Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

U.S. Customs Says It Cannot Search Cloud Data at the Border

July 17, 2017

I know that this victory for privacy could be short-lived, but huzzah for the letter written by U.S. Customs and Border Protection (CBP) acting commissioner Kevin McAleenan – which can be found in this July 13th story from The Verge. Basically, the letter (written in response to a set of questions by Sen. Ron Wyden) says that the CBP can't search travelers' cloud data at the border.

However, McAleenan draws a sharp distinction between data stored locally on the device and cloud data stored on remote servers. Customs has a fundamental mandate to search cargo as it enters the country, a mandate that McAleenan says extends to local disk drives. So your phones and computing devices are fair game.

CBP authority to conduct border searches extends to all merchandise entering or departing the United States, including information that is physically resident on an electronic device transported by an international traveler. Therefore, the letter says that border searches conducted by CBP do not extend to information that is located solely on remote servers.

However, the letter's phrasing leaves room for border searches of recent e-mail and social media messages, provided the information is accessible (for instance) on a traveler's phone at the time of the search (therefore, the data is not "solely" on a remote server).

Social media searches have grown more aggressive under the Trump administration, as border agents seek more information about travelers' online activities. Even visa-holding non-citizens can be denied entry to the US if agents perceive them as a threat, so travelers are often willing to hand over passwords rather than be turned away at the border. Notably, McAleenan reserves the right to request passwords from travelers, as part of commissioning their assistance in conducting a search.

"This assistance may occur by CBP requesting that the traveler open the manual lock on his or her suitcase, or unlock or otherwise make accessible the traveler's accompanying electronic device," the letter reads. "It is important to understand that CBP does not condition entry of U.S. citizens based on the provision of a password."

To me, this underscores the importance for lawyers, in particular, to make sure there is no confidential data on their devices when exiting or entering the U.S. Burner phones have become a requirement in some law firms when traveling abroad – so have clean "loaner" laptops which connect securely while abroad and are then wiped before reentering the U.S. Amazing the lengths we have to go through to protect our clients' data these days . . .

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson