How CBP Uses Hacking Technology to Search International Travelers’ Phones
February 22, 2022
By Dana Khabbaz, EPIC Law Fellow
U.S. Customs and Border Protection (“CBP”) continues to search travelers’ electronic devices at the border without a warrant despite years of advocacy from EPIC and others calling for an end to this practice. CBP reports that in Fiscal Year 2021, it conducted 37,450 searches of international travelers’ electronic devices. These devices can include cell phones, computers, tablets, cameras, and hard drives. The agency maintains that these searches constitute a small percentage of CBP’s total interactions with international travelers. But in today’s world, devices like cell phones are keepers of a person’s most intimate information. For those travelers whose devices are being searched without probable cause, the invasion of privacy is anything but trivial.
For searches at the border—including airports when entering the United States—CBP follows a 2018 directive that dictates the procedures officers must follow when searching electronic devices. The directive allows agents searching devices to access any information that is stored directly on the electronic device. Data stored on cloud services is not retrievable unless the CBP officer has a warrant or receives consent from the traveler. Audit charts obtained by EPIC through a Freedom of Information Act (“FOIA”) request also show that CBP does not always notify travelers of the search. How thoroughly CBP can search a digital device depends on their level of suspicion—a legal standard—as well as whether there is a “national security concern.”
Without having to show any suspicion, a CBP officer can conduct what’s called a “basic search,” which means examining a digital device and “review[ing] and analyz[ing] information encountered at the border.” Travelers are required to provide their passcodes. If they refuse, an officer is permitted to “detain the device” for up to five days. Officers can only keep information relating to immigration, customs, and other enforcement matters.
With reasonable suspicion or a national security concern, a CBP officer can conduct what’s called an “advanced search” or a forensic search. This means an officer can “connect external equipment . . . not merely to gain access to the device, but to review, copy, and/or analyze its contents.” A document regarding “Border Searches of Electronic Media” that EPIC obtained through a FOIA request instructs officers to place devices in airplane mode or to disable the data connection before the search begins. Officers can only keep information relating to immigration, customs, and other enforcement matters. Under CBP’s guidelines, the reasonable suspicion requirement is met if there’s a “national security concern” or reasonable suspicion of a law violation. Being on a “government-vetted terrorist watch list” can create reasonable suspicion.
Finally, with probable cause that the digital device has “evidence of a violation of law that CBP is authorized to enforce or administer,” CBP can seize the electronic device.
To conduct its “advanced searches,” CBP uses mobile extraction software from firms including Cellebrite, Grayshift, PenLink, and Magnet Forensics. Many of these firms also contract with other DHS agencies, including Immigration and Customs Enforcement (“ICE”), and with state police departments. CBP records uncovered by EPIC through a FOIA request show that, beginning in March 2019, CBP upgraded its mobile extraction software to also include technology that centralizes information it obtains through its advanced searches.
Cellebrite produces a mobile forensics tool, Universal Forensics Extraction Device (UFED), that allows law enforcement to extract data from mobile devices, including encrypted, password-protected, and deleted data. Cellebrite also sells an analytical tool that efficiently decodes, translates, and organizes extracted data. Grayshift’s Graykey is a mobile forensic tool that can extract data from “locked and encrypted” iPhones. PenLink’s PLX software can extract and analyze location data, a person’s social media and email communications, and other files. Magnet AXIOM boasts an ability to recover data from cell phones, computers, and cloud services. To extract cell phone data, Magnet AXIOM pairs with Graykey, Cellebrite, and Oxygen software. Oxygen software, like Graykey and Cellebrite, is a forensic mobile extraction tool that advertises capabilities including “bypassing screen locks, locating passwords to backups, extracting and parsing data from secure applications and uncovering deleted data.” As of today, CBP has at least $1,299,552 worth of active contracts for Cellebrite, Grayshift, PenLink, and Magnet Forensics software.
EPIC and other organizations have been fighting against these digital device border searches for years. EPIC filed an amicus brief in 2020 in the Fifth Circuit case Anibowei v. Wolf, which challenged warrantless mobile searches at the border. EPIC’s amicus brief emphasized that “[s]martphones are ubiquitous” and are a “window into [Americans’] personal lives,” containing information spanning from “bank records to medical records to photos, videos, and internet browsing history.” The Fourth Amendment, EPIC wrote, protects against warrantless searches of these devices, and, moreover, any interest the government might have in warrantless searches of cell phones at the border does not outweigh that privacy right. In 2020, EPIC also settled a FOIA lawsuit against ICE concerning records about ICE’s contracts for Cellebrite’s UFED technology.
Other groups have also advocated to end this practice. In 2019, the American Bar Association passed a resolution urging the adoption of a warrant and probable cause requirement for device searches at the border. In 2021, the ACLU and EFF petitioned the Supreme Court to hear the case Merchant v. Mayorkas concerning the legality of warrantless digital device searches. Recently, the Senate introduced a bipartisan bill to end warrantless device searches at the border.
Warrantless electronic device searches—and particularly searches of cell phones—are tremendously invasive. That a traveler decides to cross an international border at a particular time should not justify the Federal Government’s access to an incalculable amount of information about the traveler’s private life and associations. As CBP’s contracts and administrative guidelines show no sign of the agency voluntarily halting these searches, courts and legislators must heed the calls of advocates and act firmly to protect travelers’ privacy rights.