An Inspector General (IG) audit of Custom and Border Protection’s (CBP) controversial border searches of electronic devices revealed that the agency overwhelmingly struggles to conduct searches that comport with the Constitution and agency protocol. While CBP does not agree with CDT’s assertion that these warrantless searches are unconstitutional, they do acknowledge at least one significant Fourth Amendment limitation to the latitude the agency traditionally enjoys at the border. Specifically, CBP has repeatedly stated that its ability to warrantlessly search electronic devices like cell phones at the border is limited to information that is resident on the device when it crosses the border with the traveler. The IG reviewed CBP conduct between April 2016 and July 2017 and found, contrary to policy and the demands of the Constitution, “officers did not consistently disconnect electronic devices, specifically cell phones, from the network before searching them.” By failing to disconnect devices officers may have unconstitutionally reviewed information stored remotely, including data from social media accounts or data stored in the cloud.
Border agents have long held the ability to search through travelers’ possessions without a warrant, probable cause, or even reasonable suspicion. The Supreme Court acknowledged in United States v. Ramsey (1977) that “searches made at the border, pursuant to the longstanding right of the sovereign to protect itself by stopping and examining persons and property crossing into this country, are reasonable simply by virtue of the fact that they occur at the border….” This rule is not absolute but “is grounded in the recognized right of the sovereign to control, subject to substantive limitations imposed by the Constitution, who and what may enter the country.” Data stored remotely does not cross the border with the traveler, and a search of this data during one of these border searches is unconstitutional.
In 2017, in response to questions raised by Senator Ron Wyden (D-OR) who was concerned about officers accessing remotely stored data, then Acting (now confirmed) CBP Commissioner Kevin McAleenan clarified that CBP’s authority to search data on electronic devices stored remotely is limited:
“CBP’s authority to conduct border searches extends to all merchandise entering or departing the United States, including information that is physically resident on an electronic device transported by an international traveler. Therefore, border searches conducted by CBP do not extend to information that is located solely on remote servers.”
To that end, officers are to ensure that devices are not connected to a network, or are on “airplane mode.” The audit took place before the 2018 Directive on Border Searches, which requires officers to affirmatively ask travelers to disable connectivity or have the officer do so themselves, and after a 2017 internal memorandum instructed officers to take such steps. The 2009 Border Directive, which guided some of these searches, had no such requirement. The IG report states that because of these inconsistent instructions, the records reflects poor compliance with this requirement. Of the 194 records reviewed, 154 were completed prior to the issuance of the April 2017 memo. None of the 154 contained evidence that data connections were disabled on electronic devices searched. 40 records were reviewed after the 2017 memo, and while they were reviewed and approved by supervisors, more than one-third of the records (14 of 40) lacked a statement confirming that the electronic device’s data connection had been disabled.
This systemic failure calls into serious question CBP’s ability to conduct these searches “judiciously, responsibly, and consistent with the public trust.”
The IG also found other significant flaws.
Searches of electronic devices were not always properly documented.
CBP policy requires that every search of an electronic device at the border be accompanied by a report that includes items like a description of the search, and supervisory approvals and extensions when appropriate. Out of 194 records reviewed 130 (67%) featured one or more omissions. Consequently the IG observed that “because of inadequate supervision to ensure OFO officers properly documented searches, OFO cannot maintain accurate quantitative data or identify and address performance problems related to these searches.”
CBP failed to ensure that traveler data copied during advanced searches was deleted.
During an advanced search (in which external equipment is connected to the device in order to gain access, review, copy, and analyze the device’s contents) data from the device is transferred to a thumb drive from which it is then uploaded to a CBP database. An inspection revealed that data on these thumb drives was not consistently deleted, leaving it vulnerable to unauthorized disclosure.
CBP has not developed performance measures for the advanced searches of electronic devices pilot program.
