DHS, CBP Admit They Have No Legal Authority To Access Americans' Social Media Accounts
from the CBP-reminded-of-this-2-months-after-Wyden's-letter dept
Since at least 2009, the DHS has asserted a legal right to copy/search the contents of anyone's electronic devices at the border. Its privacy assessment said no one has much privacy, at least not near US borders. Building on years of judicial national security deference, the DHS has recently expanded its searches of electronic devices, eliminating most of its adherence to the Fourth Amendment in the process. If your devices wander into the country's Constitution-free zones, you can expect to suffer diminished expectations of privacy.
Noting that border searches of electronic devices were increasing exponentially (more searches in February 2017 alone than in all of 2015), Senator Ron Wyden did two things: introduced a bill creating a warrant requirement for border electronic device searches and asked the CBP (Customs and Border Protection) about its new demands for social media/email account passwords.
The DHS has responded [PDF] to Wyden's questions, and the answers are a bit surprising.
U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.
The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place.
This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment, which placed CBP agent hunches above anything resembling reasonable suspicion or probable cause. But the answer aren't quite as clear-cut as it might appear from the NBC New summation.
With or without legal authority, the CBP is still performing searches of thousands of devices. Returning US citizens aren't exempted from these searches. They are often free to go, even if their devices might need to be left behind so the CBP can search/copy the device's contents. This may be done without reasonable suspicion because, as the letter puts it, any device might hold evidence of criminal activity (terrorism, smuggling, and child porn are specifically named).
What the CBP cannot do -- at least according to this letter -- is retrieve information and data not stored on the phone itself. But this would only prevent CBP officers from accessing cloud-based storage. Much of the information contained in email and social media accounts is not stored locally, but there's no practical way to separate local/cloud data when officers have access to the entire device. The letter appears to indicate officers need to restrict their searches to SMS messages, call logs, and photos/videos stored on the device.
How this operates in practice is another matter. The letter states CBP cannot demand passwords/pins from American travelers, but points out this may result in their electronics being detained indefinitely even as the citizens themselves are free to go. It says CBP officers have been instructed to stay away from social media/email accounts, but the April 2017 "reminder" appears to be the direct result of Wyden's probing questions, which were sent to the DHS at the end of February. What CBP was doing before the senator started asking questions is anyone's guess, but anecdotal evidence suggests CBP is treating US citizens as badly as it does foreign visitors.
What isn't in the letter is a direct response to Wyden's question about the number of US citizens subjected to these intrusive searches. The DHS claims not to have this information on hand but has promised to turn over some data later this year.
In the meantime, American citizens are receiving only slightly better treatment than arriving foreigners. Assertion of rights are the border will often be taken as unprompted admission of guilt. While the CBP may not have a legal basis to demand access to social media accounts, it does appear its demands for access to people's phones isn't stifled by many legal hurdles. Considering most phones/laptops contain social media account info, it's up to Americans to believe the CBP isn't accessing data it's been told to stay away from.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, cbp, cloud, device searches, dhs, laptop searches, local storage, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
If only we had some people elected to positions would had our best interests at heart & would reign in agencies that go rogue & undermine the bedrock of the nation.
We could elected them every 2 years, so if they aren't doing the job we could replace them with people who would & not just bow to pressure of being branded a terrorist lover for upholding the founding principles.
But then I have weird ideas...
[ link to this | view in thread ]
This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment
[ link to this | view in thread ]
but there's no practical way to separate local/cloud data when officers have access to the entire device.
....yes there is. Simply turn off internet access. All devices have methods of doing so easily. Once that's done, the only things accessible on the device are those things which are currently stored on the device.
[ link to this | view in thread ]
Re:
Once they have the device, it can just as easily be turned back on. Oh, you think they don't have your passcode? Be prepared for detention for not turning it over.
[ link to this | view in thread ]
Re: Re:
Thus, saying "there's no practical way to separate local/cloud data" when searching a device is clearly untrue. There is such a way, even if Tim didn't think of it when he wrote that statement, and the CBP is certainly paid far too much to ever think of it themselves.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
account info
The story says they can't look at data stored only in the cloud. They have not been told to stay away from social media account info contained in the phone/laptop. If you have Facebook pictures, stored conversations etc., delete them before crossing the border.
[ link to this | view in thread ]
Re: Re: Re: Re:
No, it isn't, due to obviousness.
[ link to this | view in thread ]
Re: account info
You are aware that "delete" doesn't necessarily make some thing go completely away, right?
[ link to this | view in thread ]
Re: account info
For that matter, just what is the definition of cloud? Anything reached remotely? Something stored on a device named cloud? Something stored on a device not named cloud but substantially runs like something others call cloud? My Google email is on the server, not on my device, yet there are snippets of information on my device. Is that part cloud and part not cloud?
[ link to this | view in thread ]
Re: Re: account info
Yeah. That can be fixed with proper cryptography, if the phone vendors want. (Change the key every few megabytes; then copy the data you want to keep, and delete the key to make the "deleted" segment unreadable.)
The usual case, though, would be a TSA agent using the normal user interface, not hooking it up to some data-dumper.
[ link to this | view in thread ]
Re: Re: Re: account info
[ link to this | view in thread ]
Re: Re: account info
[ link to this | view in thread ]
Still a Constitution-Free Zone
FATHER ROBERT BALLECER:
PADRE: The last time I came back into the country was just a couple of weeks ago. And I have global entry, so I've got the little card that allows me to go quickly through. But they can still pull you aside for secondary. And so I get pulled aside for secondary, and so they wanted to see my phone......
....
PADRE: And then they're looking through it for a few minutes, and the agent comes back and says, "Do you happen to have Dropbox and OneDrive?" And I'm looking at him going, you're hoping I have the app on my phone so you can go through my personal documents. I mean, that is horrible. That is completely out of control....
Above taken from page 18+ of the PDF transcript. DL and read for full context.
I am a US citizen living in Canada. This Anonymous Coward has taken to performing a factory reset on his phone and setting up a shopping Hotmail account only, when crossing the border, then reinstalling regular apps after.
[ link to this | view in thread ]
Re: Re: Re:
That depends entirely upon one's definition of "practical way to separate local/cloud data".
Your solution implies that the CBR would never, never tap that airplane mode toggle to re-connect the device to the Internet, then look at the contents of apps, which just so happens now to have downloaded stuff from the cloud.
My guess is that the author was seeking something that would actively prevent the CBR from reconnecting the device to the Internet. For example, a second password, just on airplane mode.
[ link to this | view in thread ]
Re: This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment
[ link to this | view in thread ]
Re: Still a Constitution-Free Zone
[ link to this | view in thread ]
Re: Re: account info
I imagine law enforcement would define it a fluffy thing in the sky. No data there!
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Also agents would do a lot more cavity searches if they could. Gotta justify those funds somehow.
And if they accidentally do find some sort of contraband it's even better (for them) as they can further justify themselves.
[ link to this | view in thread ]