Hacker News new | comments | ask | show | jobs | submit login
Border Search of Electronic Devices – CBP Directive [pdf] (cbp.gov)
111 points by troydavis on Jan 6, 2018 | hide | past | web | favorite | 105 comments

We really need a definitive SCOTUS ruling that searches of electronic devices violate the Constitution but if course we will never get that far. The intent of border searches originally was to identify goods being brought into the country to avoid paying duties or fees or being brought in illegally. Searching an electronic device is more akin to demanding to see what words are on a piece of paper you have in your pocket. Obviously the reason to search electronic devices is for political purposes like finding terrorists or illegal porn which is not what the Constitution is talking about.

Taxes, levies, excises, duties, substance schedules and a lot of other things are just implementations of political purposes/ideas.

Of course the difference between search for economic (tax evasion) control vs search for security (written/recorded "thought crime") control is the important difference here.


It is a political purpose, because "terrorist" is a politically charged definition whose application changes with the political climate.

The definition of 'criminal' changes over time too but that doesn't prevent us from prosecuting those who we determine to be criminals today.

Regardless of how the subtleties of politics shift over time, someone who enters a country seeking to kill and destroy should not be a allowed inside regardless of what they're called.

The percentage of 'terrorists' we are talking about is so small, it's hardly worth considering. It's a waste of everyone's time, and privacy to spend looking through anyone's phone at an airport

The major crimes we still recognize haven’t changed since humans started scratching on clay tablets. Murder, theft, rape, assault/battery, etc. Who was counted as a person and who the manner of gaining justice has changed, but not the crimes.


You could say the same thing about the word "murderer". While technically correct, that doesn't make it any less a matter of life and death.

Then let's stop talking about finding "terrorists" and call it finding "murderers" or "criminals."

"Terrorist" is a just word governments use to scare their citizens into giving up their civil liberties in exchange for security theater and authoritarianism.

Agreed. "Mass murderer" would be more to the point, albeit still somewhat subjective. The point is, the conversation should be about effective tactics/policies for saving lives. Disputes over terminology are mostly a distraction from that.

There are a number of abortion deniers whoop would disagree with you on "murder" and "death."

> finding terrorists isn't a "political purpose" it's a matter of life and death

If you believe that these actions are necessary to meaningfully reduce harm from terrorists, then the government's claim about life and death holds up.

The concern is that these actions do not meet those conditions (necessary, meaningful reduction), and that the government is using the argument to cover for actions it wants to take for other reasons, including political ones.

Also, even those conditions are not sufficient to justify it. The actions must be lawful, of course, and the loss of liberty must be worth the gains in security; the U.S. (generally) has valued liberty very highly.

Section 5.3 pertains to requesting passcodes, and that an Officer may ask you for the passcode (I don't see anything about individuals being obligated -- though see 5.3.4, which could be interpreted by "legal remedies"). However, section 5.3.3 says:

> If an officer is unable to complete an inspection of an electronic device because it is protected by a passcode or encryption, the Officer may, in accordance with section 5.4 below, detain the device pending a determination as to its admissibility, exclusion, or other disposition.

Section 5.4 elaborates further.

Also, I found 5.1.2 interesting:

> Officers may not intentionally use the device to access information that is solely stored remotely. To avoid retrieving or accessing information stored remotely and not otherwise present on the device, Officers will either request that the traveler disable connectivity to any network (e.g. by placing the device in airplane mode), or, where warranted by national security, law enforcement, officer safety, or other operational considerations, Officers will themselves disable network connectivity.

My employer made me sign an agreement that states (among other things) sharing passwords/passcodes is not allowed and that termination is a potential result of a violation of this policy. I'm going to keep my job and not unlock the whole-disk crypto protecting the data on my drive.

Since I work for an educational institution, there is potentially FERPA protected data on my drive. In some instance we also deal with HIPPA data. It's also interesting because my password manager stores it's data as encrypted files on that drive (mirrored from the cloud). I'm certainly not unlocking that either.

(IANAL.) Employment agreements generally are not enforceable when they conflict with the law, AFAIK. The security guard might be required to never open the door, but when a police officer or court gives them a lawful order to open it, they open it or go to jail. I doubt they could be fired for opening it in that circumstance; your employer cannot require to you violate the law.

