By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently researching a book about textile artisans. She also writes regularly about legal, political economy, and regulatory topics for various consulting clients and publications, as well as scribbles occasional travel pieces for The National.
NBC News reported last week that Customs and Border Protection (CBP) concedes it lacks authority to access data stored only on the cloud when its agents examine the electronic devices of US citizens crossing the border.
The NBC News report, Border Patrol Says It’s Barred From Searching Cloud Data on Phones, was based on a CBP Letter, dated June 20, sent in response to written questions posed to CBP acting commissioner Kevin McAleenan by Senator Ron Wyden. Last April, Wyden and Senator Ron Paul introduced the Protecting Data at the Border Act, which would require border officials to get a warrant based on probable cause before they could search or seize cellphones at the border.
McAleenan provided the answers in advance of his confirmation hearing, according to this article in The Verge, US Customs says it can’t search cloud data at the border.
The money quote from the CBP letter:
CBP’s authority to conduct border searches extends to all merchandise entering or departing the United States, including information that is physically resident on an electronic device transported by an international traveler. Therefore, border searches conducted by CBP do not extend to information that is located solely on remote servers. I appreciate the opportunity to offer that clarification (CBP Letter, question 1b, p. 3).
The letter added:
In conducting a border search, CBP does not access information found only on remote servers through an electronic device presented for examination, regardless of whether those servers are located abroad or domestically. Instead, border searches of electronic devices apply to information that is physically resident on the device during a CBP inspection (CBP Letter, question 1c, p. 3).
And it further elaborated that border officers were recently reminded of this policy in April:
As explained in greater detail above, CBP border searches extend to the information that is physically resident on the device, and does not extend to information that is solely located on remote servers (known as solely “in the cloud”). In fact, with my concurrence, CBP’s Office of Field Operations issued a nationwide muster in April 2017 reminding its officers of this precise aspect of CBP’s border search policy (CBP Letter, question 4, p. 4).
Now, the first problem I have with this statement is well-summarised by this article in Ars Technica, US border agents: We won’t search data “located solely on remote servers”:
The phrase “located solely on remote servers” seems like it’s a step toward privacy, but it’s unclear what the statement would mean in practice. After all, many modern apps—notably social media, e-mail, or messaging apps—keep data on remote servers, but a smartphone often also keeps a local copy of the message or relevant data. Plus, if the phone is on and not otherwise in airplane mode, it’s likely going to be able to connect to the Internet and automatically pull the latest data.
To guard (imperfectly and somewhat) against this, as the Ars Technica account makes clear, the American Civil Liberties Union warns people crossing the US border to put their phones into airplane mode.
Constitutional Status of the US Border
But there’s an even bigger border risk with the CBP policy that travellers should consider. Now, the border isn’t a Constitution-free zone– at least for US citizens– no matter what border officials might like you to believe.
While the Fourth Amendment to the US Constitution– which in theory protects against “unreasonable searches and seizures”– does apply at the border, it is subject to a loose, imperfectly defined border exception, developed via Supreme Court cases (and also further complicated by statutes).
Allow me to quote from Chief Justice William Rehnquist’s opinion in the 1985 case of United States v. Montoya:
Consistently, therefore, with Congress’ power to protect the Nation by stopping and examining persons entering this country, the Fourth Amendment’s balance of reasonableness is qualitatively different at the international border than in the interior. Routine searches of the persons and effects of entrants are not subject to any requirement of reasonable suspicion, probable cause, or warrant, and first-class mail may be opened without a warrant on less than probable cause (citations omitted).
The key question is: What constitutes a “routine search”? The Electronic Frontier Foundation (EFF) has examined this question in detail in Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud and concluded:
In sum, the border search exception provides that “routine” searches at the border do not require a warrant or any individualized suspicion that the thing to be searched contains evidence of illegal activity (emphasis in original; citations omitted).
Thus far, the US Supreme Court has yet to consider the issue of whether CBP examination of a traveler’s electronic device qualifies as a “routine search”.
What happens if the CBP decides to search your device? Again quoting from the CBP letter:
In the exceedingly rare instances when CBP seeks to conduct a border search of information in an electronic device– which affects less than one-hundredth of one percent of travellers arriving to the United States– CBP will never prevent a U.S. citizen from entering the United States because of a need to inspect that traveler’s device. Therefore, although CBP may detain an arriving traveler’s electronic device for further examination, in the limited circumstances when that is appropriate, CBP will not prevent a traveler who is a confirmed U.S. citizen from entering the country because of a need to conduct that additional examination (CBP Letter, question 1a, pp. 2-3).
Let’s assume the CBP has decided to detain your device for further examination. Are you obliged to make it easy for them to search that device, for example by turning over your passwords or pass codes, or disabling the fingerprint sensor? On this question, allow me to turn to this report by the CATO Institute, CBP Dodges Sen. Wyden’s Electronic Searches Question, on the CBP Letter:
Many electronic devices are locked with either a passcode or a fingerprint sensor. Sen. Wyden explicitly asked whether CBP officers are obliged to inform travelers that they are not required to disclose social media account passwords or passcodes to unlock electronic devices.
The CATO account concludes “McAleenan dodges the question entirely”– and goes on to quote extensively from the CBP Letter (CBP Letter, question 3, pp. 3-4). I would add that in question 2 of the same letter, the CBP also dodged the related question of “[w]hat statutory authorities allow CBP to request or demand that a U.S. person provide his or her US personal electronic device PIN or password” (CBP Letter, question 2, p. 3). [Jerri-Lynn here: In the interest of keeping this post to a manageable length, I’ve not quoted the full sections from the letter here, but interested readers can easily examine them themselves.]
So, the bottom line here, at least for U.S. citizens, is that border officials cannot look at anything that may be found exclusively on the cloud. But they are allowed to search your electronic device for any information contained on that device– until Congress passes new legislation or further court decisions on this issue. US citizens can refuse to allow CBP agents to look at their devices, and to turn over the passwords for their electronic devices. To do so won’t bar their entry into the United States (although I imagine it would still subject them to significant hassles).
Border officials, however, can detain their devices– and once out of a person’s control, the full force of the feds can be brought to bear to romp through one’s data. The CBP’s concession appears to mean that such romping wouldn’t extend to information remotely held. Yet even if the feds were to provide such an assurance, would you trust them? Particularly once you’ve surrendered your device to their tender mercies. (See, for example, this Ars Technica piece– which suggests my scepticism is amply justified: Man: Border agents threatened to “be dicks,” take my phone if I didn’t unlock it).
The NBC report drily notes:
Homeland Security has published numerous documents (PDF) detailing what it touts as its progress in decoding password and PIN protection on most devices.
Senator Wyden’s Response
It appears that Senator Wyden wasn’t gulled by the CBP response– and I expect we’ll hear more from him on this topic during McAleenan’s confirmation hearings (or at least, I certainly hope so). Ars Technica noted:
In a statement sent to [Ars Technica], Sen. Wyden expressed dissatisfaction about the agency’s response.
“It flies in the face of Americans’ expectations of Constitutional protections for Customs to conduct warrantless, suspicionless searches of Americans’ devices at the border,” he wrote. “That’s why I wrote the Protecting Data at the Border Act. I appreciate Mr. McAleenan provided substantive responses to my questions, particularly when it comes to limits on searching data stored in the cloud.”
“However, it’s critical that CBP revise its policies immediately while Congress works to enact my law,” Wyden continued. “CBP should take four steps right now: First, start tracking the number of Americans searched and type of device searched; Second, amend its policies to require reasonable suspicion prior to search; Third, fully inform Americans of their rights and CBP’s authorities before searching or requesting assistance to search a device; and finally, continue to educate officers as to the fact that they cannot search any cloud information at the border.”
What About Non-Citizens?
Sorry, you’re out of luck.
CBP data show that social media searches at the border rose sharply even before Trump was inaugurated, “tripling from October 2015 to October 2016 and rising slightly again by last March”, according to the NBC report cited above.
As The Verge article quoted above notes:
Social media searches have grown more aggressive under the Trump administration, as border agents seek more information about travelers’ online activities. Even visa-holding non-citizens can be denied entry to the US if agents perceive them as a threat, so travelers are often willing to hand over passwords rather than be turned away at the border.
Further, such scrutiny has been ramped up and is only expected to intensify, as Fortune reports in New Social Media Screening for U.S. Visitors Goes Into Effect:
The Trump Administration, which vowed to implement “extreme vetting” at the borders, has implemented part of a controversial plan requiring some U.S. visa applicants to disclose their social media history before entering the country.
The plan, which requires applicants to disclose user names for social media platforms they’ve used in the past five years, was approved by the Office of Management and Budget on May 23 and is now in effect.
Plans are in place to expand such measures further, again according to Fortune:
The Department of Homeland Security began asking visitors for social media information—including Facebook and LinkedIn accounts—on a voluntary basis last year, and the Trump Administration has since moved aggressively to expand the vetting tactic. Homeland Security officials in April said they intend to expand the social media screening to citizens of close U.S. allies, including Britain and Australia, and to instruct more visitors to share their contact lists and other information from their phones.
Implementing such additional measures, I would imagine, will only serve further to depress US tourism figures.
I think an important question to ask is this:
Would any of these measures have prevented 9/11?
The answer looks like a “no” to me. Even if the hijackers were held up at the border, the Saudi embassy prob would have helped get them in, anyway.
9/11 was a crisis ripe for exploitation by TPTB. The aftermath (Patriot Act etc.) allowed authorities to spy on all Americans under the excuse of combating terrorists; I think it’s going to be hard to put that genie back in the lamp.
Thanks for this post.
The ad hoc overreach by CBP, re: electronic devices and others, an outgrowth of the war-on-terra™ (itself an outgrowth of the AUMF), has “grow’d like Topsy” with no end in sight. I’m glad to see this issue being addressed by Congress.
The ad hoc overreach may finally be wearing out its welcome. From the latest George Will column:
‘ Last month, the House Appropriations Committee voted — by voice, perhaps unanimously — to include in a defense measure a provision repealing the 16-year-old AUMF, for the purpose of forcing the writing of one responsive to 2017 realities. Speaker Paul Ryan opposed using an appropriations bill for this purpose (although nowadays the House appropriations process is rarely used for its intended purpose — timely passage of appropriations bills). But Rep. Tom Cole, an eight-term Oklahoma Republican on the committee, said, “I don’t know any other way to get [the congressional leadership’s and the administration’s] attention because we’ve been talking about it for years.” ‘
In the meantime, we are left to protect our sensitive business and personal data as best we can. The information in your post helps with this task.
And what if I, as a non-citizen, don’t bring any devices and/or my password list and therefore cannot give them my log-in information? Can I be deported for that? I am soooooo looking forward to my trip to the US.
… and, what if you don’t use social media? Cranky old folks like me could probably convince the border guards that’s true. If you’re young, though, it seems to be expected that you do. Will you be turned away for being uncooperative?
We live in a border town in Canada and have family in the US. We now only go over to visit, just shopping or vacation is not worth the hassle, beside the exchange rates I find the prices in the US rising even faster than in Canada.
We also have no devices…not even a cell phone, ridiculously, we find ourselves nervous about this.
Border security tightened up tremendously after 9/11, for a few weeks after, guards with dogs and rifles patrolled the line of cars awaiting entry at the border gate.
We always go now with the expectation of being refused entry.
Here’s a prediction: As long as these policies are in place, no US city will win an Olympic venue bid.
I’m wondering what’ll happen in academia, and specifically my former primary field of health services research – the rest of the world isn’t going to want to attend US conferences anymore. Researchers often hold large databases of sensitive information that can’t quickly be ‘downloaded from the cloud’ once you enter the US so must be on a laptop/external drive.
It was already the case in 2010 that the UK Medical Research Council frowned upon any trial or study which proposed having data pass through US jurisdiction. I was in Australia at the time and the MRC put Australia ‘on the same level’ data-protection wise as the UK (rightly or wrongly) when it came to the fact the data would have to come to Sydney from the UK and go back again. We did still have to show that the panel provider we used stored all data on Australian servers but once that hoop was jumped through we were largely in the clear. That, of course, pre-dated the big expansion in cloud storage and I wonder what they do now….but given new data protection laws coming into force I am guessing that steep conditions will be imposed if the cloud is used, or (more likely) putting the data on the cloud in the first place will be prohibited. But, as usual, he who pays the piper calls the tune….
