Do you know that U.S. government agents assert the power to inspect—and seize for lengthy periods of time—the contents of any laptop computer entering or leaving the United States, without any grounds for suspicion? Are businesses aware that sensitive corporate information in the confidential email stored on their employees' BlackBerries could be read by Customs and Border Protection (CBP) agents at the airport without reasonable cause? And that the contents of thumb drives, external hard drives and similar storage devices likewise may be inspected and copied by CBP agents at U.S. borders, again without any suspicion or reasonable cause?
With these considerations in mind, businesses may want to reexamine their policies regarding the use by their personnel of laptops and cell phones in international travel. Business travelers can take several steps to reduce the risk that their proprietary secrets may be exposed to review by CBP agents.
The Border Search Doctrine
Border inspections are not new. The "border search doctrine" holds that the government may conduct, at the nation's borders and equivalent locations, such as airports, "routine" searches of individuals and their effects without suspicion. United States v. Ramsey, 431 U.S. 606, 616 & 619 (1977); United States v. Montoya de Hernandez, 473 U.S. 531, 538 (1985). Courts reconcile the border search doctrine with the Fourth Amendment by construing searches at the border to be "reasonable" because of the nation's sovereign power to control entry.
What is new is recent publicity regarding the application of the border search doctrine to laptops and other digital storage devices. Press reports that travelers have had laptops opened, searched, copied and in some instances seized for lengthy periods by CBP agents are both causing a reevaluation of the policy and raising alarms among business travelers.
The Customs and Border Protection Policy
On July 16, after a Senate Subcommittee hearing, CBP published the legal and policy guidelines within which agents may search, review, retain and share information possessed by persons entering the U.S., whether or not they are citizens. In a nutshell, the CBP policy asserts broad power to search any traveler's electronic device, even decrypting where possible, without any "individualized suspicion."
The CBP policy asserts that in the course of a border search, even "absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through or reside in the United States." The policy sets forth no criteria for determining who may be searched. CBP officers may examine, in addition to documents, books and other printed material, "computers, disks, hard drives and other electronic or digital storage devices." They may "detain documents and electronic devices, or copies thereof, for a reasonable period of time" to perform a thorough search. That search "may take place on-site or at an off-site location." For information that is encrypted or in a foreign language, CBP may obtain decryption or translation assistance from other federal agencies. Such assistance is supposed to be rendered within 15 days, but extensions are possible and there is no apparent sanction if delays occur. If CBP officers determine that there is probable cause to suspect unlawful activity, they may seize and retain the originals. If not, CBP may retain only documents relating to immigration matters; other materials are supposed to be returned or destroyed, although the policy statement does not indicate any means by which travelers can confirm that this, in fact, happens.
Defenders of the policy assert that it merely reflects the long-standing border search doctrine, which allows search of physical items without particularized suspicion (particularized suspicion roughly equates to reasonable cause). For example, the Supreme Court has held that the disassembly of a vehicle's gasoline tank is a "routine" border vehicle inspection not requiring particularized suspicion. United States v. Flores-Montano, 541 U.S. 149 (2004). But are gasoline tanks comparable to electronic data? Do the contents of a laptop (which of course in many instances could readily be accessed from the Internet within the United States after entry) deserve no more protection than physical items, such as suitcases and gasoline tanks? What about the traveler's interest in trade secrets and other proprietary data carried on the laptop? Does the First Amendment limit the border search doctrine's applicability to digitized data?
"Expressive Content": The Ninth Circuit's Arnold Decision and Encryption
To date, the two federal courts of appeals (and a number of district courts) have declined to hold that the First Amendment limits border searches of digitized data. The most recent case, United States v. Arnold, 523 F.3d 941 (9th Cir., April 21, 2008, rehearing denied), arose from a search of a laptop computer at Los Angeles International Airport. After being selected for a secondary search while entering the U.S., Mr. Arnold was asked by a CBP officer to turn on his computer. Upon booting up, another CBP officer opened folders on the desktop labeled "Kodak Pictures" and "Kodak Memories." The officer viewed the pictures, which included one depicting two nude women, and escalated the matter. Mr. Arnold was detained for several hours and further inspection of his computer found images that CBP believed could constitute child pornography.
After a grand jury indicted Mr. Arnold on child pornography charges, he moved to suppress the search on the grounds that the government had lacked reasonable suspicion. The district court granted his motion (United States v. Arnold, 454 F. Supp. 2d 999 (C.D. Cal. 2006)), and the prosecution appealed.
