"Welcome to the United States! Passport, attorney-client information, and trade secrets, please."

By: Nicholas Huguelet nhuguelet@nemethlawpc.com Nemeth Law, P.C.

& Deborah Brouwer, dbrouwer@nemethlawpc.com Nemeth Law, P.C.

___________________________________________________________________________

Executive Summary

Homeland Security can search all items entering the United States – including your electronic devices. Designed primarily for cash smuggling and child pornography interdiction, these searches raise questions of how attorneys and employers can protect sensitive information. While reasonable suspicion is required before searching privileged information, it is not required before searching non-privileged trade secrets. Nevertheless, attorneys and employers can take steps to protect sensitive information at the border.

___________________________________________________________________________

Sidd Bikkannavar, an American citizen and NASA engineer, sat in a United States Customs and Border Protection (CBP) holding room after returning to the United States from a trip to the Patagonian deserts where he raced solar-powered cars. Sidd is “a seasoned international traveler” who has undergone additional background testing for the Global Entry program intended to expedite his entry into the country. He has been an engineer with NASA’s Jet Propulsion Laboratory (JPL) for the past ten years, most recently working on optics technology for the James Webb Space Telescope, which launches next year.

Like many of us, Sidd did not want to leave his work too far behind, so he took his NASA-provided cell phone on vacation with him. When he received the phone, Sidd recalls, he was told not to allow anyone access to it under any circumstances. At the US port of entry, Customs and Border Protection took Sidd to a holding room and demanded his phone and access PIN. Sidd protested, arguing that it was a government work phone and that he could not permit anyone access. He even flipped the phone over and showed the CBP agent the JPL barcode on the back. The agent insisted he had the authority to search the phone regardless. After some time, Sidd relented and handed over the phone and the access code. The CBP officer left the holding room with the unlocked phone, and was gone for thirty minutes. Sidd was not told what CBP looked at, whether anything was copied and retained, or who searched the device. When he got the phone back, Sidd shut it off for later analysis by the JPL IT department (needless to say, JPL’s cybersecurity team was not too happy about the breach).

The scary part of this encounter is that the CBP agent was right: CBP does have the authority to search your and your employees’ phones and other electronic devices when seeking re-entry to the country. While our clients may not be carrying around the secrets of the American space program, this encounter does raise questions of how far CBP can go in searching devices and how we can protect privileged and confidential information.

CBP Authority to Search Electronic Devices

Border searches have long been exempt from the “probable cause” search requirements of the Fourth Amendment. Absent this constitutional protection, Congress legislated and the Department of Homeland Security regulated. CBP now claims the authority to search “[a]ll persons, baggage, and merchandise arriving in the Customs territory of the United States from places outside thereof….” Under this authority, CBP and Immigration and Customs Enforcement (ICE) have issued directives on border searches of electronic devices, with the stated goal of preventing terrorism, money laundering, child pornography, trade secret violations, human and bulk cash smuggling, contraband, and export control violations. As much as law-abiding individuals may dislike having a federal agent rifle through their private messages and photos, electronic device searches have had some success.

Under these directives, an agent “may examine electronic devices and may review and analyze the information encountered at the border….” Absent unspecified “operational considerations that make it inappropriate,” the searches are supposed to be conducted in the presence of the individual carrying the device. This, however, does not mean that the individual will be able to witness the search itself. Generally, even if CBP permits you to remain in the room with the device, you will not be able to see what information is being accessed.

The information collected from your device will not necessarily stay with CBP and ICE either. The directive permits CBP to share the information it obtains with other “federal, state, local, and foreign law enforcement agencies to the extent consistent with applicable law and policy.” CBP may also share your information with other federal agencies to obtain necessary technical assistance, such as if the data is encrypted or in a foreign language. If your information is shared for this reason, CBP will notify you unless “notification would be contrary to national security or law enforcement or other operational interests.”

If CBP becomes aware of attorney-client privileged information, trade secrets, or other confidential information, the search does not end but special handling procedures do apply. To search attorney-client privileged information, the CBP officer must “suspect[] that the content of such . . . material may constitute evidence of a crime” and must seek advice from Associate/Assistant Chief Counsel before searching the material. Unlike other types of information, suspicion is required before attorney-client privileged information may be searched.

Confidential, but non-privileged, information is afforded somewhat less protection. The directive merely requires that CBP treat the information in accordance with the Trade Secrets Act, Privacy Act, or other laws or policies that might restrict the handling of the information. The CBP officer need not, however, form any suspicion of criminal activity before searching confidential non-privileged information.

Any devices searched may be detained by CBP for a “brief, reasonable period of time” usually not exceeding five days. Information obtained from a search may be retained by CBP only if it is “evidence of or is the fruit of a crime that CBP is authorized to enforce.” Otherwise, CBP will destroy the information.

Challenges to the Directive

The CBP and ICE directives have been challenged many times since CBP and ICE promulgated them. While courts have strong opinions about whether the searches should be done, the courts, for the most part, agree that the searches can be done. When analyzing the issue, courts generally fall into one of two categories: (1) mobile devices are viewed as any other piece of luggage that can be loaded or unloaded at will by the person carrying it, or (2) mobile devices are viewed as something that carries information about almost every aspect of a person’s life, which most people do not possess the requisit skill, knowledge, or technical experience to effectively unpack. In reaching the conclusion that border agents have a right to search electronic devices, the Southern District of New York analogized laptop computers to other closed containers, such as luggage. The Eastern District of New York simplified the matter even further by comparing electronic devices to “luggage, briefcases, and even clothing worn by a person entering the United States….” The court further advised that “the sensible advice to all travelers is to ‘think twice about the information you carry on your laptop,’ and to ask themselves: ‘Is it really necessary to have so much information accessible to you on your computer?’” Given the likelihood that the devices would be searched by either CBP or foreign border patrol agents, the court placed blame for any unwanted data inspections on the traveler. In the court’s words, “[t]his is enough to suggest that it would be foolish, if not irresponsible, for [travelers] to store truly private or confidential information on electronic devices that are carried and used overseas.”

