Monday, August 31, 2009

New Border Search Directives

As you may know, on August 27 the Department of Homeland Security announced its “new directives on border searches of electronic media.” There’s a Customs and Border Patrol (CBP) policy and an Immigrations and Custom Enforcement (ICE) policy. You can find both policies here.

DHS said the policies are intended “to enhance and clarify oversight for searches of computers and other electronic media at U.S. ports of entry—a critical step designed to bolster the Department’s efforts to combat transnational crime and terrorism while protecting privacy and civil liberties.” DHS explained that the “directives address the circumstances under which CBP and ICE can conduct border searches of electronic media—“consistent with the Department’s Constitutional authority to search other sensitive non-electronic materials, such as briefcases, backpacks and notebooks, at U.S. borders.”

As I’ve explained in several posts, the Constitutional authority to which the DHS refers is an exception to the 4th Amendment’s requirement that federal and state officers obtain a warrant before they search a place or a thing. The exception is based on an ancient principle, i.e., that a sovereign has the right to control what comes into and goes out of its territory. The border search exception therefore lets officers search property being carried by people entering the United States as well as those who are leaving it.

No one questions the validity of the exception or its applicability to things we carry into or out of the country. The issue that’s arisen over the last five or six years goes to the scope of the exception as it applies to laptops and other electronic media. As I’ve noted, the 4th Amendment gives us the right to be free from “unreasonable” searches and seizures, which means “reasonable” searches and seizures are legitimate.

To be reasonable a search or seizure has to be (i) reasonable at its inception (i.e., authorized by a search warrant or by an exception to the warrant requirement) and (ii) reasonable in scope. So if a police officer gets a warrant to search my home for a stolen 40-inch plasma TV, he is authorized to initiate a search for that item; for that search to be reasonable, the officer can only look where the item listed in the warrant can be, which means he can’t look in my dresser drawers or other places that couldn’t possibly contain the TV. And he can only search until he finds what he’s looking for; at that point, the authorization for the search is exhausted and he has to quit.

In several cases, defendants have argued that the scope of a border search of a laptop or other electronic media should be more limited than the scope of a search of luggage or other property. If a Customs or other border officer stops me and wants to search my luggage, he/she can go through the whole bag. That’s been the default standard for the scope of a border search; the officer can look through the entire contents of the property the person is carrying into or out of the U.S. The defendants in these case argued that the scope should be narrower for laptops and other electronic media because laptops, in particular, contain such a massive amount of information; defendants claimed that this creates a heightened level of privacy, and heightened expectation of privacy, in laptops and other electronic media . . . but those arguments have been pretty unsuccessful.

The new DHS policies seem to be responding to the issues raised in those cases, as well as the need to prescribe standardized practices for carrying out border searches of electronic media. DHS has issued both policies plus a statement outlining the privacy implications of the policy; since both policies are quite detailed, I’m not going to attempt to parse their provisions here. Instead, I’m going to offer some general comments as to what they say and don’t say.

The CBP policy is entitled “Border Search of Electronic Devices Containing Information.” Section 3.4 of the policy defines “border search of information” as excluding “actions taken to determine if a device functions . . . or . . . if contraband is concealed within” it’ The policy therefore applies to border searches the purpose of which is to examine information contained in an electronic device. Section 5.1.2 says that in “a border search, with or without individualized suspicion, an Officer may examine electronic devices and may . . . analyze the information encountered at the border, subject to the requirements and limitations provided herein and applicable law.” The reference to “individualized suspicion” makes it clear that the officer can examine information in a laptop or other electronic device without having “reasonable suspicion” (a lower level of probable cause) to believe there’s evidence of a crime in the device. The search, in other words, will be a routine part of a border inspection. Section 8.1(3) of the ICE policy says that “[a]t no point during a border search of electronic devices is it necessary to ask the traveler for consent to search.” That, of course, is implicit in the border search exception itself.

Section 5.3.1 of the CBP policy says officers can “detain electronic devices, or copies of information contained therein, for a brief, reasonable period of time to perform a thorough” search of the item and/or its contents. It says the detention period normally shouldn’t exceed 5 days, but that can be extended. The CBP policy refers to copying information but doesn’t address when copying is in order; section 8.1(5) of the ICE policy says that the officer “should consider whether it is appropriate to copy the information” in a device and return it to its owner. This section of the ICE policy says that when it’s appropriate, devices should be returned to their owners “as soon as practicable.”

That brings me to the thing I find interesting about both policies. Both carefully outline standards and practices to be employed in detaining (and analyzing) laptops and other electronic devices. Neither seems to address the issue I’ve addressed in at least one post – whether a border agent can detain the person who’s carrying the laptop (or other device) while they examine the device and/or its contents.

