Jan 05 2018

New DHS policy on demands for passwords to travelers’ electronic devices

US Customs and Border Protection, a component of the Department of Homeland Security, today posted a revised policy on Border Searches of Electronic Devices and a Privacy Impact Assessment of some of the changes made by the new policy.

CBP has received (and largely ignored) numerous complaints by travelers who have been detained and told they wouldn’t be allowed to go unless they told CBP the passwords to their smartphones, laptop computers, or other electronic devices. Electronic devices have been seized and copied, and in some cases returned only long afterward and/or in altered or damaged condition. A lawsuit challenging suspicionless searches and seizures of data stored on travelers’ electronic devices, brought by EFF and the ACLU, is pending in Boston.

Federal courts have generally been overly deferential to government claims to the existence of a general exception to the Fourth Amendment making it per se “reasonable” to search or seize anything at or “near” a border or at an international airport, regardless of whether there is any basis to suspect a traveler of anything except international travel.

But the new CBP policy stretches the government’s claim of authority for warrantless, suspicionless, searches and seizures of electronic devices and data even further than its 2009 predecessor.

As the new PIA correctly notes, “The 2009 policy was silent regarding CBP’s handling of passcode-protected or encrypted information.”

CBP now says as follows, without citing any basis for this assertion:

Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents… Passcodes or other means of entry may be requested and retained as needed to facilitate the examination of an electronic device or information contained on an electronic device, including information on the device that is accessible through software applications present on the device. If an Officer is unable to complate an inspection of an electronic device because it is protected by a passcode or encryption, the Officer may… detain the device pending a determination as to its admissibility, exclusion, or other disposition.

In other words, CBP is now claiming the authority to confiscate your cellphones, laptops, memory cards, and any other electronic devices if you won’t tell CBP your passwords, and to retain the passwords you give them as well as the contents of those devices.

Yes, this applies to U.S. citizens and permanent residents as well as visitors.

The PIA admits that, as a general “Principle of Purpose Specification” for fair information practices, “DHS should specifically articulate the authority which permits the collection of PII [Personally Identifiable Information] and specifically articulate the purpose or purposes for which the PII is intended to be used.”

But the DHS dismisses these concerns: “There is no privacy risk to purpose specification. The legal precedent is clear, and all information is maintained, stored, and disseminated consistent with published systems of records notices.”

The claim about this all being consistent with published notices sounds plausible and perhaps reassuring — until you look at the notices in question. CBP says that passwords for electronic devices, and images of data extracted from electronic devices, will be stored  in the Automated Targeting System (ATS). But there’s no mention of passwords or device images in the most recent (or any previous) system of records notice (SORN) for ATS. Nor is there any “catch-all” category in that SORN that would appear to include this data.

Even if the public had been given proper notice, the Privacy Act permits the collection of information about how individuals exercise rights protected by the First Amendment only if this has been explicitly authorized by Federal law. No Federal statute mentions the collection by CBP or DHS of passwords for, or data from, travelers’ electronic devices.

Pursuant to the Privacy Act, it’s a crime for a federal agency or official to maintain a system of records without having first published a SORN  giving notice of all of the categories of information included in the syatem. If CBP officials have been storing passwords to travelers electronic devices, or data obtained from those devices, in ATS, any CBP agents responsible for those actions are criminals.

We won’t hold our breath waiting for these CBP officers to be prosecuted, but travelers shouldn’t think that any of this is within what is allowed by existing laws and court precedents, much less what should be allowed by the First and Fourth Amendments to the Constitution.

What should you do if officers of CBP or other DHS components ask you for the password to your electronic device or want to confiscate it or copy data from it?

