We live in an era where BYOD – Bring Your Own Device – is transitioning from niche technical jargon to everyday reality, and people are beginning to use MDM and other mobile security solutions to counter the pitfalls of BYOD. But there are places where mobile security is not welcome. For example, the use of data security tools like encryption software is enough to raise suspicion and delay you (or stop you) at the US border. The implication is that you’re a suspicious individual because a password is necessary to access your device. What are you hiding there buddy, hm? appears to be the central question by the Department of Homeland Security.
From now on, the answer could very well be “that’s none of your business… unless you have reasonable suspicion” thanks to a watershed decision by the 9th U.S. Circuit Court of Appeals in San Francisco, California. This is the end of the border search exception doctrine, that there are exceptions to the Fourth Amendment at US borders, as we’ve known it for the last ten years. From now on, US Customs and Border Protection (CBP) agents can’t dig too deep into your digital possessions without a reasonable cause.
Kiddie Porn at the Center of the Case
Last Friday, the 9th U.S. Circuit Court of Appeals ruled, according to wired.com, “that U.S. border agents do not have carte blanche authority to search the cellphones, tablets and laptops of travelers entering the country.” The key word there is “carte blanche.” US border agents can still go through your laptop. If they want to do more than do a cursory examination, however, they must have a tenable reason.
The ruling was divided, although not controversially so: of the 11 judges, 3 dissented from the majority opinion (which is 82 pages long. Happy reading).
The ruling was a result of an arrest at the US-Mexico border. In a nutshell, a man by the name of Cotterman was singled out for inspection based on a “fifteen-year-old conviction for child molestation.” Although there was nothing incriminating on his, and his family’s, two laptop computers and three digital cameras (and presumably their non-digital belongings), CBP sent the laptop to a forensic examination facility. Deleted child pornography in a variety of media was discovered, including 23 password-protected files that were cracked open to reveal images of Cotterman molesting a girl. The court ruled that this in-depth digital examination requires probable cause, and that it was met in Cotterman (the dissenting opinion, in my opinion, makes a pretty strong case that probable cause was not met).
Password-Protection and Encryption is NOT Grounds for Suspicion
In the summary to US v. Cotterman, the court noted the following (my emphasis):
The en banc court wrote that password protection of files, which is ubiquitous among many law-abiding citizens, will not in isolation give rise to reasonable suspicion, but that password protection may be considered in the totality of the circumstances where, as here, there are other indicia of criminal activity. The en banc court wrote that the existence of password-protected files is also relevant to assessing the reasonableness of the scope and duration of the search of the defendant’s computer.
Within the body itself, it was commented on the presence of password-protection as a suspicious factor:
the government adds another [reasonable suspicion] – the existence of password-protected files on Cotterman’s computer. We are reluctant to place much weight on this factor because it is commonplace for business travelers, casual computer users, students and others to password protect their files. Law enforcement “cannot rely solely on factors that would apply to many law-abiding citizens,” Berber-Tinoco, 510 F.3d at 1087, and password protection is ubiquitous. National standards require that users of mobile electronic devices password protect their files…. Computer users are routinely advised – and in some cases, required by employers – to protect their files when traveling overseas.
The majority opinion goes on to note that password protection alone, in isolation, “will not give rise to reasonable suspicion” and that “to contribute to reasonable suspicion, encryption or password protection of files must have some relationship to the suspected criminal activity.”
The court also made a comment on full disk encryption:
We do not suggest that password protecting an entire device – as opposed to files within a device – can be a factor supporting a reasonable suspicion determination. Using a password on a device is a basic means of ensuring that the device cannot be accessed by another in the event it is lost or stolen.
Well, technically, it appears to be a comment on password-protection, but let’s face it, if you’re looking for a means that ensures that a device remains inaccessible when lost or stolen, it’s encryption that you want, not password protection.
And, last but not least, the use of passwords has been described as a “basic privacy right,” although I’ve got to wonder whether I’m quoting out of context. In the dissenting opinion (my emphasis):
Perhaps the most concerning aspect of the majority’s opinion, especially given its stated stance on privacy rights at the border, is its readiness to strip former sex offenders and others convicted of past crimes (and who are, theoretically, entitled to be presumption of innocence) of even the most basic of privacy rights, such as the right to password-protect their electronic devices…. Indeed, as the majority acknowledges, making legal files difficult to access makes “perfect sense” for anyone.
Who’d have thunk it? Encryption is a type of basic right.
The case is interesting in many ways. You can find thoughtful, intelligent coverage at arstechnica.com, wired.com, and techdirt.com, among other online media.
Related Articles and Sites: