U.S. Customs and Border Protection (CBP) issued a new policy on border searches of electronic devices that's full of loopholes and vague language and that continues to allow agents to violate travelers’ constitutional rights. Although the new policy contains a few improvements over rules first published nine years ago, overall it doesn’t go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are.

Nothing announced in the policy changes the fact that these device searches are unconstitutional, and EFF will continue to fight for travelers’ rights in our border search lawsuit.

Below is a legal analysis of some of the key features of the new policy.

The New Policy Purports to Require Reasonable Suspicion for Forensic Searches, But Contains a Huge Loophole and Has Other Problems

CBP’s previous policy permitted agents to search a traveler’s electronic devices at the border without having to show that they suspect that person of any wrongdoing. The new policy creates a distinction between two different types of searches, “basic” and “advanced.” Basic searches are when agents manually search a device by tapping or mousing around a device to open applications or files. Advanced searches are when agents use other devices or software to conduct forensic analysis of the contents of a device.

The updated policy states that basic searches can continue to be conducted without suspicion, while advanced searches require border agents to have “reasonable suspicion of activity in violation of the laws enforced or administered by CBP.” [5.1.4]

This new policy dichotomy appears to be inspired by the U.S. Court of Appeals for the Ninth Circuit’s 2013 case U.S. v. Cotterman, which required reasonable suspicion for forensic searches. CBP’s new policy defines advanced searches as those where a border agent “connects external equipment, through a wired or wireless connection, to an electronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.”

The Cotterman ruling has been only applicable in the western states within the Ninth Circuit’s jurisdiction, whereas this new policy is nationwide. It’s notable, however, that CBP has taken five years to address Cotterman in a public document.

There are at least four problems with this new rule.

First, this new rule has one huge loophole—border agents don’t need to have reasonable suspicion to conduct an advanced device search when “there is a national security concern.” This exception will surely swallow the rule, as “national security” can be construed exceedingly broadly and CBP has provided few standards for agents to follow. The new policy references individuals on terrorist watch lists, but then mentions unspecified “other articulable factors as appropriate.”

Second, as we argue in our lawsuit against CBP and its sister agencies (now called Alasaad v. Nielsen), the Constitution requires border agents to obtain a probable cause warrant before searching electronic devices given the unprecedented and significant privacy interests travelers have in their digital data. Only a reasonable suspicion standard for electronic device searches at the border, and no court oversight of those searches, is insufficient under the Fourth Amendment to protect personal privacy. Thus, the new policy is wrong to state that it goes “above and beyond prevailing constitutional and legal requirements.” [4]

Third, it is inappropriate to have a legal rule hinge on the flimsy distinction between “manual/basic” and “forensic/advanced” searches. As we’ve argued previously, while forensic searches can obtain deleted files, “manual” searches can be effectively just as intrusive as “forensic” searches given that the government obtains essentially the same information regardless of what search method is used: all the emails, text messages, contact lists, photos, videos, notes, calendar entries, to-do lists, and browsing histories found on mobile devices. And all this data collectively can reveal highly personal and sensitive information about travelers—their political beliefs, religious affiliations, health conditions, financial status, sex lives, and family details.

Fourth, this new rule broadly asserts that border agents need only “reasonable suspicion of activity in violation of the laws enforced or administered by CBP” before conducting an advanced search. We argue that the Constitution requires that agents’ suspicions be tied to data on the device—in other words, border agents must have a basis to believe that the device itself contains evidence of a violation of an immigration or customs law, not a general belief that the traveler has violated an immigration or customs law.

The New Policy Explicitly (and Wrongly) Requires Travelers to Unlock Their Devices at the Border

The new policy basically states that travelers must unlock or decrypt their electronic devices and/or provide their device passwords to border agents. Specifically: “Travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.” [5.3.1]

This is simply wrong—as we explained in our border guide (March 2017), travelers have a right to refuse to unlock, decrypt, or provide passwords to border agents. However, there may be consequences, such as travel delay, device confiscation, or even denial of entry for non-U.S. persons.

The New Policy Confirms Border Agents Cannot Search Cloud Content, But Details Betray CBP’s Stonewalling of EFF's FOIA Request

The new policy finally confirms that CBP agents must avoid accessing data stored in the cloud when they conduct device searches by placing devices in airplane mode or otherwise disabling network connectivity. [5.1.2] In April 2017, the agency said that border agents could only access data that is stored locally on the device. EFF filed a Freedom of Information Act (FOIA) request to get a copy of that policy and to learn precisely how agents avoided accessing data stored remotely.

CBP initially stonewalled our efforts to get answers via our FOIA request, redacting the portions of the policy that explained how border agents avoided searching cloud content. But after we successfully appealed and got more information released, and CBP Acting Commissioner Kevin McAleenan made additional public statements, we were able to learn that border agents were disabling network connectivity on the devices.

Frustratingly, CBP continued to claim that the specific methods border agents used to disable network connectivity—which we suspected was primarily toggling on airplane mode—were secret law enforcement techniques. The redacted document states:

To avoid retrieving or accessing information stored remotely and not otherwise present on the device, where available, steps such as [REDACTED] must be taken prior to search. Prior to conducting the search of an electronic device, an officer will [REDACTED].

Those details should never have been redacted under FOIA. CBP apparently now agrees. Section 5.1.2 of the new policy states:

To avoid retrieving or accessing information stored remotely and not otherwise present on the device, Officers will either request that the traveler disable connectivity to any network (e.g., by placing the device in airplane mode), or, where warranted by national security, law enforcement, officer safety, or other operational considerations, Officers will themselves disable network connectivity.

It thus appears that the new policy contains much of the same information that CBP redacted in response to our FOIA request. The fact that such information is now public in CBP’s updated policy makes the agency’s initial stonewalling all the more unreasonable.

Border Agents Will Now Handle Attorney-Client Privileged Information Differently

The new policy provides more robust procedures for data that is protected by the attorney-client privilege (the concept that communications between attorneys and their clients are secret) or that is attorney work product (materials prepared by or for lawyers, or for litigation). A “filter team” will be used to segregate protected material. [5.2.1.2]

Unfortunately, no new protections are provided for other types of sensitive information, such as confidential source or work product information carried by journalists, or medical records.

Conspicuously Absent: Any Updates to ICE’s Border Device Search Policy

While we welcome the improvements in the new policy, it’s important to note that it only applies to CBP. U.S. Immigration and Customs Enforcement (ICE), which includes agents from Homeland Security Investigations (HSI), has not issued a comparable new policy. And often times ICE/HSI agents are the ones who conduct border searches, not CBP agents, so any enhanced privacy protections found in the new policy are wholly inapplicable to searches by these agents.

CBP Must Update Policy in Three Years

Finally, the new policy must be reviewed again by CBP in three years. This is important, given that much has changed in the nine years since the original policy was published in 2009, yet CBP never updated its policy to reflect changes in the law that occurred during that time.

The loopholes and failures of CBP’s new policy for border searches of electronic devices demonstrate that the government continues to flout Fourth Amendment rights at the border. We look forward to putting these flawed policies before a judge in our lawsuit Alasaad v. Nielsen.