Back in March, CDT, along with more than 50 other civil society groups and trade associations, wrote a letter to Department of Homeland Security Secretary John Kelly urging that he back away from DHS proposals to use border searches as a tool to collect passwords and other social media information. Today we received a response. Unfortunately, the reply largely ducks our concerns, ignoring the main issues at play and doing little to shed light on the government’s plans or put to rest controversy about its contentious proposal. This non-answer is deeply troubling because it seems to indicate that Customs and Border Protection (CBP, which is a sub agency of DHS) is doing nothing to change course from a recent, dangerous trend: the use of the U.S. border as a tool to conduct broad surveillance.
To understand why this is a big deal, we need to look at two things: the law at the border and trends in technology. When you enter the United States, your privacy rights are at their lowest point – the government can search you and your belongings, detain you for questioning, and, if you are not a U.S. citizen or lawful permanent resident, bar you from entering the country altogether.
This legal reality has always made for some uncomfortable privacy issues (strip searches are sometimes authorized at the border!), but our digital lives have supersized these issues. We now carry much more information about us – our political views, reading habits, and professional documents – in the form of mobile phones that are, like any other piece of property, subject to search. Worse, the government has started to leverage its immense border power to force disclosure of social media identifiers and passwords, which can be used to track travelers and invade their privacy even after they pass through the border.
The Obama administration started this trend. Back in 2009 DHS approved a policy that allowed any laptop to be searched without restriction. This policy remains in force today in spite of at least one appellate court ruling that some criminal predicate is required for a search and the reality that many more people travel with personal devices. The Obama administration also took the first steps toward requiring disclosure of social media information. In spite of widespread opposition and a lack of evidence that the information has value, they created a voluntary process for some visitors to declare their social media handles.
The Trump administration has doubled down. Secretary Kelly has promulgated proposals to collect not just social media identifiers but also passwords. The voluntary collection of social media identifiers has been extended to visitors from China, and identifiers and passwords would be required as part of so-called extreme vetting of visitors from six majority Muslim nations. CBP also seems to have ramped up use of the policy, dramatically increasing the number of phones searched and also singling out particular groups, including Muslims and foreign journalists.
These trends are certain to result in privacy invasions, excess government scrutiny, and harm to cybersecurity. It is likely that other nations around the world will move to adopt these same rules as well. As we told DHS back in March, the practical result is that border crossing will require full digital disclosure – exposing not just our personal information but also the tools we use to bank, communicate, and participate in our digital lives. This will not just infringe on free expression and privacy, but will also expose our personal information to the federal government who has a terrible track record of keeping such information safe. Ironically, it’s unlikely to have any security value, since bad actors conceal their accounts and the government drowns in information from innocent people.
So what can we do? First, Congress can continue to demand more information including how many device searches are happening (data on government searches is notoriously hard to get in this area). The confirmation hearing of a new CBP head would be a great place to start. Congress can also push to make DHS clarify the limits of its authority. Senator Ron Wyden recently forced CBP to admit that it does not have the authority to search cloud-based accounts that are linked to mobile devices. Finally, Congress must act – members should endorse the bipartisan Protecting Data at the Border Act to reign in invasive border practices.