EPIC v.CBP (Electronic Device Search Audits)
- Congress to Consider Moratorium on Facial Recognition: POLITICO reports that House leaders will consider a moratorium on funding facial recognition following a House Oversight Committee hearing on DHS facial recognition programs. Prior to the hearing, EPIC briefed members of the House committee about the entry-exit program at US airports. Air travelers have reported that it is difficult to opt-out and the agency has still not conducted a required rulemaking. Last month, EPIC led a coalition of over 35 organizations urging Congress to halt the use of face recognition on the general public. In a statement in April to the House Appropriations Committee, EPIC recommended that Congress halt the funding for the facial recognition program at TSA, also within the DHS. After a Buzzfeed story featured documents obtained by EPIC about plans to expand facial recognition at airports, Senators Ed Markey (D-MA) and Mike Lee (R-UT) called for the suspension of the program. (Aug. 22, 2019)
- Federal Appeals Court Says Consumers Can Sue Facebook for Facial Recognition: A federal appeals court has ruled that users can sue Facebook for collecting and using their facial images. In Patel v. Facebook, users contend that Facebook violated an Illinois biometric privacy law by creating biometric templates of their faces without their consent. The court found that the Illinois law "protects the plaintiffs' concrete privacy interests" and violations of the law "pose a material risk of harm to those privacy interests." The court cited the common law roots of the right to privacy and also noted that "the Supreme Court has recognized that advances in technology can increase the potential for unreasonable intrusions into personal privacy." EPIC filed an amicus brief in the case, arguing that the violation of the privacy law was sufficient for Facebook users to sue the company. EPIC wrote the "Illinois Biometric Information Privacy Act imposes, by statute, legal obligations on companies that choose to collect and store individuals' biometric data." EPIC said that plaintiffs must only "demonstrate that a defendant has invaded a concrete interest protected by the law—nothing more." Last year, EPIC filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. EPIC routinely submits briefs in support of consumers' right to sue in privacy case. EPIC has also long advocated for limits on the use of biometric data and has opposed Facebook's use of facial recognition software. (Aug. 8, 2019) More top news »
Each year, hundreds of millions of individuals cross the United States border; many of these individuals travel with an electronic device such as a cell phone, tablet, or laptop computer.
CBP continually claims it is permitted to warrantlessly search electronic devices, through its authority to search "[a]ll persons, baggage, and merchandise arriving in, or departing from" the U.S. For example, in FY2016, U.S. Customs and Border Protection ("CBP") officers processed 390.6 million arriving international travelers and searched the electronic devices of 19,033 travelers. In FY2017, CBP searched 30,200 electronic devices of individuals traveling to and from the U.S.—a nearly 60% increase from 2016.
Electronic devices store vast troves of personal data and can be used to access even more data through cloud-based applications. A cellphone may provide access to financial records, medical records, and even password directories. The data collected from these electronic device searches can reveal highly sensitive and intimate information about travelers including religious affiliations, political beliefs, financial status, medical conditions, and confidential work product—including information protected under attorney-client privilege.
The warrantless searches of electronic devices at the border pose significant privacy risks and could violate an individual’s Fourth Amendment rights. Since 2011, almost 250 complaints have been filed with DHS regarding warrantless border searches of electronic devices, many of which complain about the loss of privacy. To date, CBP has not published the auditing requirements for its electronic search procedures nor has it published the results of those audits. Without disclosure of the auditing mechanism, the public is left in the dark on how the agency assesses the strength of its electronic device border search policy.
In this Freedom of Information Act lawsuit, EPIC seeks all records relating to CBP’s auditing mechanism, all audits, and the CBP handbook on security policies and procedures.
CBP’s 2009 Directive
CBP’s CBP 2009 Directive No. 3340-049, titled Border Search of Electronic Devices Containing Information, sets out the agency’s policy for "searching, reviewing, retaining, and sharing information" contained in electronic devices, and superseded previous CBP policies pertaining to device searches. Under the 2009 Directive, CBP may seize information with probable cause related to immigration, customs, or other border enforcement mandates. Although information deemed "privileged or sensitive" will only be shared with "federal agencies[,]" all other information may be shared with "federal, state, local, and foreign law enforcement agencies."
Importantly, the 2009 Directive also included an auditing requirement where CBP "will develop and periodically administer an auditing mechanism to review whether border searches of electronic devices are being conducted inconformity" with the 2009 Directive.
CBP’s 2018 Directive
In issuing its updated CBP 2018 Directive, CBP claimed to increase "transparency, accountability, and oversight of electronic device border searches performed by CBP." This updated policy describes when and how CBP officials may search electronic devices, how agents will handle and review passcode-protected or encrypted information, how long the agency will retain data seized or copied from devices, under which circumstances CBP will transfer seized data to other federal agencies, and when the seized data will be deleted or destroyed.
The current CBP policy sets different standards for "basic" and "advanced" device searches. An advanced search (also referred to as a "forensic search")—which can only be conducted based on reasonable suspicion—occurs when an officer uses specialized equipment to "review, copy, and/or analyze [the] contents" of an electronic device via wired or wireless means. Any search of an electronic device that is not "advanced" is considered a basic search and does not require any suspicion.
