Monday, August 04, 2008

Crossing Borders

As you may have read, on July 16 the Department of Homeland Security and the office of U.S. Customs issued a “Policy Regarding Border Search of Information.” You can find a link to the policy in this article on Wired.

I did a post a couple of years ago in which I talked about the applicability of the border search exception to the 4th Amendment.

Essentially, the exception says government agents can search property moving across an international border without obtaining a warrant or having probable cause to search because such searches further important policies: They allow the government to control the flow of contraband and other items into and out of the country and, in so doing, enhance the government’s ability to enforce the laws and promote general safety and security. The border search exception to the 4th Amendment’s warrant requirement is simply an application of a principle that has been around for centuries, probably millennia – ever since a sovereign claimed title to territory and wanted to control what was coming into and leaving that territory.

The exception encompasses two kinds of border searches: Routine border searches, which are the ones you’ve probably seen and maybe experienced if you’ve crossed international borders. Customs officers can go through your luggage and other possessions just to see if anything is in there that shouldn’t be. They don’t need what the law calls reasonable suspicion or probable cause, i.e., they don’t need to think I’m up to something in order to be able to search (though I suspect good agents tend to do just that, to maximize the effectiveness of their searches).

The other kind of border search is the nonroutine search. The U.S. Supreme Court has held that border agents have to have “reasonable suspicion” (individualized suspicion, but less than probable cause) to go beyond the basic, check-the-luggage-and-other-possessions scope of a routine border search. So, they have to have reasonable suspicion to conduct a physically intrusive search of a person, like a strip search.

In that earlier post and one I did last May, I talked about a California case in which the federal district court held that border agents need reasonable suspicion to search the contents of someone’s laptop. As I explained in my post last May, in U.S. v. Arnold the Ninth Circuit Court of Appeals reversed that decision, and held that they do not need reasonable suspicion; the effect of that decision is to bring the contents of laptops and any other device that can contain information within the scope of a routine border search. I happen to think that decision is wrong, but it’s what we have unless and until the Supreme Court comes down on the other side.

I assume the July 16 policy is intended to implement the Arnold decision. It’s probably also intended to provide some clear, consistent standards to be used in this still evolving area.

The policy isn’t about SEARCHING laptops and other devices as much as it is about what happens after they’ve been searched. It focuses, as the title indicates, not on the device but on the information in the device. It begins by saying that in a border search,
“and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States, subject to the requirements and limitations provided herein. Nothing in this policy limits the authority of an officer to make written notes or reports or to document impressions relating to a border encounter.”
Policy Regarding Border Search of Information, supra. So to this point, the officer who conducts a border search of a laptop can make notes on the data he sees on it.

The policy then goes on to say border agents can “detain documents and electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search”, which can occur at the site of the border stop or “at an off-site location.” Now we’re adding the ability to seize your laptop and hold it “for a reasonable period” so it can be searched, either at the airport (say) where you were stopped or anywhere else it can be taken, tested and returned in “a reasonable period” of time. Policy Regarding Border Search of Information, supra.

The officers who conduct such a search, usually an offsite search, can “seek translation and/or decryption assistance from other Federal agencies or entities.” Policy Regarding Border Search of Information, supra. If they encounter information that “requires referral to subject matter experts to determine whether the information is relevant to the laws enforced” by Customs and Border Patrol agents, they can send a copy of the information to an agency or entity to obtain such “subject matter assistance” if they have reasonable suspicion “of activities in violation of the laws enforced” by Customs and Border Patrol Officers. Policy Regarding Border Search of Information, supra.

I find that last part interesting. Reasonable suspicion isn’t required to this point, so I’m wondering why it’s required here. As I noted earlier, reasonable suspicion is required when a border search moves from routine to nonroutine. This aspect of the policy seems to assume that the acts of copying information and/or having it reviewed by an outside expert constitute one or more 4th Amendment events that are not within the scope of a routine border search. As I’ve explained before, there are two 4th Amendment events: searches (violate privacy) and seizures (interfere with possession and use of property).

As I explained in an earlier post, I think copying data is a seizure. It’s not a traditional, zero-sum seizure in which agents take my laptop, so they have it and I don’t; that pretty clearly interferes with my ability to possess and use the laptop. I think copying data is a non-zero-sum seizure: I “lose” something -- I “lose” the exclusive ability to possess and access my data. So I would argue that the agents making a copy of the data on a laptop or other device is a seizure, and since such a seizure is not within the scope of a routine border search, it clearly requires at least reasonable suspicion.