When I refer to “detaining” the laptop owner I’m not referring to the brief detention that’s implicit in any border crossing or even the somewhat expanded detention that’s involved in handing an item – including a laptop – to a border officer and waiting for him/her to look it over and hand it back. I’m referring to scenarios like the one I addressed in a recent post, i.e., scenarios in which the agent detains the laptop owner to try to get him to give the officer the key needed to un-encrypt the files on the laptop, or ask him about the laptop and its contents or for other reasons. Both policies seem to assume that if the officer(s) need to keep the device or its contents, they will do so but let the person leave.

I wonder if that’s accurate? Both policies set out procedures under which border agents can have a seized device or seized information sent to experts to have the information at issue translated from another language or decrypted. ICE Policy § 8.4(1)(a). But what about the owner? If you have probable cause or reasonable suspicion to believe there’s contraband or evidence of a crime (terrorism, say) on a laptop, are you really going to let the owner go on his merry way to Dubai or wherever? Alternatively, if the contents of a laptop are encrypted and it will take experts a very long time to decrypt the data, do you just let the laptop owner leave or, as in the Boucher case, do you try to get him or her to give you the encryption key?

Neither policy seems to address the option of simply asking the device owner for the key or password needed to access its encrypted or password-protected contents. I wonder why. Maybe they don’t address this option because they implicitly assume it’s inherent in a border search of an encrypted or password-protected device. That is, maybe the drafters of both policies assumed that the agent conducting such a search can ask the device owner for the encryption key or password without implicating any constitutional provisions.

The agent can certainly ask that question without implicating the provisions of the 4th Amendment; as I’ve noted, the 4th Amendment is about searching and seizing physical evidence, not about asking people questions or compelling them to testify. But as I noted in an earlier post, asking the question could implicate the Miranda principles. It might, therefore, be useful to address the Miranda issue that might arise in connection with a border search of electronic devices, perhaps in another policy.

I’ll probably do another post on these policies, once I’ve had time to review them in more detail and think more about what they say, and don’t say.

My initial reaction to the policies is the same reaction I’ve always had to this scenario. On the one hand, DHS is absolutely right: Taken literally, the border exception clearly applies to any container someone is trying to bring across a U.S. border; the rationale I noted above, i.e., that a sovereign has the right to control what comes into and goes out of its territory, applies with equal force to data stored in a laptop or other device. Data can be contraband, which has always been a primary focus of the border exception; data can also be evidence of a completed crime (espionage) or a prospective crime (planning a terrorist event). The justification for border searches therefore applies with equal logic to electronic containers and their contents.

At the same time, I sympathize with those who’ve argued that laptops, especially, are “different” for the purposes of applying the border search exception. There’s absolutely no equivalence between the magnitude and complexity of the information I carry in my laptop and in my carry-on bag. It seems, on an emotional, intuitive level, that this should somehow matter; I suspect that if asked, most people would say that it should matter.

The problem, of course, is figuring out how to do exactly what the DHS said it’s trying to do in these policies, i.e., reconcile the needs to combat crime/terrorism and to protect privacy. I think the DHS made a conscientious effort to do that in these policies; I also think we may need to revise the border search exception so it can better accommodate the realities of what I call “portable privacy” – the fact that the “papers” which record the details of our personal and professional lives are no longer locked away in our homes or offices. We increasingly carry that information with us; the issue we therefore need to resolve is the extent to which this compromises the 4th Amendment’s protection of it.

Ultimately, though, this may to some extent be a transient problem. As we increasingly store data online, we may not need to carry laptops or other devices when we travel into or out of the United States. Once we get to our destination, we can use a local computer to retrieve, print or use data we’ve stored online. That scenario takes the data entirely outside the scope of the border exception . . . unless we decided to apply the exception to data crossing national borders, as well as people crossing them. I may do a post on that possibility at some point.


Anonymous said...

This is certainly a slippery slope. With the technological advances of cell phones, at what points does your cell phone qualify for such a search?


Susan Brenner said...

It already qualifies: Section 3.2 of the CBP policy says that the devices subject to search under its provisions include "any devices that may contain information,such as computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players, and any other electronic or digital devices."

Anonymous said...

From what I can find, it looks like the previous policy did not specifically call out mobile phones.

I also like how the data can be shared. Nothing new but does that mean that the shared data has to be deleted after a set number of days like the CBP data?


Susan Brenner said...

If you look at the policies (via the link in the post), you'll see that they go into a great deal of detail as to whom they can be shared with, the circumstances under which data does/does not have to be deleted, etc. They also specific that the agencies must keep detailed records of what is done with data.