Under the 2018 Directive, without probable cause, CBP may retain information related to "immigration, customs, and other enforcement matters if such retention is consistent with the applicable system of records notice." CBP has interpreted "relating to" broadly, which leads to a lower standard than reasonable suspicion. Like the 2009 Directive, the updated policy allows CBP to broadly disseminate copies of seized information with "federal, state, local, and foreign law enforcement agencies" and third parties for assistance. The CBP 2018 Directive also states that travelers are "required" to "present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents" and authorizes officers to request traveler’s passcodes and/or seize their electronic devices if the traveler refuses to provide the requested information.
Following the issuance of the 2018 Directive and CBP’s reported dramatic increase in searches, Senator Patrick Leahy (D-VT) and Steve Daines (R-MT) introduced legislation that would require the government "to have reasonable suspicion or probable cause to search or seize Americans’ electronic devices at the border."
Auditing Requirement and OIG Report
The current CBP Directive includes an auditing requirement similar to the 2009 Directive. The 2018 Privacy Impact Assessment for CBP Border searches of Electronic Devices states that the DHS should "audit the actual use of PII to demonstrate compliance" under the Principle of Accountability and Auditing. The auditing procedures and auditing reports have yet to be made publicly available.
In an Office of Inspector General ("OIG") Report concerning CBP searches of electronic devices at the border, the OIG found that between April 2016 and July 2017, CBP "did not always conduct searches of electronic devices at U.S. ports of entry according to its [standard operating procedures]" and stated inconsistencies in procedures due to "inconsistent guidance" from CBP headquarters. The OIG also found that CBP did not properly document these electronic device searches and could not "maintain accurate quantitative data or identify and address performance problems related to these searches."
The OIG also found that CBP officers did not ensure the security of data or adequately manage technology to effectively search the devices. The OIG reported that CBP "has not yet developed performance measures to evaluate the effectiveness of a pilot program, begun in 2007, to conduct advanced searches[.]"
In January 2019, the American Bar Association ("ABA") passed a resolution urging the federal judiciary to recognize the substantial privacy risks implicated by electronic device searches at the border. The ABA urged Congress to enact legislation to address the risks associated with device searches at the border. Until legislation is adopted, the ABA urged the DHS to adopt policy that would require a warrant based on probable cause for search and seizure of electronic devices at the border unless an exception other than the border search exception applies; prohibit the government from denying Americans or lawful permanent residents entry or exit based on their refusal to provide access to their electronic devices for search; protect the attorney-client privilege and work product privilege at border crossings; and require the government to record each instance of a forensic search and issue an annual summary report of these electronic device searches.
EPIC has an interest in protecting individuals’ Fourth Amendment rights against unreasonable search and seizure. In particular, EPIC is focused on preventing the erosion of constitutional privacy rights due to the emergence of new technologies. In Riley v. California, the 2014 Supreme Court opinion on the warrantless search of a cell phone during an otherwise lawful arrest, the Court cited EPIC’s amicus brief twice and ultimately recognized a significant privacy interest in mobile devices.
Central to EPIC’s mission is education, oversight, and analysis of government activities that impact individual privacy, free expression, and democratic values in the information age. Through its Domestic Surveillance Project, EPIC has obtained numerous government documents exposing details of various DHS surveillance programs. Recently, CBP turned over documents on its biometric entry/exit program, pursuant to EPIC’s request. The documents revealed CBP intends to expand facial recognition technology to passengers on 16,300 international flights per week in the next two years, despite the absence proper privacy safeguards to limit the technology’s use and ensure adequate oversight.
U.S. District Court for the District of Columbia (No. 19-00279)
- EPIC Complaint (February 1, 2019)
- U.S. Customs and Border Protection, CBP 2009 Directive: Border Search of Electronic Devices Containing Information (2009)
- U.S. Customs and Border Protection, CBP 2018 Directive: Border Search of Electronic Devices (2018)
- U.S. Department of Homeland Security, Privacy Impact Assessment Update for CBP Border Searches of Electronic Devices (Jan. 2018)
- Office of the Inspector General, U.S. Department of Homeland Security, CBP’s Searches of Electronic Devices at Ports of Entry - Redacted (Dec. 2018)
- Section of Civil Rights and Social Justice Criminal Justice Section, American Bar Association, Revised Resolution 107A (2019)
- Charlie Savage and Ron Nixon, Privacy Complaints Mount Over Phone Searches at U.S. Border Since 2011, New York Times (Dec. 22, 2017)
- Derek Hawkins, The Cybersecurity 202: Warrantless device searches at the border are rising. Privacy advocates are suing., Washington Post (Aug. 7, 2018)
- Emily Birnbaum, Border entry searches of electronic devices up nearly 50 percent last year: report, The Hill (Dec. 10, 2018)
- Aaron Boyd, CBP Officers Aren’t Deleting Data After Warrantless Device Searches, IG Says, Nextgov (Dec. 10, 2018)
- Catalin Cimpanu, US border agents aren't deleting travelers' data after device searches, ZDNet (Dec. 12, 2018)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.