Privacy Still at Risk Despite New CBP Search Rules

International travelers, citizens and foreigners alike, enjoy reduced privacy protections at ports of entry. Thanks to the “border exception” to the Fourth Amendment, Customs and Border Protection (CBP) officers do not need reasonable suspicion or probable cause to search electronic devices at airports. This regrettable authority made headlines last year after CBP officers searched phones belonging to innocent American citizens. CBP has updated its electronic device search policy via a new directive. While the directive does include a welcome clarification, it states that CBP can search anyone’s electronic devices without probable cause or reasonable suspicion.

The CBP’s new directive begins by outlining the unfortunate state of the Fourth Amendment at the border and ports of entry. The Fourth Amendment protects “persons, houses, papers, and effects” from “unreasonable searches and seizures.”

Yet, as Justice Rehnquist wrote in his majority opinion in United States v. Ramsey (1977):

[S]earches made at the border, pursuant to the longstanding right of the sovereign to protect itself by stopping and examining persons and property crossing into this country, are reasonable simply by virtue of the fact that they occur at the border.

In 1985, Rehnquist reiterated this point, writing in his United States v. Montoya de Hernandez (1985) majority opinion:

Routine searches of the persons and effects of entrants are not subject to any requirement of reasonable suspicion, probable cause, or warrant.

CBP conducted numerous warrantless searches of electronic devices last year. Perhaps most notable was the January 2017 case involving Sidd Bikkannavar, an American citizen, member of the CBP Global Entry program, and NASA Jet Propulsion Laboratory engineer. After arriving from Chile (not exactly a hotbed of international terrorism), a CBP officer at Houston’s George Bush Intercontinental Airport asked Bikkannavar to unlock his smartphone, which happened to be NASA property. Despite Bikkannavar pointing out that the phone contained sensitive information, the officer persisted, and Bikkannavar eventually gave up the phone’s passcode.

A month after CBP needlessly interrupted Bikkannavar’s travel, agency officials reportedly stopped another American citizen, Haisam Elsharkawi, from leaving Los Angeles on his way to Saudi Arabia. According to Elsharkawi, CBP officers put him in handcuffs and pressured him into unlocking his phone. The officers released Elsharkawi without charge hours after his plane had left.

Searches of electronic devices at the border are on the rise. According to CBP’s own figures, the number of international travelers processed with electronic device searches in the 2017 fiscal year increased almost 60 percent compared to the 2016 fiscal year. While the number of travelers subjected to these searches represents a small fraction of total international travelers, it’s clear that these warrantless searches have targeted innocent Americans and are unlikely to stop. At a time when the smartphone is an increasingly integral part of modern life, containing most of our intimate and private details, this authority is of acute concern.

The directive distinguishes between “Basic” searches and “Advanced” searches. During a Basic Search, officers may—with or without suspicion—“review and analyze” information found on the electronic device. If CBP officers conduct an Advanced Search they may connect the electronic device to equipment that can review, analyze, and copy its contents. The new CBP directive states that the reasonable suspicion standard applies to “Advanced” searches.

The directive makes clear that CBP officers still have the authority to seek technical assistance for any device if it cannot be accessed thanks to encryption or passcodes.

The directive also clarifies what information CBP officers can access. Last year, Senator Ron Wyden (D-OR) wrote to then Department of Homeland Security Secretary John Kelly, asking a range of questions about CBP’s search of electronic devices. CBP Acting Commissioner Kevin McAleenan responded.

According to McAleenan, CBP officers conducting an electronic device search only examine information that is “physically resident” on the device and do not access “information found only on remote servers.”

What information is found “only on remote servers” is not exactly clear cut, as Ars Technica’s Cyrus Farivar explained:

After all, many modern apps—notably social media, e‐​mail, or messaging apps—keep data on remote servers, but a smartphone often also keeps a local copy of the message or relevant data.

Late last year, McAleenan answered questions presented by the United States Senate Committee on Finance. In answering these questions he clarified the steps CBP officers take to ensure remote data is not accessed (emphasis mine):

Border searches of electronic devices extend to searches of the information residing on the physical device when it is presented for inspection or during its detention by CBP for aborder inspection. To ensure that data residing only in the cloud is not accessed, officers are instructed to ensure that network connectivity is disabled to limit access to remote systems.

The new CBP directive includes this policy:

To avoid retrieving or accessing information stored remotely and not otherwise present on the device, Officers will either request that the traveler disable connectivity to any network (e.g. by placing the device in airplane mode), or, where warranted by national security, law, enforcement, officer safety, or other operational considerations, Officers will themselves disable network connectivity.

This is a welcome clarification, but even with airplane mode enabled revealing details are still visible on a phone. Facebook group membership, emails, contact details, and photos are some of the information that’s available on a phone in airplane mode. Even if all of this information was hidden from CBP officers conducting a “Basic” search, the apps someone has downloaded can be revealing. You don’t have to be Sherlock Holmes to infer details about someone who has Coinbase, Tinder, Diabetes and Blood Glucose Tracker, and Muslim Pro apps on their phone.

CBP officers should have to secure a warrant before scouring our most intimate communications and details. A few years ago, the Supreme Court held in Riley v. California (2014) that police cannot search the digital information found on phones belonging to arrested persons without a warrant. In a brief for one of the cases considered in Riley v. California, the United States argued that searching information on phones is “materially indistinguishable” from searching wallets and purses. In his Riley v. California majority opinion Chief Justice Roberts correctly characterized this argument as “like saying a ride on horseback is materially indistinguishable from a flight to the moon.”

The modern smartphone is an essential feature of modern life. Almost every American adult owns a cell phone, with 77 percent owning a smartphone. Americans use these devices to contact family and colleagues, organize their finances, find love, publish their thoughts, find transport, play games, track their eating habits, listen to music, and much more. Allowing CBP officers warrantless access to devices that house this information risks needlessly violating Americans’ privacy.

Lawmakers in the House and Senate have introduced legislation requiring CBP to have warrants before searching phones. Until such legislation is passed or the Supreme Court revises the border exception to the Fourth Amendment, privacy at ports of entry will be dependant on CBP’s policies. Sadly, the new CBP directive shows that we should expect continued privacy violations at ports of entry for the foreseeable future.