The primary spotlight in this part of the presentation is the hierarchy and authority of U.S. agencies associated with providing security at the border.
So DHS is the Department of Homeland Security; it is kind of the big overall blanket organization, or agency. These first three are components, the smaller agencies within the Department of Homeland Security (see image).
TSA stands for the Transportation Security Administration. Actually, when you cross the border you will not encounter this agency at all. This agency is responsible for conducting security inspections within the United States, and so if you happen to be in the United States and you are flying from one airport in the United States to another, then TSA is the one that will do security there. These are the ones that have the naked body scanners that everybody gets really upset about certainly; and these are the ones that will X-ray your carry-on baggage; these are the people who operate the magnetometers that you walk through – that’s TSA. You really don’t encounter these at the border.
CBP is Customs and Border Protection. These are the people who do the passport checks when you enter the United States. This is the agency that’s primarily responsible for border inspection. So chances are, most likely, that if somebody is going to inspect your computer, it may well be CBP.
ICE is Immigration and Customs Enforcement. I tend to think of CBP as kind of more bureaucratic agency, but ICE is more of an enforcement agency. They have authority to investigate immigration and customs violations, and violations of law at the border. So if an inspection escalates, it’s entirely possible that ICE might be searching a device. These are also people you might run into.
A lot of people ask about INS – that’s an agency that actually doesn’t exist anymore. It was pre-Department of Homeland Security, and now it’s been kind of wrapped into the DHS, and its functions sort of distributed to other little component agencies. But these are not people that you are likely to deal with anymore, because this agency doesn’t exist.So here are some of the things that border agents can do without any suspicion of wrongdoing whatsoever. They can detain travelers temporarily (up to a few hours) for questioning. They can detain your possessions temporarily – this includes taking possession of a device to analyze or to copy the data on it. They can certainly ask you lots of questions, though only a judge can really force you to answer questions, and we’ll talk about that later. And they of course have the authority to refuse admission. And one of the most frustrating things about dealing with agents at the border is the fact that they have tremendous discretion to make these decisions. So if you ask a question: “What can get you refused admission?” – that’s a very difficult question to answer, because I think it depends on the circumstances and who you are dealing with. I think one agent might refuse admission, where another might not.
So CBP’s policy makes clear that their agents can inspect electronic devices and data “with or without individualized suspicion” of the traveler. CBP says that they can keep a device for a “brief, reasonable” time which usually doesn’t exceed 5 days. They may send the device or copy of the data to another agency if they need help making sense of the data, i.e. if they encounter an encrypted version of data that they are trying to decrypt. If they are having some technical problems, or if the data happens to be in a foreign language which they can’t understand, they might seek assistance of another agency to help understand what they are reading. It’s worth noting that the policies don’t make clear what happens to those copies of the data that are sent to other agencies.
It’s clear that the policies anticipate that agents may run across sensitive data: things like medical information or privileged information, in one way or another. But it’s not clear what they do when they run across that data. Basically, the policies say, you know: “Be sure to talk to a lawyer, hire up in the agency if you need help figuring out what to do”. But the actual procedure for handling that information isn’t clear.ICE’s policy is very similar. Again, they can inspect information or devices “with or without individualized suspicion”. They are required, as a general matter, to complete searches of detained items within 30 days, but we’ve heard stories suggesting that under certain circumstances that can take much longer. They also can seek help from other agencies, and it is, again, unclear how they handle privileged or sensitive data.
We would now like to talk a little bit about how to interact with agents that you encounter at the border, given the fact that we know that they have expansive authority to search items. We think that one thing that is important to keep in mind is that they may be more likely to want to search an item if they sense that you are not cooperative. And so we would suggest, if you’re crossing the border, you consider avoiding giving agents excuses to become concerned about you, or concerned about your possessions. It is very important not to lie to border agents; that actually is in and of itself a crime. And, you know, if they ask you something like: “Do you know the password to this?” – and you say: “No” (while you actually do), that in and of itself can get you in so much more trouble than if perhaps you would just give it to them. It’s also important not to obstruct an agent’s investigation – that can, again, be a separate crime. We’re gonna talk about situations where these concerns may come up a little bit later. Also, I think it’s important to be polite to people, I think that they are likely to give you an easier time if you are trying to be gracious and professional about a situation. I really feel that you do not want to turn over information, but you should recognize that it doesn’t mean that you have to be obnoxious when you do it.As I mentioned, you may choose not to answer questions. You should recognize that even if you technically may have a right not to answer questions, that can still have adverse consequences. It may lead to your questioning, whereas you may not have been questioned otherwise. In a really extreme circumstance, if you’re dealing with a very difficult person, I think it could even mean that you don’t get admission to the country. For this reason, Seth and I think that it’s worth considering whether IT policies might be put in place that would give employees of companies external reasons for not answering questions. Maybe you might have a situation where a border agent says: “Could you please give us the password?” And you say: “I’m sorry, I can’t do that because my company has a policy that says I can’t do it”. I think it feels much better, and it’s much preferable to be able to point to an external reason why you can’t do something or you’re not willing to do something that’s not just “I don’t want to”. And I think that may tend to make your interactions certainly more smooth.