DHS, CBP Admit They Have No Legal Authority To Access Americans' Social Media Accounts

from the CBP-reminded-of-this-2-months-after-Wyden's-letter dept

Since at least 2009, the DHS has asserted a legal right to copy/search the contents of anyone's electronic devices at the border. Its privacy assessment said no one has much privacy, at least not near US borders. Building on years of judicial national security deference, the DHS has recently expanded its searches of electronic devices, eliminating most of its adherence to the Fourth Amendment in the process. If your devices wander into the country's Constitution-free zones, you can expect to suffer diminished expectations of privacy.

Noting that border searches of electronic devices were increasing exponentially (more searches in February 2017 alone than in all of 2015), Senator Ron Wyden did two things: introduced a bill creating a warrant requirement for border electronic device searches and asked the CBP (Customs and Border Protection) about its new demands for social media/email account passwords.

The DHS has responded [PDF] to Wyden's questions, and the answers are a bit surprising.

U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place.

This admission about a lack of legal authority contradicts the assertions made in its 2009 Privacy Impact Assessment, which placed CBP agent hunches above anything resembling reasonable suspicion or probable cause. But the answer aren't quite as clear-cut as it might appear from the NBC New summation.

With or without legal authority, the CBP is still performing searches of thousands of devices. Returning US citizens aren't exempted from these searches. They are often free to go, even if their devices might need to be left behind so the CBP can search/copy the device's contents. This may be done without reasonable suspicion because, as the letter puts it, any device might hold evidence of criminal activity (terrorism, smuggling, and child porn are specifically named).

What the CBP cannot do -- at least according to this letter -- is retrieve information and data not stored on the phone itself. But this would only prevent CBP officers from accessing cloud-based storage. Much of the information contained in email and social media accounts is not stored locally, but there's no practical way to separate local/cloud data when officers have access to the entire device. The letter appears to indicate officers need to restrict their searches to SMS messages, call logs, and photos/videos stored on the device.

How this operates in practice is another matter. The letter states CBP cannot demand passwords/pins from American travelers, but points out this may result in their electronics being detained indefinitely even as the citizens themselves are free to go. It says CBP officers have been instructed to stay away from social media/email accounts, but the April 2017 "reminder" appears to be the direct result of Wyden's probing questions, which were sent to the DHS at the end of February. What CBP was doing before the senator started asking questions is anyone's guess, but anecdotal evidence suggests CBP is treating US citizens as badly as it does foreign visitors.

What isn't in the letter is a direct response to Wyden's question about the number of US citizens subjected to these intrusive searches. The DHS claims not to have this information on hand but has promised to turn over some data later this year.

In the meantime, American citizens are receiving only slightly better treatment than arriving foreigners. Assertion of rights are the border will often be taken as unprompted admission of guilt. While the CBP may not have a legal basis to demand access to social media accounts, it does appear its demands for access to people's phones isn't stifled by many legal hurdles. Considering most phones/laptops contain social media account info, it's up to Americans to believe the CBP isn't accessing data it's been told to stay away from.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, cbp, cloud, device searches, dhs, laptop searches, local storage, privacy