June 10, 2021
With the weather getting warmer, and vaccinations against COVID-19 increasing, we are likely to see an increase in travel — including international business travel. But for individuals and companies seeking to protect their data privacy, a recent ruling by the United States Court of Appeals for the First Circuit may give rise to concern about the privacy of data contained on laptops, tablets and other connected devices carried across borders.
The United States Borders and Customs Service is the agency primarily responsible for protecting the borders from threats as diverse as the importation of illegal drugs and agricultural products to unlawful importation of monetary instruments, child pornography and other banned items. The U.S. Supreme Court has repeatedly held that, while the Constitution protects against “unreasonable” warrantless searches and seizures, travelers who cross international boundaries have a diminished expectation of privacy. Thus, in the case of “ordinary” border searches (searches of cars, luggage and persons) the high court has held that neither probable cause nor a warrant nor even individualized suspicion is required for the agents to conduct a search — even a thorough search. For a more intrusive search – such as a body cavity search – there, again, need not be a warrant, but there must be particularized suspicion. The court has not yet addressed the level of probable cause or warrant necessary for, for example, the taking of blood at the border.
Lowered Expectation of Privacy
In light of the “lowered expectation of privacy” at the border – or the “border search” doctrine – the government has established policies that permit them to search and seize (or seize, search, seize and then search) electronic devices like laptops, hard drives, cell phones, tablets and storage media at the border that is similar to the policy on searching your Samsonite. No warrant is required; no probable cause and no suspicion. More importantly, there is no limit on the scope of what the agents can search for, or why they can search. Additionally, because the agents lack the forensic resources to thoroughly search electronic devices at the border, their policies also permit them to continue the search by seizing the device, sending it to a law enforcement forensics lab, extracting all of the data from it, and conducting as detailed a search as they wish – all without a warrant, probable cause or suspicion.
Agency policies divide searches into “basic” searches – a physical examination of the device and its contents on the scene, using the “native” operating system (that is, not using forensic tools, and not decrypting encrypted files or reinstating deleted files) and an “advanced” search where the item is seized and data forensically extracted elsewhere. For basic electronic searches, no suspicion is required. For advanced searches, no warrant is required, and only the lowest evidence of suspicion.
To make matters worse for travelers, not only is there no limit to the scope or duration of the search, the government may also conduct “pretext” searches – that is, to use the fact that someone is traveling across the border as a pretext to seize and search their electronic devices when in fact, the reason for the search has nothing to do with protecting the border. While CPB “advanced” searches require “supervisory approval,” and under the CBP Policy may only be performed “[i]n instances in which there is reasonable suspicion of activity in violation of the laws enforced or administered by CBP, or in which there is a national security concern,” if such suspicion exists, there is no requirement that the “search” conducted of the electronic device be limited to looking for evidence of a violation of some border or import law. There is also no limit on how the government can use the information they glean from the search – they can send the data found to the SEC, to state regulators, to the IRS, or, in fact, to anyone they desire (within the limits of copyright or other laws.)
What’s even worse, since certain laws (and contract provisions) require a company to take “reasonable efforts” to protect the confidentiality of data, or privileges or other protections (like trade secrets laws) that state that the failure to reasonably protect the confidentiality of documents may constitute a waiver of the privilege or protection afforded by law. Confidentiality and nondisclosure contracts may require that you provide notice to the entity from which you obtained the data (the disclosing party) before you turn over their records to the government.
Borders, but no Boundaries
Finally, while we typically think of “the border” as being an airport or a geographically specific border crossing station, federal law provides that “the border” is actually any place that is within 100 miles of such a border. So, not only is a highway in El Paso, Texas, a “border,” all of Interstate 77 from Cleveland, Ohio, to Cambridge is similarly a “border,” since it’s about 100 miles from Lake Erie.
