CBP Officers Aren’t Deleting Data After Warrantless Device Searches, IG Says

Pedestrians crossing from Mexico into the United States at the Otay Mesa Port of Entry wait in line in San Diego.

Pedestrians crossing from Mexico into the United States at the Otay Mesa Port of Entry wait in line in San Diego. Denis Poroy/AP File Photo

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Aaron Boyd By Aaron Boyd,
Senior Editor, Nextgov

By Aaron Boyd

|

An inspector general report found Border Patrol officers didn’t follow standard procedures during device searches, mostly because those procedures weren’t clearly laid out.

Customs and Border Protection officers over two years searched more than 47,400 electronic devices owned by travelers entering the U.S. but often failed to delete travelers' information from portable drives, according to an inspector general investigation.

More than 787 million travelers entered the U.S. in 2016 and 2017, and border patrol officers downloaded and searched the data on devices for approximately 0.006 percent of those travelers, known as an advanced search. The criteria for what warrants an advanced search—compared with a standard, non-tool-assisted search of a device—was redacted in the report.

The program began as a pilot in 2007 at four ports of entry and has since expanded to include 67 distinct locations. When an advanced search is deemed necessary, officers download data from the device to a portable drive—usually a thumb drive—which is then plugged into CBP’s Automated Targeting System for analysis.

During such searches, officers are required to sever any external connections so they can only review data stored on the device and must immediately delete the information from the thumb drive after transfer. The IG’s analysis showed neither procedure was being properly followed.

According to the report, these issues were largely the result of unclear or undocumented policies. For instance, the office managing the program issued a memo in April 2017 requiring officers to ensure devices are disconnected from the internet or other networks. However, CBP’s standing directive at the time did not include that requirement.

The IG reviewed 154 search reports filed before the April 2017 memo and found none of the devices were properly disconnected before being searched. Of the 40 reports filed after the April 2017 memo that were reviewed, 14 did not include documentation from the supervisor proving the device’s connections had been severed prior to the search.

An additional memo in January 2018 included stronger, clearer language concerning disconnecting devices and an October 2017 system update added a mandatory data field in the reports to verify these actions.

The audit also showed officers failed to delete travelers' information from portable drives after they uploaded them to ATS, as required. During the review, investigators found travelers’ information stored on portable drives at three of five ports of entry, creating a significant privacy and security issue.

The deletion process is part of each officer’s training, according to CBP, however, there is no official written policy, the IG found.

“Based on our physical inspection, as well as the lack of a written policy, it appears [the Office of Field Operations] has not universally implemented the requirement to delete copied information, increasing the risk of unauthorized disclosure of travelers’ data should thumb drives be lost or stolen,” the report states.

“It’s bad enough that the search happens in the first place. What’s worse is that they’re keeping the data around,” Adam Schwartz, senior staff lawyer for the Electronic Frontier Foundation, told Nextgov, noting the foundation has a lawsuit pending against CBP asserting the search of devices without a warrant violates the Constitution. “What’s alarming about this inspector general’s report is that they were supposed to be deleting the thumb drives but they’re not, which shows a failure of minimally adequate management of this data in a secure fashion.”

Beyond poor cyber hygiene and data stewardship, the failure to clear the thumb drives “reflects, overall, a system that’s not committed to the privacy of these travelers,” he said.

The IG also docked CBP for not instituting performance metrics to measure the progress of these pilots. CBP records the number of device searches at each location but does not continue to track what comes next, including whether those searches led to prosecutions or convictions, according to the IG.

“Without performance measures … OFO will not be able to determine whether the advanced searches are achieving their intended purpose or whether the use of advanced searches should be expanded to other ports of entry,” auditors wrote.

Investigators made several recommendations to clarify policies and increasing documentation requirements, as well as creating and implementing better performance metrics. CBP officials agreed with all the recommendations and outlined immediate plans of action in response.

For their part, Schwartz said EFF was heartened by the fact that the investigation took place and considers the recommendations sound. That said, the foundation would like CBP and the IG to go further.

“I would say it is good the inspector general has done this study and brought these issues to light,” he said. “But our primary reaction is concern that there are so many problems concerning how they’re gathering and storing this sensitive traveler information.”

Editor's Note: This story has been updated to clarify which CBP employees are conducting device searches.

NEXT STORY: Russia Launched Cyber Attacks Against Ukraine Before Ship Seizures, Firm Says

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.