EPIC v. CBP (Border Search Audits of Electronic Devices)

• Background |
• EPIC’s Interest |
• FOIA Documents |
• Legal Documents |
• Resources |
• News |

Top News

• Federal Agencies Move Forward Plan for DNA Collection: In a Privacy Impact Assessment, Customs and Border Protection and Immigration and Customs Enforcement announced a plan for the DNA collection of individuals detained at the border, including U.S. citizens. The change comes after a Department of Justice proposed rule that removed the authority of DHS components, including CBP and ICE, to exempt detained individuals from DNA collection. EPIC joined a coalition of civil liberties and immigrant rights organizations in comments to the Justice Department and urged the DOJ to rescind the proposed rule. The coalition stated the proposed rule was an "unacceptable and unnecessary privacy intrusion" that will impact not only the individual's DNA being collected but also family members, including American citizens. In an amicus brief to the Supreme Court, EPIC argued that law enforcement's warrantless collection of DNA is unconstitutional. (Jan. 7, 2020)
• EPIC Comments on Canada Transborder Data Flow Policy: EPIC provided comments to the Office of the Privacy Commissioner on Canada's policy for transborder data flows. EPIC urged the OPC to require that legal protection for personal data protection extend across borders, citing risks to privacy after the Capital One breach impacted affected six million Canadians. EPIC also encouraged the OPC to recognize multiple grounds for transfer, coupled with strong accountability measures. This approach is reflected in the EU General Data Protection Regulation and the Council of Europe's Modernized Privacy Convention. EPIC recently submitted comments on the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, the full slate appointments to the PCLOB, and U.S. endorsement of the OECD AI Principles. (Aug. 6, 2019)
More top news »
Bill Introduced to Strengthen Privacy Protections At U.S. Borders » (Jul. 25, 2019)
U.S. Senators Patrick Leahy (D-Vt.) and Patty Murray (D-Wash.) have reintroduced legislation that would strengthen privacy protections through limiting warrantless border searches. Customs and Border Protection officials are currently authorized to stop and search drivers without a warrant or even reasonable suspicion of wrongdoing within 100 miles of any U.S. border. They can also search private land within 25 miles of the border. In practice, this means government officers have authority to conduct searches without cause in a region that includes nearly two-thirds of the U.S. population. The Border Zone Reasonableness Restoration Act of 2019 would reduce the "border zone" from 100 miles to 25 miles and only allow officers access to private property within 10 miles of the border. A companion bill was introduced in the House of Representatives by Representative Peter Welch (D-Vt.). EPIC has long advocated against privacy-invasive border surveillance and has filed numerous lawsuits to force CBP and Immigration and Customs Enforcement to be more transparent about their border surveillance practices.
EPIC Sues State Department About Secret Facial Recognition Database » (May. 20, 2019)
EPIC filed a lawsuit today to compel the State Department to release information about the transfer of facial images, gathered from visa and passport applicants, to other federal agencies. EPIC explained to the federal court in Washington, DC that the Customs and Border agency is now using those images in an unlawful border system. EPIC has called for the suspension of the CBP program. Senators Markey and Lee have also opposed expansion of the CBP program to U.S. citizens. In a related FOIA lawsuit, EPIC obtained documents concerning CBP's facial recognition program. A summary report revealed that the system did not perform operational matching at a "satisfactory" level.
EPIC to TSA: Conduct Rulemaking on Facial Recognition » (Apr. 26, 2019)
In comments to inform the Transportation Security Administration's 2020 National Strategy, EPIC recommended that TSA to suspend the facial recognition program at US airports. EPIC wrote, "The TSA's use of facial recognition lacks the safeguards necessary for implementation." EPIC has also warned lawmakers and the DHS about the biometric border program that incorporates deploy facial recognition. EPIC has urged the agency to undertake a notice and comment rule making that would provide the public with the opportunity to comment on the controversial program. EPIC successfully required TSA to conduct a rulemaking on its deployment of airport body scanners in EPIC v. DHS. EPIC also recommended that TSA incorporate the Universal Guidelines for Artificial Intelligence, endorsed by over 300 organizations and experts, for AI-based systems.
