New DHS policy on demands for passwords to travelers’ electronic devices
US Customs and Border Protection, a component of the Department of Homeland Security, today posted a revised policy on Border Searches of Electronic Devices and a Privacy Impact Assessment of some of the changes made by the new policy.
CBP has received (and largely ignored) numerous complaints by travelers who have been detained and told they wouldn’t be allowed to go unless they told CBP the passwords to their smartphones, laptop computers, or other electronic devices. Electronic devices have been seized and copied, and in some cases returned only long afterward and/or in altered or damaged condition. A lawsuit challenging suspicionless searches and seizures of data stored on travelers’ electronic devices, brought by EFF and the ACLU, is pending in Boston.
Federal courts have generally been overly deferential to government claims to the existence of a general exception to the Fourth Amendment making it per se “reasonable” to search or seize anything at or “near” a border or at an international airport, regardless of whether there is any basis to suspect a traveler of anything except international travel.
But the new CBP policy stretches the government’s claim of authority for warrantless, suspicionless, searches and seizures of electronic devices and data even further than its 2009 predecessor.
As the new PIA correctly notes, “The 2009 policy was silent regarding CBP’s handling of passcode-protected or encrypted information.”
CBP now says as follows, without citing any basis for this assertion:
Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents… Passcodes or other means of entry may be requested and retained as needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device. If an Officer is unable to complate an inspection of an electronic device because it is protected by a passcode or encryption, the Officer may… detain the device pending a determination as to its admissibility, exclusion, or other disposition.
In other words, CBP is now claiming the authority to confiscate your cellphones, laptops, memory cards, and any other electronic devices if you won’t tell CBP your passwords, and to retain the passwords you give them as well as the contents of those devices.
Yes, this applies to U.S. citizens and permanent residents as well as visitors.