blog / Oct 12, 2017 Joining Forces with Criminals, Deviants, and Spies to Defend Privacy by Jennifer Chermoshnyuk, Matt Beland SHARE Jennifer’s 17 years of legal industry and compliance experience puts her in good stead for her natural-born role as a benevolent troublemaker in risk management and information security. Matt is the CEO of Smooth Sailing Solutions, an information security consulting firm focused on helping clients develop customized, sustainable security solutions. When it comes to crossing the US border, we used to worry about the simple things—too many souvenirs to avoid paying import duties, lines short enough to get to a bathroom in a reasonable timeframe, maybe concerns about which fruits and vegetables could be kept from the last grocery run. Today, we’ve got one more thing to worry about—invasive searches of our data by the Customs and Border Protection (CBP) agents. Every week brings a new story of a traveler forced to choose between giving up their passwords or having their devices confiscated. You might be wondering what your organization’s policy might be for employees travelling with important data. Suppose you want your employees to refuse the search—are there any legal options or court decisions that are in your favor? There are thirteen US courts of appeal, or “circuit courts”. The circuit courts are the primary decision makers for legal precedent, based on appeals from the district courts within their territories. The decisions of the circuit courts are influential and often considered “law of the land”, if there isn’t a Supreme Court case.1 Unfortunately, a decision in one circuit may have nothing in common with that of another. Circuit courts often follow their own prior opinions and may not follow those of other circuits, which leads to the practice of “forum shopping”—choosing to pursue your case where there are favorable prior opinions. You might not be surprised to learn there are favorable circuit court precedents for a principled stand against these searches—but to use them, you’ll need to ally yourself with some unsavory characters. In the western US, the 9th Circuit found in 2013 that “Notwithstanding a traveler’s diminished expectation of privacy at the border, the search is still measured against the Fourth Amendment’s reasonableness requirement, which considers the nature and scope of the search.” United States v. Cotterman2 stems from the case of a registered sex offender found to be in possession of child pornography. The judge in Cotterman not only recognized the normalcy of password protection of data, the court pointed out: National standards require that users of mobile electronic devices password protect their files. See generally United States Department of Commerce, Computer Security Division, National Institute of Standards and Technology, Computer Security (2007) (NIST Special Publication 800-111). Computer users are routinely advised—and in some cases, required by employers—to protect their files when traveling overseas. See, e.g., Michael Price, National Security Watch, 34-MAR Champion 51, 52 (March 2010) Despite Cotterman ultimately losing his claim—a known sex offender with encrypted files is suspicious enough to constitute a reasonable search—the 9th Circuit opinion in this case set a new standard for laptop searches at the US border.3 What’s particularly interesting here is that, in defending the recent highly publicized incidents, CBP officials have pointed out that previous searches had uncovered, among other things, child pornography—a clear reference to Cotterman. Yet that same case is one that demonstrated a clear limit on unwarranted searches at the border! In United States v. Kim, the D.C. Circuit found that to justify an unwarranted search, officers must have reasonable suspicion of present or future crimes. A suspicion of the possibility of evidence of past crimes is not sufficient. Kim was suspected of having been involved in a plot to sell arms to Iran, but the Court found that CBP did not have reason to confiscate his laptop at the border. Indeed, the Court declared that, “while the immediate national security concerns were somewhat attenuated, the invasion of privacy was substantial…” The Court’s decision was based in part on a 2014 Supreme Court decision, Riley v. California. In Riley, the plaintiff was stopped for a traffic violation, which led to his arrest on weapons charges. An officer found and accessed a cell phone in his pocket. The State of California charged Riley with involvement in a previously unsolved shooting and sought a greater sentence due to his gang membership, proof of which was on the phone. Riley speaks to the privacy invasion involved in these searches, finding: Before cell phones, a search of a person was limited by physical realities and generally constituted only a narrow intrusion on privacy. But cell phones can store millions of pages of text, thousands of pictures, or hundreds of videos. This has several interrelated privacy consequences… A decade ago officers might have occasionally stumbled across a highly personal item such as a diary, but today many of the more than 90% of American adults who own cell phones keep on their person a digital record of nearly every aspect of their lives. The Court concluded that cell phones are “now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” The Court in Riley found that even when someone is under arrest, arrestees’ Fourth Amendment privacy rights aren’t thrown out the window entirely. So why would they be at the US border? There’s one more precedent to consider—and it shows that these issues aren’t new to the federal government or the court system. Towards the end of Prohibition, the judge in Go-Bart Importing Co. v. United States in 1931 castigated the officer who “[b]y pretension of right and threat of force… compelled [plaintiff] to open the desk and the safe and with the others made a general and apparently unlimited search, ransacking the desk, safe, filing cases and other parts of the office.” Considering the roles our phones and other devices serve, these unwarranted border searches are clearly the modern equivalent. So, there you have it: as law abiding US citizens and lawful permanent residents (LPRs) we find ourselves relying on a bunch of unsympathetic miscreants and perverts, from a child pornographer to a suspected Korean arms dealer, a gang member, and a few old-fashioned mobsters thrown in for good measure. The Electronic Freedom Foundation and the American Civil Liberties Union may have something to say about that; on September 13, 2017, they filed suit (in the District Court of Massachusetts, part of the 1st Circuit) on behalf of ten plaintiffs affected by unwarranted border searches of their personal devices. With their success, we should have a much more sympathetic set of characters to lean on in future defenses of our privacy. In any case, organizations should have clear, established security policies for such situations and instruct employees who travel (and carry sensitive information in password-protected devices) what to do when faced with these choices. 1 https://arstechnica.com/tech-policy/2014/01/supreme-court-enshrines-reasonable-suspicion-for-device-search-at-border/ 2 http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf 3 https://arstechnica.com/tech-policy/2013/03/appeals-court-raises-standard-for-laptop-searches-at-us-border/ SHARE MODIFIED: Oct 20, 2017 Tags: customs and border protection, cyber security, privacy, threat intelligence stay up to date Get the latest application threat intelligence from F5 Labs. There was an error signing up. Thank you, your email address has been signed up. submit Follow us on social media. Related Stories article / Jul 22, 2016 Web Injection Threats: The Cost of Community Engagement on Your Site article / Oct 23, 2016 DARPA Proves Automated Systems Can Detect, Patch Software Flaws at Machine Speed blog / Aug 12, 2016 Is HEIST a Risk or a Threat?