First, don’t disclose your password(s) and don’t consent to any search or seizure. Telling an officer your password might be construed as giving them permission to use that password to make a complete copy of all of the data on your device.  Police at borders or elsewhere have the legal authority to conduct some searches without your consent, but you are never required to consent. That’s what “consent” means. If they are going to do it anyway, they will do it with or without your consent. Consenting to a search or seizure they are going to carry out anyway can only make your situation worse, not better. Make clear that if they search or seize your device or data, it will be a nonconsensual search. If you are given a receipt for your device(s) or some other form to fill out or sign, use it as a chance to put your denial of consent in writing in a way that will make be harder for them later to claim that you consented. Write, “I did not and I do not consent to this search or seizure.” It’s generally a bad idea to sign anything without first consulting a lawyer.

Second, if they ask you for your password or other data, ask them for the Paperwork Reduction Act notice including the “OMB Control Number” applicable to this collection of information. “What is the password to this device?” is a verbal collection of information, which is prohibited by the Paperwork Reduction Act (PRA) unless it has been approved in advance by the Office of Management and Budget (OMB),  a “control number” has been assigned by OMB, and individuals from whom information is to be collected are given notice of this. Neither CBP nor DHS has ever requested or received OMB approval for collection of device passwords or images, so these agencies are forbidden by the PRA from imposing any sanctions on individuals who decline to provide this information.

Third, tell the officers if any or all of your devices contain privileged data, and invoke your rights under the Privacy Protection Act. If you intend to post some of your photos or descriptions of events on social media, your documents and digital materials are covered by the Privacy Protection Act — but only if the officers conducting the search or seizure know that the device contains privileged information. So tell them. Consider putting a copy of this notice and copy of the law on each of your devices as a “README” file, and carrying a paper copy of at least the first page in your wallet or somewhere handy. This probably won’t stop the border cops, but it might get them to pause while they ask for higher-level approval for the search or seizure. As we’ve discussed previously, there’s a partial exception to the Privacy Protection Act for some border searches, but it’s limited. And if they search or seize your device anyway, knowing that it contains material prvileged by the Privacy Protection Act, you can go after them personally for money damages.

25 thoughts on “New DHS policy on demands for passwords to travelers’ electronic devices

  1. Use a phone that has an sd card slot. Before boarding the plane, take an encrypted backup of your data on the sd card. Make a copy and send it by post. Also, save it on the cloud on a place you will remember. When the plane lands, wipe the phone. Give the 1st sd card to a fellow traveler. Take theirs.
    Tell the DHS officer you have wiped phone because it contains priviledge information. Let them short out it.

  2. @Gregory _Smith – As noted in the article, a legal challenge to suspicionless border searches of electronic devices by plaintiffs represetned by EFF and the ACLU is pending in U.S. District Court in Massachusetts.

    Complaint:
    https://www.eff.org/document/alasaad-v-duke-complaint

    More about the case from EFF:
    https://www.eff.org/cases/alasaad-v-duke

    More about the case from the ACLU:
    https://www.aclu.org/cases/alasaad-v-duke-challenge-warrantless-phone-and-laptop-searches-us-border

  3. After reading the PIA, I see where CPB claims to have the authority to do various things, but I see no mention of a statutory obligation on the part of the traveler’s to “assist” cpb in their duties, or to engage in self incrimination.

    Seems to me CPB’s authority is limited to a search for items on which customs duties might be owed.
    Is a contact list a dutiable item? How about Snapshots/Photos? Emails? Notes, appointments, or other personal information?

    Of course not, and are quite beyond reasonable search parameters.

    Can you be compelled to provide passwords or encryption keys? The PIA says “Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.”, but cites no statute to support such an assertion.

    It further claims “Officers may request passcodes or other means of access to facilitate the examination of an electronic device or information contained on an electronic device…” but again, cites no statute requiring the traveler to provide such passcodes.

    The PIA goes on to say “If an Officer is unable to complete an inspection of an electronic device because it is protected by a passcode or encryption, the Officer may detain the device pending a determination as to its admissibility, exclusion, or other disposition.”, but makes no mention of compensation to be paid to the traveler in such an instance.