EPIC Urges Congress to Examine Surveillance at the Border » (Mar. 5, 2019)
In advance of a hearing on border security, EPIC sent a statement to the House Committee on Homeland Security urging an examination of surveillance programs in use at the border. EPIC asked the Committee to examine the warrantless searches of mobile devices, social media profiling, and the use of drones. EPIC has filed several FOIA lawsuits against DHS regarding these surveillance activities, warning that border surveillance programs often capture the personal data of Americans. A previous FOIA lawsuit EPIC v. CPB uncovered Palintir's role in the development of the Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers, including U.S. citizens.
EPIC To PCLOB: Review 12333, Facial Recognition, AI, Smart Borders, and 702 Authority » (Feb. 7, 2019)
In advance of a Privacy and Civil Liberties Oversight Board forum on "Countering Terrorism while Protecting Privacy and Civil Liberties: Where do We Stand in 2019," EPIC sent a statement to the Board outlining priorities. EPIC said the Civil Liberties Board should (1) release the report on Executive Order 12333; (2) limit government use of facial recognition; (3) establish safeguard for government AI use; (4) monitor proposals for "smart" borders and assess privacy impacts on US residents; and (5) reform Section 702 surveillance authority. The independent agency reviews federal agency programs to ensure protections for privacy and civil liberties. EPIC helped establish the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out initial priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award.
EPIC to Senate: Oversight Board Must Review Government Use of Facial Recognition, AI » (Feb. 5, 2019)
In advance of a hearing about the Privacy and Civil Liberties Oversight Board, EPIC sent a statement to the Senate Judiciary Committee outlining priorities. EPIC said the Civil Liberties Board should (1) release the report on Executive Order 12333; (2) review the use of facial recognition technology and propose safeguards; (3) review the use of artificial intelligence and propose safeguards; and (4) monitor proposals for "smart" borders and assess privacy impacts on US residents. The independent agency reviews federal agency programs to ensure adequate safeguards for privacy and civil liberties. EPIC helped establish the PCLOB. In 2003 EPIC testified before the 9-11 Commission and urged the creation of an independent privacy agency to oversee the surveillance powers established after 9/11. EPIC also set out initial priorities for the PCLOB and spoke at the first meeting of the Oversight Board in 2013. In 2016, EPIC awarded former PCLOB Board Member Judge Patricia Wald with the EPIC Champion of Freedom Award.
EPIC Sues Border Agency about Searches of Cellphones » (Feb. 1, 2019)
EPIC will file a lawsuit today to compel a federal agency to release audits so as to determine whether the searches of electronic devices are lawful. The Border Search Directive sets out when and how Customs and Border Patrol officials may inspect cellphones, tablets, and laptop computers of travelers crossing the US border. The Directive requires the agency to develop an auditing mechanism to ensure lawful searches, yet the agency has not published the auditing requirements or the results of the audits. So, EPIC has sed for the release of the procedures. The American Bar Association recently adopted a new policy that urges Congress, the courts, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy rights of travelers. EPIC filed a related lawsuit against Immigration and Customs Enforcement for information about the warrantless searches of cell phones.
American Bar Association Takes Stand on Privacy Rights and Border Searches » (Jan. 29, 2019)
Leaders of the American Bar Association completed their midyear meeting yesterday and tackled a range of policy issues, including privacy at the border. The ABA adopted a new policy that "Urges the federal judiciary, Congress, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy interests of those crossing the border by imposing standards for searches and seizures of electronic devices, protection of attorney-client privilege, the work product doctrine, and lawyer-client confidentiality." The resolution was introduced by the ABA Section of Civil Rights and Social Justice and the Criminal Justice Section. EPIC Senior Counsel Alan Butler is the Chair of the ABA Civil Rights and Social Justice Section's Committee on Privacy and Information Protection. EPIC has previously submitted "friend of the court" briefs advocating for Fourth Amendment protection of cell phone data in Riley v. California and Carpenter v. United States.