The Ninth Circuit reversed. The court ruled that the search of Mr. Arnold's laptop was not unreasonably intrusive. In addition, the Ninth Circuit declined to create a First Amendment exception to the border search doctrine, on the grounds that doing so would protect terrorist material, prove difficult for CBP personnel to administer in practice and conflict with Supreme Court decisions refusing to apply a more stringent standard to Fourth Amendment searches when First Amendment material is the subject of the search. In so doing, the Ninth Circuit agreed with the Fourth Circuit decision in United States v. Ickes, 393 F.3d 501 (4th Cir. 2005), which also declined to create an "expressive materials" exception to the border search doctrine.
Some privacy advocates have taken issue with the Arnold and Ickes decisions. Peter Swire, former Chief Counselor for Privacy in the Clinton Administration, and the Electronic Frontier Foundation (EFF) contend that border searches of laptops and other digital devices should be treated as non-routine, thus requiring reasonable cause. The EFF argues that digital data not only implicate a person's dignity and privacy interests, but also, due to the vast storage capacity of today's devices, could render an inspection unreasonable in scope due to the sheer amount of data potentially affected.
The Arnold decision also comes on the heels of a recent decision by a lower federal court in Vermont which held that CBP may not require a person to disclose the encryption key used on his laptop. That decision, which is on appeal, held that the Fifth Amendment protects a traveler from being forced to divulge a password needed to open files when the act of revealing the password shows that the person has access to or control over potentially incriminating files. See In re Boucher, 2007 WL 4246473 (D. Vt. November 29, 2007). At this point, whether travelers can be forced to divulge keys or passwords needed to open or decrypt files is unclear. In practice, however, recent testimony before Congress indicated that persons who fail to divulge passwords or other keys necessary to access digitally-secured data are denied entry into the U.S.
Congress Is Getting Involved
The issue is now receiving attention in Congress. On June 25, the Senate Subcommittee on the Constitution held a hearing to review the DHS policy on inspections of electronic devices at border entry points.
In response to Arnold and the publication of the CBP policy, two bills have been introduced in the House of Representatives that would protect laptops from border searches. Rep. Zoe Lofgren (D-Calif), who represents a high-tech community, has introduced HR 6588, which would require that the government conduct laptop searches only if granted specific statutory authority to do so. Reps. Eliot Engel (D-NY) and Ron Paul (R-Texas) have jointly introduced HR 6702, which would require reasonable suspicion for a search of data and digital equipment of a traveler entering the United States.
These bills, of course, are a long way from becoming law. Until that happens, a traveler's laptop, BlackBerry, thumb drive and cell phone are all subject to search by CBP agents without any reason for suspicion.
What Should Business Travelers Do?
The ability of government border agents to open, review and copy digital information potentially is a matter of significant concern for businesses whose employees handle classified or confidential matter on their laptops. Although business travelers have long faced the risk of confiscation or industrial espionage when traveling in foreign countries, the Arnold decision extends the risk of unintended disclosure of the contents of laptops to government agents in the U.S. upon return.
On the other hand, given the multitudes of travelers leaving and entering the U.S. daily, it is unlikely that CBP is able to give more than cursory attention to most laptops. (Indeed, a greater risk to business security might be the tendency of employees to lose laptops in airports.) CBP agents surely lack time to examine the contents of every cell phone and BlackBerry carried into the nation. Therefore, the risk that CBP will select any one employee for a search may seem relatively small.
Still, however, businesses can have no assurance that their personnel departing for or returning from international travel will not have their laptops, cell phones, thumb drives and other digital storage devices inspected, opened, and potentially reviewed off-site, to be returned only sometime later. Such is the law in the United States today. This means that any business matter on a laptop—trade secrets, financial statements, draft contracts, reports on internal corporate investigations—may be opened and read by CBP personnel and referred to other government agents.
In addition, businesses may understandably worry about the security of digital data while in possession of the CBP. Although the CBP policy, by its terms, acknowledges that the Trade Secrets Act, the Privacy Act and other laws may apply to some material, the policy itself provides travelers no rights. And, even if there were security requirements under such statutes, businesses might wonder how security requirements are observed in practice. How much comfort can an executive have that the draft of an unannounced merger agreement is safe from prying eyes?
Therefore, businesses should consider directing their employees to remove all business materials (and personal material as well) from laptop computers or other digital devices before traveling. Instead, employees should consider taking "clean" computers having only the software necessary to conduct business abroad, and no additional stored files. This approach can work successfully where any data that must be used abroad can be retrieved through the Internet upon arriving at the destination.