    So what do we have here?

    CPB claims statutory authority to search and seize property and personal information, but cites no statute that requires a traveler either to assist them in their duties or to surrender their property without due process or just compensation.

    In view of the thousands of ways an individual can break the law without knowing it, I see no legal requirement for the traveler to assist in his own potential self incrimination (see Don’t Talk to the Police https://www.youtube.com/watch?v=d-7o9xYp7eE).

  4. Pingback: US Says They Can Keep Your Devices at the Border If You Won't Give Up Your Password - View from the Wing

  5. Pingback: US Says They Can Keep Your Devices at the Border If You Won’t Give Up Your Password | Visor Travel

  6. “‘What is the password to this device?’ is a verbal collection of information, which is prohibited by the Paperwork Reduction Act (PRA)…”

    Is this not contradicted by 5 CFR §1320.3(h)(6), which defines “information” for the purposes of the PRA to specifically *exclude* “a request for facts or opinions addressed to a single person”?

  7. Pingback: New top story on Hacker News: New DHS policy on demands for passwords to travelers’ electronic devices – ÇlusterAssets Inc.,

  8. Pingback: All the News You Didn’t Even Know Was Going Down - Antifa Today

  9. @Doug, they will likely just cite you with obstruction and work from there. Yes, I’m sure our secured 4th amendment right will be called obstruction and used against us.

  10. @AdamK – If you are a US citizen, they have to let you in or out of the country, even if you exercise your right to remain silent once you have provided evidence of US citizenship (e.g. your US passport) and a completed customs declaration form. The right to leave the US and to return to the US is recognized by Article 12 of the International Covenant on Civil and Political Rigths (ICCPR), a treaty ratified by the US: “Everyone shall be free to leave any country, including his own….. No one shall be arbitrarily deprived of the right to enter his own country.” If you are *not* a US citizen, CBP could try to deny you entry if you refuse to disclose device passwords, and US courts might not recognize a right to challenge that denial of entry.

    @David – The exception you cited applies only if a particular question is asked of only one person. The PRA applies whenever the same question (e.g. “What is the password to your phone?”) is asked of ten or more people: “Collection of information means … the obtaining, causing to be obtained, soliciting, or requiring the disclosure to an agency, third parties or the public of information by or for an agency by means of identical questions posed to … ten or more persons, whether such collection of information is mandatory, voluntary, or required to obtain or retain a benefit.” There *is* OMB approval and an OMB control number (OMB NO. 1651-0009) for the US customs declaration form (CBP Form 6059B), but that form as approved by OMB with that control number does not ask for passwords:

    https://www.cbp.gov/sites/default/files/documents/CBP%20Form%206059B%20English%20%28Sample%20Watermark%29.pdf

    https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201506-1651-002

  11. Pingback: O krok za daleko? Nie udostępnisz hasła do swojego komputera? Na granicy mogą Ci skonfiskować urządzenie

  12. This is all great for US citizens, but for a foreign traveler to pull this off at the border is nothing short of a “mission impossible” stunt. Prepare to get dispatched on the first flight back the moment you say “no, I don’t consent”.

  13. Pingback: Citizens: Just say “No” to requests for your passwords | Papers, Please!

  14. Pingback: Government and industry collaborate in travel surveillance | Papers, Please!

  15. We need an app that when inputing a special password, will totally erase all data on the phone. when tsa opens it, it will look like a new phone or one that was affected by the scanners. When you get it back, sign on to the cloud and off you go.

  16. @wookiee – My Pixel 3 has something like this built in called “Lockdown Mode”. Everything gets locked down and can only be opened with a password. Fingerprint and face ID don’t work. As long as you don’t give them your password, they can’t access your phone.

  17. Pingback: CBP aggregates and disseminates travel data from warrantless searches – Papers, Please!

Leave a Reply

Your email address will not be published. Required fields are marked *