Last week, U.S. Customs and Border Protection (“CBP”) released a revised Directive governing searches of electronic devices at the border. These are the first official revisions CBP has made to its guidelines and procedures for devices since its 2009 Directive. The new Directive is intended to reflect the evolution of technology over the intervening decade, and CBP’s corresponding need to update its investigative techniques.
Notably (and as in previous CBP Directives), the new Directive does not require officials to obtain a warrant before conducting searches of travelers’ devices—even if the traveler being searched is an American—based on CBP’s position that searches and seizures at the border are exempt from the Fourth Amendment’s “probable cause” requirement. CBP nevertheless acknowledges that its searches must still meet the Fourth Amendment’s “reasonableness” requirement, which the self-imposed restrictions contained in the Directive are meant to achieve.
- “Reasonable Suspicion” for Forensic Searches: The new policy distinguishes between “basic” searches and “advanced” searches. “Basic” searches involve simply reviewing the device and the information contained on it, much as an ordinary user does when scrolling through information on a phone or tablet. As in the 2009 Directive, border officials are permitted to conduct such searches without any particularized suspicion.
  “Advanced” searches, on the other hand, involve connecting external equipment to the device not only to gain access to it, but also to review, copy, and analyze its contents. Under the new Directive, these more “forensic” searches now require supervisory approval and either a national security concern or reasonable suspicion of activity in violation of laws enforced or administered by CBP.
- Protection of Information Stored in the Cloud: The new Directive continues the policy initiated by CBP in April 2017 that prohibited officials from intentionally accessing information stored remotely. In addition, the Directive specifies that in order to avoid accessing such cloud data, officials must request that the traveler disable connectivity to any network (for example, by placing the device in airplane mode). When warranted by national security, officials can disable the device’s network connectivity themselves.
- Additional Procedures for Privileged Information: Although the 2009 Directive contained some limitations on reviewing information protected under the attorney-client privilege, the new Directive contains additional procedures that officials must follow if they encounter such data. Officials must now ask the traveler to clarify (ideally in writing) which specific files, file types, folders, or categories of information on their device may be privileged. Such privileged information must then be segregated by a designated “Filter Team” comprised of legal and operational representatives in order to ensure the information is handled appropriately.
- Bypassing of Passcodes and Encryption Mechanisms: The new Directive explicitly requires travelers to “present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents.” In that vein, officials may request a traveler’s assistance in unlocking their device and its applications, and may detain the device for a certain period of time if they are unable to complete their inspection because the device is passcode or encryption-protected. Moreover, the Directive specifically states that it does not limit CBP’s ability to use external equipment or “take other reasonable measures” to make the device and its contents legible, which may mean that officials are permitted to manually bypass passcode or encryption mechanisms themselves.
- Obtaining Technical Assistance from Non-Government Entities: Like the 2009 Directive, the new Directive permits officials, with supervisory approval, to seek technical assistance for rendering a device or the information contained on it in a condition that allows for inspection. No individualized suspicion is required. However, whereas the 2009 Directive limited the provision of such technical assistance to other “federal agencies,” the new Directive removes this limitation. As a result, non-government entities (such as the device’s manufacturer or an application developer) may be asked to help CBP unlock a device or its contents.
CBP’s searches of electronic devices have increased by nearly 60 percent since FY 2016, and they likely will continue to increase in the years to come as the use of electronic devices (and the amount of data stored on them) proliferates.
Although many have welcomed CBP’s additional, self-imposed restrictions contained in the new Directive, others believe the Directive does not go far enough. As a result, members of Congress may continue to propose legislation that would place additional limitations on CBP’s ability to search electronic devices (particularly when the device belongs to a U.S. person), such as the Protecting Data at the Border Act introduced last year by Senator Ron Wyden (D-OR) and co-sponsored by Senator Rand Paul (R-KY).
With or without legislative action, the Directive requires that its guidelines and procedures be reviewed at least every three years. As a result, the debate over what rules of the road should govern electronic device searches will occur much more frequently than it has in the past.