Border Agency Finalizes Social Media Collection Rule » (Jan. 3, 2019)
Despite comments from EPIC and others, Customs and Border Protection will collect social media information from Americans and place that data outside legal protections provided by the Privacy Act. EPIC proposed opposed the collection of personal data and said that CBP should narrow the Privacy Act exemptions. The agency responded briefly to public comments, failing to defend the agency's decision. In a related FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government.
EPIC Investigates Airport Facial Recognition Opt-Out Procedures » (Dec. 12, 2018)
In an urgent FOIA request, EPICis seeking documents from CBP about the procedures for travelers to opt-out of biometric entry/exit program. EPIC found that CBP frequently changes the program without any formal procedures. One consequence is that it is now more difficult for travelers to opt-out of the screening procedure EPIC wrote that "CBP is modifying rules as it is implementing the program," contrary to federal law. Earlier this week, EPIC urged Congress to suspend the program until privacy safeguards and meaningful opt-out procedures are established. In comments to the DHS Data Privacy and Integrity Advisory Committee, EPIC explained the substantial privacy risks of CBP's use of facial recognition technology.
EPIC to Congress: Federal Agency Making Up the Rules for Facial Recognition Screening » (Dec. 11, 2018)
EPIC has sent a statement to the Senate Judiciary Committee for an oversight hearing of Customs and Border Protection. EPIC cited frequent changes CBP has made to the opt-out procedures for the biometric entry/exit program. "Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program," EPIC said. EPIC urged the Committee to suspend the screening program until privacy safeguards and meaningful opt-out procedures are established. Last week, EPIC warned Customs and Border Protection about facial recognition technology and urged the DHS Privacy committee to end the program.
EPIC Urges Congress to Examine Surveillance at the Border » (Nov. 28, 2018)
EPIC wrote to a Senate committee about the nominee to head the Immigration and Customs Enforcement agency. EPIC urged the Committee to examine the agency's practices, including the use of secretive algorithms and databases, warrantless searches of mobile devices, social media profiling, and the use of DACA application data for investigative purposes. EPIC has filed multiple FOIA lawsuits against ICE regarding theses surveillance programs. A previous FOIA lawsuit EPIC v. CPB uncovered Planter's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers.
Court Blocks EPIC's Efforts to Obtain "Predictive Analytics Report" » (Aug. 16, 2018)
A federal court in the District of Columbia has blocked EPIC's efforts to obtain a secret "Predictive Analytics Report" in a FOIA case against the Department of Justice. The court sided with the agency which had withheld the report and asserted the "Presidential communications privilege." Neither the Supreme Court nor the D.C. Circuit has ever permitted a federal agency to invoke that privilege in a FOIA case. EPIC sued the agency in 2017 to obtain records about "risk assessment" tools in the criminal justice system. These techniques are used to set bail, determine criminal sentences, and even contribute to determinations about guilt or innocence. Many criminal justice experts oppose their use. EPIC has pursued several FOIA cases concerning "algorithmic transparency," passenger risk assessment, "future crime" prediction, and proprietary forensic analysis. The case is EPIC v. DOJ (Aug. 14, 2018 D.D.C.). EPIC is considering an appeal.
EPIC Urges Suspension of Biometric Entry/Exit Program » (Jul. 25, 2018)
In comments to Customs and Border Protection, EPIC urged the agency to suspend the Biometric Entry/Exit Program. EPIC argued that less privacy-invasive alternatives should be considered and that the program should not move forward until Congress has passed regulations implementing safeguards for the use of biometrics. CBP solicited comments about the collection of biometrics, based on facial recognition, from people in vehicles crossing the border. EPIC said that such an expansion could quickly lead to a program of mass surveillance. In EPIC v. CBP, EPIC has sued the agency for details about the program. A report EPIC obtained in the lawsuit showed that facial recognition at a pedestrian border failed to perform at a "satisfactory" level.
