Two of President Trump’s top homeland security nominees faced tough questioning from Sens. Ron Wyden (D-OR) and Rand Paul (R-KY) about the civil liberties implications of border searches of digital devices during their confirmation processes. In this deep-dive legal analysis, we dissect the written responses of Kirstjen Nielsen and Kevin McAleenan to “questions for the record” submitted by Sens. Wyden and Paul.

Nielsen, the nominee for secretary of the U.S. Department of Homeland Security (DHS), served as chief of staff to the former DHS secretary, John Kelly. When Kelly became White House chief of staff for President Trump, Nielsen followed to become a White House aide. McAleenan, the nominee for commissioner of U.S. Customs and Border Protection (CBP), has served as acting commissioner since the beginning of the Trump administration.

Both Nielsen and McAleenan revealed that CBP is currently reviewing its 2009 policy directive on border device searches and will “revise and update it to reflect evolving and operational practices on this important and sensitive issue.” McAleenan also promised Sen. Wyden that he would make the revised policy public. We eagerly await the revised policy.

The only policy update since 2009 that CBP has publicly discussed so far is the April 2017 “muster” that directs border agents not to access cloud data during device searches, and to disable a device’s Internet access prior to searching to ensure this is the case.

Additionally, we will be interested to see whether and how the revised policy addresses two key cases that have come down since 2009: the United States Court of Appeals for the Ninth Circuit’s 2013 decision in U.S. v. Cotterman and the U.S. Supreme Court’s 2014 decision in Riley v. California.

In Cotterman, the Ninth Circuit held that the Fourth Amendment requires border agents to have reasonable suspicion before conducting a software-aided “forensic” search (as opposed to a manual search) of a digital device such as a laptop. In Riley, the Supreme Court held that cell phones are not subject to the search-incident-to-arrest exception—which permits warrantless and suspicionless searches of arrestees and items in their possession—and thus, consistent with the Fourth Amendment, police must first obtain a probable cause warrant before searching the cell phone of an arrestee. As we have extensively argued, Riley should apply at the border given the significant and unprecedented privacy interests travelers have in their cell phones, laptops, and other digital devices.

Referencing Cotterman, Sen. Wyden asked McAleenan: “If CBP has been able to protect our borders and, more broadly, U.S. national security, while following a reasonable suspicion standard in the 9th Circuit, why could the agency not also adopt the same standard elsewhere in the country?”

McAleenan responded: “CBP is actively engaged in reviewing its [2009] governing policy on the border search of electronic devices, to include setting appropriate policy limitations for these searches, particularly when forensic review is involved.”

This response is intriguing because it raises the question whether CBP is actually considering writing the Cotterman rule into its border device search policy directive, which would apply across the country and not just in the nine western states under the jurisdiction of the Ninth Circuit. Moreover, McAleenan could have argued that Cotterman has hampered CBP’s border security mission, yet his silence suggests that this has not been the case.

Sen. Wyden asked McAleenan how many border device searches were supported by reasonable suspicion.

McAleenan responded: “CBP does not compile this specific data set.”

This is disappointing. It would be helpful to have this statistic to see how often border agents actually operate with some objective reason to believe that a traveler has violated an immigration or customs law. This would shed light on any claims by CBP that a universally applied higher standard of suspicion for border device searches would be impractical. Also, it would be instructive to know at a more granular level whether certain ports-of-entry or even specific agents conduct suspicionless searches more often than others.

Sen. Paul asked Nielsen what the maximum amount of time is that border agents may delay entry for a traveler in order to search their devices.

Nielsen didn’t answer this question, but instead reiterated CBP’s default rule that devices may be detained for not more than five days. However, while the default length of a device detention is five days, § 5.3.1 of CBP’s 2009 policy directive expressly allows for indefinite device detention if a supervisor agrees there are undefined “extenuating circumstances.” Presumably applying this nebulous standard, for the last 10 months CBP has confiscated the phone of Suhaib Allababidi, one of the plaintiffs in our lawsuit against DHS and CBP concerning border device searches and confiscations. As to Sen. Paul’s actual question, our clients suffered entry delays for several hours while agents searched their devices. One client, Jeremy Dupin, was detained for seven hours on Christmas Eve, along with his young daughter.

