Monday, March 12, 2018

U.S. Customs and Border Protection: Search of Electronic Devices

On 4 January 2018, the United States (“U.S.”) Customs and Border Protection (“CBP”) issued Directive No. 3340-049A superseding Directive 3340-049 to standardise procedures its officers use during border searches, which include searches of all persons entering the U.S. through airports (the “Directive”). Pursuant to the Directive, the CBP has authority to conduct “routine searches of the persons and effects of entrants [into the U.S. which] are not subject to any requirement of reasonable suspicion, probable cause, or warrant.” In effect, this means the CDP may conduct border searches of electronic devices, such as laptops, tablets, and mobile phones.

This article outlines why business travellers should be aware of the Directive, and sets out the steps a business traveller can take to protect information they store on their digital devices when entering the U.S.

Privileged material 
Entrants into the U.S. should be particularly aware of Section 5.2 of the Directive, which covers privileged material. Section 5.2 sets procedures for CBP officers to follow when encountering material asserted to be protected by the attorney-client privilege or the attorney work product doctrine. Officers should first clarify with the owner of the electronic device which files are specifically protected by a privilege. Officers cannot search any privileged material without first contacting the CBP Chief Counsel office and establishing a Filter Team, composed of both legal and non-legal CBP personnel, to assist in segregating privileged materials from other files.

Searches can be basic or advanced. Basic searches are those conducted without the aid of external equipment CBP personnel use to review, copy, or analyse the device’s contents. They should be conducted in the presence of the device’s owner unless there are safety concerns rendering the owner’s presence inappropriate. Advanced searches are searches requiring external equipment to review the device. They require reasonable suspicion of unlawful activity.

Once CBP officers complete their search of an electronic device, they must destroy any privileged materials that they have copied. Business or commercial information should be treated similarly and protected from unauthorised disclosure.

Business travellers 
Business travellers who are stopped by CBP while entering the U.S. may consider taking the following steps:

• insist that any basic searches be conducted in their presence;

• tell the CBP officers that they do not want the device to leave their sight;

• call a legal adviser if necessary to ensure compliance with the Directive;

• ask the purpose and authority for a border search;

• ask to report concerns and seek redress from the CBP, if necessary;

• ask for a receipt if a device is detained by CBP officers who are entitled to detain devices for up to five days; and

• enter their own passcode or encryption key into a device instead of divulging it to CBP officers.

If a business traveller has on them any privileged, confidential, or trade secret information contained on the device or devices subject to search by CBP officers, they should advise CBP personnel performing the search.

How can sensitive information be protected? 
In order to facilitate the protection of sensitive information, it may prove helpful to segregate privileged, confidential, or trade secret information to a single, clearly labeled folder or directory when traveling internationally, so that the information can be easily identified to CBP and treated in accordance with the Directive.

As the Directive requires entrants to provide log-in and password information, encryption or password protection will not be a useful tactic for protecting sensitive information. One possible method of protection is not to store any privileged materials on your electronic devices at all. Retaining privileged documents in a password-protected secure cloud server or a remote file-saving system ensures that CBP, when searching your device, cannot access any protected material.

Section 5.1 of the Directive permits officers to search “only the information that is resident upon the device and accessible through the device’s operating system or through other software, tools, or applications.” This means that CBP officers cannot access information that is solely stored remotely, and must either enable airplane mode or disable internet connectivity before searching a device. Any person travelling to the U.S. should themselves ensure their devices are in airplane mode, or insist that CBP personnel disable their devices’ connectivity before conducting a search. This both protects remote files and prevents downloading of harmful malware. Any remotely stored information that is synced with the device’s operating system is, however, accessible; only remote information that is not downloaded will be protected.

In an effort to respond to the evolving world of information technology, the Directive aims to enhance the transparency, accountability and oversight of electronic device border searches performed by CBP. Business travellers who frequently participate in international travel may wish to consider the scope of the Directive, especially if the traveller’s electronic device(s) contain confidential or sensitive work-related information.