Another way of looking at it: You can write whatever you want on paper and sign it, but that doesn't make it enforceable. You could sign a document that makes you a slave or puts up your children as collateral for your ISP bill, but those agreements would be scrap paper (or evidence for the prosecutor).

Not scrap. They do evidence an intention to pay. They are an acknowledgement of the debt. The individual clauses may be struck as illegal, but the documemt and signatures are still a thing.

Which is fine, since you're a US citizen and can't be denied entrance. They're going to confiscate your devices, though.

Can LPR’s be denied entrance for refusing to unlock?

No, an LPR can only be denied entrance if:

(a) They are regarded as seeking admission and they are found inadmissible. Refusing to unlock their device will not make an LPR regarded as seeking admission as it’s not a reason listed in INA 101 (a)(13)(C): https://www.uscis.gov/ilink/docView/SLB/HTML/SLB/0-0-0-1/0-0...

(b) They are deportable. Simply refusing to unlock a device in itself will not make someone deportable as it’s not listed in INA 237 “General Classes of Deportable Aliens”: https://www.uscis.gov/ilink/docView/SLB/HTML/SLB/0-0-0-1/0-0...

Probably not, since they also can't be denied entrance by executive order. But I'm not a lawyer!

I believe an LPR could be paroled, pending a hearing with an immigration judge.

Saying that, the only people who cannot be denied entry to the US are indeed USC.

> Officers may not intentionally use the device to access information that is solely stored remotely.

Probably until some court rules that a client making the information seem local to facilitate access is legally equivalent to having that information local (and hence not under protection of 5.1.2).

Most likely followed later by some other ruling that a browser can be considered such a client.

Doesn't 5.1.2 mean that the device would be without network access throughout the search (regardless of what information is meant to be protected as stored remotely)?

Got the message? Better store everything in the back-doored cloud! Much less of a hassle to compromise

One thing to note: "This directive governs border searches of electronic devices -- including... at the extended border." The "extended border" extends a hundred miles from what we normally consider the border; the authorization for customs agents to conduct warrantless searches in the Immigration and Naturalization Act allows them "within a reasonable distance from any external boundary of the United States," and the Attorney General defined that distance as a hundred miles. The Supreme Court disagrees (Almeida-Sanchez v. U.S., U.S. v. Martinez-Fuente), and has ruled that border searches can only be done, well, at the border. Under this directive, an importer/exporter headquartered in downtown San Diego would be subject to these searches... a bit scary if the Supreme Court ever overturns its earlier border search decisions.

Yes, it’s indeed over the top. Here’s a map by the ACLU: https://goo.gl/images/HpPYby

It is indeed over the top. Almost too much to believe. Oh, wait. It is too much to believe.

This notion that any place within 100 miles of a border is a "4th Amendment Free Zone" is an urban legend. The ACLU should stop spreading it.

The exact issue we're talking about here has been tried all the way through the Supreme Court, which found that the border search exemption only applies to people with some nexus to an actual border crossing.

> The exact issue we're talking about here has been tried all the way through the Supreme Court, which found that the border search exemption only applies to people with some nexus to an actual border crossing.

Wrong. It found that warrantless “border” searches on public highways leading to it away from the Mexican border were legal based on either perceived ethnicity of drivers or passengers or even no individualized basis for suspicion. No nexus between the searched person or vehicle and an actual border crossing beyond being on a road which eventually led to or away from the Mexican border is required.

It's true that the only places that the decision applies to are public highways, not (e.g.) the interior of residences or businesses, so it's not any place. But it's pretty extensive.

Which case are you referring to?

Also, I can't tell if you're nitpicking my summary or if you actually do believe there's a 100-mile-wide Constitution-free zone hugging the US border.

> Which case are you referring to?


> Also, I can't tell if you're nitpicking my summary or if you actually do believe there's a 100-mile-wide Constitution-free zone hugging the US border.

“100-mile Constitution-free zone” is a simplification that, like any simplification, is somewhat inaccurate; there is a broad (unclear as to it's maximum limits, the 100 miles is current executive policy) in which the courts have allowed, in fairly broad circumstances, substantially lower standards for search and seizure than are otherwise Constitutionally applicable in the US, rendering the protections of the Fourth Amendment in practice much weaker.

