I am training to be a lawyer, afterall, so let’s take a break from frequent flyer news today and focus on a recent court decision by the U.S. Ninth Circuit Court of Appeals regarding the confiscation of personal computers and other digital devices at U.S. borders.
In a ruling released this week, the Ninth Circuit affirmed that the government has a right to seize a digital device at a border crossing (and by that, I mean any location where an object or person first enters the United States), transport it to another location, and retain the data from the device indefinitely until analysis is performed. Note I said affirmed and not held–as it turns out, the government already has the right, according to past court decisions and DHS policy, to confiscate your digital device without suspicion.
Bottom line: if you have sensitive information on your device, you need to take steps to protect it when you travel.
Let’s return the Ninth Circuit’s decision:
Today we examine a question of first impression in the Ninth Circuit: whether the search of a laptop computer that begins at the border and ends two days later in a Government forensic computer laboratory almost 170 miles away can still fall within the border search doctrine. The district court considered the issue to be a simple matter of time and space. It concluded that the search of property seized at an international border and moved 170 miles from that border for further search cannot be justified by the border search doctrine. We disagree.
…
The Supreme Court has recognized three types of searches in which more is required than simple application of the border search doctrine. First, the Government must have reasonable suspicion to conduct “highly intrusive searches of the person.” Flores-Montano, 541 U.S. at 152; see also Montoyade Hernandez, 473 U.S. at 541. Second, the Court has recognized the possibility “that some searches of property are so destructive as to require” particularized suspicion. Flores-Montano, 541 U.S. at 155-56. Finally, the Court has left “open the question ‘whether, and under what circumstances, a border search might be deemed “unreasonable” because of the particularly offensive manner in which it is carried out.’ ” Id. at 154 n.2 (quoting Ramsey, 431 U.S. at 618 n.13).
Within this framework, we have specifically held that “reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border.” United States v. Arnold, 533 F.3d 1003, at 1008.
But why? In this case, the court held that the detainment of a laptop for 48 hours was not unreasonable. In attempting to limit their holding, they cautioned:
Still, the line we draw stops far short of “anything goes” at the border. The Government cannot simply seize property under its border search power and hold it for weeks, months, or years on a whim. Rather, we continue to scrutinize searches and seizures effectuated under the longstanding border search power on a case-by-case basis to determine whether the manner of the search and seizure was so egregious as to render it unreasonable.
Yet under this holding, the government CAN seize property under its border search power and can hold it for weeks, months, and even years without justifying itself. Under the Department of Homeland Security’s Privacy Impact Assessment, the federal government has asserted the right to copy the contents of any device seized and hold it indefinitely. So while you may get the device back within hours or days, your personal information can stay in government hands much longer. I think we can agree that the property on our laptops is more important and personal than the laptop itself. So even as the court gives lip service to protecting citizens form egregious government searches, they uphold the very act they describe as off-limits to government officials.
Thankfully, some on the Ninth Circuit understood what was really going on. Judge Betty Binns Fletcher’s dissent included the following analysis:
The real issue, as this case is framed by the government and the majority, is whether the Government has authority to seize an individual’s property in order to conduct an exhaustive search that takes days, weeks, or even months, with no reason to suspect that the property contains contraband. In other words, the problem with this case is not that the Government searched Cotterman’s computer in Tucson as opposed to Lukeville. The problem is that the Government seized Cotterman’s laptop so it could conduct a computer forensic search, a time consuming and tremendously invasive without any particularized suspicion whatsoever.
…
The majority fails, however, to substantively analyze the nature of the search itself, and so overlooks the fact that computer forensic searches are highly invasive, and a computer forensic search unlimited by any suspicion of particular criminal activity even more so.
Computers store libraries worth of personal information, including substantial amounts of data that the user never intended to save and of which he is likely completely unaware (for example, browsing histories and records of deleted files in unallocated space). See United States v. Flyer, No. 08- 10580, Slip Op at 2419, 2429 (9th Cir. Feb. 8, 2011); UnitedStates v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1176 (9th Cir. 2010) (en banc). Computers offer “windows into [our] lives far beyond anything that could be, or would be, stuffed into a suitcase for a trip abroad.” David K. Shipler, Can You Frisk a Hard Drive?, N.Y TIMES, Feb. 20, 2011, at WK5. The majority gives the Government a free pass to copy, review, categorize, and even read all of that information in the hope that it will find some evidence of any crime. (emphasis above by judge)
A free pass to copy our personal information and search for wrongdoing: not the most comforting thought, even when you have nothing to hide. The ramifications for my profession, in which an attorney-client privilege exists and a lawyer can be sued for breaching that bond of trust, are grave. Say I was working on a case on my computer during a flight home and DHS decided to take a look at my laptop. I could not legally stop them and they would have access to privileged information: a mode of information that our whole system of justice depends on to function. Is security–the banner under which all constitutional violations seem to be justified under–really worth that price? I don’t think so.
Take steps to protect your files before you cross a U.S. border. That may not stop government officials from invading your privacy, but it will at least slow them down.
If you’re interested in reading the whole case, USA v. Cotterman, it is available here. It’s actually quite an interesting case about a man busted with child porn after crossing the US/Mexico border in Arizona. Keep in mind that while the border officials may have had a valid reason to search Cotterman’s laptop and cameras–although a crime committed nearly two decades ago seems a stretch–the court’s broad language makes clear that no reasonable suspicion is required for the government to search and seize our property.
Also check out the Electronic Frontier Foundation’s (EFF) Guide to Protecting Electronic Devices and Data at the U.S. Border.
Encrypted data may be an invitation for more questioning than necessary from an overzealous customs agent. Another option mentioned in the EFF article is to store the information elsewhere online, at a site like Dropbox, then download it after reaching your destination. Then before returning home, re-upload your files and then securely delete them from your device.
As Mike said, encrypting your data doesn’t really do much. The best thing to do is keep the data online and access it remotely.
If you’re really paranoid, consider picking up a cheap netbook or something to be able to login remotely and if they confiscate the machine, you’re not without it for an undetermined amount of time.
To an overzealous agent, encrypting your data does nothing more than show that you have something to hide. In fact, if they want to examine your laptop, encrypting your data makes them much more likely to examine your data. The government can compromise your encrypted data quite easily, and instead of taking a quick cursory glance at what you have, they will be more likely to examine all the data on your computer very closely. And based on how most people are, there is bound to be something illegal on your laptop.
As for swapping out data from a drop box, if you really want to make sure your data is secure from prying eyes, you must also defragment the hard disk, otherwise it is very easy for the shadow of the file to be recovered.
I really don’t have anything “illegal” to hide, but do have some sensitive work-related information on my hard disk.
I would much rather encrypt it on my hard drive than upload it to the internet.
I deal with FTP servers at work and don’t think they are all that secure.
Standard FTP is not secure, though you can use SFTP. Even better (though a pain to set up) is SCP.