EPIC FOIA: EPIC Obtains CBP Drone Operations and Privacy Directive » (Jul. 20, 2018)
Through a Freedom of Information Act lawsuit, EPIC obtained Customs and Border Protection's directive on Unmanned Aircraft System Operations and Privacy. The directive allows the agency to disseminate information collected through drone operations with federal, state, local, tribal, and foreign law enforcement agencies. EPIC's FOIA request stems from 2015 Presidential Memorandum that requires all federal agencies to develop and publish policies and procedures that address the privacy, civil liberties, and civil right issues posed by the use of drones. EPIC recently sent a statement to the Senate Committee on Homeland Security and Government Affairs, urging the Committee to not consider a S. 2836, Preventing Emerging Threats Act of 2018: Countering Malicious Drones, until all federal agencies establish drone privacy procedures.
EPIC Joins Coalition Urging Congress to Investigate Destruction of Records on Family Separation » (Jul. 12, 2018)
EPIC and a coalition of organizations sent a letter to Congress urging an investigation of the Department of Homeland Security's records management practices. The concern follows the administration's "zero-tolerance" immigration enforcement policy and family unification efforts. Recent reports indicate that border agents are improperly destroying records of the separated families, making it difficult to reestablish family connections. "The purposeful deletion of records by border agents would be a clear violation of the [Federal Records Act], with dire humanitarian consequences," the group stated. The letter also encouraged Congress to ensure DHS is fulfilling its transparency obligations by making its policy guidances available to the public. EPIC has previously warned the Senate about the misuse of immigrant data by the DHS.
EPIC to Congress: Warrant Should be Required for Searches of Phones at Border » (Jul. 10, 2018)
In advance of a hearing on "Examining Warrantless Smartphone Searches at the Border," EPIC has sent a statement to the Senate urging a warrant requirement for searches of electronic devices at the border. EPIC recently filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's warrantless searches of mobile devices. ICE has contracts with Cellebrite to extract data from mobile devices, including personal data stored in cloud-based accounts, without judicial authority. Privacy complaints regarding the search of mobile devices at the border continue to increase. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced S. 2386, legislation to restrict border searches of cellphones. EPIC Advisory Board member Professor Laura Donohue will testify at the hearing.
ICE Abandons "Extreme Vetting" Software to Screen Visa Applicants » (May. 18, 2018)
Immigration and Customs Enforcement has dropped a plan to use machine learning software to determine if a visa applicant might commit a crime or terrorist act. Last year, EPIC joined over 50 privacy, civil liberties, and civil rights groups to oppose the plan, stating that the "initiative was tailor-made for discrimination." EPIC has pursued several FOIA cases to uncover the use of secret algorithms by government agencies to score people, including EPIC v. CBP about the "Analytical Framework for Intelligence" that generated secret "risk assessments" on US travelers. In testimony for the 9-11 Commission, EPIC warned that "the use of information technology to identify individuals that may pose a specific threat to the United States" is a "complex problem [that] necessarily involves subjective judgments."
EPIC to Congress: Enhanced Surveillance at Border Will Impact Rights of U.S. Citizens » (Apr. 24, 2018)
EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing with the Commissioner of Customs and Border Protection. EPIC urged the Committee to ask the CBP Commissioner about the collection of biometric data at US airports. EPIC described the growing use of facial recognition that capture the images of US travelers. EPIC also pointed to a recent study that found racial disparities with the technique. EPIC is currently seeking records from the federal agency concerning the accuracy of facial recognition. EPIC also recommended the Committee examine how CBP will comply with state laws prohibiting warrantless aerial surveillance when deploying drones at the border. As a result of an earlier FOIA lawsuit, EPIC found that the CBP is deploying drones with facial recognition technology without warrant authority.
