Oregon senator criticizes CBP database created from travelers' cellphones
Agency engages in 'egregious violations' pressuring people to unlock their devices at airports, border crossings
The head of U.S. Customs and Border Protection faces sharp questions following revelations over the summer that the agency is building a massive database from electronic devices seized at the nation's airports and border crossings — adding text messages, call logs, photos and other sensitive data from as many as 10,000 devices per year.
In a letter to CBP Commissioner Chris Magnus published earlier this month, U.S. Sen. Ron Wyden (D-Ore.) urged the creation of "modernized search guidelines" and demanded the agency end its current practice of searching American's electronic devices "without warrants." Wyden argued travelers were "tricked into unlocking" phones and laptops in part because the agency doesn't inform people about their rights, or "provides misleading information."
Wyden pushed Magnus — the former police chief of the Tucson Police Department — to publish a written plan describing how CBP will address his concerns, adding that the agency engages in "egregious violations" of travelers' civil rights, pressuring them to unlock their electronic devices without "adequately informing them of their rights," and "dumping" the entire contents of these devices into the central database.
Wyden complained that data from phones, tablets, and laptops and other devices is "saved and searchable" for 15 years by "thousands" of Homeland Security employees "with minimal protections against abuse."
"I urge you to update Customs and Border Protection's practices regarding searches of Americans' phones and electronic devices at the border to focus on suspected criminals and security threats, rather than allowing indiscriminate rifling through Americans' private records without suspicion of a crime," Wyden wrote. "Such changes will better protect national security and respect the rights of Americans who travel overseas for business and leisure."
"Innocent Americans should not be tricked into unlocking their phones and laptops," Wyden wrote, adding that CBP should not "dump data obtained through thousands of warrant-less phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans' personal data whenever they want."
CBP officials defended the practice, writing in a statement, the agency "works diligently to protect the rights of individuals against unreasonable search and seizure — and to ensure privacy protections — while also accomplishing its national security and border enforcement missions."
"Sensitive information, including text messages, call logs, contact lists, and in some cases, photos and other private records are stored in the CBP database," said Wyden. "Despite the sensitive nature of these records, government personnel searching the data are not asked to record the purpose of the search, which is an important safeguard against abuse," he wrote, adding that the agency did not outline how often the database is searched by government personnel or contractors.
Earlier this year, Wyden pushed for an investigation into the way U.S. Immigration and Customs Enforcement in Phoenix used a form of subpoena power — known as a customs summons — to order two companies to turn over every money transfer over $500 transmitted between Mexico and four southern border states: Arizona, California, New Mexico and Texas.
All told, officials with Homeland Security Investigations sought around 6.2 million records, obtaining these records using a total of eight customs summonses, which were sent to Western Union and Maxitransfers Corporation, demanding records for a six-month period following the order.
And, Wyden held up Magnus' nomination for the top job at CBP for months because under the Biden administration, the Department of Homeland Security and the Justice Department had "failed to answer basic questions" about how federal officers — including members of the U.S. Border Patrol's special operations group BORTAC — operated during unrest in Portland, Ore., in July 2020.
However, Wyden agreed to let Magnus' nomination move forward in September following a call with Homeland Security Secretary Alejandro Mayorkas. Wyden said that Mayorkas called the actions of some federal officers in Portland "unacceptable," and promised to release a report by the agency's Office of Intelligence and Analysis that reviewed the actions of DHS personnel in Portland.
In his letter, Wyden reminded Magnus of his promises before he was confirmed to lead the 58,000 strong agency. "As I stressed when we spoke before your confirmation, Americans' privacy rights should not depend on whether they enter the country by flying into Portland's PDX airport or Washington Dulles — CBP should adopt the 9th Circuit's stronger protections nationwide."
Under the nation's appellate court system, the 9th Circuit Court of Appeals has granted stronger protections for citizens in nine states, including Washington, Oregon, California, Nevada, Idaho, Montana, Arizona, Hawaii and Alaska. The 9th Circuit also covers the Northern Mariana Islands and Guam.
"CBP has imposed certain policy requirements, above and beyond prevailing legal requirements, to ensure that the border search of electronic devices is exercised judiciously, responsibly, and consistent with public trust," agency officials wrote in a statement, adding that searchers of electronic devices are part of CBP's longstanding practices. Such measures are "essential to enforcing the law at the U.S. border and to protecting border security," CBP officials wrote.
"The border searches help detect evidence relating to terrorism and other national security matters, human and bulk cash smuggling, contraband, and child pornography," the agency said, adding that searches of cellphones may also "reveal information about financial and commercial crimes, such as those relating to copyright, trademark, and export control violations."
"Finally, searches at the border are often integral to a determination of an individual’s intentions upon entry to the United States and provide additional information relevant to admissibility under immigration laws," the agency said. "CBP's broad authority to conduct border searches is well-established, and courts have rejected a categorical exception to the border search doctrine for electronic devices. Nevertheless, as a policy matter, CBP has imposed certain requirements, above and beyond prevailing constitutional and legal requirements, to ensure that the authority for border search of electronic devices is exercised judiciously, responsibly, and consistent with the public trust."
CBP said in 2021, around 179 million people traveled through the nation's airports and border crossings, and during that period the agency searched 37,450 devices, or around less than 0.02 percent of all international travelers.
Officials said the agency provides a "tear sheet," a brief document which describes the "purpose and authority" for a search, and includes a phone number to "seek redress" following a search.
However, Wyden said CBP officers are only required to provide the tear sheet "at some time during the search, not at the beginning." Travelers might not see it until after they are coerced into unlocking their devices," Wyden wrote. "Moreover, the tear sheet provides misleading information regarding their rights and CBP's authority to search their devices." Officers also do not tell people the data will reside with CBP for 15 years.
The Electronic Privacy Information Center, a non-profit research and digital rights advocacy group, remains critical of CBP's policies.
"These devices can include cell phones, computers, tablets, cameras, and hard drives," wrote Dana Khabbaz, a fellow with EPIC. "The agency maintains that these searches constitute a small percentage of CBP’s total interactions with international travelers. But in today’s world, devices like cell phones are keepers of a person’s most intimate information. For those travelers whose devices are being searched without probable cause, the invasion of privacy is anything but trivial."
And, as Khabbaz noted, "how thoroughly CBP can search a digital device depends on their level of suspicion — a legal standard — as well as whether there is a 'national security concern.'"
CBP officials said that a "basic search" allows an officer to "examine an electronic device" and the officer can demand a password or passcode. If the person refuses, the officer may "detain the device" for up to 5 days. Data stored on cloud services may not be accessed under a basic search, however, agents may dig through the contents, reviewing call logs, calendars, texts messages and photos. And, "basic searches" may be conducted "with or without suspicion," CBP said.
CBP officials may ratchet up their search under an "advanced" or forensic search, allowing officers to connect a phone or other device to external computers to review or copy the data. Officials can seize devices, and they may use software like Cellebrite to defeat encryption.
Last year, Wyden and Sen. Rand Paul (R-Ky.) introduced a bill limiting CBP's authority to use the border search exception to search phones and laptops. The Protecting Data at the Border Act had a House companion bill, introduced by Rep. Ted Lieu, (D-Calif.), but neither bill has moved forward.