They don’t need your phone to search your cloud data. They need it to search for data not in the cloud.
I don’t see how any of this would prevent a smart and determined enemy from bringing dangerous software into the country. As long as there’s an Internet, there’s no reason they’d have to physically take it across a border.
Absolutely correct. It is theatre. And there are thousands of ways to avoid it. As with crime, only the dumb ones get caught.
You need one phone for travel (empty of information) and another phone to leave at home (with all the information).
The dumb phone decision is looking better all the time.
Indeed. Get several, before it’s too late. With cash.
Curious. When “dumb” phones disappear, a lot of people will not be able to afford telephony at all. I-phone rates are set in relation to data used, right? So far, so good. However, the i-phones themselves are so expensive by themselves, sans “data plans,” hmmmm. Now that “phone booths” are relics of a bygone age, Tardis notwithstanding, poor people will truly become an “underclass.” Try to apply for a job without a “home phone.” I had some trouble explaining why our single dumb phone had a different area code from where we live. Traditional ways of viewing the world die hard.
There will always remain dumb phones in the prepaid lines (essentially viewed as disposable phones); after all, crooks need them to make tracing harder. Might be an opportunity for a black market in phones.
This is good news, but I’m not real happy about “The Cloud,” either.
What I’d really like is a simple solution for the problem of taking a clean machine across an international border and then making it, well, unclean again. Quickly and easily.
Surely there’s a solution? It sounds like such an obvious business model.
You could store your data on a blockchain and use a “brain wallet” for the keys that give you access (a “brain wallet” is a remembered phrase that represents the keypairs, but don’t use Bible quotes or anything brute-forcible). You arrive “clean” but plug in your brain phrase and Voila.
Blockchain is a super-inefficient way to compute or store data (see below) but this would work.
Note: it’s already illegal to store certain strings of numbers on your computer (child porn JPEGs are just one example)
There are lots of ways to do this. One simple way is to use something like Dropbox or Google drive sync. Delete the client, delete your files, and it’s clean*. When you’re ready to resume, reinstall the client, synch, and you’re set.
I’m not sure how to have something much better than this. If you have a single client that can easily swap between clean and dirty, then any search of the computer will uncover the client, which would immediately be suspicious.
*You’d need to be sure to secure delete everything. Also a simple uninstall may leave traces of the client, e.g. in Windows Registry. For a bit more work but more control over what’s installed where, you could use rsync.
Some clouds are safer than others. Spideroak (US) and Tresorit (Ireland) store your info encrypted with a passphrase of your choosing that they do not know or store (still some trust needed on that). That passphrase should of course be long and random (diceware.com) right from the start.
Any gear that crosses a border might be compromised either by data theft or by malware insertion or both so it is best just not to transport machines across borders unless you know a corruptible microstate diplomat willing to carry yours in a diplomatic bag. Of course, if they’re corruptible …
I’m guessing there is a package deal for this whole problem but it is priced at elite levels, involving burner machines that really get burned.
This all looks manageable for citizens who are prepared to cope with a bit of hassle. There will be (and probably are already) technology solutions to exploit this loophole. PIN/passcode security on a physical device generally won’t stand up to more than casual attack, so if you have to surrender your device you should assume it will be compromised. To me, the secure option looks like:
1. Sign up for a remote backup service of some kind, controlled by a (strong) master password to be used for restoration
2. Factory reset your phone before travelling
3. Once you are through border controls, restore your phone from the backup using the master password.
Now you have a stock factory device with no personal information on it and nothing for officials to find if they seize it. There will be no need to give them a passcode as it won’t have one – if you haven’t logged in since the reset (which you shouldn’t) it will power up to the initial setup process. They have no grounds for asking for your Google/Apple credentials, or your master password if they know about the remote backup service, because everything that’s on the device is already available to them and anything else is on a remote server and therefore protected.
