CBP’s New Policy for Searching Devices Offers Thin Protection
Two weeks ago, the Knight Institute and The New York Times published roughly 240 complaints by travelers detailing the “traumatizing” and “highly inappropriate” electronic device searches they endured at international airports and other U.S. borders. The Knight Institute and others have argued that suspicionless device searches violate travelers’ First and Fourth Amendment rights, and that the government should not be permitted to conduct such searches without probable cause.
Last Friday, U.S. Customs and Border Protection (CBP) released a revised directive governing searches of travelers’ electronic devices at U.S. borders, along with an updated privacy impact assessment of those searches.
The new directive improves on the old one in some respects, but it fails to resolve the constitutional concerns that many have raised. The new directive also raises some new concerns.
The bottom line is that CBP still claims sweeping authority to search information stored on a traveler’s cell phone, laptop, or other electronic device.
- Travelers’ obligation to unlock their devices: The most concerning change in the new directive is a passage stating that travelers are “obligated” to turn over their devices in a manner that allows inspection, that CBP may request passcodes to travelers’ devices, and that CBP may detain devices it cannot access. In other words, CBP now claims the authority to ask travelers for their passcodes and seize the devices of those who refuse. CBP’s prior policy did not impose the same obligation on travelers, although many reported that in practice CBP threatened to detain their devices if they refused to unlock them.
- New standard for “advanced” searches: CBP’s directive now distinguishes between “basic” and “advanced” searches. The directive defines “advanced” searches as those involving the use of external equipment to review, copy, or analyze the contents of electronic devices. These may include, for example, searches that involve the use of another computer to quickly download and cross-reference a person’s contacts list against a government list of suspects, to scan a device for illicit content (e.g., child pornography), or to recover recently deleted content. The directive defines “basic” searches as anything else—including any manual review of a device by a CBP officer. While CBP officers may continue to conduct basic searches without any suspicion that a device contains evidence of a crime, the new directive requires that they articulate “reasonable suspicion” or a “national security concern” and obtain supervisory approval before conducting advanced searches. The new directive thus gestures towards the standard imposed by the Ninth Circuit Court of Appeals in its 2013 decision in United States v. Cotterman. Noting that advanced (what it called “forensic”) searches could expose reams of personal content, the court in that case held that the government may not conduct such searches without a showing of reasonable suspicion. But Cotterman was decided before U.S. v. Riley, in which the Supreme Court required police to obtain a warrant based on probable cause before conducting a search of a cell phone seized in connection with an arrest. There is a real question whether Cotterman remains good law. Moreover, the new directive does not actually implement the Cotterman standard, even as to advanced searches, because it allows CBP officers to conduct searches even without reasonable suspicion if they have a “national security concern,” a nebulous phrase the directive does not seek to limit. And, again, the directive does not impose any suspicion standard on basic searches. Like the old directive, it permits CBP officers to scroll through a traveler’s cell phone, reading personal emails or texts and perusing personal photos and contact lists, on the basis of no suspicion whatsoever.
- Prohibition on searches of remotely stored information: The new directive prohibits CBP officers from intentionally searching information not stored locally on travelers’ devices—i.e., information stored in the “cloud.” To implement this prohibition, the directive requires CBP officers to ask travelers to disable their device’s network connectivity, or to disable it themselves, before searching the device. This requirement appears to formalize a position the CBP Acting Commissioner took in response to inquiries from Senator Ron Wyden last June.
- New procedures for handling legally privileged information: The directive sets forth more detailed procedures for the handling of information travelers claim is legally privileged. CBP officers must ask travelers to identify any privileged information. Then, working with CBP legal counsel, officers must attempt to segregate that information and handle it “appropriately.” The directive calls for the establishment of a “Filter Team” or other means of segregating legally privileged information from the information under search. There are no new procedures for handling sensitive information carried by journalists, though, except as otherwise provided in “any applicable federal law and CBP policy.”
The bottom line is that CBP still claims sweeping authority to search information stored on a traveler’s cell phone, laptop, or other electronic device. The directive offers little comfort to travelers who have complained of distressingly invasive searches of their private conversations, personal photos, and digitally recorded thoughts. While the requirement of reasonable suspicion for some “advanced” searches and the prohibition on searching remotely stored information are steps in the right direction, they fall far short of adequately protecting travelers’ rights at the border.