Sen. Wyden noted: “When meeting with my staff, CBP personnel stated that the agency does occasionally perform border searches of Americans’ electronic devices at the request of other governmental agencies.”

McAleenan responded: “[T]he use of other federal agency analytical resources, such as translation, decryption, and subject matter expertise, may be needed to assist CBP in reviewing the information contained in electronic devices or to determine the meaning, context, or value of information contained in electronic devices.”

McAleenan was referring to § 5.3.2 of CBP’s 2009 policy directive. The problem with McAleenan’s response is that he conflated border device searches at the request of other agencies, with border device searches conducted with the assistance of other agencies. He failed to address the former issue, which raises the specter of government officials evading the Fourth Amendment's warrant requirement by trying to stretch the border search doctrine—which permits warrantless and suspicionless “routine” searches—to cover investigations unrelated to the border.

We know that CBP does conduct searches for other agencies, and that those searches have nothing to do with a traveler at the border possibly violating an immigration or customs law. For example, in U.S. v. Saboonchi, Ali Saboonchi (a dual U.S. and Iran citizen) was returning to the U.S. from a vacation to Niagara Falls with his wife when border agents saw in a government database that he was the subject of a pre-existing investigation for violating the trade embargo with Iran. That investigation started with the FBI and continued with Homeland Security Investigations (HSI), a part of U.S. Immigration and Customs Enforcement (ICE). When border agents called an HSI special agent to flag that Saboonchi was at the border, she told them to detain Saboonchi’s devices to, as the district court explained, “take advantage of” the government’s authority to conduct warrantless border searches, in the hope of furthering that separate investigation—which had no nexus to Saboonchi’s border crossing.

Sen. Wyden asked McAleenan: “Have CBP personnel ever surreptitiously installed surveillance software or malware onto a traveler’s device during a border search? Alternatively, has CBP assisted another government agency in covertly installing malware onto a traveler’s electronic device?”

McAleenan responded “no” to both these questions, but limited his answer “to my knowledge.” If this is true, we welcome this assurance, as we know that this has been a significant fear of many travelers.

Sen. Wyden asked McAleenan: “I think it’s important that people know their rights, and that CBP can’t demand people assist in unlocking a device at the border. Will you commit to making sure that individuals know their rights, and your authorities, before they’re asked to provide assistance in searching a device?”

McAleenan referenced a “tear sheet” claiming that it “clearly explains and details the authority supporting the search of their electronic device.” But this document does not notify travelers that they have a right to refuse to provide their password or PIN, or otherwise provide border agents access to their digital devices. To the contrary, this document commands travelers to comply with border agents’ demands:

CONSEQUENCES OF FAILURE TO PROVIDE INFORMATION: Collection of this information is mandatory at the time that CBP or ICE seeks to copy information from the electronic device. Failure to provide information to assist CBP or ICE in the copying of information from the electronic device may result in its detention and/or seizure.

Finally, McAleenan revealed in his responses to Sen. Wyden that the number of border device searches for fiscal year 2017 (which ran from Oct. 1, 2016-Sept. 30, 2017) was 30,151. This is compared to 5,085 searches for FY 2012—reflecting a six-fold increase in the past five years.

McAleenan also revealed that of the FY 2017 border device searches, 20% (6,003) of travelers were American citizens. This is a large number of Americans whose privacy was invaded simply for traveling abroad. Moreover, this number doesn’t take into account legal permanent residents (green card holders), who also enjoy the Fourth Amendment right to privacy in their cell phones and other digital devices.

We thank Sens. Wyden and Paul for continuing to shine a light on border device searches. The more we know about this rampant invasion of digital liberty, the easier it will be to reform it.

For more information on your rights at the border, read our whitepaper: Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud.

We also urge you to contact your members of Congress and tell them to support the Protecting Data at the Border Act (S. 823/H.R. 1899), which would require border agents to get a probable cause warrant before searching the digital devices of U.S. citizens and lawful permanent residents.