The agency uses metadata to create a system of record for electronic device searches but agents may be able to access information irrelevant to their cases.
More U.S. Border Patrol agents may have access to personal information collected from electronic devices searched at U.S. borders—even if it is immaterial to their work—due to a shift in how Customs and Border Protection manages digital forensic data across the enterprise.
A July 30 privacy impact assessment clarified the Border Patrol can conduct device searches under a CBP directive, and spelled out risks from using a software called PLX to create an agencywide system of record for all digital searches conducted at U.S. borders and ports of entry.
“By using PLX, [Border Patrol] will standardize the way it collects, retains, and uses information derived from digital forensic cases and data obtained from telecommunications providers pursuant to subpoenas or warrants,” the report reads.
PenLink, a technology company based in Lincoln, Nebraska that works with law enforcement agencies across the U.S., provides the software.
PLX doesn’t store the data from device searches, it allows agents to manage and analyze the metadata from such searches. Data is collected during border crossings using a variety of extraction tools to create a “mirror copy” of the data on the device. That data is then sent to a local network for storage. Information from the analysis of the data is transferred on a thumb drive to PLX.
The assessment highlights that a Border Patrol agent could potentially access the metadata, even if the agent has no connection with the investigation. The assessment states the agency will mitigate this by limiting access to trained forensics experts.
The privacy analysis also states concerns related to providing adequate notice that people crossing borders may be subject to digital searches is canceled out by posting the policy and the assessment. It added Border Patrol tries to conduct as many searches as possible in the presence of the subject.
The controversial digital forensics program faced legal challenges in the past. In 2019, a federal court ruled the U.S. government violated the Fourth Amendment by conducting suspicionless searches of electronic devices. Plaintiffs in the case, represented by the American Civil Liberties Union, argued digital searches went beyond enforcement of immigration and customs laws.
The case came as use of the digital forensics program spiked. In 2017, CBP conducted 30,200 searches of electronic devices, an increase of more than 10,000 from 2016.
This latest privacy assessment maintains Border Patrol can still use electronic device searches in a wide range of scenarios, including to gather information about suspected illicit activity or anything “indicative of criminal activity.” Anyone crossing the border and any devices they carry, like mobile phones or laptops, is subject to CBP search.
The report outlines an extensive list of data CBP can collect. Not only can a search yield contacts, call logs, text message exchanges and calendar events, it can also include social media account information, cell site information, location data and information about financial accounts and transactions. All of this data can then be stored by CBP for 75 years, according to the report.