ACLU sues America's border cops: Tell us everything about these secret search teams targeting travelers

FOIA lawsuit demands data on Tactical Terrorism Response Teams

When Andreas Gal, CEO of Silk Labs and a US citizen, returned to the US from a business trip in Europe last year, he was detained by US Customs and Border Patrol (CBP) for secondary screening. He claims he was threatened with unwarranted charges, denied access to an attorney, and told he had to unlock his electronic devices before he would be allowed to leave.

Most of the questions, Gal explained in a phone interview with The Register, were related to his work as CTO of Mozilla, a position he left in 2015.

"They didn't tell me what they were looking for," he said. "But having gone through this experience, it did not feel random."

Despite being told he had no right to an attorney, he says he refused to answer questions and was eventually allowed to go without unlocking his devices, though his Global Entry card – a subscription-based biometric border entry program to facilitate travel – was taken from him.

On Wednesday, the American Civil Liberties Union (ACLU) sued CBP claiming that the agency maintains secretive units to "detain, search, question, and/or deny entry to people with valid travel documents who present no security risk."

The ACLU complaint, filed in the Eastern District of New York, seeks CBP documents under the Freedom of Information Act that the agency has refused to produce.

It contends that these Tactical Terrorism Response Teams (TTRTs) have operated for the past few years and target individuals, including US citizens, "who do not present a security risk but may hold information or have a connection to individuals of interest to the US government."

"The public has a right to know how these teams operate, how their officers are trained, and whether the guidelines that govern their activities contain civil liberties and privacy safeguards," the ACLU said in a statement announcing its lawsuit.

The complaint says TTRTs target people without valid cause, based on hunches and instinct, raising the likelihood that travelers are subject to profiling based on race, religion, ethnicity, national origin, or proxies for those attributes. As such, TTRTs may be violating protections guaranteed by the US Constitution.

CBP watches for individuals on the US government's terror watchlist but TTRTs are expected to scrutinize people not on the watchlist and not known to be a security threat.

Gal, who was detained by a TTRT, believes it's possible that his past work on encryption and online privacy, his public disapproval of the Trump administration, or his campaign contributions to Democratic political candidates, may have led to him being targeted.

What concerns him about TTRT operations, he said, is we don't know much about them. "They can pull random people over for unclear reasons and ask them questions and bully them," he said.

For Abdikadir Mohamed, an immigrant, the experience was far worse. According to the ACLU, CBU officers in 2017 denied him entry into the US, interrogated him for 15 hours, and sought to deport him. Mohamed challenged the deportation order, which led to him spending 19 months in detention before a judge granted his asylum claim and allowed him to rejoin his family in the US.

The ACLU says TTRTs detained over 1,700 people in 2017.

A federal court decision last month in a separate case brought by the ACLU and the Electronic Frontier Foundation, Alasaad v. McAleenan, should limit the ability of US authorities to demand access to digital devices in the absence of reasonable suspicion and to conduct "fishing expeditions."

US border point

Shock! US border cops need 'reasonable suspicion' of a crime before searching your phone, laptop


CBP declined to comment on the lawsuit specifically but offered a statement explaining TTRTs.

“While all CBP officers are trained to identify individuals who may pose a threat to our nation, Tactical Terrorism Response Teams were created in 2015 and are specially trained in targeting and analysis to identify those attempting to enter the United States who are suspected of attempting to compromise our national security," CBP's spokesperson said in an email to The Register.

"The teams employ a variety of methods to mitigate possible threats that are standard throughout the agency and work in concert with all of CBP to carry out our border security mission."

Six months ago, Gal filed a lawsuit in California to force the government to provide him with records of his CBP interaction, after the government failed to respond to his request for those records under the Privacy Act.

He said he is opposed to terrorism and violence in any form and would want authorities to be aware of any such activity. But he also said he's passionate about privacy and believes the government needs to be accountable.

"I'm a a US citizen and these people seem to believe the Constitution does not apply at the border and they seem to believe the public does not deserve an explanation," Gal said. ®

Broader topics

Other stories you might like

  • TikTok: Yes, some staff in China can access US data
    We thought you guys were into this whole information hoarding thing

    TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.

    "100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."

    That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.

    Continue reading
  • The App Gap and supply chains: Purism CEO on what's ahead for the Librem 5 USA
    Freedoms eroded, iOS-Android duopoly under fire, chip sources questioned – it's all an opportunity for this phone

    Interview In June, Purism began shipping a privacy-focused smartphone called Librem 5 USA that runs on a version of Linux called PureOS rather than Android or iOS. As the name suggests, it's made in America – all the electronics are assembled in its Carlsbad, California facility, using as many US-fabricated parts as possible.

    While past privacy-focused phones, such as Silent Circle's Android-based Blackphone failed to win much market share, the political situation is different now than it was seven years ago.

    Supply-chain provenance has become more important in recent years, thanks to concerns about the national security implications of foreign-made tech gear. The Librem 5 USA comes at a cost, starting at $1,999, though there are now US government agencies willing to pay that price for homegrown hardware they can trust – and evidently tech enthusiasts, too.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading

Biting the hand that feeds IT © 1998–2022