The other point – an expert’s reviewing the document – is clearly a search. Now someone I don’t know and to whom I have not given permission is reading through my private data. That’s a search without dispute.

What happens to the copy after the expert reviews it? Under the Policy, it must be destroyed unless (i) the examination gave the government probable cause to seize the data as evidence of a crime (child pornography or terrorist materials, say) or (ii) it comes under another provision of the Policy. If (i) doesn’t apply, Customs and Border Patrol officers can only keep data if it relates “to immigration matters.” The same rules apply to agencies with which border search agents have shared data under this policy, except in one instance: These agencies have to destroy the copies they have unless they have “the independent legal authority” to keep them, such as when the data “is of national security or intelligence value.” Policy Regarding Border Search of Information, supra.

The policy then includes sections dealing with particular types of data, such as business information (trade secrets, etc. . . . try to prevent unauthorized disclosure), attorney-client privileged information (try to preserve the privilege) and sealed letters (can’t be searched without first getting a search warrant, because mail is protected under another 4th Amendment principle).

I guess the most interesting thing I find in the Policy is the possibility that it recognizes copying data as a seizure . . . something I’ve contended for years. There really aren’t any reported cases dealing with the issue as yet, but it will come up. As I explained in the post I did on the topic, I think it’s important to set standards limiting the government’s ability to copy data; if there are no standards, then data can be copied with absolutely no justification, as I explained earlier.

As I noted in an earlier post, I can certainly understand why business travelers whose laptops contain sensitive, proprietary information would be disconcerted by this policy. (Actually, I can understand why anyone might be disconcerted by it.) I spoke on this issue a couple of years ago, and had a gentleman in the audience who came up after, very concerned about the prospect of the government wanting to get into the contents of the “highly encrypted” hard drives on the laptops employees of his company carried in and out of the country. He wanted to know what they could do. I told him I didn’t think there was much to do, except assume (hope) they weren’t pulled aside for one of these searches and maybe adopt a policy prescribing what an employee was to do in that situation (bag the trip and try to leave? cooperate? other?).

It seems to me this issue may be a transitory one: In an era of cloud computing, we can (I do) simply store copies of our files on an external backup service and use that service to access them once we’ve crossed the border. We could take a laptop with us, one that had absolutely no significant data on it, and use it to access our files once we arrived at our destination. We could then simply delete the files after we were through with them and bring the sterile laptop back through Customs.

If that idea caught on, there might be rent-a-laptop services at airports and hotels. So when I got to Paris for my business meeting, I could rent a laptop from them (leaving a credit card number or substantial deposit as a guarantee of my returning it), use it while I was in Paris, then turn it in and come home. There’d have to be some system for securely erasing all traces of the data I used, but I can’t see that as a major problem.

If this scenario becomes popular, then the government will have to decide if my act of accessing my files (stored on servers in, say, Denver) from Paris (as in France) is a “border crossing” encompassed by the border search exception. I wonder if Customs has thought of that idea?


Anonymous said...

I note you mention 'sealed letters' as mail being protected from search as a person crosses the border.

Does it seem like there would be some sort of angle where placing a laptop inside a large envelope, addressing it and stamping it would give it some protection from a search?

Susan Brenner said...

It's an interesting idea.

I think the conceptual problem courts would have with it is this: The sealed letter is private, under the Supreme Court's decision in Ex parte Jackson, because you've sealed it and then given it to the postal service -- which is in effect what the law calls a bailor, i.e., a person who has custody of your property for a limited time and a limited purpose. The sealing protects the contents from the postal service because the scope of their bailment (their legal duty with regard to the mail) is to transmit it, not to OPEN it and read what is not clearly apparent to anyone who comes in contact with it.

If you're talking about putting the laptop in an envelope, addressing it, sealing it and adding a stamp, it looks like a sealed package that would be sent through the mail, but it isn't in the mail. You still have it; you can open it.

In other words, the sealing of the envelope protects the contents of your mail from postal workers. If you put something in an envelope and seal it, then border agents could compel you to open it, just as they can make you open your luggage.

I think I'll do a blog post on this and the bailment issue, see if I can work it through in more detail.