CBP has conducted advanced searches at the border since 2007 at which time they took place at four ports of entry. The program has since expanded to 67 ports of entry. CBP has yet to demonstrate the effectiveness of these searches and fails to track data that would help make this assessment like the number of instances in which information collected from searches resulted in a prosecution or conviction. These searches are very invasive; the Supreme Court observed in Riley v. California (2014) that “[m]odern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’” Currently advanced searches require only “reasonable suspicion,” and a supervisor’s approval, or a national security concern to justify it. Rather than first demonstrate the value of these searches relative to the privacy interests at stake, CBP has greatly expanded the program.
CBP Did Not Renew Software Licensing of External Equipment Expeditiously.
To conduct advanced searches CBP relies on a computer triage tool that enables examinations of laptops and hard drives. The tool requires an annual license renewal, which CBP allowed to lapse. The IG found that the license agreements were not in effect for 225 days between Jan. 31, 2017 and Sept. 12, 2017. Absent this license CBP could not conduct advanced searches at ports of entry. That it took more than 7 months to renew the license calls into serious question how “essential” these border searches are to CBP’s mission.
CBP’s response to the audit accepted the IG’s critiques and included a number of promised actions to address performance gaps including more internal oversight to ensure that CBP officials follow protocol. These measures may do little to assuage the concerns of travelers who could find their devices subjected to a border search. Based off of this report, they could be reasonably concerned about CBP’s compliance with its policy to, for example, delete their data after these searches.
Congress Can Take The Lead
Courts are slowly weighing in on the constitutionality of these searches, but litigation remains a long term strategy. In the meantime, CBP’s 2018 Directive on Border Searches outlines the protections afforded to travelers should they be subjected to such a search. The very least we should expect is for CBP to comply with this policy and perform the record keeping that is legally required and necessary to audit agency conformity.
But Congress has a role as well. The interest travelers have in their electronic devices, which “expose to the government far more than the most exhaustive search of a house” (Riley), is too great. Congress can monitor CBP’s progress as it implements the management changes that are responsive to the IG’s review. It can and should also demand greater transparency to inspect how CBP is exercising its authority and assess whether these searches may be disparately impacting certain nationals or communities.
Two pieces of legislation introduced in this Congress would help increase both traveler protection and transparency.
S. 823 and H.R. 1899 were introduced in April 2017 by Sens. Ron Wyden (D-OR) and Rand Paul (R-KY), and Reps. Jared Polis (D-CO), Blake Farenthold (R-TX), and Adam Smith (D-WA). This bill would require government officials to obtain a judicial warrant based on probable cause before accessing the contents of an electronic device in the possession of a U.S. person (citizen or lawful permanent resident). S. 823 and H.R. 1899 also include a number of reporting requirements including for the Department of Homeland Security (DHS) to gather and publish statistics on the nationality of individuals who are not U.S. persons whose devices were searched, the countries from which these travelers arrive, and the perceived race and ethnicity of travelers subjected to these searches.
Sens. Patrick Leahy (D-VT) and Steve Daines (R-MT) introduced S. 2462 in March 2018. The bill, which applies to U.S. persons, distinguishes the restrictions on CBP based on the type of search they conduct: basic or advanced. A basic (“manual”) search would require that a DHS officer have reasonable suspicion that the traveler violated a law enforced by DHS and the device contains evidence relevant to the violation. An advanced (“forensic”) search demands a probable cause warrant. Both changes would elevate the protections afforded U.S. persons at the border. The bill also includes mandatory reporting to Congress including statistics regarding the age, sex, country of origin, citizenship or immigration status, ethnicity, and race of the individuals transporting electronic devices that were subject to a search or seizure.
Both pieces of legislation expire at the end of the month and will need to be reintroduced in the new year. In 2019, CDT will encourage Congress to take an active role on this issue and will encourage the passage of legislation protecting the privacy of all travelers at the border as well as the inclusion of further transparency requirements. The IG report certainly makes the case that CBP should not be left to its own – or our – devices and that Congressional action is sorely needed.