Senators Introduce Bill to Limit Device Searches at the Border » (Mar. 5, 2018)
Senators Patrick Leahy (D-VT) and Steve Daines (R-MT) have introduced a bill that would place restrictions on searches and seizures of electronic devices at the border. The bill sets out detailed procedures for seizing electronic devices, including a warrant requirement prior to inspection of the device, data minimization, and exclusion of evidence that is obtained in violation of the Act. The bill also establishes reporting requirements to determine the scope and frequency of device searches. Senator Leahy stated that "no American should have to relinquish all of their privacy rights to their cell phones, laptops and other electronic devices, simply because they are coming home from a trip abroad." The bill would also require a warrant to use software to analyze seized electronic devices. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact citizens' rights.
Republican DACA Bill Would Expand Use of Drones, Biometrics » (Feb. 21, 2018)
The Secure and Succeed Act (S. Amdt. 1959 to H.R. 2579), sponsored by several Republican Senators, would link DACA with hi-tech border surveillance. Customs and Border Protection would use facial recognition and other biometric technologies to inspect travelers, both US citizens and non-citizens, at airports. The bill also establishes "Operation Phalanx" that instructs the Department of Defense—a military agency—to use drones for domestic surveillance. EPIC has pursued many FOIA cases on border surveillance involving biometrics, drones, and airport body scanners, In a statement to Congress, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens."
EPIC FOIA- EPIC Obtains DHS Secretary Interview Notes on Border Security » (Jan. 8, 2018)
Through a Freedom of Information Act request, EPIC has obtained former Secretary of Homeland Security John Kelly's notes for an interview with NPR about border security. The notes include talking points about southwest border security and the construction of the southwest border wall. During the interview, Mr. Kelly also described DHS's plans to increase vetting of immigrants and coordination with the White House, despite the fact these issues were not included in the talking points. EPIC previously warned the House Oversight Committee that enhanced surveillance at the border will impact the rights of U.S. citizens. As a result of an earlier FOIA lawsuit, EPIC found that the Customs and Borders Protection is already deploying drones with facial recognition technology near the border.
EPIC FOIA: Report Reveals Failure of Border Biometric Matching Program » (Dec. 18, 2017)
Through a Freedom of Information Act lawsuit, EPIC has obtained a report from Custom and Border Protection, which evaluated iris imaging and facial recognition scans for border control. The "Southwest Border Pedestrian Field Test" reveals that the agency program does not perform operational matching at a "satisfactory" level. In a statement to Congress earlier this year, EPIC warned that biometric identification techniques are unreliable and lack proper privacy safeguards. EPIC is pursuing related documents for the use of biometrics at airports. EPIC has extensively litigated airport screening techniques, including EPIC v. TSA (concerning body scanner modifications) and EPIC v. DHS (concerning full body scanner radiation risks).
Nominee for DHS Secretary Favors Less Wall, More Surveillance Tech at Border » (Nov. 9, 2017)
Today Congress considered the nomination of Kirstjen M. Nielsen as Secretary at the Department of Homeland Security. Ms. Nielsen opposes a border wall but suggested an expansion of border surveillance. "Technology, as you know, plays a key part, and we can't forget it," she said. EPIC is pursuing a FOIA request regarding the use of DHS drones for border surveillance. Earlier EPIC cases - including EPIC v. DHS which led to the removal of x-ray body scanners in US airports - revealed that technologies for border surveillance invariably impact the privacy rights of Americans. Ms. Nielsen views on the use of DACA applicant data for enforcement remains unclear. EPIC recently warned that 800,000 DACA applicants face privacy risks as a result of the decision to end the Deferred Action for Childhood Arrivals.
CBP Plans to Exempt Social Media Data from Legal Protections » (Sep. 22, 2017)
