DHS, CBP Admit They Have No Legal Authority To Access Americans' Social Media Accounts

from the CBP-reminded-of-this-2-months-after-Wyden's-letter dept

Since at least 2009, the DHS has asserted a legal right to copy/search the contents of anyone's electronic devices at the border. Its privacy assessment said no one has much privacy, at least not near US borders. Building on years of judicial national security deference, the DHS has recently expanded its searches of electronic devices, eliminating most of its adherence to the Fourth Amendment in the process. If your devices wander into the country's Constitution-free zones, you can expect to suffer diminished expectations of privacy.

Noting that border searches of electronic devices were increasing exponentially (more searches in February 2017 alone than in all of 2015), Senator Ron Wyden did two things: introduced a bill creating a warrant requirement for border electronic device searches and asked the CBP (Customs and Border Protection) about its new demands for social media/email account passwords.

The DHS has responded [PDF] to Wyden's questions, and the answers are a bit surprising.

U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.

The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place.

This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment, which placed CBP agent hunches above anything resembling reasonable suspicion or probable cause. But the answer aren't quite as clear-cut as it might appear from the NBC New summation.

With or without legal authority, the CBP is still performing searches of thousands of devices. Returning US citizens aren't exempted from these searches. They are often free to go, even if their devices might need to be left behind so the CBP can search/copy the device's contents. This may be done without reasonable suspicion because, as the letter puts it, any device might hold evidence of criminal activity (terrorism, smuggling, and child porn are specifically named).

What the CBP cannot do -- at least according to this letter -- is retrieve information and data not stored on the phone itself. But this would only prevent CBP officers from accessing cloud-based storage. Much of the information contained in email and social media accounts is not stored locally, but there's no practical way to separate local/cloud data when officers have access to the entire device. The letter appears to indicate officers need to restrict their searches to SMS messages, call logs, and photos/videos stored on the device.

How this operates in practice is another matter. The letter states CBP cannot demand passwords/pins from American travelers, but points out this may result in their electronics being detained indefinitely even as the citizens themselves are free to go. It says CBP officers have been instructed to stay away from social media/email accounts, but the April 2017 "reminder" appears to be the direct result of Wyden's probing questions, which were sent to the DHS at the end of February. What CBP was doing before the senator started asking questions is anyone's guess, but anecdotal evidence suggests CBP is treating US citizens as badly as it does foreign visitors.

What isn't in the letter is a direct response to Wyden's question about the number of US citizens subjected to these intrusive searches. The DHS claims not to have this information on hand but has promised to turn over some data later this year.

In the meantime, American citizens are receiving only slightly better treatment than arriving foreigners. Assertion of rights are the border will often be taken as unprompted admission of guilt. While the CBP may not have a legal basis to demand access to social media accounts, it does appear its demands for access to people's phones isn't stifled by many legal hurdles. Considering most phones/laptops contain social media account info, it's up to Americans to believe the CBP isn't accessing data it's been told to stay away from.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, cbp, cloud, device searches, dhs, laptop searches, local storage, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 14 Jul 2017 @ 7:34am

    Knowing this in advance you can always create some disposable account and register in your phone with a few dozen pics just to pretend it's being used. Of course it would be better if these megalomaniacs simply respected privacy and freedom and did their jobs instead of using the broad sweep but absent that you can always fool them. It's not like the people working at these schemes are very smart in the first place.

    link to this | view in thread ]

  2. icon
    That Anonymous Coward (profile), 14 Jul 2017 @ 9:28am

    "doesn't have that authority in the first place"
    If only we had some people elected to positions would had our best interests at heart & would reign in agencies that go rogue & undermine the bedrock of the nation.
    We could elected them every 2 years, so if they aren't doing the job we could replace them with people who would & not just bow to pressure of being branded a terrorist lover for upholding the founding principles.

    But then I have weird ideas...

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 14 Jul 2017 @ 9:32am

    This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment

    So, DHS lied again. What's new?

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 14 Jul 2017 @ 10:28am

    but there's no practical way to separate local/cloud data when officers have access to the entire device.

    ....yes there is. Simply turn off internet access. All devices have methods of doing so easily. Once that's done, the only things accessible on the device are those things which are currently stored on the device.

    link to this | view in thread ]

  5. icon
    Anonymous Anonymous Coward (profile), 14 Jul 2017 @ 11:34am

    Re:

    Simply turn off internet access. All devices have methods of doing so easily.

    Once they have the device, it can just as easily be turned back on. Oh, you think they don't have your passcode? Be prepared for detention for not turning it over.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 14 Jul 2017 @ 11:46am

    Re: Re:

    That the CBP may not want to separate local/cloud data when examining the device doesn't change the fact that it can very easily be separated.

    Thus, saying "there's no practical way to separate local/cloud data" when searching a device is clearly untrue. There is such a way, even if Tim didn't think of it when he wrote that statement, and the CBP is certainly paid far too much to ever think of it themselves.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 14 Jul 2017 @ 11:51am

    Re: Re: Re:

    Citation needed?

