More than 325,000 people enter the United States via airports every day, with hundreds of thousands more crossing by land at the borders. Not only is that a lot of people, it’s also a lot of computers, smartphones, and tablets riding along in our pockets, bags, and trunks. Unfortunately, the Fourth Amendment protections we enjoy inside the U.S. for our devices aren’t always as strong when we’re crossing borders—and the Department of Homeland Security takes advantage of it. On the other hand, the border is not a Constitution-free zone. What are the limits to how and how much customs and immigrations officials can access our data? To help answer those questions, we’re offering the second in our series of posts on the Constitution at the border, focusing this time on the Fourth Amendment. Click here for Part 1 on the First Amendment or for Part 3 on the Fifth Amendment.

The Default Privacy Rule

The Fourth Amendment forbids “unreasonable” searches and seizures by the government. In most circumstances, the Fourth Amendment requires that government agents obtain a warrant from a judge by presenting preliminary evidence establishing “probable cause” to believe that the thing to be searched or seized likely contains evidence of illegal activity before the officer is authorized to search.

The Border Search Exception

Unfortunately, the Supreme Court has sanctioned a “border search exception” to the probable cause warrant requirement on the theory that the government has an interest in protecting the “integrity of the border” by enforcing the immigration and customs laws. As a result, “routine” searches at the border do not require a warrant or any individualized suspicion that the thing to be searched contains evidence of illegal activity.

The Exception to the Exception: “Non-Routine” Searches

But the border search exception is not without limits. As noted, this exception only applies to “routine” searches, such as those of luggage or bags presented at the border. “Non-routine” searches – such as searches that are “highly intrusive” and impact the “dignity and privacy interests” of individuals, or are carried out in a “particularly offensive manner” – must meet a higher standard: individualized “reasonable suspicion.” In a nutshell, that means border agents must have specific and articulable facts suggesting that a particular person may be involved in criminal activity. For example, the Supreme Court held that disassembling a gas tank is “routine” and so a warrantless and suspicionless search is permitted. However, border agents cannot detain a traveler until they have defecated to see if they are smuggling drugs in their digestive tract unless the agents have a “reasonable suspicion” that the traveler is a drug mule.

Border Searches of Digital Devices

How does this general framework apply to digital devices and data at the border? Border agents argue that the border search exception applies to digital searches. We think they are wrong. Given that digital devices like smartphones and laptops contain highly personal information and provide access to even more private information stored in the cloud, the border search exception should not apply. As Chief Justice Roberts recognized in a 2014 case, Riley v. California:

Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans the privacies of life.

Snooping into such privacies is extraordinarily intrusive, not “routine.” Thus, when the government asserted the so-called “incident to arrest” exception to justify searching a cell phone without a warrant during or immediately after an arrest, the Supreme Court called foul. Why is the Riley decision important at the border? For one thing, the “incident to arrest” exception that the government tried to invoke is directly comparable to the border search exception, because both are considered “categorical” exemptions. Given that the intrusion is identical in both instances, the same privacy protections should apply. Moreover, with the ubiquity of cloud computing, a digital device serves as a portal to highly sensitive data, where the privacy interests are even more significant. Following Riley, we believe that any border search of a digital device or data in the cloud is unlawful unless border agents first obtain a warrant by showing, to a judge, in advance, that they have probable cause to believe the device (or cloud account) likely contains evidence of illegal activity. However, lower courts haven’t quite caught up with Riley. For example, the Ninth Circuit held that border agents only need reasonable suspicion of illegal activity before they could conduct a non-routine forensic search of a traveler’s laptop, aided by sophisticated software. Even worse, the Ninth Circuit also held that a manual search of a digital device is “routine” and so a warrantless and suspicionless search is still “reasonable” under the Fourth Amendment. Some courts have been even less protective. Last year a court in the Eastern District of Michigan upheld a computer-aided border search of a traveler’s electronic devices that lasted several hours without reasonable suspicion. EFF is working hard to persuade courts (and border agents) to adopt the limits set forth in the Riley decision for border searches of cellphones and other digital devices. In the meantime, what should you do to protect your digital privacy? Much turns on your individual circumstances and personal risk assessment. The consequences for non-compliance with a command from a CBP agent to unlock a device will be different, for example, for a U.S. citizen versus a non-citizen. If you are a U.S. citizen, agents must let you enter the country eventually; they cannot detain you indefinitely. If you are a lawful permanent resident, agents might raise complicated questions about your continued status as a resident. If you are a foreign visitor, agents may deny you entry entirely. We recommend that everyone conduct their own threat model to determine what course of action to take at the border. Our in depth Border Search Whitepaper offers you a spectrum of tools and practices that you may choose to use to protect your personal data from government intrusion. For a more general outline of potential practices, see our pocket guides to Knowing Your Rights and Protecting Your Data at the Border.

We’re also collecting stories of border search abuses at: borders@eff.org

And join EFF in calling for stronger Constitutional protection for your digital information by contacting Congress on this issue today.