EPIC v.CBP (Electronic Device Search Audits)
- DHS Proposes Database to Link Biometric Data, EPIC will Oppose: The Department of Homeland Security has published a Systems of Record Notice for the "Enterprise Biometric Administrative Records." The DHS seeks to link personal data in the IDENT biometric database to unique machine-generated identifiers. IDENT contains personal data on both U.S. citizens and non-U.S. persons.The IDENT database is tied to biometric databases maintained by the FBI, the Department of Defense, and the State Department. DHS also announced a Notice of Proposed Rulemaking that proposes to exempt the Enterprise Biometric Administrative Records database from many of the protections of the Privacy Act. EPIC is currently pursuing a Freedom of Information lawsuit against the State Department for information about the disclosure of personal biometric data to other federal agencies. Public comments on the Enterprise Biometric Administrative Records System of Record Notice or Notice of Proposed Rulemaking are due April 10 and April 15 respectively. EPIC will urge the DHS to suspend the project. And if the agency goes forward, EPIC will urge the agency to comply with all of the requirements of the federal Privacy Act. (Apr. 1, 2020)
- In FOIA Case, EPIC Obtains Details on State Department's Facial Recognition Program: In response to EPIC's Freedom on Information Act lawsuit, EPIC v. State, the State Department has provided EPIC with several agency agreements concerning State Department facial recognition program. The Consular Consolidated Database contains millions of images from visa and passport applicants, which other federal agencies are now accessing for purposes unrelated to the processing of visa and passport application. The State Department agreements include the Labor, Interior, and Defense Departments. Several of the documents EPIC obtained concealed the name of the federal agency accessing the State Department database. In a related EPIC FOIA lawsuit, EPIC obtained documents concerning Customs and Border Protection use of images from the State Department. (Feb. 19, 2020) More top news »
Each year, hundreds of millions of individuals cross the United States border; many of these individuals travel with an electronic device such as a cell phone, tablet, or laptop computer.
CBP continually claims it is permitted to warrantlessly search electronic devices, through its authority to search "[a]ll persons, baggage, and merchandise arriving in, or departing from" the U.S. For example, in FY2016, U.S. Customs and Border Protection ("CBP") officers processed 390.6 million arriving international travelers and searched the electronic devices of 19,033 travelers. In FY2017, CBP searched 30,200 electronic devices of individuals traveling to and from the U.S.—a nearly 60% increase from 2016.
Electronic devices store vast troves of personal data and can be used to access even more data through cloud-based applications. A cellphone may provide access to financial records, medical records, and even password directories. The data collected from these electronic device searches can reveal highly sensitive and intimate information about travelers including religious affiliations, political beliefs, financial status, medical conditions, and confidential work product—including information protected under attorney-client privilege.
The warrantless searches of electronic devices at the border pose significant privacy risks and could violate an individual’s Fourth Amendment rights. Since 2011, almost 250 complaints have been filed with DHS regarding warrantless border searches of electronic devices, many of which complain about the loss of privacy. To date, CBP has not published the auditing requirements for its electronic search procedures nor has it published the results of those audits. Without disclosure of the auditing mechanism, the public is left in the dark on how the agency assesses the strength of its electronic device border search policy.
In this Freedom of Information Act lawsuit, EPIC seeks all records relating to CBP’s auditing mechanism, all audits, and the CBP handbook on security policies and procedures.
CBP’s 2009 Directive
CBP’s CBP 2009 Directive No. 3340-049, titled Border Search of Electronic Devices Containing Information, sets out the agency’s policy for "searching, reviewing, retaining, and sharing information" contained in electronic devices, and superseded previous CBP policies pertaining to device searches. Under the 2009 Directive, CBP may seize information with probable cause related to immigration, customs, or other border enforcement mandates. Although information deemed "privileged or sensitive" will only be shared with "federal agencies[,]" all other information may be shared with "federal, state, local, and foreign law enforcement agencies."
Importantly, the 2009 Directive also included an auditing requirement where CBP "will develop and periodically administer an auditing mechanism to review whether border searches of electronic devices are being conducted inconformity" with the 2009 Directive.
CBP’s 2018 Directive
In issuing its updated CBP 2018 Directive, CBP claimed to increase "transparency, accountability, and oversight of electronic device border searches performed by CBP." This updated policy describes when and how CBP officials may search electronic devices, how agents will handle and review passcode-protected or encrypted information, how long the agency will retain data seized or copied from devices, under which circumstances CBP will transfer seized data to other federal agencies, and when the seized data will be deleted or destroyed.
The current CBP policy sets different standards for "basic" and "advanced" device searches. An advanced search (also referred to as a "forensic search")—which can only be conducted based on reasonable suspicion—occurs when an officer uses specialized equipment to "review, copy, and/or analyze [the] contents" of an electronic device via wired or wireless means. Any search of an electronic device that is not "advanced" is considered a basic search and does not require any suspicion.
