Monday, August 31, 2009

News on the Laptop Search Front

There has been activity in DHS on Customs and Border Protection policy regarding laptop searches.

First, I tweeted a while back that the ACLU has sued Homeland Security for access to records regarding the searches.

On August 18, 2009 Immigration and Customs Enforcement issued a directive (7-1.6) on the topic. The ICE directive continues the policy that the border search of electronic devices does not require the consent of the arriving traveler and, by implication, does not require suspicion directed at that traveler. At any point during the search, the electronic device may be detained for further review including further review by another federal agency or a third party. ICE does say that the Special Agent has the discretion to copy the contents of the device for later review and return the original to the traveler. Searches are "generally" to be completed within 30 calendar days. If outside assistance is employed, the search must be completed within a reasonable time based upon specific factors stated in the directive.

Regarding the treatment of sensitive information, the directive requires ICE to treat confidential business information as such including invoking the Trade Secrets Act. Attorney-client privileged or work product information is to be brought to the attention of the ICE Office of the Chief Counsel or the United States Attorney's Office for consultation. Special care is also to be given to medical information and work-related information carried by journalists.

On August 20, Customs and Border Protection issued its own directive (3340-049) on the subject. The directive notes that "CBP will protect the rights of individuals against unreasonable search and seizure and ensure privacy protections while accomplishing its enforcement mission." It goes on to note that border searches may be conducted without individualized suspicion. Customs states that whenever possible searches should be conducted with the traveler present.

Regarding possibly privileged information, where the searching officer believes the information may be evidence of a crime or otherwise fall within CBP jurisdiction, the officer is to seek advice from the Office of Chief Counsel or the U.S. Attorney's Office. The directive creates pretty strict guidelines related to timing. Supervisory approval is required to detain the device after the traveler has been released. Detentions of more than five days require Port Director-level approval and detentions beyond 15 days require approval from Headquarters. Where information is encrypted, not in English, or otherwise not readily accessible, the CBP officer may seek technical assistance from another federal agency even in the absence of individualized suspicion.

Lastly, on August 25, DHS issued a Privacy Impact Assessment on the whole issue. This document reviews the legal authority and history for searches of arriving passengers and their possessions. It then paces this authority in the context of CBP's and ICE's mission to protect national security and enforce the law. Next, the document summarizes the information contained in the two directives.

Following that, the Privacy Impact Assessment discusses DHS Privacy Office Fair Information Practice Principles, which are based upon the Privacy Act of 1974. These principles are:
  1. Transparency: People should be aware that their information is being collected, used, retained, shared, and maintained.
  2. Individual participation: Typically, the Privacy Act requires individuals to be involved in data collection to ensure that it is accurate and complete. With respect to ongoing law enforcement investigations conducted by DHS personnel, this is impractical and might interfere with the investigation.
  3. Purpose Specification: DHS should specify the authority and purpose for the data collection. The authority for the search is well-established. To the extent that specifying the purpose for the collection may interfere with an ongoing investigation, this might be impractical.
  4. Minimization: The limited time frames for detention of devices minimizes the amount of data taken. Material that is formally seized is retained until a final determination is made with respect to the seizure.
  5. Use Limitation: Information should only be retained in furtherance of immigration, customs, or other law enforcement matters and once that matter is resolved, the material is returned or destroyed.
  6. Data Quality and Integrity: CBP takes forensic precautions to prevent the alteration of data. ICE must maintain data integrity to ensure the quality of evidence for later use in a criminal proceeding.
  7. Security: CBP and ICE have policies and procedure to prevent the unauthorized dissemination of the information. For example, CBP may examine the electronic device away from other travelers. IT system safeguards prevent unauthorized access to copies of data.
  8. Accountability and Audit:both CBP and ICE have oversight procedures in place to track the examination, copying, maintenance, and sharing of the detained information.
That is an all too brief summary of some pretty detailed documents. I recommend that anyone interested in this topic review them thoroughly. Moreover, travelers need to keep in mind that the authority for these searches is basically unquestionable. So, be prepared. You need to know your own criminal record and what is on your hard drive (including in your deleted files, temporary files, and internet cache) when you cross the border. Use good judgment in what you carry, treat the CBP personnel with respect, and keep in mind that your realistic chances of being randomly stopped are pretty slim.

All of this seems unlikely to mute interest in this topic. People are just too used to having all sorts of private and embarrassing information on their electronic devices. The problem for the civil libertarian looking for a policy change is that the type of information in which CBP is interested is in the possession of the least sympathetic characters out there: child pornographers and terrorists. This is not about some sorority girl keg stand photos. But, the reason that this is important is that the sorority girl (and the child pornographer) both have rights. At the border, though, those don't get you too far.


Anonymous said...

Larry -

A laptop is no more than the electronic version of a briefcase, despite what civil libertarians may claim. Customs' authority to search and copy materials contained in a briefcase is well-established, so this big hoo-hah is little more than a red herring. But the ACLU was right to bring the suit - it will eventually establish that Customs is doing no more than the job requires.

From figures I saw someplace recently, the number of "intensive" laptop searches has been quite low, whic further helps to establish the government's case.

Larry said...

Don't disagree at all. This is mostly a public relations issue for CBP. People seem to have not gotten the message and their internalized notions about what the local police can do during a traffic stop, for example, is leading them to the wrong conclusions.

Laptop briefcase said...

I will have to agree on this, i have really kind of experienced that thing!


Cheryl said...

I doubt many of us will ever have our laptop checked like this. Do we really not want them to possibly find crucial evidence on someone's computer because we are worried about the embarrassing stuff we have on ours? I hope we are not that selfish.