You should re-read it, because it explicitly rebuts the argument you're making. It holds specifically that Almeida-Sanchez stands, and that:

In Almeida-Sanchez v. United States, supra, the question was whether a roving patrol unit constitutionally could search a vehicle for illegal aliens simply because it was in the general vicinity of the border. We recognized that important law enforcement interests were at stake, but held that searches by roving patrols impinged so significantly on Fourth Amendment privacy interests that a search could be conducted without consent only if there was probable cause to believe that a car contained illegal aliens, at least in the absence of a judicial warrant authorizing random searches by roving patrols in a given area. Compare 413 U.S. at 413 U. S. 273, with id. at 413 U. S. 283-285 (POWELL, J., concurring), and id. at 413 U. S. 288 (WHITE, J., dissenting). We held in United States v. Ortiz, supra, that the same limitations applied to vehicle searches conducted at a permanent checkpoint.

It allowed the actions in this case specifically because they were not searches, in the same sense as a traffic stop is not a search, and the police, having pulled your car to the side of a city street for having expired tags, cannot without probable cause demand that you open your trunk to allow inspection.

You got kind of quiet there. :)

"Roughly two-thirds of the United States' population lives within the 100-mile zone."* That's incredibly disturbing.

* https://www.aclu.org/other/constitution-100-mile-border-zone

When you drive close to the Canadian and Mexican borders I've gone through those inland checkpoints. I've never seen that practiced along the littorals --never. Has anyone seen a checkpoint along the littorals? Curious.

Not a checkpoint but I've seen CBP sitting on the Mississippi - Alabama state line multiple times (I10).

What Almeida-Sanchez held is that searches under the border search exemption need to be connected somehow to an actual border crossing, not that they need to occur "at the border". But by the logic of Almeida-Sanchez, the "extended border" is a limiting factor for the government: it suggests that whether or not you've recently crossed, if you're more than 100 miles from the crossing, the border search exception no longer applies.

> The Supreme Court disagrees (Almeida-Sanchez v. U.S., U.S. v. Martinez-Fuente),

Martinez-Fuerte sharply limited Almeida-Sanchez: Almeida-Sanchez (1973), it's true, seemed to require warrantless border searches to be at the border, but Martinez-Fuerte (1976) allowed warrantless “border” searches at immigration checkpoints on public highways leading to it away from the Mexican border, even without any individualized basis for suspicion (much less probable cause) or when the decision to make stops was based entirely on the perceived ethnicity of drivers/passengers.

At some point weren’t they also trying to argue that an international airport constituted an extended border for these purposes?

There isn't much need to argue. People traveling to/from international destinations can be easily searched under a number of different theories. Fly Vancouver>Vegas and you can be searched in Vegas despite having already been searched in Vancouver. Sometimes if they find something in Vancouver they will still put you on the plane as arresting you for a US crime in Vegas is much cheaper than in Vancouver (normally done for people with outstanding warrants).

It's not just cheaper they are not allowed to arrest you in Canada. They can only deny entry or detain you until the Canadian authorities make the arrest.

Actually in Vancouver, before you clear customs to get on your flight to the US, you enter a secure area where there is a sign that says welcome to the US of A, and you are in fact on US soil, just like an embassy, I'm pretty sure they could even fly you directly to a Bellingham jail and the Canadian government/RCMP couldn't do a thing about it once your cRoss that imimaginary line in the airport.

> Preclearance facilities exist because of agreements made between the U.S. federal government and the governments of the host countries. Travelers who have passed through the U.S. government checks, but whose flight or ship has not departed, remain in the legal jurisdiction of the host country.


I stand corrected, thanks for the info, hopefully I will never need use that info but nice to know still! +1

The number of searches has increased quite a bit from 2016 to 2017


The best way is not to travel with anything that is not needed.

Use cloud services and a disposable OS.

The best way to play their (CBP) game is not to play. Don’t have anything available for them.

Is there any way to quickly wipe and restore a full macOS? or other OS for that matter? As someone who travels, well, all the time, it seems a massive amount of overhead at the moment.

If everything is in the cloud, that means I have to be sure to have fast, reliable internet at my destination (which is definitely not always the case). And any way I can think of to securely travel with a copy of my data is just the same problem: the CBP can request I unlock the other device.

