As more and more travelers have begun carrying their cellphones and laptops abroad, the searching of these and other electronic devices by customs inspectors has become a contentious issue. On Jan. 4, U.S. Customs and Border Protection (CBP) released an updated directive to its workers on the searching of electronic devices at border crossings. According to CBP statistics published on Jan. 5, the agency processed 397 million international travelers in fiscal year 2017 and searched 30,200 devices. This is an increase from the 19,051 device searches in fiscal year 2016, which recorded 390 million travelers. CBP noted the percentage of searches rose from .005 percent in 2016 to only .007 percent in 2017. But because of the increasing amount of personal information on these devices, travelers have been pushing back against these intrusions.
In September 2016, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) filed a lawsuit against the Department of Homeland Security on behalf of 11 travelers whose phones and laptops were searched at the U.S. border without warrants. The lawsuit asserts that the Fourth Amendment to the U.S. Constitution should govern the border searches and therefore customs agents should be required to obtain search warrants. However, based on case law and a long history of international law, the lawsuit faces an uphill battle because border inspections traditionally have been treated separately from searches in criminal investigations that are governed by the Fourth Amendment. Sovereign countries have long had the ability to control commerce at their borders, and customs inspectors have had wide leeway to search goods and travelers' belongings for contraband at the border. Even citizens have less of an expectation of privacy at an international border crossing or a border zone than inside the country.
Because of these rulings and understandings, it is unlikely that the lawsuit will cause a massive legal change. But even if it did, it would change only U.S. policy and would have no impact on other governments, which follow similar, or even more aggressive, guidelines on searching electronic devices. The updated CBP directive serves as a great reminder of how incredibly vulnerable personal and proprietary business information in electronic devices is during international travel.
What Is and Is Not Covered?
Under the CBP order, customs inspectors have the authority to conduct a basic search of any electronic device without having probable cause of a crime or even suspicion of a crime. Devices are defined not only as computers, phones and tablets, but also as digital storage media, including external hard drives and thumb drives. Such a search is confined to information on the device, and it cannot be used to retrieve external data, such as that stored in the cloud. Officers will ask the owners to disable their device's internet connectivity during such a search. The basic search consists of the officer reviewing the contents of the device with his or her eyes.
Travelers can be compelled to provide passwords for the devices. Foreigners who refuse to provide the password to unlock a device or decrypt data on it can be denied entry to the United States. If a U.S. citizen refuses to provide the password, the device can be retained for up to five days, but the citizen cannot be denied entry to the country. CBP personnel are ordered to destroy passwords after using them to unlock the device. If after a basic search, the CBP officer develops reasonable suspicion that a device contains evidence of a violation of the law, or of a national security concern, the officer must contact a supervisor to request an advanced search, which is defined as one using external equipment to review, copy or analyze the device's contents.
But again, these guidelines pertain only to the CBP. The customs officials in other countries have similar policies when it comes to searching the electronic devices of international travelers. In many parts of the world, the authorities have broad leeway to inspect electronic devices, either at a border or elsewhere. Indeed, it is not unusual for travelers to have their hard drives imaged or accessed when passing through customs or copied surreptitiously when left unattended in a hotel room. Most intelligence and security agencies have "unlimited data plans" when it comes to collecting potentially valuable information, and travelers should protect their information accordingly.
Protecting Your Privacy
The ACLU-EFF lawsuit notes quite correctly that "People now store their whole lives, including extremely sensitive personal and business matters, on their phones, tablets, and laptops." And this is the first problem from my perspective. People simply should not carry that much sensitive information with them when they travel. Indeed, I would bet that a large majority of the traveling public isn't even aware of everything they have in their phones and laptops. In the past I've said that most people are unaware of what they have in their wallets or purses and noted that this lack of awareness makes it difficult to reconstruct what personal information was in their wallets or purses. This problem is magnified exponentially when it comes to the gigabytes of data stored on smartphones and computers, especially when those devices are used to connect to social media, online banking and shopping, and other services. Border searches by the authorities are not the only threat to this data. It is not unusual for travelers to have their devices stolen, and then the data can be exploited by criminals.
Besides personal information, proprietary business information is also a hot commodity. The Chinese government publicly stated
that it was trying to acquire critical technologies by whatever means necessary when it established its 863 program, set up in 1986 to stimulate the development of advanced technologies. In addition to its normal appetite for weapons-related proprietary information, the Russian government recently announced that it was launching a program to develop its internal capability in 77 key technologies. The Russians will likely accomplish a good deal of this "development" by stealing the technology from others rather than starting from scratch. And Russia and China are only two of the many countries that have an interest in looting proprietary information to help them develop their industrial bases. The bottom line is that no matter your business, you probably have proprietary information of interest to someone, and it is vulnerable during travel.