Customs and Border Protection has published a system of records notice for the "Intelligence Records System." The agency proposes to exempt the database from many Privacy Act safeguards. The database contains detailed personal data from social media and commercial data services. CBP will use the "Analytical Framework for Intelligence" to secretly profile and evaluate social media users. In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to U.S. travelers. EPIC is now pursuing a FOIA request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir.
NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong » (Sep. 19, 2017)
The Public Voice will host an event with NGOs and Privacy Commissioners at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including biometric identification, Algorithmic transparency, border surveillance, the India privacy decision, and implementation of the GDPR. Speakers include Chairman Isabelle Falque-Pterrotin of the CNIL and Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of Access Now, EPIC, GP Digital, Privacy International, and the World Privacy Forum. The Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.
Report Shows Increase in Open Government Lawsuits, EPIC Among Nation's Leading FOIA Litigators » (Jul. 27, 2017)
A new report from the FOIA Project shows a "dramatic rise" in the number Freedom of Information Act lawsuits filed by nonprofit and advocacy groups. According to TRAC, these organizations now account for more FOIA suits than "any other single class." EPIC was the fifth most frequent litigator among nonprofit and advocacy groups nationwide. In 2017, EPIC has filed five FOIA lawsuits. EPIC is currently litigating EPIC v. ODNI, EPIC v. FBI, and EPIC v. IRS, three of the leading open government cases concerning Russian interference with the 2016 Presidential election. Last week, EPIC filed a new FOIA lawsuit against Customs and Border Protection for information about the agency's deployment of a biometric entry/exit tracking system, including at US airports. For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/.
EPIC to Congress: Examine Facial Recognition Surveillance at the Border » (Jul. 24, 2017)
EPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance.
EPIC: Enhanced Surveillance at Border Will Sweep Up U.S. Citizens » (Apr. 26, 2017)
A statement from EPIC to the House Oversight Committee for a hearing on border security warns that enhanced surveillance will impact citizens' rights. "The use of drones in border security will place U.S. citizens living on the border under ceaseless surveillance by the government." said EPIC. EPIC noted that Customs and Border Protection is already deploying drones with facial recognition technology on U.S. communities. In 2013, EPIC obtained records under the Freedom of Information Act which revealed that CBP drones could also intercept electronic communications in the United States. State laws in some border states prohibit warrantless aerial surveillance but the United States has failed to enact laws to limit drone surveillance. EPIC has sued the FAA for the agency's failure to create drone privacy safegruards as required by Congress.
EPIC Petitions Government to Suspend Drone Surveillance Program » (Mar. 22, 2013)
EPIC, joined by thirty organizations and more than a thousand individuals, has petitioned the Bureau of Customs and Border Protection to suspend the domestic drone surveillance program, pending the establishment of concrete privacy regulations. The petition states that "the use of drones for border surveillance presents substantial privacy and civil liberties concerns for millions of Americans across the country." The petition follows the revelation that the drones deployed by the federal agency are equipped with technology for signals interception and human identification. For more inform at ion, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.
EPIC FOIA - New Details About Automated License Plate Readers Obtained » (Feb. 14, 2012)
In response to an EPIC Freedom of Information Act request, Customs and Border Protection has disclosed nearly 1,000 pages of documents on automated license plate readers and border body scanners. The documents include contracts with several companies, such as Rapiscan and L3, for vehicle and cargo screening x-ray devices. Previous documents obtained by EPIC revealed that the agency is developing integrated vehicle scanners, with backscatter x-ray, Closed Circuit Television, and automated license plate readers, that would be used with human subjects. Radiation experts have questioned the safety of these systems, which produce ionizing radiation. For more information see EPIC FOIA: Automated License Plate Readers and Border Checkpoint Body Scanners.