Ideally, we just wouldn't be able to be compelled to unlock our data, without the high probability of being forced to hand over the device because of our refusal. How is this not a violation of the Fourth Amendment? It's frustrating in the least.

Chrome is the only OS that makes this ridiculously easy, I think..

only because chromeos is so crippled.

this is like suggesting a kids toy in the shape of a power tool is easier to repair than a proper power tool. while true, you can't do the same tasks with the kids toy.

This seems like a no-brainer. If you don't want CBP digging through your data, it's not hard to backup and wipe your phone before a trip. Or just buy a cheap burner for travel purposes.

While I have never had a major problem, it certainly raises a LOT of eyebrows when I say I don't have a phone.

Most Officers simply don't believe me, and quite a few embassies had no idea how they would issue me a visa without a phone number on the application form.

I have an old Motorola "dumb" phone, but what I want to know is if I am asked "Do you have a Gmail/Facebook etc..account" I am required to tell the truth, am I also obligated to provide the password to access it regardless of whether or not I am carrying a device to access it?

I don't know if you must answer the question or provide a password, but I do know that lying to a federal agent is a crime that can land you in jail for up to 5 years.

It's really scary, say the wrong thing to a border agent and you can end up in prison, or banned from entry for life. I don't travel to the US often and unfortunately since 911, I am even less inclined to travel there due to the security measures imposed afterwards...does that mean the terrorists won?

That's an interesting question.

If I cross into the US with nothing digital at all (no phone, camera, laptop, etc.) do I have to provide logins and passwords to all my online accounts?

That would be very scary if indeed true.

or not to travel to countries with such policies, such as the usa or saudi Arabia.

Never is there any mention that by accessing the device of person A, the officer may be violating the rights of all people (say persons B, C, and D) who have shared information in confidence with person A.

This includes getting access to my family photos. I don’t want an officer, who self selected by applying for a job that he knows will give him access to family photos, to get access to my family photos, because what kind of person applies to that job?

There is not generally a right to confidentiality of information you share with a third party. There are a few exceptions (spouses, doctors, lawyers, among others). If party A shares information with party B outside one of these protected relationships, then I guess A's rights will not be violated if their information is discovered in party B's possession, whether or not party B shares that information voluntarily. (All subject to the search of B's information being constitutional.)

That really depends on the jurisdiction. For example in Germany it is illegal to share pictures of persons not being yourself without the other party's agreement. Google Translate does a decent enough job on the German Wikipedia entry:


The article in discussion is the US CBP, so the jurisdiction is pretty clearly the US and not Germany.

Do you believe those stupid disclaimers at the bottom of emails hold any water? Same principle here.

Ignorant question for those who have had to transit the US border (it has been many years for me) - are these device searches now routine? I.e. do they automatically request access to any locked smartphone, etc?

From https://www.cbp.gov/newsroom/national-media-release/cbp-rele...:

> In FY17, ... Approximately 0.007 percent of arriving international travelers processed by CBP officers (more than 397 million) had their electronic devices searched

I would guess devices are searched at the border for parallel reconstruction (to find information they already know without disclosing details about surveillance)

You would guess that based on what evidence? Just first principles, in the sense that if you ran an DOJ and a CBP with what you believe the same objectives as the real DOJ and CBP, that's what you'd do?

Two reasons:

(1) There were posts on HN around the time of the Snowden news of border agents presenting private emails, in one instance someone was traveling as a tourist but had email inviting them to perform as a musician

(2) In individual stories I read of searched phones, the agent already knew where to look (for example, went directly to an app with discussion arranging paid hookups)

We already know that parallel reconstruction is common for surveillance used by law enforcement (DEA, local police using Stingray, etc) so that seems more believable than random spot checks on .007% of people.

We know that parallel reconstruction is "common"? Can you back that up with evidence?

Google “parallel reconstruction stingray” or “parallel reconstruction dea”

Nothing prevents police or prosecutors from using inadmissible evidence, they just can’t produce it in court.

You should read your own link. Parallel reconstruction is an explicit exception to that rule. I would be thrilled if you can debunk parallel reconstruction, but that doctrine is the very reason for it.

From your link:

“The doctrine is subject to four main exceptions. The tainted evidence is admissible if:

- it was discovered in part as a result of an independent, untainted source”

We're mis-communicating. You said:

Nothing prevents police or prosecutors from using inadmissible evidence, they just can’t produce it in court.

That statement by itself is clearly false. The police cannot illegally search you and use that evidence as a means to find additional evidence, and then present that evidence in court as if it was untainted.

What I gather you meant now was that parallel construction allows them to do this. Parallel construction is the process by which unlawful evidence is used to direct the attention of LEOs, who, after plainly observing some other crime or probable cause indicator, then conduct a search.

I know what parallel construction is, but what I do not know is why you believe the process is common. Do you have any evidence for the frequency with which it is used? The revelation that it had ever happened was a major news story just a few years ago. Is it your belief that it was common practice, and that even though there are something like 500,000 working law enforcement agents in the US, somehow the secret never got out until recently?

To be very clear: I believe parallel construction has happened and will happen again in the future, but I do not believe it is routine or that any process at CBP is tuned to amplify it.

I don't want to debate the meaning of the word "common", but given the number of Stingers in use, and their NDA prohibiting disclosure, I think it's naive to assume that parallel reconstruction is rare. And yes, that's just my opinion.

When the police find a guy carrying $500,000 in his car, do you really think that was random chance?

> That statement by itself is clearly false.

No the statement is true. Detectives act on hearsay evidence all the time (which is inadmissible). They use everything they know about a suspect to drive an investigation.

Inadmissible means only that it can't be presented in court. While a jury must ignore inadmissible evidence, police have no such requirement. Most of their work is outside the courtroom, the trial is just the presentation at the end.

> The police cannot illegally search you and use that evidence as a means to find additional evidence, and then present that evidence in court as if it was untainted.

Isn't the problem that illegal (dragnet) searches still happen?

Police only need one warrant or one instance of probable cause to "deploy Stingray" in a city block, and then flag suspicious things, and then use the legal search conducted by the border patrol, to check what was suspicious.

Of course, the practicality of flagging a lot of people for minor things (that somehow are or become a crime when crossing a border) and then keeping those records somehow shared with the CBP in secret for all these years is simply not there.

Why would I google a very idiosyncratic phrase that next to nobody except you is using?

To understand what they're talking about?

Generally, if someone uses a phrase that's slightly different from the usual phrase ("parallel reconstruction" vs. "parallel construction"), he is running in circles that are almost certainly conspiracy theorists.

Rather unusual, especially when it comes to crossing the northern land border, and especially crossing that land border with more than one person in the vehicle.

It's fairly unusual for them to perform any search or inspection at the Canadian land border for Canadian or United States citizens or residents. I suspect that persons who are from nations which are considerably less diplomatically positive with the United States, and especially who have specific grounds for suspicion related to their identity or documents, would bear the brunt of searches in general and electronic device searches in particular.

Section 5.1 (page 4) describes new rules for US CBP searches:

“Officers may not intentionally use the device to access information that is solely stored remotely. Officers will either request that the traveler disable connnectivity to any remote network…”

So it sounds like a workaround is to avoid storing any data locally on the device. I wonder how effective that would be in practice. It might raise some suspicion if you unlocked your phone and they discovered you were logged out of everything, and there was nothing on the phone.

> It might raise some suspicion if you unlocked your phone and they discovered you were logged out of everything, and there was nothing on the phone.

There are countries[0] I travel to where that’s exactly what they find, essentially a freshly wiped phone. Hasn’t raised suspicion yet.

[0] it’s also how I travel to certain security conferences. Buy a used/refurbished device before, use for duration of event, sell immediately after.

> sell [device] immediately after

I've heard people say that if their laptop or phone were searched out of their sight by border officials, they'd sell it afterward.

But is it ethical? I think this meat might be contaminated; I'm not going to risk eating it, so I'll sell it.

I'd consider it my lucky day and auction it off to security researchers.


Sorry if I started the discussion provocatively. I'm thinking that there should be an alternative to throwing a $1000+ device in the garbage or passing the (potential) problem onto someone else. I don't know if there are any other alternatives, but I wanted to have a discussion from that angle.