In February of this year, the federal court in Boston, in Alasaad v. Mayorkas, upheld the federal government’s policies regarding the scope and lack of warrant requirements for searches of electronic devices at the border, and the seizure of such devices for later examination outside the border. The Boston court rejected a ruling from a federal court of appeals in California that any search conducted without a warrant by CPB must be limited to searching for contraband, evidence of contraband or evidence related to laws enforced by the Border Control agencies. The Boston court also rejected the assertion that the Supreme Court’s ruling related to searches of cell phones without a warrant in Riley v. California, because the nature of electronic records on things like cell phones is substantially different from the types of things people would carry with them in the pre-cell phone era. The Boston court essentially said that border searches are essentially no different from searches of briefcases – if you deign to take records across the border, abandon hope all who enter here.
Finally, the court refused to recognize that electronic records might reveal information protected from disclosure to the government under the First Amendment (like membership in organizations, political speech, journalistic activities), and therefore that the government needed to balance the First Amendment rights of travelers against the need(s) to search. The Boston federal court also refused to limit the scope of the searches – basic or advanced – to the purposes of the border exception, such as to look for evidence of contraband or the like. So if a border supervisor thinks that there might be evidence of something within the jurisdiction of CPB or similar agency, they can ship off your phone or laptop to the NSA (or someone else) and any and all data on it can be used for any or all purposes. Schweet. That also means that, if you or your company are under investigation by some agency, and in litigation the government wants discovery of data that they are not entitled to, they can wait until someone travels across the border and voila! Unlimited access!
Assuming that the case stands up, anyone traveling should assume that whatever they are carrying with them is subject to seizure and search – not just by U.S. government border agents, but by foreign border agents, as well. Less clear is whether border agents can also use embedded authentication (for example, passwords) to log into remote storage facilities (the law may distinguish between storage of files and storage of communications) as an “extension” of the border search doctrine.
The short but impractical answer is to not bring with you any files or documents that you aren’t willing to have searched and seized. The less short, but equally impractical answer is to bring a “throwaway” computer – typically something like a Chromebook or similar device – which is used only to access mail and files that are stored remotely, and then to not store anything locally on the device. Not even movies or music, unless you can establish that you have a license to have them (piracy and copyright laws are also an excuse to seize and search devices).
Also, if you do use a Chromebook or similar device, do not store passwords for remote access on the device, enable biometrics, use multifactor authentication and have other security precautions against unauthorized access to the device and to data which may be accessed by the device. Third, you should also take normal security precautions for data, whether on a Chromebook or a 10TB hard drive. Encrypt. Encrypt. Encrypt. Whole disk encryption. File-level encryption. Folder-level encryption. Encrypted access to phones. And use several factors. Courts are split on whether they can force you to decrypt devices or files consistent with the Fifth Amendment, but having an encrypted device is more secure than not having one. Even more secure is having an encrypted device for which you do not have the key, right? But I never said these solutions would be practical.
Assert Your Authority
Finally, assert privileges. CPB policies for both “basic” and “advanced” searches require approval by the Department of Justice to search files or devices that contain privileged data – well, technically, only attorney-client privileged data, but that’s a start. Remember that attorney-client privilege applies to both the attorney and the client, so if you have anywhere on your device an email, a text message, a chat or something like that with an attorney or someone working with an attorney, and that was sent or received for the purposes of obtaining legal advice or representation – even with respect to the sale of your car, or a divorce, or anything, you can inform the CPB agent that your device contains attorney-client privileged information, and insist on DOJ approval. Of course, that means that you and your device will continue to be detained at the border for hours, or that you will be forced to surrender your device for an advanced search – so use judiciously.
None of these solutions are particularly good, since the inability of the CPB agents to view files during a “basic” search may mean that they now have suspicion that you are violating some law, and your device is taken from you for an advanced search. It’s a Hobson’s choice. The main takeaway, here, is that courts continue to treat mass storage devices like your old rucksack with a couple of file folders in it, rather than a person traveling with documentation of everything they have ever done and every place they have ever been from the beginning of time immemorial. Ultimately, the split among federal circuits may have to be addressed by the U.S. Supreme Court or Congress. Good luck there.
Source: Security Boulevard