Earlier this month, MSK attorneys David Rugendorf and Frida Glucoft published an Alert summarizing the latest directive issued by Customs and Border Protection (CBP) regarding the search of electronic devices. A copy of their original article can be found here – Hold That Call International Travelers. Given the increasing likelihood of any traveler’s electronic devices being subjected to a search, whether arriving or departing the U.S. by air, ocean or land, these recent changes warrant a deeper dive.
First, for those who want to read the actual document, it is CBP Directive 3340-049A. As the earlier Alert noted, CBP has the broad rights to search any individuals, luggage, and cargo entering and leaving the U.S. Searches of cargo are governed by other laws and regulations. This directive deals only with arriving and departing travelers and their devices.
We start at the beginning. The CBP Directive defines electronic devices as “computers, tablets, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players,” a very broad definition, so arguing your device is not subject to inspection will likely not succeed.
The Acting Commissioner of CBP appeared before the Senate Finance Committee in June 2017 and, at the time, Mr. McAleenan testified that inspection of electronic devices did not include data not resident on the device. That approach has now been incorporated into CBP’s formal policies. Specifically, the Directive states: “[t]he border search will include an examination of only the information that is resident upon the device and accessible through the device’s operating system or through other software, tools, or applications. Officers may not intentionally use the device to access information that is solely stored remotely [emphasis added].” The Directive goes on to instruct that CBP Officers (CBPO) should either request the traveler disable connectivity, such as by putting the device into airplane mode, or do so themselves if warranted by “national security, law enforcement, officer safety or other operational considerations.” CBPOs are also reminded not to make any changes to the contents of the device. Inspecting the electronic device with the traveler present is considered a basic search. However, an advanced search may also be warranted.
An advanced search involves the CBPO connecting the device to an external piece of equipment. This is typically done to “review, copy and/or analyze its contents.” Such activity is warranted if there is a reasonable suspicion of illegal activity. A traveler can assume this is happening if the CBPO takes the device into another room and does not come back for several minutes. An advance search requires the approval of a supervisor, if one is available, and if not, a report must be made to a supervisor as soon thereafter as practical.
An interesting statement in the Directive is the search is to be “conducted in the presence of the individual” but that does not “necessarily mean that the individual shall observe the search itself.” In other words, the CBPO is permitted to leave you standing in the search area while s/he takes the device elsewhere so its contents can be copied.
In August 2009, CBP and ICE jointly issued a policy statement about searches of electronic devices. Therein, CBP acknowledged the attorney-client and attorney work product privileges. That principal has been formalized in the current publication, which also acknowledges other situations where the data on the device may be sensitive or confidential. When it comes to devices carried by attorneys, when requested to hand over the device, attorneys must immediately state it contains privileged and confidential data, and then the CBPO is directed to work with Associate/Assistant Chief Counsel’s Office and potentially also the Dept. of Justice in searching the device. CBP will inspect any non-privileged materials on the device, but anything privileged may have to be referred to what CBP calls a “Filter Team,” the legal and operational staff that deals with privileged materials. Anything copied by CBP which is determined to be privileged will be destroyed, except anything retained in accord with Counsel’s office “for purposes of complying with a litigation hold or other requirement of law.” Given the number of lawsuits filed about searches of electronic devices and/or objecting to the scope of a particular search, this carve-out is not surprising.
One of the shortcomings of the August 2009 policy statement was it only recognized attorneys as being in a unique situation. The 2018 directive does not completely overcome that shortcoming, but does go further. For example, doctors may have privileged information on their devices based on the doctor-patient privilege. An equally well-recognized privilege exists for priests and their penitents. There are others, none of which are discussed. On the other hand, CBP does mention medical records, work-related information carried by journalists, and business or commercial information that is confidential or sensitive. In each case, CBP states the information should be handled in accord with existing laws.
If presented with a device that is protected by a passcode or encryption, the CBPO is authorized to ask the traveler for the details needed to unlock the device. If the traveler refuses, the device is likely to be detained. There is a supervisor approval process required before the CBPO may proceed, and the traveler is to be notified in writing the device is being detained. Of course, if one refuses to provide the unlock data, that will only raise the CBPO’s suspicion and will no doubt cause the traveler to be sitting around for quite a long time.
If a device is detained, CBP’s goal is to return it no later than five (5) days later, but, of course, there are provisions permitting a longer period of time if warranted and approved by a supervisor. CBP is also permitted to seek technical assistance in many forms. For example, if the device cannot be unlocked, that assistance might be from the manufacturer. There might be subject matter experts who need to translate the files or weigh in on the importance or unimportance of the data found on the device. While CBP’s goal is to keep custody of the device and share electronically only information of concern, there are procedures stated which allow the device to be transferred to another agency. That agency is expected to share its findings with CBP and return the device, unless there is a reason for that agency to retain the device and the data in order to enforce its own laws.
Throughout CBP Directive 3340-049A, CBP makes the point absent a mission related reason to keep it, if the data does not rise to the level of probable cause to believe a violation has occurred, the data will be destroyed. In this case, CBP defines destruction to be “deleting, overwriting, or degaussing” in compliance with its own information systems handbook.
What is a traveler to do? First, bear in mind that if you are an American citizen, you can refuse to permit the search of your electronic device and still enter the country. The opposite is the case if you are not an American citizen. If you are a foreign national and refuse to allow your device to be inspected, you can be denied entry.
In October 2017, we published an Alert about traveling with electronic devices, Tips for Traveling with Electronic Devices. The best practices we published then remain true now, with only a small bit of tweaking:
- If you don’t absolutely need the device, don’t take it with you.
- Keep in mind which of your devices has security settings and which do not. The ones which do not could be inspected, no matter the circumstances.
- You can put the data which you later want to access in the cloud with strong password protection (be sure to disable the connection) and carry the equivalent of a burner phone. Otherwise, make sure all your programs are closed.
- Do not keep more data on your device than you are willing to have exposed to CBP or ICE.
- If you have photos on a device, store them in your cloud account and remove them from your device.
- If you have programs open which link to data in the cloud, such as your social networks, your best option is to close those programs, but if time does not permit, at least put the device in airplane mode.
- If you do get selected for secondary, you really only have two choices – give the CBPO the information s/he wants and make the search process go as quickly as possible* or be prepared to sit around for several hours and, in the end, possibly be forced to leave your device behind to be returned (perhaps) at some later undefined point in time.
*Of course, if you are an attorney or work for a lawyer or law firm, or are in house, you must immediately object to the search of the device so as to have the best argument possible the attorney-client and work product privileges apply, provided you have work related materials on your device.