Non-citizens can try the same thing but would be taking a bigger risk, including possibly being arbitrarily denied entry. I’d probably do it anyway if I was concerned, and claim if pressed that it was because the device had contained sensitive client information that was under NDA. But then I am a WASP from a Western country with no prior risk factors that I’m aware of (except maybe for posting on NC). If I was a brown-skinned Muslim, for example, I’d probably leave the data in place but manually delete anything that I thought might be incriminating beforehand (you could still use a backup service if you liked).
Actually on reflection, that’s probably insufficient as a factory wipe isn’t particularly secure (data can still be recovered via forensic analysis). It’s likely theoretically possible to use encrypted storage to protect it, but it might be tricky in practice and it could still lead to awkward situations (“we found this encrypted data on your phone, could you unlock it for us please?”) Alternatively you could look at ways to do a secure wipe, which would probably be enough to beat USCIS although likely not the FBI (but if they are involved, you have bigger problems).
The best and simplest solution is probably still to get a temporary device and log into it once you are across the border. You could then choose to use IOS/Android login and get most of your settings restored automatically, although you would need to dispose of it before crossing the border again if you did so.
How does airplane mode help? The data may have been already copied when the phone wasn’t in airplane mode?
The Feds will likely pass some legislation (which will of course be deemed as ‘passing constitutional muster’ by our surveillance-friendly higher courts) which removes the ‘physically resident on the device’ condition, thus making cloud data fair game for their depredations.
Lambert writes above:
What I’d really like is a simple solution for the problem of taking a clean machine across an international border and then making it, well, unclean again. Quickly and easily.
Surely there’s a solution? It sounds like such an obvious business model.
A MicroSD card, maybe? no bigger than a fingernail, really thin and thus easily concealable just about anywhere, and the newer ones have capacity up to 250MB. Pop that sucker either into a dedicated slot for such if your device has it or into a USB-form MicroSD reader and there you go. And presumably any standard way to encrypt an HD-style data volume will also work. Thoughts from our resident tech-sperts?
Is Lambert referring to a phone or laptop, any and all such devices? For Chromebooks and other cloud based machines (iPad not using local storage for example), it’s easy to wipe the machine and re-install. One could even set up two accounts, one to disclose to Feds directly, one to let Apple, MS, Google, etc. disclose on your behalf (without your knowledge).
More deeply, any device the Feds/KSB/China’s Gong-An inspect is likely to not be clean when given back to the owner, i.e., it’s very easy to stick any spyware on a machine via USB, as the USB interface operates at a level below the OS. Nearly all devices now carry chips that have back doors. https://www.youtube.com/watch?feature=player_embedded&v=b0w36GAyZIA
Interesting that this site does not offer https security for posting, but does worry so much about privacy.
Https stops man-in-the-middle attacks. Given the nature of the NC site, I can’t imagine it would be an attractive target for man-in-the-middle attacks: no personal id theft-target forms to fill out; no commerce outside of the tip jar, which is handled by PayPal. NC isn’t a website that needs https, imo.
The Amnesic Incognito Live System
I quite like the data storage capacity on MicroSD cards. However:
“…,really thin and thus easily concealable just about anywhere,….”
I know you are not advocating smuggling anything across any border. But for any reader who might get that idea: do not attempt to smuggle any physical thing across any border.
Is it impermissible “smuggling” to bring something like a MicroSD card into the United Police States of Amerika without telling the authorities? If someone has such a card tucked into a side fold of their suitcase, how is that qualitatively different from the SD card in my digital camera? I don’t tell the bordergoons to have a squizz at my Nikon to admire my holiday happy snaps. There are no boxes to fill in on U.S. Customs arrival forms saying “declare all data storage technology that you are carrying” like there are for cash over $10,000, food, boots claggy with farm dirt, etc.
(As far as I know, that is. I don’t fly into the U.S. any more because of the authoritarian “TAKE OFF YOUR SHOES, PEASANT! If you look at me crosseyed I’m going to make you miss your flight at the very least and maybe ship yer azz to Guantanamo if I get aggravated enough” attitude. When I visit relatives in the Land of Freedom, I fly into Canada and drive a rental car across the border. At high-volume road crossings, I get waved through quickly most of the time.* I have a U.S. passport.)
Plus it’s actually easy to smuggle physical things, at least if you’re a middle class-looking middle-aged whitefella. Security is not that stringent, from what I’ve found. Here’s a helpful tip — Glad brand turkey roasting bags are GREAT at concealing the smell of certain skunky substances from sniffer dogs. Learned that one from a weed dealer, and I can attest that it works. I mean for the small wheel of Italian goat’s cheese with black truffles that was given to me by an Italian hotel keeper toward the end of one trip, that was too rare/good to skoll down, so I brought it back to Oz that way. Bringing food items into this country is a high-penalty no-no. So are certain other smelly substances, but that’s best not to mention.
* I have gotten jacked worst at less-busy backroad border crossings such as from Quebec into Vermont. Coming into the Idaho Panhandle from British Columbia (“B.C. Bud” territory) in 2013, a government bullet-head scrolled through the entire history of my stand-alone GPS device (which leaves no digital trail of where I go, unlike your phone-based navigational aids) to trace where I had been. Totally overlooking what I had packed into the hollow part of my bicycle’s seat, which I had casually tossed into the bed of my pickup truck, heh-heh. While I was cooling my heels inside the waiting room, I overheard the borderobbers chortling about some chicken eggs that had been seized from some hapless Asian tourist. These twisted buggers don’t have enough real work to do…
We, a middle-aged couple with a lot of grey, were harassed for a good 3/4 hour at the tiny border crossing in ND across from the International Peace Garden last September. We were on a vacation car trip through the northern tier of the US hitting some of the National Parks and areas we had never been to. I hate phones of any kind and left my iPhone at home but my husband had his business-issued iPhone.
We were greeted pleasantly by the Canadian border guard whom we told we were just going over to visit the garden. He glanced at our passports and waved us in.
Upon return into our home country – the US – we were the only people at the border crossing the entire time and the US border Nazi guard made the most of it. My husband did throw him off a bit at first I guess when he picked up his phone from its dash holder unlocked it and gave it to the guy saying “feel free to search my phone”. And this was before most of the hubbub about phones… the guard seemed pissed though my husband did not say it in a hostile way at all but in a helpful tone. The nazi proceeded to pull everything out of trunk and paw through every inch of our stuff. He verbally harassed us about our ‘lie’ that we were just visiting the Peace Garden because he claimed “no one comes all the way up here to visit a garden”. We told him to talk to his Canadian counterpart about when we entered Canada and what we said. We had been in the garden maybe two hours tops. That seemed to REALLY set him off for some reason. Then he started really combing through the interior of the car and saying stuff we clearly saw as an attempt to get us angry. Luckily we saw it for what it was and kept our cool.
We travel abroad frequently and enter Canada at least once a year. And have for decades. Travel is our ‘thing’. We have been treated well even in difficult countries at difficult times. For example, we were in Egypt and Jordan in June after the Arab Spring. Customs in both countries were thorough, reasonable and quick.
But US customs and border people in every point of entry we have used in the past decade have gotten exponentially insane. The rudeness, the challenging aggressiveness, threatening attitude and even physical intimidation is off the charts. And we are small statured, white and middle aged. I cannot fathom what a dark skinned young man feels like…….
Friends we have from around the world are no longer intending to come to the US. A family from Zambia we have known for many years usually visits us regularly and we them. They were just denied visas. For no reason they were told. So we are meeting them in Nova Scotia this year renting a house on Cape Breton Island and spending our and their vacation $$ in Canada. Good job US government…
Sorry for the novel. This whole topic makes me nuts!
A couple of thoughts. 1: for companies, don’t store data on mobile devices (consider the issue of theft of laptop and data breaches); rather, use Windows terminal server if on Windows or the Linux equivalents. In this case the data never is stored locally, thus there is nothing to wipe. If you want local computing, use a virtual machine (say VirtualBox) and keep the VMs needed in the cloud to download after passing thru customs. It may mean that you can not work on the plane but…
NB: This is a policy, not a reg, not a law. It can be changed tomorrow, or the day after this guy gets confirmed.
You guys should visit Europe….
The UK has an army of border patrols, just to keep the Asylum seekers out.
Stopping cars for mobile devices… ???
Don’t be daft, The UK imports 99% of all Illegal drugs used…
50,000 criminals keep our border staff busy !!! LOL