Privacy czar looks into border searches
Concern over amount of access to electronics
Canada’s federal privacy commissioner has launched an investigation into the Canada Border Services Agency’s practice of searching the electronic devices of travellers at the Canadian border.
The investigation comes amid mounting concerns over whether CBSA’s U.S. counterparts are not just searching travellers’ devices, but also downloading their contents for later examination and even cloning and mirroring the devices.
Border agents from both countries operate in a legal grey zone. Canadian courts recognize “reduced expectations of privacy at border points” for people dealing with Canada’s border authorities, who are able to search and examine possessions, including devices, without warrants, said Valerie Lawton, a spokeswoman for the Office of the Privacy Commissioner of Canada. People must provide their passwords if asked, or risk having the device “held for further inspection.”
“It is possible that issues related to retention may be examined during our investigation,” Lawton said, saying she couldn’t reveal further details about the investigation or the complaint that prompted it. Little is known about when, and how often, CBSA retains data collected from devices, where it’s held and for how long.
The CBSA does not collect statistics on electronic device searches, spokeswoman Line Guibert-Wolff said, and data may only be collected for “customs purposes.” Information can only be disclosed to other agencies if it meets guidelines in the Customs Act, which states information must relate to criminal proceedings, immigration or national security, among a few other categories.
She did not directly answer a question as to whether CBSA retains data from the electronic devices it searches.
Examinations of devices “do not require reasonable grounds to suspect or believe that a contravention has occurred,” she said, but CBSA policy states such examinations “should only occur where there is a multiplicity of indicators” or if undeclared, prohibited or falsely reported goods are discovered.
“Initial examinations of digital devices and media should be cursory in nature and increase in intensity based on emerging indicators,” Guibert-Wolff said. “The CBSA is committed to maintaining the balance between an individual's right to privacy and the safety and security of Canadians.”
“There's an enormous amount of uncertainty in what feels like a no-privacy zone,” University of Ottawa law professor Michael Geist said. “There's a sense that customs officials are empowered to do whatever they see fit … But the lack of transparency associated with these processes is enormously disturbing.”
Brenda McPhail, director of the privacy, technology and surveillance project at the Canadian Civil Liberties Association, said “We can't hold them to account as a society if it's not clear what the rules are, or how they've been told to interpret them.
“We're treating devices that provide a portal into our lives the same way that we treat a suitcase, and they're not equatable.”
As the privacy commissioner's investigation of the CBSA begins, privacy experts are raising concerns about the access to travellers' personal devices that American border officials have in situations where visitors can't say no. Statistics released by the U.S. Customs and Border Protection show media searches by U.S. border authorities increased five-fold in 2016 over 2015, and appear to be increasing even more under the Trump administration.
From the beginning of October 2015 to the end of September 2016, five times as many electronic media searches — 23,877 — were conducted by U.S. agents than the year before, Long confirmed. That's still a fraction of the total number of arrivals (390 million in 2016) but NBC reported this week 5,000 searches were conducted in February alone.
Anyone travelling to the U.S. can have their computers, disks, drives, phones, cameras and other devices searched by U.S. Customs and Border Protection. If a device is locked and a traveller doesn't provide the password, they can be refused at the border or detained.
“Keeping America safe and enforcing our nation's laws in an increasingly digital world depends on our ability to lawfully examine all materials entering the U.S.,” spokesman Dave Long said in an email.
Agents can look at data that helps identify someone's admissibility and “intentions upon entry,” Long said. They're also empowered to look for information about terrorism, national security, smuggling, contraband, child pornography and financial and commercial crimes. Any information gathered may be shared with other agencies as evidence.
Lawton said the privacy commissioner is aware officials in the U.S. have “broad inspection powers.” But “with respect to the retention of data, we are not privy to information about whether or how often this occurs.”
Long wouldn't confirm or deny whether border officials have the ability to copy information from devices. But a May 2015 privacy assessment from the Department of Homeland Security implies that as of a couple of years ago, border authorities were already employing the practice.
Trained officials can use tools to “create digital images of electronic media … seized under border search authority.” The tools are used to “image the media, creating a mirror copy to use as a working copy,” then “index the information and extract files and other data points,” the assessment says.
Adam Schwartz, with the Electronic Frontier Foundation, a privacy rights group in San Francisco, said it is known that agents have Cellebrite devices, which can be plugged into devices to harvest information.
“We've heard a lot of reports, for example, of a traveller unlocking (the phone), handing it to the agent, the agent takes it out of the room for 10 minutes. It's possible during those 10 minutes they're plugging a Cellebrite device or another forensic tool into the traveller's phone and copying information.”
A source in the intelligence community told the National Post that border officials may not have the language ability to assess all the data on someone's phone right away, so making copies could help officials continue investigating after the device is returned.
Schwartz and his colleagues published a white paper on border security which indicates U.S. border agents can look at all cloud data in addition to what's downloaded to a device. It also says agents have sophisticated enough forensic software that data recently deleted may still be retrieved.