The Ninth Circuit has held that it is the right of the United States government to seize a digital device at a border crossing*, transport it to a secondary location, and retain the data from the device indefinitely until it can be accessed. It has been true for awhile that any device, any data, may be scrutinized at will by the United States government at border crossings without suspicion. This decision merely reaffirms that right, however, as many people seem to be unaware that the United States government may do so, I thought I would give a brief treatment to the holding.
Essentially, if you engage in United States/International travel and are: an attorney with privileged attorney/client information on your devices, a business traveler with confidential corporate information on your devices, or just a private citizen who doesn’t want the government to look through your private information without cause; you need to protect your information before you travel.
* Note that a border crossing is not limited to the physical border of the United States but any location in which a person or object is first entering the United States (IE arrival in Atlanta, GA on an international flight).
Blanket Search & Seizure of Digital Devices
From the Ninth Circuit’s opinion:
Today we examine a question of first impression in the Ninth Circuit: whether the search of a laptop computer that begins at the border and ends two days later in a Government forensic computer laboratory almost 170 miles away can still fall within the border search doctrine. The district court considered the issue to be a simple matter of time and space. It concluded that the search of property seized at an international border and moved 170 miles from that border for further search cannot be justified by the border search doctrine. We disagree.
The Supreme Court has recognized three types of searches in which more is required than simple application of the border search doctrine. First, the Government must have reasonable suspicion to conduct “highly intrusive searches of the person.” Flores-Montano, 541 U.S. at 152; see also Montoyade Hernandez, 473 U.S. at 541. Second, the Court has recognized the possibility “that some searches of property are so destructive as to require” particularized suspicion. Flores-Montano, 541 U.S. at 155-56. Finally, the Court has left “open the question ‘whether, and under what circumstances, a border search might be deemed “unreasonable” because of the particularly offensive manner in which it is carried out.’ ” Id. at 154 n.2 (quoting Ramsey, 431 U.S. at 618 n.13).
Within this framework, we have specifically held that “reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border.” United States v. Arnold, 533 F.3d 1003, at 1008.
In the matter before the court, the detainment of a laptop for roughly 48 hours was deemed not to be an unreasonable amount of time to detain personal property. However 48 hours is more than enough time to access files that are merely password protected. (More on passwords below). The Ninth Circuit maintained that a detention of 48 hours was reasonable, though they maintained a semblance of balancing the right to search with a right to privacy:
Still, the line we draw stops far short of “anything goes” at the border. The Government cannot simply seize property under its border search power and hold it for weeks, months, or years on a whim. Rather, we continue to scrutinize searches and seizures effectuated under the longstanding border search power on a case-by-case basis to determine whether the manner of the search and seizure was so egregious as to render it unreasonable.
Yet this fails to take into account the Department of Homeland Security’s written policy of mirroring data. See Privacy Impact Assesment, CBP and ICE Border Searches of Electronic Devices, August 25, 2009 (PDF link). Essentially, DHS and ICE routinely copy the entire storage medium of any electronic device that they detain. So while the government might return the device to a person after 48 hours, the data copied from any such device remains detained by the government.
The Court’s holding in Arnold, reaffirmed here, represents either a misunderstanding or misclassification of dealing with electronically stored information. It is not the physical device that is important or needs to be protected from search, rather it is the information contained therein that possesses value and needs to be protected.
In the dissent, Judge Fletcher eloquently describes the problem with the majority’s holding:
The real issue, as this case is framed by the government and the majority, is whether the Government has authority to seize an individual’s property in order to conduct an exhaustive search that takes days, weeks, or even months, with no reason to suspect that the property contains contraband. In other words, the problem with this case is not that the Government searched Cotterman’s computer in Tucson as opposed to Lukeville. The problem is that the Government seized Cotterman’s laptop so it could conduct a computer forensic search, a time consuming and tremendously invasive without any particularized suspicion whatsoever.
The majority fails, however, to substantively analyze the nature of the search itself, and so overlooks the fact that computer forensic searches are highly invasive, and a computer forensic search unlimited by any suspicion of particular criminal activity even more so (Judge’s emphasis).
Computers store libraries worth of personal information, including substantial amounts of data that the user never intended to save and of which he is likely completely unaware (for example, browsing histories and records of deleted files in unallocated space). See United States v. Flyer, No. 08- 10580, Slip Op at 2419, 2429 (9th Cir. Feb. 8, 2011); UnitedStates v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1176 (9th Cir. 2010) (en banc). Computers offer “windows into [our] lives far beyond anything that could be, or would be, stuffed into a suitcase for a trip abroad.” David K. Shipler, Can You Frisk a Hard Drive?, N.Y TIMES, Feb. 20, 2011, at WK5. The majority gives the Government a free pass to copy, review, categorize, and even read all of that information in the hope that it will find some evidence of any crime (Judge’s emphasis).
Solution: Encrypt All Sensitive/Confidential Information
If you are going to be traveling internationally to and from the United States, then encryption is a must. A password preventing the opening of a file on a system will not prevent a forensic technician from obtaining access to the data stored on the disc. Encryption actually protects the information stored on the disc by making it appear to be “scrambled.” Therefore encryption, along with a strong password, is required. Simple passwords are subject to brute-force cracking in a matter of minutes by the average desktop machine, never mind a workstation or cluster systems that a computer forensic lab will have available to crack a system.
For example, below is the time needed to crack a password consisting of 36 characters: The full alphabet, either upper or lower case (not both in this case) plus numbers.
0123456789 and either ABCDEFGHIJKLMNOPQRSTUVWXYZ or abcdefghijklmnopqrstuvwxyz
|Password Length||Combinations||Class A||Class B||Class C||Class D||Class E||Class F|
|4||1.6 million||2½ Mins||16 Seconds||1 Second||Instant||Instant||Instant|
|5||60.4 million||1½ Hours||10 Mins||1 Min||Instant||Instant||Instant|
Versus the time to crack a password that contains 96 characters: Mixed upper and lower case alphabet plus numbers and common symbols.
|Password Length||Combinations||Class A||Class B||Class C||Class D||Class E||Class F|
|3||884,736||88½ Secs||9 Secs||Instant||Instant||Instant||Instant|
|4||85 Million||2¼ Hours||14 Mins||1½ Mins||8½ Secs||Instant||Instant|
|5||8 Billion||9½ Days||22½ Hours||2¼ Hours||13½ Mins||1¼ Mins||8 Secs|
|6||782 Billion||2½ Years||90 Days||9 Days||22 Hours||2 Hours||13 Mins|
|7||75 Trillion||238 Years||24 Years||2½ Years||87 Days||8½ Days||20 Hours|
|8||7.2 Quadrillion||22,875 Years||2,287 Years||229 Years||23 Years||2¼ Years||83½ Days|
Note: Class D is a typical desktop machine, or next year’s high-end smartphone.
Taken from: Password Recovery Speeds. A full breakdown of password security is available from Lockdown.co.uk.
So as should be painfully clear, choose a strong password. Try something in the nature of ten characters with upper and lower case letters, numbers, and special characters (#*@^ etc.). Strong encryption without a strong password is next to useless.
As far as encryption software, the likely best choice is TrueCrypt. TrueCrypt is free/open source, peer-reviewed, and easy to use. There are a variety of technical reasons as to why TrueCrypt is the best option but it would be beyond the scope of this post. For further reading on TrueCrypt visit their site.
Privacy is Ethically Important and Required of Lawyers
It is worth noting that the Defendant in this case had a history of child pornography violations and was detained to have his laptop searched for child pornography. Child pornography is a horrible, horrible crime and I am not in any way advocating the protection of, or encouraging clandestine approaches to securing it. Rather, this holding and others like it give the government broad powers to detain and search information that people have legitimate reasons to keep private.
Lawyers in particular have an ethical duty to keep client/attorney communications privileged and confidential. Lawyers are often given access to the most private and intimate details of their client’s lives or business. Giving the government unfettered access to such information is a serious breach of the lawyer’s duty to keep this private information secured. As such, lawyers engaging in international travel in and out of the United States should seek out the means to protect their client’s information.
The full opinion is available here: USA v. Cotterman (PDF link)
For a further breakdown and discussion see Professor Kerr’s post at the Volokh Conspiracy.
UPDATE: The Electronic Frontier Foundation (EFF) has a Guide to Protecting Electronic Devices and Data at the U.S. Border