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 14 Jul 2017 @ 12:00pm

    account info

    Considering most phones/laptops contain social media account info, it's up to Americans to believe the CBP isn't accessing data it's been told to stay away from.

    The story says they can't look at data stored only in the cloud. They have not been told to stay away from social media account info contained in the phone/laptop. If you have Facebook pictures, stored conversations etc., delete them before crossing the border.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 14 Jul 2017 @ 12:08pm

    Re: Re: Re: Re:

    Citation needed?

    No, it isn't, due to obviousness.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 14 Jul 2017 @ 12:12pm

    Re: account info

    If you have Facebook pictures, stored conversations etc., delete them before crossing the border.

    You are aware that "delete" doesn't necessarily make some thing go completely away, right?

    link to this | view in thread ]

  11. icon
    Anonymous Anonymous Coward (profile), 14 Jul 2017 @ 12:34pm

    Re: account info

    I think your definition of cloud, my definition of cloud, and law enforcement's definition of cloud may be significantly different.

    For that matter, just what is the definition of cloud? Anything reached remotely? Something stored on a device named cloud? Something stored on a device not named cloud but substantially runs like something others call cloud? My Google email is on the server, not on my device, yet there are snippets of information on my device. Is that part cloud and part not cloud?

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 14 Jul 2017 @ 12:41pm

    Re: Re: account info

    You are aware that "delete" doesn't necessarily make some thing go completely away, right?

    Yeah. That can be fixed with proper cryptography, if the phone vendors want. (Change the key every few megabytes; then copy the data you want to keep, and delete the key to make the "deleted" segment unreadable.)

    The usual case, though, would be a TSA agent using the normal user interface, not hooking it up to some data-dumper.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 14 Jul 2017 @ 1:08pm

    Re: Re: Re: account info

    The TSA has, and often uses, special software to find "deleted" data.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 14 Jul 2017 @ 1:13pm

    Re: Re: account info

    "Cloud" is a vague marketing term to begin with. As a rule of thumb, if something can be accessed from the phone when it's in a Faraday cage, it's not in the cloud.

    link to this | view in thread ]

  15. identicon
    Michigander, 14 Jul 2017 @ 3:29pm

    Still a Constitution-Free Zone

    From Security Now! SN-615 https://www.grc.com/securitynow.htm June 6, 2017

    FATHER ROBERT BALLECER:

    PADRE: The last time I came back into the country was just a couple of weeks ago. And I have global entry, so I've got the little card that allows me to go quickly through. But they can still pull you aside for secondary. And so I get pulled aside for secondary, and so they wanted to see my phone......
    ....
    PADRE: And then they're looking through it for a few minutes, and the agent comes back and says, "Do you happen to have Dropbox and OneDrive?" And I'm looking at him going, you're hoping I have the app on my phone so you can go through my personal documents. I mean, that is horrible. That is completely out of control....

    Above taken from page 18+ of the PDF transcript. DL and read for full context.

    I am a US citizen living in Canada. This Anonymous Coward has taken to performing a factory reset on his phone and setting up a shopping Hotmail account only, when crossing the border, then reinstalling regular apps after.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 14 Jul 2017 @ 3:46pm

    Re: Re: Re:

    Thus, saying "there's no practical way to separate local/cloud data" when searching a device is clearly untrue.

    That depends entirely upon one's definition of "practical way to separate local/cloud data".

    Your solution implies that the CBR would never, never tap that airplane mode toggle to re-connect the device to the Internet, then look at the contents of apps, which just so happens now to have downloaded stuff from the cloud.

    My guess is that the author was seeking something that would actively prevent the CBR from reconnecting the device to the Internet. For example, a second password, just on airplane mode.

    link to this | view in thread ]

  17. icon
    Bergman (profile), 14 Jul 2017 @ 8:19pm

    Re: This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment

    The question is though, were they lying then or are they lying now?

    link to this | view in thread ]

  18. icon
    Bergman (profile), 14 Jul 2017 @ 8:22pm

    Re: Still a Constitution-Free Zone

    With the way more recent iOS patches have been major bloatware, that would probably make the phone run more smoothly and quickly too.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 15 Jul 2017 @ 6:59am

    Re: Re: account info

    I think your definition of cloud, my definition of cloud, and law enforcement's definition of cloud may be significantly different.

    I imagine law enforcement would define it a fluffy thing in the sky. No data there!

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 16 Jul 2017 @ 7:06am

    Re: Re: Re:

    To say it can be easily separated is simply not true. For example, my devices show thumbnails of my pictures in the photos app as long as I'm not connected to the Internet, but full resolution photos are forthcoming when connected. So disconnecting from the 'net does nothing to keep anyone from seeing my pictures ( in low resolution format).

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 17 Jul 2017 @ 7:38am

    As if a lack of legal authority has ever been a real obstacle in the way of evidence fishing trips.
    Also agents would do a lot more cavity searches if they could. Gotta justify those funds somehow.
    And if they accidentally do find some sort of contraband it's even better (for them) as they can further justify themselves.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.