Background

Each year, hundreds of millions of individuals cross the United States border; many of these individuals travel with an electronic device such as a cell phone, tablet, or laptop computer.

CBP continually claims it is permitted to warrantlessly search electronic devices, through its authority to search "[a]ll persons, baggage, and merchandise arriving in, or departing from" the U.S. For example, in FY2016, U.S. Customs and Border Protection ("CBP") officers processed 390.6 million arriving international travelers and searched the electronic devices of 19,033 travelers. In FY2017, CBP searched 30,200 electronic devices of individuals traveling to and from the U.S.—a nearly 60% increase from 2016.

Electronic devices store vast troves of personal data and can be used to access even more data through cloud-based applications. A cellphone may provide access to financial records, medical records, and even password directories. The data collected from these electronic device searches can reveal highly sensitive and intimate information about travelers including religious affiliations, political beliefs, financial status, medical conditions, and confidential work product—including information protected under attorney-client privilege.

The warrantless searches of electronic devices at the border pose significant privacy risks and could violate an individual’s Fourth Amendment rights. Since 2011, almost 250 complaints have been filed with DHS regarding warrantless border searches of electronic devices, many of which complain about the loss of privacy. To date, CBP has not published the auditing requirements for its electronic search procedures nor has it published the results of those audits. Without disclosure of the auditing mechanism, the public is left in the dark on how the agency assesses the strength of its electronic device border search policy.

In this Freedom of Information Act lawsuit, EPIC seeks all records relating to CBP’s auditing mechanism, all audits, and the CBP handbook on security policies and procedures.

CBP’s 2009 Directive

CBP’s CBP 2009 Directive No. 3340-049, titled Border Search of Electronic Devices Containing Information, sets out the agency’s policy for "searching, reviewing, retaining, and sharing information" contained in electronic devices, and superseded previous CBP policies pertaining to device searches. Under the 2009 Directive, CBP may seize information with probable cause related to immigration, customs, or other border enforcement mandates. Although information deemed "privileged or sensitive" will only be shared with "federal agencies[,]" all other information may be shared with "federal, state, local, and foreign law enforcement agencies."

Importantly, the 2009 Directive also included an auditing requirement where CBP "will develop and periodically administer an auditing mechanism to review whether border searches of electronic devices are being conducted inconformity" with the 2009 Directive.

CBP’s 2018 Directive

In issuing its updated CBP 2018 Directive, CBP claimed to increase "transparency, accountability, and oversight of electronic device border searches performed by CBP." This updated policy describes when and how CBP officials may search electronic devices, how agents will handle and review passcode-protected or encrypted information, how long the agency will retain data seized or copied from devices, under which circumstances CBP will transfer seized data to other federal agencies, and when the seized data will be deleted or destroyed.

The current CBP policy sets different standards for "basic" and "advanced" device searches. An advanced search (also referred to as a "forensic search")—which can only be conducted based on reasonable suspicion—occurs when an officer uses specialized equipment to "review, copy, and/or analyze [the] contents" of an electronic device via wired or wireless means. Any search of an electronic device that is not "advanced" is considered a basic search and does not require any suspicion.

Under the 2018 Directive, without probable cause, CBP may retain information related to "immigration, customs, and other enforcement matters if such retention is consistent with the applicable system of records notice." CBP has interpreted "relating to" broadly, which leads to a lower standard than reasonable suspicion. Like the 2009 Directive, the updated policy allows CBP to broadly disseminate copies of seized information with "federal, state, local, and foreign law enforcement agencies" and third parties for assistance. The CBP 2018 Directive also states that travelers are "required" to "present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents" and authorizes officers to request traveler’s passcodes and/or seize their electronic devices if the traveler refuses to provide the requested information.

Following the issuance of the 2018 Directive and CBP’s reported dramatic increase in searches, Senator Patrick Leahy (D-VT) and Steve Daines (R-MT) introduced legislation that would require the government "to have reasonable suspicion or probable cause to search or seize Americans’ electronic devices at the border."

Auditing Requirement and OIG Report

The current CBP Directive includes an auditing requirement similar to the 2009 Directive. The 2018 Privacy Impact Assessment for CBP Border searches of Electronic Devices states that the DHS should "audit the actual use of PII to demonstrate compliance" under the Principle of Accountability and Auditing. The auditing procedures and auditing reports have yet to be made publicly available.

