US Customs and Border Protection, a component of the Department of Homeland Security, today posted a revised policy on Border Searches of Electronic Devices and a Privacy Impact Assessment of some of the changes made by the new policy.
CBP has received (and largely ignored) numerous complaints by travelers who have been detained and told they wouldn’t be allowed to go unless they told CBP the passwords to their smartphones, laptop computers, or other electronic devices. Electronic devices have been seized and copied, and in some cases returned only long afterward and/or in altered or damaged condition. A lawsuit challenging suspicionless searches and seizures of data stored on travelers’ electronic devices, brought by EFF and the ACLU, is pending in Boston.
Federal courts have generally been overly deferential to government claims to the existence of a general exception to the Fourth Amendment making it per se “reasonable” to search or seize anything at or “near” a border or at an international airport, regardless of whether there is any basis to suspect a traveler of anything except international travel.
As the new PIA correctly notes, “The 2009 policy was silent regarding CBP’s handling of passcode-protected or encrypted information.”
CBP now says as follows, without citing any basis for this assertion:
Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents… Passcodes or other means of entry may be requested and retained as needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device. If an Officer is unable to complate an inspection of an electronic device because it is protected by a passcode or encryption, the Officer may… detain the device pending a determination as to its admissibility, exclusion, or other disposition.
In other words, CBP is now claiming the authority to confiscate your cellphones, laptops, memory cards, and any other electronic devices if you won’t tell CBP your passwords, and to retain the passwords you give them as well as the contents of those devices.
Yes, this applies to U.S. citizens and permanent residents as well as visitors.
The PIA admits that, as a general “Principle of Purpose Specification” for fair information practices, “DHS should specifically articulate the authority which permits the collection of PII [Personally Identifiable Information] and specifically articulate the purpose or purposes for which the PII is intended to be used.”
But the DHS dismisses these concerns: “There is no privacy risk to purpose specification. The legal precedent is clear, and all information is maintained, stored, and disseminated consistent with published systems of records notices.”
The claim about this all being consistent with published notices sounds plausible and perhaps reassuring — until you look at the notices in question. CBP says that passwords for electronic devices, and images of data extracted from electronic devices, will be stored in the Automated Targeting System (ATS). But there’s no mention of passwords or device images in the most recent (or any previous) system of records notice (SORN) for ATS. Nor is there any “catch-all” category in that SORN that would appear to include this data.
Even if the public had been given proper notice, the Privacy Act permits the collection of information about how individuals exercise rights protected by the First Amendment only if this has been explicitly authorized by Federal law. No Federal statute mentions the collection by CBP or DHS of passwords for, or data from, travelers’ electronic devices.
Pursuant to the Privacy Act, it’s a crime for a federal agency or official to maintain a system of records without having first published a SORN giving notice of all of the categories of information included in the syatem. If CBP officials have been storing passwords to travelers electronic devices, or data obtained from those devices, in ATS, any CBP agents responsible for those actions are criminals.
We won’t hold our breath waiting for these CBP officers to be prosecuted, but travelers shouldn’t think that any of this is within what is allowed by existing laws and court precedents, much less what should be allowed by the First and Fourth Amendments to the Constitution.
What should you do if officers of CBP or other DHS components ask you for the password to your electronic device or want to confiscate it or copy data from it?
First, don’t disclose your password(s) and don’t consent to any search or seizure. Telling an officer your password might be construed as giving them permission to use that password to make a complete copy of all of the data on your device. Police at borders or elsewhere have the legal authority to conduct some searches without your consent, but you are never required to consent. That’s what “consent” means. If they are going to do it anyway, they will do it with or without your consent. Consenting to a search or seizure they are going to carry out anyway can only make your situation worse, not better. Make clear that if they search or seize your device or data, it will be a nonconsensual search. If you are given a receipt for your device(s) or some other form to fill out or sign, use it as a chance to put your denial of consent in writing in a way that will make be harder for them later to claim that you consented. Write, “I did not and I do not consent to this search or seizure.” It’s generally a bad idea to sign anything without first consulting a lawyer.
Second, if they ask you for your password or other data, ask them for the Paperwork Reduction Act notice including the “OMB Control Number” applicable to this collection of information. “What is the password to this device?” is a verbal collection of information, which is prohibited by the Paperwork Reduction Act (PRA) unless it has been approved in advance by the Office of Management and Budget (OMB), a “control number” has been assigned by OMB, and individuals from whom information is to be collected are given notice of this. Neither CBP nor DHS has ever requested or received OMB approval for collection of device passwords or images, so these agencies are forbidden by the PRA from imposing any sanctions on individuals who decline to provide this information.
Third, tell the officers if any or all of your devices contain privileged data, and invoke your rights under the Privacy Protection Act. If you intend to post some of your photos or descriptions of events on social media, your documents and digital materials are covered by the Privacy Protection Act — but only if the officers conducting the search or seizure know that the device contains privileged information. So tell them. Consider putting a copy of this notice and copy of the law on each of your devices as a “README” file, and carrying a paper copy of at least the first page in your wallet or somewhere handy. This probably won’t stop the border cops, but it might get them to pause while they ask for higher-level approval for the search or seizure. As we’ve discussed previously, there’s a partial exception to the Privacy Protection Act for some border searches, but it’s limited. And if they search or seize your device anyway, knowing that it contains material prvileged by the Privacy Protection Act, you can go after them personally for money damages.