Other courts have recognized, though, that it is impractical – if not impossible – for the average traveler to unpack unwanted data from a device before leaving the country. Even deleting unwanted data may not completely remove it from a device. The Ninth Circuit highlighted the distinction between traditional luggage and electronic devices by reasoning that:

[w]hen packing traditional luggage, one is accustomed to deciding what papers to take and what to leave behind. When carrying a laptop, tablet or other device, however, removing files unnecessary to an impending trip is an impractical solution given the volume and often intermingled nature of the files. It is also a time-consuming task that may not even effectively erase the files.

Noting that the incriminating data involved in that case was found only through forensic examination of the unallocated space on the defendant’s hard drive (occupied only by previously deleted data that had not yet been overwritten), the Ninth Circuit continued its analogy, “[i]t is as if a search of a person's suitcase could reveal not only what the bag contained on the current trip, but everything it had ever carried.” Given the extensive forensic examination of the defendant’s laptop there, the Ninth Circuit called the actions of the border patrol “essentially a computer strip search.” Nevertheless, the court upheld the search, creating two separate standards, depending on the extensiveness of the search. A manual, cursory review of an electronic device conducted at a border (or its functional equivalent) may be done without suspicion. If CBP desires to conduct a computer forensic examination, however, there must exist reasonable suspicion of a crime. This reasonable suspicion standard lives only in the Ninth Circuit, and was a concept laughed off by the Eastern District of New York, which surmised that “Plaintiffs must be drinking the Kool-Aid if they think that a reasonable suspicion threshold of this kind will enable them to guarantee confidentiality.” Whether they compare electronic devices to luggage or recognize their ability to reveal “privacies of life,” courts routinely uphold the search.

Authority to Compel Travelers’ Passwords

While it’s fairly clear that CBP has the right to demand that travelers turn over electronic devices for inspection, the question remains: Did Sidd have to tell the agents the PIN to access his phone, or could he have just handed it over while refusing to unlock it? CBP, of course, answers that it does have the authority to compel travelers to reveal their passwords, citing a federal statute that provides “[e]very customs officer shall…have the authority to demand the assistance of any person in making any arrest, search, or seizure authorized by any law enforced or administered by customs officers, if such assistance may be necessary.” The “assistance” CBP requires is the password to your phone and a refusal to “assist” is a misdemeanor. On the other hand, courts have held that passwords (as opposed to fingerprint scanners) are protected by the Fifth Amendment’s privilege against self-incrimination. As of yet, however, there are no court decisions one way or the other regarding whether travelers must provide their passwords at the border. Regardless, US citizens are permitted to enter the country whether or not they reveal their passwords, possibly after being held and questioned for a period of time if they refuse. CBP may, however, detain the device while trying to access it through more sophisticated methods.

Maintaining Trade Secret Confidentiality at Border Crossings

For the most part, border patrol searches of electronic devices will be difficult to predict. But there are some actions that attorneys and companies can take to help protect privileged or confidential information before and after a border search. Some protective steps might include:

• Storing data on the cloud, rather than on individual devices. Although cloud storage may raise a host of other cybersecurity issues, if the data is not stored on the device crossing the border, it should not be accessible to CBP agents. Just be sure to log off of your cloud storage account.

• If employees frequently cross international borders to conduct business, consider keeping duplicate devices on either side of the border, so that an employee need never carry a device across the border.

• If you must travel with a device, consider travelling with a clean “loaner” device that you do not use for your day-to-day activities.

• Before travelling, remove all unneeded privileged or confidential information from your device. For example, you may want to remove your work email account from your phone before crossing a border and restoring it afterwards. While deleted information may still be revealed in the event of a forensic search, it will at least not be immediately visible to a cursory review at the border.

• If your device is searched, notify CBP that it contains attorney-client privileged information or other confidential information. Notifying CBP that certain information is privileged imposes a requirement that CBP must suspect a crime before proceeding with the search. For both privileged and non-privileged confidential information, CBP must take steps to ensure the confidentiality of the information. But beware – if the CBP agent suspects that evidence of a crime is within information claimed to be privileged, you will have to wait for Associate/Assistant Chief Counsel to arrive before the search can continue.

• Finally, if your device has been searched (particularly if searched out of your sight), you should assume that your data has been copied and shared with other law enforcement agencies. You should immediately change all of your account passwords afterwards.

Although we are not all carrying government secrets relating to the future of the space program, like Sidd, attorneys, clients, and employees all potentially have a wealth of confidential or privileged information on the electronic devices with which they travel. Taking some simple protective steps now may prevent that information from being unnecessarily shared with a third party.

Categories: Volume 8-1

The information on this website is for general information purposes only. Nothing on this site should be taken as legal advice for any individual case or situation.

This information on this website is not intended to create, and receipt or viewing of this information does not constitute, an attorney-client relationship.

© 2017 MDTC. All Rights Reserved.