US Customs holds citizens’ device data for 15 years

Each year, thousands of Americans reentering the US allow Customs and Border Protection agents to perform security checks on their phones and other electronic devices. New revelations indicate that whether or not these citizens are accused of a crime, their personal information is saved in a database searchable by thousands of agents and maintained for up to fifteen years.

According to the Washington Post, which broke the story last week, US Senator Ron Wyden sent a letter to CBP Commissioner Chris Magnus criticizing him for “allowing indiscriminate rifling through Americans’ private records.”

Furthermore, Gizmodo reported Wyden saying,

 “CBP should not dump data obtained through thousands of warrantless phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans’ personal data whenever they want.”

What’s exactly going on here? For years Customs and Border Protection has collected data from up to 10,000 devices each year — including text messages, documents, social media posts, banking and health data, and other information — to a massive database known as the ‘Automated Targeting System’. 

The CBP claims their searches allow their agents to determine an individual’s “intentions upon entry” into the US, according to the Washington Post. Agency spokesman Lawrence “Rusty” Payne explained that the searches are lawful and CBP uses the data in their investigation of “individuals who are of a significant law enforcement, counterterrorism” or national security concern.

According to a Privacy Impact Assessment Update from 2018, a CBP agent first performs a preliminary search of the device in the owner’s presence, reviewing data such as contact lists, call logs, calendar entries, text messages, pictures, videos, and audio files. If the agent has a “reasonable suspicion” that the traveler poses a security threat, they can run an “advanced search” to copy the contents, which are then stored in the Automated Targeting System.

Travelers selected for a search receive an official document that explains,

“You may be subject to an inspection for a variety of reasons, some of which include: your travel documents are incomplete or you do not have the proper documents or visa; you have previously violated one of the laws CBP enforces; you have a name that matches a person of interest in one of the government’s enforcement databases; or you have been selected for a random search.”

However, while the document indicates that the searches are “mandatory,” it doesn’t provide details about what happens to the data, and often travelers don’t receive the document until after they’ve surrendered their devices. 

In fact, as Electronic Frontier Foundation (EFF) notes, these searches are not mandatory for US citizens, although those who refuse can have their devices confiscated for anywhere from days to months. Non-citizens can be denied entry, however.

In his letter, Wyden told Magnus, “Innocent Americans should not be tricked into unlocking their phones and laptops.” He has called for stronger privacy protections for American citizens whose information ends up in the database despite being accused of no crime.

The new revelations about the nature and scope of the ATS database have sent up red flags. Privacy advocates and some members of Congress argue that the process may amount to an infringement of Americans’ Fourth Amendment rights against unreasonable searches and seizures.

Independent tech blog The Register notes that the Electronic Privacy Information Center (EPIC) and other privacy advocates want the CBP to stop collecting this data. Earlier this year, EPIC put out a document explaining their concerns and wrote an amicus brief supporting a lawsuit that sought to prohibit warrantless searches.

According to EPIC senior counsel Jeramie Scott,

“Today’s cell phones and other electronic devices are filled with countless amounts of personal data — often more than what is contained in our homes. This makes CBP’s retention of data from tens of thousands of electronic devices through warrantless border searches an extremely invasive surveillance program that should be stopped immediately.”

Moreover, in a separate article, the Washington Post points out that Saira Hussain, a staff attorney at EFF, has argued in court that the CBP searches are unconstitutional, and suggests that although all Americans can be targeted for a search, CBP agents profile people from Muslim or Muslim-adjacent communities disproportionately.

In other news

• Hackers breach Uber and Rockstar Games. Take-Two Interactive, the parent company of Rockstar Games (maker of Grand Theft Auto video games), announced this week that the game company had been hacked. The Register reported that the company confirmed in a statement that the perpetrator obtained confidential information, “including early development footage for the next Grand Theft Auto.” Meanwhile, hackers also gained access to “several internal systems” at Uber.  These include the company’s Google G Suite account and Slack messages, as well as accounting materials. According to Gizmodo, Uber is blaming the hacker group LAPSUS$. This story is still unfolding, and more information on both hacks may surface in the coming days.

• Electric vehicles could rescue the US power grid. California recently adopted a regulation to ban the sale of all new gas-powered cars starting in 2035. While this will fundamentally change the auto-sales market statewide, there’s evidence that this rule will alleviate some pressure on overworked electrical grids. This accelerated transition to zero-emission automobiles is a cause for celebration by groups dedicated to air quality improvement and climate change activists. The regulation sets a precedent that will likely catch on in other places over time. With strained electrical grids failing across the US, the benefits of battery power could outweigh the angry shouts of oil companies. 

• A Swiss company aims to eradicate plastic coffee capsules. Any coffee lover who cares about the environment knows the pain it brings to see someone using a plastic capsule coffee machine. But now, Swiss coffee brand Migros has invented the CoffeeB machine, which uses plastic-free coffee balls instead of traditional capsules. As reported by TechCrunch, the science behind CoffeeB is to compress the coffee balls into a tasteless, colorless, seaweed-based layer that provides the ball structure and protects the coffee from flavor loss. Fully compostable, of course. 

• Facebook has gathered so much user data that engineers can’t find it all. The transcript from a court hearing, featuring testimony by two veteran Facebook engineers, has revealed a new troubling fact. Parent company Meta has compiled so much data from billions of people and contained it so confusingly that locating it all is impossible. According to the transcript, when asked to give a definitive answer as to where personal data is stored, Facebook’s engineering director replied, “I don’t believe there’s a single person that exists who could answer that question.” The Intercept goes on to assert that the transcript essentially boils down to two Facebook engineers describing their product as “an unknowable machine” and that Facebook’s sprawl has made it inconceivable to know what the platform consists of anymore. Yikes! 

Tip of the week: Protecting your data at the border

If you’re entering the US at an airport or any border checkpoint, you should be prepared to present your electronic devices for inspection. 

American citizens can refuse to unlock devices (despite CBP declaring it a mandatory search). However, CBP officials can then confiscate your device for days or even months. Noncitizens can be refused entry into the US if they refuse to comply. 

Assuming you decide to comply, here are some considerations that will allow you to comply with any search requests while protecting your data. 

• Assess your risk level. If you are a journalist, celebrity, lawyer, possess proprietary company information, or have other data that you don’t want to compromise, you may wish to take more precautions than the average citizen. 
• Consider traveling with minimal devices. Do you really need your laptop on a tropical vacation?
• Remove sensitive data before leaving home. You can back up your devices to a desktop computer, hard drive, or the cloud, then wipe/reset them, and then only install the apps necessary for the trip. 
• Use a temporary device (e.g. a burner phone)
• Use a passcode that not only locks the device but encrypts the data
• Power down devices before going to a checkpoint
• Be careful with biometric passcodes (finger or face recognition). They may not provide the same legal and security protections as passwords
• Log out of browsers and social media accounts; consider deleting social media apps for the border crossing

Electronic Frontier Foundation has a page with extensive information about assessing your risk, how to deal with possible search requests, how to document interactions afterward, and other legal and practical considerations, so it’s worth reviewing before you take your next international excursion.