Under the 2018 Directive, without probable cause, CBP may retain information related to "immigration, customs, and other enforcement matters if such retention is consistent with the applicable system of records notice." CBP has interpreted "relating to" broadly, which leads to a lower standard than reasonable suspicion. Like the 2009 Directive, the updated policy allows CBP to broadly disseminate copies of seized information with "federal, state, local, and foreign law enforcement agencies" and third parties for assistance. The CBP 2018 Directive also states that travelers are "required" to "present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents" and authorizes officers to request traveler’s passcodes and/or seize their electronic devices if the traveler refuses to provide the requested information.
Following the issuance of the 2018 Directive and CBP’s reported dramatic increase in searches, Senator Patrick Leahy (D-VT) and Steve Daines (R-MT) introduced legislation that would require the government "to have reasonable suspicion or probable cause to search or seize Americans’ electronic devices at the border."
Auditing Requirement and OIG Report
The current CBP Directive includes an auditing requirement similar to the 2009 Directive. The 2018 Privacy Impact Assessment for CBP Border searches of Electronic Devices states that the DHS should "audit the actual use of PII to demonstrate compliance" under the Principle of Accountability and Auditing. The auditing procedures and auditing reports have yet to be made publicly available.
In an Office of Inspector General ("OIG") Report concerning CBP searches of electronic devices at the border, the OIG found that between April 2016 and July 2017, CBP "did not always conduct searches of electronic devices at U.S. ports of entry according to its [standard operating procedures]" and stated inconsistencies in procedures due to "inconsistent guidance" from CBP headquarters. The OIG also found that CBP did not properly document these electronic device searches and could not "maintain accurate quantitative data or identify and address performance problems related to these searches."
The OIG also found that CBP officers did not ensure the security of data or adequately manage technology to effectively search the devices. The OIG reported that CBP "has not yet developed performance measures to evaluate the effectiveness of a pilot program, begun in 2007, to conduct advanced searches[.]"
In January 2019, the American Bar Association ("ABA") passed a resolution urging the federal judiciary to recognize the substantial privacy risks implicated by electronic device searches at the border. The ABA urged Congress to enact legislation to address the risks associated with device searches at the border. Until legislation is adopted, the ABA urged the DHS to adopt policy that would require a warrant based on probable cause for search and seizure of electronic devices at the border unless an exception other than the border search exception applies; prohibit the government from denying Americans or lawful permanent residents entry or exit based on their refusal to provide access to their electronic devices for search; protect the attorney-client privilege and work product privilege at border crossings; and require the government to record each instance of a forensic search and issue an annual summary report of these electronic device searches.
EPIC has an interest in protecting individuals’ Fourth Amendment rights against unreasonable search and seizure. In particular, EPIC is focused on preventing the erosion of constitutional privacy rights due to the emergence of new technologies. In Riley v. California, the 2014 Supreme Court opinion on the warrantless search of a cell phone during an otherwise lawful arrest, the Court cited EPIC’s amicus brief twice and ultimately recognized a significant privacy interest in mobile devices.
Central to EPIC’s mission is education, oversight, and analysis of government activities that impact individual privacy, free expression, and democratic values in the information age. Through its Domestic Surveillance Project, EPIC has obtained numerous government documents exposing details of various DHS surveillance programs. Recently, CBP turned over documents on its biometric entry/exit program, pursuant to EPIC’s request. The documents revealed CBP intends to expand facial recognition technology to passengers on 16,300 international flights per week in the next two years, despite the absence proper privacy safeguards to limit the technology’s use and ensure adequate oversight.
U.S. District Court for the District of Columbia (No. 19-00279)
- EPIC Complaint (February 1, 2019)
- U.S. Customs and Border Protection, CBP 2009 Directive: Border Search of Electronic Devices Containing Information (2009)
- U.S. Customs and Border Protection, CBP 2018 Directive: Border Search of Electronic Devices (2018)
- U.S. Department of Homeland Security, Privacy Impact Assessment Update for CBP Border Searches of Electronic Devices (Jan. 2018)
- Office of the Inspector General, U.S. Department of Homeland Security, CBP’s Searches of Electronic Devices at Ports of Entry - Redacted (Dec. 2018)
- Section of Civil Rights and Social Justice Criminal Justice Section, American Bar Association, Revised Resolution 107A (2019)
- Charlie Savage and Ron Nixon, Privacy Complaints Mount Over Phone Searches at U.S. Border Since 2011, New York Times (Dec. 22, 2017)
- Derek Hawkins, The Cybersecurity 202: Warrantless device searches at the border are rising. Privacy advocates are suing., Washington Post (Aug. 7, 2018)
- Emily Birnbaum, Border entry searches of electronic devices up nearly 50 percent last year: report, The Hill (Dec. 10, 2018)
- Aaron Boyd, CBP Officers Aren’t Deleting Data After Warrantless Device Searches, IG Says, Nextgov (Dec. 10, 2018)
- Catalin Cimpanu, US border agents aren't deleting travelers' data after device searches, ZDNet (Dec. 12, 2018)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.