Border searches of US citizens' mobile devices do not extend to data stored solely on remote servers, according to Kevin McAleenan, Acting Commissioner of the US Customs and Border Protection Agency.
McAleenan offered this clarification in a June 20, 2017 letter, obtained by NBC News this week, sent in response to an inquiry initiated by US Senator Ron Wyden (D-Ore.) in February.
Wyden wrote Homeland Security Secretary John Kelly to express concern about reports that Americans have been pressured to provide authorities with device passcodes when reentering the country.
"These reports are deeply troubling, particularly in light of your recent comments suggesting that CBP might begin demanding social media passwords from visitors to the United States," Wyden wrote. "With those passwords, CBP may then be able to login to accounts and access data that they would otherwise only be able to get from internet companies with a warrant."
McAleenan's answer partially addresses that concern.
"In conducting a border search, CBP does not access information found only on remote servers through an electronic device presented for examination, regardless of whether those servers are located abroad or domestically," McAleenan's letter explains.
Yet the wording of his reply leaves some ambiguity because data may not be "only" or "solely" on remote servers. It may also be stored on the device in some form, putting it potentially within the scope of CBP scrutiny. Depending on how an native or browser app has been coded and configured, it may cache data locally.
Email apps and web apps, like Google Docs, may do so in order to function when not connected to the internet or to provide a more responsive user experience. Some data stored in this manner may only be accessible through forensic tools, but if it's on the device, it's fair game.
The Register asked CBP for clarification but has not yet received a response.
US citizens may not be barred from reentering the country if they choose not to unlock their devices for CBP personnel. But border agents have the option to keep unexplored devices for further examination for five days or possibly more.
The same "should" hold true for lawful residents (green card holders), according to the American Civil Liberties Union (ACLU), which hedges its assertion by advising non-citizens to consult with an immigration attorney about device unlocking concerns.
Residents of foreign countries attempting to visit the US run the risk of being denied entry if they decline to a CBP request to provide access to a device. For those who comply, the ACLU advises entering any password manually if possible rather than providing it to the CBP, in order to avoid having it stored in a database. ®
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Federal government of the United States
- Government of the United Kingdom
- Identity Theft
- Palo Alto Networks