In what was presented to the public this week as a clarification of its privacy policy, the US Dept. of Homeland Security published a paper referring to new guidelines for its immigration and customs agents regarding how they may conduct border searches of travelers' computers and electronic media. Clarifying the existing law, both sets of guidelines reiterated the department's policy created during the previous administration: Agents may seize, detain, and/or retain individuals' PCs and media without having reason to suspect that those people or those machines and devices are connected with a crime.

"ICE [Immigration and Customs Enforcement] Special Agents acting under border search authority may search, detain, seize, retain, and share electronic devices, or information contained therein, with or without individualized suspicion, consistent with the guidelines and applicable laws set forth herein," states the new policy for immigration authorities published last August 18 (PDF available here). "Assistance to complete a border search may be sought from other Federal agencies and non-Federal entities, on a case by case basis, as appropriate."

The guidelines for Customs & Border Patrol (CBP) agents says pretty much the same thing, adding that whenever a CBP agent encounters technical trouble figuring out how a mechanism works, or what the meaning of some piece of information is, he can seek help from other US government sources. "In such situations, Officers may transmit electronic devices or copies of information contained therein to seek technical assistance from other federal agencies," reads the CBP guidelines (PDF available here).


What's been a subject of contention ever since the government tightened border inspection policies in the wake of 9/11 hasn't been so much agents' rights to act without suspicion (although for some, that already crosses the line) as the authority DHS grants them to transmit the information they find elsewhere, under the auspices of "seeking help." Both guidelines now state that agents may only seek help from other federal sources, but they are not explicit with regard to what level -- for example, whether a private consultant under retainer for the FBI would qualify.

In their assessment of the extent of the risks this clarified policy might pose to citizens' and visitors' personal privacy, published last Tuesday (PDF available here), both border agencies, acting jointly, identified six specific areas: "(1) travelers may need additional information regarding the authority [agents have] to conduct border searches; (2) the traveler may be unaware of the viewing or detention of his/her information by CBP and ICE; (3) personally identifiable information (PII) may be detained where it is not needed; (4) PII may be misused by CBP and ICE officers; (5) CBP and ICE may disclose PII to other agencies that may misuse or mishandle it; and (6) new privacy risks may arise as the technology involved in this activity is ever-changing."

In other words, individuals may not be fully informed as to the extent of agents' authority, and what safeguards there may be to protect identifying information from falling into the hands of someone who can misuse it -- the privacy threat here being that the traveler may not know what the threat really is. The solution, DHS asserts, is by making that information about the private information that could be misused, public -- specifically, by publishing it in the Federal Register.

Under the heading, "Principle of Transparency," the DHS report explains, "When ICE or CBP retain information from electronic devices, that information may be subject to the requirements of the Privacy Act. The Privacy Act requires that agencies publish a System of Records Notice (SORN) in the Federal Register describing the nature, purpose, maintenance, use, and sharing of the information. This PIA and the several SORNs published by DHS provide notice of the retention of PII at the border and the retention of some of the contents of electronic devices."

So at the very least, an explanation of the events surrounding the detention or seizure of travelers' computers may be available online to those travelers (along with everyone else) on GPOAccess.gov. However, the Department goes on to say, the extent of the information shared online this way may be limited, especially with regard to how much the detained information is being shared, as well as with whom. This is for the good of any investigation that may arise.

"Because notifying the traveler of the sharing of information could impede an investigation or other law enforcement or national security efforts, CBP and ICE do not make the information sharing process fully transparent to the public," the report states. "To ensure the protection of personal data without compromising the investigation, CBP and ICE have instituted strict oversight and review processes. Generally speaking, information, including PII, will be shared with other agencies where CBP and/or ICE require subject matter expertise, decryption, or translation."

Those oversight and review processes will make the sharing of that information with other agencies legal and permissible under the Privacy Act of 1974. Appropriate safeguards and audit trails will be kept to track when and where information is exchanged, but for the sake of privacy, that information will be kept private.