that this interest can best be served by permitting some degree of search without a warrant or probable cause is probably a better way of looking at the issue. Under Fourth Amendment parlance, the border search is “reasonable” in light of the “legitimate” government interest in performing it. That, of course has to be balanced against the degree of intrusiveness of the search.

As noted, there are two possible searches – the “basic” search, which requires no suspicion and the “advanced” search which requires a supervisor’s approval. However, both basic and advanced searches are unlimited in their scope and degree of intrusiveness. In a basic search, agents may – without any suspicion whatsoever – examine and record every file, document, message, browser history, third party application, location information and data on the electronic device without limitation. They may share the contents of these files with any other agency or department for any purpose whatsoever. They may share them with foreign law enforcement, intelligence or regulatory agencies at will. In fact, they can use the “border search” as a pretext for gathering information in any other kind of investigation — criminal or not. The only legal distinction between a “basic” search, which requires no suspicion whatsoever, and an “advanced” search, which requires supervisory approval, is that an “advanced” search is “any search in which an Officer connects external equipment, through a wired or wireless connection, to an electronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.” As long as no “external equipment” is “connected” to the device for the purpose of reviewing or copying the data, it’s a “basic” search, no matter how extensive, invasive or long the search takes.

The Boston court then goes on to note that “given the volume of travelers passing through our nation’s borders, warrantless electronic device searches are essential to the border search exception’s purpose of ensuring that the executive branch can adequately protect the border.” That’s true even if the search has nothing to do with protecting the border. The Boston court then relies on law in the Fourth circuit holding that a warrantless border search may be conducted of a cell phone if agents have “sufficient individualized suspicion of transnational criminal activity” as justification to permit such searches without any suspicion whatsoever. In fact, that Fourth circuit case found that because of the “unparalleled breadth of private information” that a search of a cell phone could reveal, “a forensic search of a digital phone must be treated as a non-routine border search, requiring some form of individualized suspicion” even if not a warrant. The Boston court reads this as holding “that neither a warrant nor probable cause is required for a border search of electronic devices.” In fact, nothing is required.

The court then minimizes the privacy impact of “basic” border searches of electronic devices, since they are only searches of “property” and not as invasive as, for example, a body cavity search. The court trivializes the impact of such searches because they “require an officer to manually traverse the contents of the traveler’s electronic device, limiting in practice the quantity of information available during a basic search.” In fact, a “manual” search of the contents of an electronic device can be significantly more intrusive than an automated search, which can use tools and algorithms to search mass storage devices only for keywords and phrases which represent evidence of specific crimes. An automated tool can quickly conduct MD5 hash matches of all images for child pornography known on the NCMEC database without the CPB officer’s having to view your bikini pictures from Cabo. A manual search – the kind the Boston court finds to be less intrusive – has no such limitation.

The court also takes comfort in the fact that the “basic” search “only allows searches of data resident on the device” and not on cloud servers, email servers or third-party platforms to which one could get access from the phone, implying that, in an “advanced” border search, agents will search documents and communications remote from the border, which are not themselves being transported across the border, and which are not in the possession, custody and control of the traveler, without a warrant and without probable cause, as an “advanced” search. The Boston court also rejected the concept that border searches had to be limited to legitimate “border search” purposes – preventing the importation of contraband, essentially permitting customs agents to search any electronic device for any purpose without a warrant or suspicion.

Likewise, even under a “basic” search, the court permits government officials to “detain” the device – for from 5-30 days (depending on whether it is under CPB policy or ICE policy) without any suspicion, finding that the detention of the device is “reasonable.” Finally, the court rejects the notion that First Amendment expressive materials – the kinds of things likely to be found on a person’s cell phone — things like political affiliation, religious affiliation, expressive conduct and the like – are entitled to any special benefit under the law.

Practical Advice

The First Circuit opinion can best be summarized as – (at least for people entering the country through Maine, Massachusetts, New Hampshire, Puerto Rico and Rhode Island) – abandon all hope, ye who enter here. Everything on your phones, iPads, laptops and thumb drives are fair game for search – and even for remote search. It all can be shared with anyone they want to share it with. Corporate records, patents, trademark, trade secrets and other information enjoy no protection. Medical records, doctor-patient, priest-penitent and psychotherapist-patient privileged records can be rummaged through and published at will. Under ICE and CPB regulations, supervisor approval is only required for a search of attorney-client privileged materials.

So, for companies that wish to maintain the confidentiality of information should not have them on any devices (or accessible from any device) that is traveling internationally. Alternatively, they can permit traveling employees to have this information on their devices, but keep them encrypted in a way that the employee does not have the ability to decrypt the data (although this will invariably lead to seizure of the devices by CPB or ICE). Finally, if any employee has any information on any device that is attorney-client privileged (even something like an email to their divorce attorney), they should make a point of telling the customs agent that the device contains attorney client privileged materials, without specifically noting what information it is or where. This at least triggers a review by supervisors and possibly local Assistant U.S. Attorneys, but the traveler should be prepared to be detained while all this is happening. Finally, of course, many, if not most, people and companies will take the position that, “I’m not doing anything wrong, so I have nothing to hide.” That’s fine, but be prepared to have everything on your device seized, examined and used. And that’s kind of what the Fourth Amendment was designed to prevent.

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 126 posts and counting.See all posts by mark