In an Office of Inspector General ("OIG") Report concerning CBP searches of electronic devices at the border, the OIG found that between April 2016 and July 2017, CBP "did not always conduct searches of electronic devices at U.S. ports of entry according to its [standard operating procedures]" and stated inconsistencies in procedures due to "inconsistent guidance" from CBP headquarters. The OIG also found that CBP did not properly document these electronic device searches and could not "maintain accurate quantitative data or identify and address performance problems related to these searches."

The OIG also found that CBP officers did not ensure the security of data or adequately manage technology to effectively search the devices. The OIG reported that CBP "has not yet developed performance measures to evaluate the effectiveness of a pilot program, begun in 2007, to conduct advanced searches[.]"

ABA Resolution

In January 2019, the American Bar Association ("ABA") passed a resolution urging the federal judiciary to recognize the substantial privacy risks implicated by electronic device searches at the border. The ABA urged Congress to enact legislation to address the risks associated with device searches at the border. Until legislation is adopted, the ABA urged the DHS to adopt policy that would require a warrant based on probable cause for search and seizure of electronic devices at the border unless an exception other than the border search exception applies; prohibit the government from denying Americans or lawful permanent residents entry or exit based on their refusal to provide access to their electronic devices for search; protect the attorney-client privilege and work product privilege at border crossings; and require the government to record each instance of a forensic search and issue an annual summary report of these electronic device searches.

EPIC’s Interest

EPIC has an interest in protecting individuals’ Fourth Amendment rights against unreasonable search and seizure. In particular, EPIC is focused on preventing the erosion of constitutional privacy rights due to the emergence of new technologies. In Riley v. California, the 2014 Supreme Court opinion on the warrantless search of a cell phone during an otherwise lawful arrest, the Court cited EPIC’s amicus brief twice and ultimately recognized a significant privacy interest in mobile devices.

Central to EPIC’s mission is education, oversight, and analysis of government activities that impact individual privacy, free expression, and democratic values in the information age. Through its Domestic Surveillance Project, EPIC has obtained numerous government documents exposing details of various DHS surveillance programs. Recently, CBP turned over documents on its biometric entry/exit program, pursuant to EPIC’s request. The documents revealed CBP intends to expand facial recognition technology to passengers on 16,300 international flights per week in the next two years, despite the absence proper privacy safeguards to limit the technology’s use and ensure adequate oversight.

FOIA Documents

• EPIC’s FOIA Request (July 31, 2018)
• CBP’s FOIA Acknowledgement (Feb. 5, 2019)

Legal Documents

U.S. District Court for the District of Columbia (No. 19-00279)

• EPIC Complaint (February 1, 2019)

Resources

• U.S. Customs and Border Protection, CBP 2009 Directive: Border Search of Electronic Devices Containing Information (2009)
• U.S. Customs and Border Protection, CBP 2018 Directive: Border Search of Electronic Devices (2018)
• U.S. Department of Homeland Security, Privacy Impact Assessment Update for CBP Border Searches of Electronic Devices (Jan. 2018)
• Office of the Inspector General, U.S. Department of Homeland Security, CBP’s Searches of Electronic Devices at Ports of Entry - Redacted (Dec. 2018)
• Section of Civil Rights and Social Justice Criminal Justice Section, American Bar Association, Revised Resolution 107A (2019)

News

• Charlie Savage and Ron Nixon, Privacy Complaints Mount Over Phone Searches at U.S. Border Since 2011, New York Times (Dec. 22, 2017)
• Derek Hawkins, The Cybersecurity 202: Warrantless device searches at the border are rising. Privacy advocates are suing., Washington Post (Aug. 7, 2018)
• Emily Birnbaum, Border entry searches of electronic devices up nearly 50 percent last year: report, The Hill (Dec. 10, 2018)
• Aaron Boyd, CBP Officers Aren’t Deleting Data After Warrantless Device Searches, IG Says, Nextgov (Dec. 10, 2018)
• Catalin Cimpanu, US border agents aren't deleting travelers' data after device searches, ZDNet (Dec. 12, 2018)