Border Searches of Electronic Devices: Oh, The Places Your Data Will Go

Rejhane Lazoja, a Muslim American, is challenging U.S. Custom and Border Protection’s (CBP) seizure of her cell phone, as well as the possible retention and sharing of her device’s data without any articulation of reasonable suspicion, probable cause, or procurement of a warrant. CDT is supporting pending litigation challenging these searches under the First and Fourth Amendments. Lazoja’s lawsuit highlights one aspect of these searches that we have not addressed: what happens to the data once a device has been subjected to a search at the border?

Lazoja arrived in Newark from Switzerland on February 26, 2018. She was flagged for secondary screening during which CBP requested she open her phone. When CBP refused to provide her an explanation for their request, Lazoja in turn refused to unlock the device because the phone contained photos of her without her hijab (religious headscarf) and pursuant to her religion, men who are not family cannot view them. She also explained that the device contained communications with her attorney. CBP seized her device and it was returned on July 6, 2018, 130 days later. Lazoja contacted CBP and requested CBP indicate whether copies of her device’s data were made, and if so that the data be expunged, and indicate whether the data was shared with any third parties. Receiving no information in response to her request, Lazoja, represented by CAIR-NY and CAIR-NJ, filed a Federal Rules of Criminal Procedure 41(g) Motion for Return of Property in Federal District Court in New Jersey, to compel the return of any copies of her data that may be in CBP’s possession, and to be informed of other parties that may also have a copy.

Her brief cites to CBP’s policy directive on border searches of electronic devices, which provides some guidance on what may have happened to her data. By our read of that directive, Lazoja is right to be concerned.

CBP’s Border Search of Electronic Devices Policy

CBP’s policy on border searches addresses when CBP officials may search electronic devices and the process that governs device and data retention, sharing, and destruction. We discuss each of these in turn below.

Search

CBP policy allows officers to conduct two types of searches at the border without a warrant: basic and advanced. A basic search is a manual search and – according to CBP – it requires no individualized suspicion to justify the search. An advanced search involves connecting external equipment to the device in order to gain access, review, copy and analyze the device’s contents, frequently while detaining the device for a number of days. This type of search requires supervisory approval and only an articulation of reasonable suspicion, or a national security concern.

Retention

A traveler is expected to present CBP with a device that is ready to be searched—in other words —unlocked. If the traveler does not, CBP is allowed, with a supervisor’s approval, to detain the device or make a copy of the data in order to effectuate its search. There is no time limit to these detentions, however initial approval allows a detention of 5 days, after which extensions require approval in increments of no more than 7 days. Again, in this case CBP seized Lazoja’s device for over 4 months, meaning CBP may have approved the continued detention 18 times.

CBP officials may seize and retain a device or copies of the data, when “they determine there is probable cause to believe that the device, or copy of the contents from the device, contains evidence of a violation of law that CBP is authorized to enforce or administer.” CBP is tasked with regulating and facilitating international trade, securing the border from terrorism, and enforcing U.S. regulations, including trade, customs, and immigration. In short, it enforces many, many laws. Without a finding of probable cause, “CBP may retain only information relating to immigration, customs, and other enforcement matters if such retention is consistent with the applicable system of records notice.” Practically speaking, this is hardly a limitation and depends greatly on how broadly CBP reads “relating.” This is certainly a lower standard than reasonable suspicion.

Information related to the inspections and the data itself may be retained in a number of locations. CBP officials note in the TECS database the details and impressions of all secondary inspections, including why they took place, and whether and why a device was searched or detained. TECS is the information sharing platform managed by CBP and is its primary screening tool. TECS hosts data collected by CBP and other agencies, and allows CBP officers to query other law enforcement data streams nonresident in TECS, like the FBI’s National Crime Information Center or the Terrorist Screening Center. If an officer was able to review the device during the inspection, notes about the inspection could include what information was on the device, like what the traveler was reading or with whom they were communicating. This information is retained for 75 years according to a 2008 SORN, or for “the life of the law enforcement matter to support that activity and other enforcement activities that may become related.”

Data copied by CBP may be retained in the Automated Targeting System to “further review, analyze, and assess the information physically resident on the electronic devices, or copies thereof.” The Automated Targeting System (ATS) is a subset of data connected to TECS and is “a decision support tool that compares traveler, cargo, and conveyance information against law enforcement, intelligence, and other enforcement data using risk-based scenarios and assessments.” In short, ATS alerts CBP of perceived high risk passengers and cargo. Information stored in ATS is retained for 15 years and then deleted. However, data won’t be deleted if it is “linked to active law enforcement lookout records, CBP matches to enforcement activities, and/or investigations or cases (i.e., specific and credible threats; flights, individuals, and routes of concern; or other defined sets of circumstances) will remain accessible for the life of the law enforcement matter to support that activity and other enforcement activities that may become related.”