Sorry, I probably was too sensitive to the reply. Mea culpa.

> I don't know if there are any other alternatives

In my opinion, there will likely never be anything to ensure nothing was done, hence why (well that plus the example you gave) I incorrectly assumed you were backhandedly making an insult rather than asking for a real discussion on it.

You're doing it, do you think it's ethical? If so, why?

(I actually don't care, but your response was ridiculous and I noticed you avoided answering.)

Would you please stop posting uncivil and/or unsubstantive comments to HN? You've done this a fair bit, and it violates the spirit of this site, as described at https://news.ycombinator.com/newsguidelines.html and https://news.ycombinator.com/newswelcome.html.

Your comment would be fine with just the first sentence.

Dang, I respect you and the work you do here, and I really value the HN site. I never set out to post uncivil and/or unsubstantive comments, and when I do I usually delete them or at least add an edit or reply to soften them. And if somebody calls me out on something I check myself, and apologise if I think I messed up.

I started to write a whole long thing defending my previous posts but I stopped myself. I did add up all the points from my most recent 10 comments, the total is 17. I'm having a bad run at average 1.7 points. So, yes, you're absolutely right, and I'll try to do better.

(There was one exception to my policy that happened recently, where I snarked at some person who was complaining about how hard it is for white men to speak their truth in silicon valley, from an account with a racial pejorative for username. My comment got flagged. Rightly so.)

I consider myself a hacker, I hope I'm a net benefit to the community, and I'd really like to see HN stay high quality. I did reread both the guidelines and the welcome page you linked and I am "on-board".

But, ...

Just kidding, no "but".

Sorry for the noise dude, I'll try to do better.

Thanks! I really appreciate this.

Cheers :-)

It's like an advertisement for Chromebooks ...

What is the most effective way to encourage our elected representatives to correct this potential for violation of our rights?

Are there any devices offering a silent panic passcode? It would be convenient for travelers if "123456" unlocked the device and "987654" erased local information and unlocked the device.

That way a properly backed up device could be carried across a border with risk only of inconvenience, not of data loss.

(The passcodes I showed are my passcodes. :-) Nobody else use them, OK?)

IANAL but previously when I have heard that question the common response is "this can later be considered intentional destruction of evidence and/or obstructing justice and can also be used as grounds for further detention because you must have something to hide"

EDIT: Also a commenter below reminded me that not obeying any order given to you by CBP/law enforcement is a direct violation of previously agreed to rules of the trusted traveler programs (Global Entry/TSA Pre, maybe even CLEAR?) which would cause you to be removed from any/all of those programs.

If you are opting into these "programs", you are already part of the problem.

With the opt-in... 30mins to cross a border. Without it.. slowdowns, flagging, questioning, etc... could be 6 hours. If one is travelling for business, opting out is not realistic.

We all sell out every day; might as well be on the winning team!

Not what you're looking for, but it's worth knowing that since iOS 11, there is a panic sequence that disables TouchID at least. This applicable in non-border LE interactions where a citizen can be compelled to touch the device, but not to give up their passcode (IANAL, this might be out of date, as precedents change).


TL;DR: Some businesses will forego an option to connect with a US supplier rather than try to send a lawyer through customs.

Does anybody know if there is an equivalent to Hidden Volumes for an OS? It would be pretty cool if you could give a password for your machine that loads up a default OS installation, or maybe some configurable fake user to make things look more 'legit'.

So what do we do if the CBP asks us to hand our devices over? Is there any way we can tell them to fly a kite?

Are you a US Citizen? Are you willing to temporarily (temporarily in this case is not implying a short duration, btw) lose your device? Are you able to waste time (as in hours or unlikely but possibly days) at CBP defending your rights without negative repercussions (as in missed flights, possibly missed work, missed family obligations, etc)?

If the answer is yes to all, then sure, politely refuse and stand your ground until you get your way. I try to make sure I can answer all yes when I travel, but the last one isn’t always possible.

Also, note that refusal to comply with ANY direction by CBP results in permanent unappealable revocation of trusted traveler status.

Fair point

Attorney-client privilege is interesting. What happens if you say that you have emails and voicemails from an attorney?

As I read it, they essentially promise not to look at it.

They're on to me and my evil attempt to smuggle lolcats into the US

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact