DHS says agents are in the right to ask for passwords, decryption help.
Joe Raedle/Getty Images
cache miss 106:single/related:5282658b4cc238d9568e45a46826e398 empty
In recent days, there have been numerous media reports of a NASA Jet Propulsion Laboratory employee and American citizen who was forced to unlock his phone while returning to the United States at Houston’s George Bush Intercontinental Airport.
In that case, Sidd Bikkannavar wasn’t sure what his rights were—he seemingly was unaware that there is a very broad exception to the Fourth Amendment at the border that allows officials to conduct warrantless searches.
Now, let’s imagine that you arrive at the United States border, and a customs official asks you to unlock your digital device and inspect it. You, being a privacy-conscious person, decide to refuse to hand over your password, unlike Bikkannavar. What are the ramifications of telling a Customs and Border Protection agent to go pound sand? What would happen to your device? And, how long could CBP hold you for refusing to comply?
Ars spoke with several legal experts, and contacted CBP itself (which did not provide anything beyond previously-published policies). The short answer is: your device probably will be seized (or “detained” in CBP parlance), and you might be kept in physical detention—although no one seems to be sure exactly for how long.
An unnamed CBP spokesman told The New York Times on Tuesday that such electronic searches are extremely rare: he said that 4,444 cellphones and 320 other electronic devices were inspected in 2015, or 0.0012 percent of the 383 million arrivals (presuming that all those people had one device).
How long is too long?
The most recent public document to date on this topic appears to be an August 2009 Department of Homeland Security paper entitled “Privacy Impact Assessment for the Border Searches of Electronic Devices.” That document states that “For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist.”
The policy also states that CBP or Immigration and Customs Enforcement “may demand technical assistance, including translation or decryption,” citing a federal law, 19 US Code Section 507. A related document says that “officers may seek such assistance with or without individualized suspicion.” Refusing to comply with this statute is “guilty of a misdemeanor and subject to a fine of not more than $1,000.” It does not mention the amount of time that an in-airport detention could potentially last.
One law professor who has written extensively on computer criminal law, Orin Kerr, notes that there is frustratingly a lack of cases that deal with this particular statute.
Border agents say that this law requires people crossing border to disclose their password if asked. But does it say that? No cases. pic.twitter.com/2FeJdPTkZ6
— Orin Kerr (@OrinKerr) February 15, 2017
Brian Owsley is a former federal magistrate judge in the Southern District of Texas, which borders Mexico, who now teaches law at the University of North Texas. He said was unsure how long such a physical detention could theoretically last for refusing. “I suspect no longer than about 36 hours,” he e-mailed Ars. “These ports of entry are often not equipped to handle long-term detainees, especially overland stations. In all likelihood, they would take the individual before a judge and proceed from there. A judge could try to hold them indefinitely, but I would have Fifth Amendment concerns about that.”
“For a US citizen, CBP essentially has to let them back into the country,” Nathan Freed Wessler, an attorney with the American Civil Liberties Union, told Ars. “They can’t be detained indefinitely for refusing to provide a password. They may be detained for hours and they may seize the phone for weeks or months while [CBP tries] to break into it.”
“Civil liberties suffer”
While the issue of electronic searches has cropped up recently in the early days of the Trump Administration, travelers have previously been subjected to such searches and litigated their claims.
Back in 2010, David House, a founder of the Bradley Manning Support Network, was forced to surrender his electronic devices upon arriving on a flight from Mexico to Chicago. He was questioned about his political activities related to the Manning Network by two DHS officials, who seized his devices and demanded that he give up his password to unlock his computer. House declined to do so. When those devices were not returned promptly, he ended up suing DHS. The case eventually settled in 2013.
One of House’s lawyers, Catherine Crump, who was then an attorney at the American Civil Liberties Union and now teaches law at the University of California, Berkeley, told Ars that the government claimed House had committed a misdemeanor in violation of 19 US Code Section 507. “They claimed he violated a statute requiring people to provide aid to border officials upon request,” she e-mailed. “I am not sure how much of this was government posturing. Presumably a lot—I have never heard of anyone being charged under this statute for not disclosing a password. The answer to how long someone could be detained is likewise unclear. Other countries have limits on how long a citizen can be held at the border, but there is no such publicly declared limit in the US. This is all symptomatic of a more general problem. There are not clear limits on what border agents can and cannot do, and civil liberties suffer as a result.”
Crump also represented a French-American student named Pascal Abidor in a similar case. He sued over a 2010 incident where his computer was searched while he was on a train from Montreal to New York. The judge eventually sided with the government and dismissed the case in 2013.
“This is enough to suggest that it would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas,” US District Judge Edward Korman wrote at the time.
Since his case started receiving substantial media attention, Abidor told Ars that the secondary searches stopped and that he has not had his electronic devices searched or seized.
“That being said, I have changed my practices—I expect that anything I bring will be searched,” he e-mailed on Tuesday. “When I travel, I do so with the bare minimum of electronic devices. But sometimes, I have needed to bring my laptop with me and this has meant that I have had to put myself at risk of government intrusion and violation of my rights. Fortunately, I have been ok.”
He concluded: “If I was asked to unlock my phone or computer by border officials today, I would politely say no, ask for an attorney, and deal with the consequences from there.”
However, in 2015, a federal judge in the District of Columbia ruled in favor of a South Korean businessman who has his laptop seized at Los Angeles International Airport, and searched without a warrant.
The ACLU’s Nathan Freed Wessler, who noted he has personally been sent to secondary screening but has never been asked about his own electronic devices at the border, added that this puts travelers in a “tough spot” between balancing their privacy rights and their ability to get where they are going.
“It’s the ACLU’s position that people should not be put in course of situations to turn over a password and that any detention of somebody at the border needs to be justified by a real investigative need,” he said. “Somebody insisting on their privacy rights shouldn’t be justification by itself to hold [that person], but very few courts have weighed in as to how long can CBP hold somebody in general and there is basically no case law on how long they can hold somebody if they’re trying to get into a device.”