Can border agents legally copy all the data on your phone and laptop when you return home from a business trip?
In the past, the answer was, generally yes. In the future, the answer may be, generally, no.
A federal judge this week rejected the Trump Administration’s policy that allowed U.S. Customs and Border Protection (CBP) to search smartphones and laptops at airports and borders at their own discretion without the burden of reasonable suspicion.
The American Civil Liberties Union and the Electronic Frontier Foundation supported the ruling. They both sued the federal government in 2017 (the case is: Alasaad v. McAleenan) on behalf of 11 people whose gadgets got searched while they were returning to the US.
In the past, the point of exit from or entry into the United States was treated as a Fourth Amendment “gray area,” where it wasn’t clear if the Constitution’s prohibition on “unreasonable searches and seizures” by the government applied.
The ruling clarifies that it does apply. U.S. District Judge Denise J. Casper in Boston ruled that warrantless searches are “not limitless and must still be reasonable.”
A staff attorney for the ACLU named Nathan Wessler, told me that the case isn’t over yet. The judge still needs to rule on a few particular elements in the case, including on whether the ruling applies to everyone or just American citizens and residents.
EFF Senior Staff Attorney Sophia Cope said that the ruling requires “reasonable suspicion for all device searches — both manual (basic) and forensic (advanced); and the searches are limited in scope to searching for and interdicting digital contraband, such as child porn, copyrighted media, or classified information.”
Crucially, the judge in the case “recognized that broad searches for general evidence of wrongdoing are not tied to the main purpose of border searches, which is contraband interdiction.”
Cope pointed out that one ramification of U.S. policy is that other countries may be influenced by it. “We’ve always been concerned about a race to the bottom,” she said, and expressed hope that this ruling will slow invasive border policies by other countries.
She said the “government has 60 days to decide whether to appeal.”
What to know about protecting data from U.S. Customs searches
A spokesperson for the Department of Homeland Security told me this week that the CBP conducted 40,913 border searches of electronic devices in Fiscal Year 2019 (which begins on October 1 and ends on September 30). He pointed out that the searches represent less than .01 percent of the 414 million travelers passing through U.S. ports of entry that year.
The CBP searched some 30,200 devices last year, which is about 60 percent more than they searched in 2017.
In other words, the number of searches had been rising fast every year for several years.
Wessler said that, despite the ruling, it’s still possible that border agents may confiscate your phone or laptop and download all its contents, and that there’s not much you can do in that moment.
He advises to politely tell them you object to the search, which may — but probably won’t — help in a subsequent lawsuit. Saying you consent to the search may harm your case in a future lawsuit.
The only thing you might say that could stop border agents from copying your data is that specific information is covered by attorney-client privilege. Beyond that, there’s no distinction made by the government between “personal” data and company secrets.
The risk of having your data copied by the CBP is simply that it means there’s another copy out there beyond your control. It could get into the hands of an agent who’s “freelancing” for cybercriminals.
Here’s the single most powerful way to keep data away from Customs offices: Store it in the cloud.
The government makes an enormous distinction between data stored on devices’ storage media and data available through those devices in the cloud.
Cloud data is strictly off-limits for searches. Specifically, paragraph 5.1.2 of the CBP directive on
“border search of electronic devices” says that such searches can involve “only the information that is resident upon the device and accessible through the device’s operating system or through other software, tools, or applications. Officers may not intentionally use the device to access information that is solely stored remotely.”
The directive goes on to require that officers “either request that the traveler disable connectivity to any network (e.g., by placing the device in airplane mode), or, where warranted by national security, law enforcement, officer safety, or other operational considerations, Officers will themselves disable network connectivity.”
To be clear: Keeping data in the cloud places that data legally beyond the reach of U.S .border agents.
The bigger risk from industrial espionage
While the border situation is changing, so is the realm of good old-fashioned industrial espionage.
The three most important facts to know about industrial espionage are these:
- It’s more common than you think
- It’s on the rise
- Business travelers are especially vulnerable
The U.S. Department of Justice says that industrial espionage is a growing threat.
The German Association for Information Technology found that more than half of all German companies were hit by espionage, data theft or sabotage between the years 2016 and 2018. The value of data stolen from German companies alone is estimated to be around $50 billion.
For U.S. companies, the value of stolen data was estimated at $600 billion two years ago.
Industrial espionage is more common than many professionals think it is, and here’s why.
Everyone is aware of other kinds of attacks, such as ransomware and DDOS attacks. And there’s a good reason for that: The whole point of those attacks is to make sure you know about them.
Industrial espionage is the opposite. The whole point is to make sure you never know about them.
Hit with most attacks — you know it. Hit with corporate data theft — you don’t know. As a result, the frequency of such attacks is underestimated.
Industrial espionage sounds all cloak-and-dagger, and it’s often assumed that national foreign spy agencies are doing the spying. In fact, many such attacks are executed by other employees, by rival companies. Other times, it’s hackers seeking to sell your data on the darknet.
For all these groups, including state actors, business travelers can be easier targets. They’re not protected by physical security; their devices usually contain not only data and information about credentials, but also arbitrary information useful in a future social engineering attack — for example, contact information on colleagues, partners and customers.
Industrial espionage attacks don’t always target trade secrets or intellectual property. Sometimes they’re looking for customer information or other business intelligence information.
The methods for targeting business travelers for industrial espionage range from rifling through your devices in your hotel room while you’re out to stealing your smartphone while you’re in a bar.
How to protect yourself and your company
Going into 2020, with everything we know about the rules, laws, best practices of security specialists and worst practices of malicious cybercriminals and governments, here’s what you and business travelers within your organization should do to protect company data:
- Remove all sensitive or monetarily valuable data from all devices before travel
- Later, access them only through secure VPN connections
- Back up the non-sensitive data that remains before travel
- Make sure everything that can be protected by password is protected by strong, good passwords.
- Turn off your phone’s auto-join function for Wi-Fi
- When you return home from a trip abroad, with data backed up, wipe your devices and start over.
Another risk for travelers is the existence of insecure travel apps. Mobile security researchers from Zimperium’s zLabs found that among the top 30 travel apps, all iOS apps failed both privacy and security benchmarks. Among Android apps, some 45 percent failed on privacy and 97 percent failed on security. So watch out for those.
The bottom line is that business travelers are especially vulnerable to being victimized by data theft. U.S. Customs is still a risk. And industrial espionage is a growing risk. By understanding and applying the new “rules” for safe business travel, you can prevent your data and your company’s data from getting into the wrong hands.