Data may also be retained in other systems, including if relevant, any of the immigration systems like the Alien File, Central Index System, E3 (CBP’s access portal to ICE and DHS’s biometric databases, ENFORCE/IDENT), or others. CBP operates and has access to a staggering number of systems related to its responsibilities, all with their own data retention schedules. We do not have complete information on all aspects of the search and retention of data because, according to a 2009 DHS Privacy Impact Assessment on border searches of electronic devices, “providing specific transparency to the general public about all aspects of the program could compromise law enforcement or national security sensitive information.”

CBP policy does not affirm a traveler’s right to be notified that their data has been copied or retained.

In short, CBP has broad authority to retain data from electronic devices subjected to a search, and can retain such data for extensive periods of time. As we do not know what was resident on her device or why she was stopped, it is difficult to assess where Lazoja’s data might be, if retained at all. Certainly TECS will have a record of the fact of the search, as well as CBP’s notes about the search.

Sharing

As Lazoja points out in her motion, CBP can share information copied from a device in a border search broadly. According to the CBP directive on border searches of electronic devices, “[n]othing in this Directive limits the authority of CBP to share copies of information contained in electronic devices (or portions thereof), which are retained in accordance with this Directive, with federal, state, local, and foreign law enforcement agencies to the extent consistent with applicable law and policy.” In case there was any doubt about the breadth of this sharing authority, CBP assures us that “[a]s a federal law enforcement agency, CBP has broad authority to share lawfully seized and/or retained information with other federal, state, local, and foreign law enforcement agencies in furtherance of law enforcement investigations, counterterrorism, and prosecutions (consistent with applicable SORNs).”

A review of the SORNs reveals this to be the case. For example, information in TECS can be shared pursuant to 15 different routine uses such as “[t]o appropriate Federal, State, local, tribal, or foreign governmental agencies or multilateral governmental organizations responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, license, or treaty where DHS determines that the information would assist in the enforcement of civil or criminal laws.” ATS is no different, and asserts similar broad sharing authority pursuant to routine use.

Furthermore, CBP may convey devices or copies of the data to third parties in order to receive technical assistance to search the device or get something translated. With reasonable suspicion of activities in violation of the laws enforced or administered by CBP, or where there is a national security concern, CBP may convey devices or data to third parties for subject matter assistance. Then, the agency providing the assistance may retain copies of the information “only if and to the extent that it has the independent legal authority to do so.” Thus, for example, if a traveler’s cellphone is shared with the NSA to obtain its assistance in defeating a security measure applied to the device, the NSA may retain and ingest into its databases any information it obtains from the device, to the extent retention furthers its mission and is consistent with its legal authorities. CBP policy states that when an electronic device or information is conveyed to a third party for assistance, the traveler will be notified, unless the “notification would impair national security, law enforcement, officer safety, or other operational interests.”

CBP has ample permission to share data retained from a border search of a device. Indeed the authority to share information that would “assist in the enforcement of civil or criminal laws” is broad. Again, without knowing the specifics of Lazoja’s case we cannot predict how data from her cell phone may have been shared. As noted above, the fact that the search took place as well as CBP’s observations will be retained on record in TECS, and that information is available to many entities.

Data Destruction

CBP policy states that if after reviewing the information there is not probable cause to seize the device or information therein, copies of the data held by CBP must be destroyed. CBP self imposed a deadline of deleting the data within 7 days of determining there is no probable cause, unless a supervisory official grants an extension in which case the data must be deleted within 21 days. Of course this deletion does not apply to the data CBP may retain that is “related” to its enforcement mission. Nor does this data deletion mandate extend to information shared with third parties that have an independent authority to retain the data.

Conclusion

Based on the broad authority conferred in CBP’s policy on border searches of electronic devices, it is certainly possible that some of Lazoja’s data has been been retained and shared. It’s difficult to determine whether this is the case without knowing the basis for the seizure of her data and device, or whether the information resident on her device revealed evidence of a violation of a statute enforced by CBP. What we do know is that these searches at the border implicate the fundamental freedoms of all travelers and raise the risk that incredibly personal and sensitive data will be retained for years and broadly shared throughout the government.

As of now, a date has not been set to hear Lazoja’s motion.