A great win for privacy in this country.

The 9th Circuit Court of Appeals has ruled in an en banc hearing that searches at the borders must adhere to the 4th amendment.  A cursory once over of your laptop or tablet is OK, just as they can rifle through your luggage, but they can’t go deeper than that without probable cause or a search warrant.  Further, the court held that merely password protecting or encrypting a file on your personal computer is not probable cause in and of itself.

From the ruling:

The amount of private information carried by international travelers was traditionally circumscribed by the size of the traveler’s luggage or automobile. That is no longer the case. Electronic devices are capable of storing warehouses full of information. The average 400-gigabyte laptop hard drive can store over 200 million pages—the equivalent of five floors of a typical academic library…. Even a car full of packed suitcases with sensitive documents cannot hold a candle to the sheer, and ever-increasing, capacity of digital storage.

The nature of the contents of electronic devices differs from that of luggage as well. Laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives: financial records, confidential business documents, medical records and private emails. This type of material implicates the Fourth Amendment’s specific guarantee of the people’s right to be secure in their “papers.”…. The express listing of papers “reflects the Founders’ deep concern with safeguarding the privacy of thoughts and ideas—what we might call freedom of conscience—from invasion by the government.”… These records are expected to be kept private and this expectation is “one that society is prepared to recognize as ‘reasonable.’”

Electronic devices often retain sensitive and confidential information far beyond the perceived point of erasure, notably in the form of browsing histories and records of deleted files. This quality makes it impractical, if not impossible, for individuals to make meaningful decisions regarding what digital content to expose to the scrutiny that accompanies international travel. A person’s digital life ought not be hijacked simply by crossing a border. When packing traditional luggage, one is accustomed to deciding what papers to take and what to leave behind. When carrying a laptop, tablet or other device, however, removing files unnecessary to an impending trip is an impractical solution given the volume and often intermingled nature of the files. It is also a time-consuming task that may not even effectively erase the files.

This is huge.  I’ll leave it to the lawyers to sort out what for everyone else what it all means, but it seems to me that the 9th Circuit is saying that the old doctrine that the 4th amendment doesn’t apply to people who are entering the country because they are outside the country is dead–unless of course DHS appeals to SCOTUS.  I haven’t traveled outside the country except on official business in years, and each of those trips I had to submit to searches by MPs doing customs work.  That won’t change for those people in that circumstance because its a condition of employment, but for everybody else this is great news.  The other alternative, and one that I’ve advised people to use is to use an encrypted cloud service like Dropbox, Box, Google Drive, or Skydrive, and uninstall the connections to that from your devices before hitting the checkpoint.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Pinterest
Share On Reddit

29 replies
  1. 1
    Walker says:

    Further, the court held that merely password protecting or encrypting a file on your personal computer is not probable cause in and of itself.

    This is a big deal, particularly since this is becoming standard in most OS filesystems. People are being encouraged to protect their data out of personal safety, not because they are doing something clandestine.

  2. 2
    General Stuck says:

    unless of course DHS appeals to SCOTUS.

    This right wing supreme court lives to overturn 9th circuit decisions. Though they haven’t been bad at all on stuff to do with the so called war on terror. It seems like a slam dunk for breaking into peoples hard drives without probable cause. If another 9-11 happens, the republicans will have us all taking monthly polygraphs to determine loyalty and impure thoughts against the empire. Which is why going after terrorists first seems like a good idea. But rifling through peoples papers, which is what confiscating laptops is, needs to stop. Everything is a balance when it comes to civil liberties, with the lean toward preserving them, but not for purity sake/.

  3. 3
    General Stuck says:

    Further, the court held that merely password protecting or encrypting a file on your personal computer is not probable cause in and of itself.

    and filed under the most common of common sense

  4. 4
    Baud says:

    This will ultimately be decided by the Supreme Court. However, given that many international travelers are business people who depend on their electronic devices, I give it a better than even shot of being upheld.

  5. 5
    Culture of Truth says:

    but they can’t go deeper than that without probable cause or a search warrant.

    This is incorrect:

    We therefore hold that the forensic examination of Cotterman’s computer required a showing of reasonable suspicion, a modest requirement in light of the Fourth Amendment.

  6. 6
    Onkel Fritze says:

    Does anybody know whether this applies only to American citizens or to everybody entering the US?

  7. 7
    Culture of Truth says:

    Right now, if you are arrested, even for a minor traffic violation, police can search your smart phone, but not a container in your car. We need to resolve this obvious problem. This opinion may help.

  8. 8
    Gin & Tonic says:

    Like most, IANAL, but perhaps unlike some, I am a paranoid nutcase when it comes to data, which I encrypt in various ways. So my questions to the lawyers — in the unlikely event I were detained at the border, and encrypted drives/filesystems were found, and the password(s) were demanded of me, what would happen if I simply forgot it/them? The data would presumably be confiscated and sent to the NSA, but can I be detained indefinitely, until I “remember”?

  9. 9
    Culture of Truth says:

    Further, the court held that merely password protecting or encrypting a file on your personal computer is not probable cause in and of itself.

    This the actual holding:

    Although password protection of files, in isolation, will not give rise to reasonable suspicion, where, as here, there are other indicia of criminal activity, password protection of files may be considered in the totality of the circumstances.

  10. 10
    Culture of Truth says:

    A person’s digital life ought not be hijacked simply by crossing a border.

    customs agents made copies of the hard drives and performed forensic evaluations of the computers that took days to turn up contraband. It was essentially a computer strip search.

  11. 11
    J.W. Hamner says:

    Further, the court held that merely password protecting or encrypting a file on your personal computer is not probable cause in and of itself.

    Well that’s good since my employer requires me to encrypt any device that receives work email… including my phone. It was a brutal settlement with the Feds.

  12. 12
    John Cocktoasten says:

    Simply disconnecting from Dropbox, etc… won’t do shit. You would also have to completely delete the files from your computer. And under the old border crossing rules, if they took your computer they had more than enough time and could scan your drive and reconstruct the files, quite easily if you had just deleted them.

    Unless you secure deleted them by overwriting the file 5-8 times, the government could recover most of what you lost. Didn’t you read about the guy on wired that had his laptop hacked and remotely wiped. They still recovered almost all of his data.

    If your laptop was stolen odds are a simple delete would have been enough. They would just reformat the drive and sell it.

    But, your advice was in regards to how to protect yourself if the government took it at the border.

    And with the technology they would use to do the search, your advice was woefully lacking.

    John

  13. 13
    Burnspbesq says:

    This is a pretty major departure from past precedent on the scope of the “border search” exception to the warrant requirement. My personal view is that it’s the right answer from a policy perspective, but I’ll be surprised if the Supremes don’t reverse.

  14. 14
    Burnspbesq says:

    I’m not sure how this gets to be “a great win for privacy.” The defendant’s motion to suppress the kiddie pr0n was denied, and the court did not require probable cause for a forensic examination, only reasonable suspicion. So even if this decision survives Supreme Court review, I still find it pretty unsatisfactory.

    Did I just flip-flop? Yeah, I probably did to some extent. That sometimes happens when you click the link from a news story and start reading the opinion.

  15. 15
    ericblair says:

    @J.W. Hamner:

    Well that’s good since my employer requires me to encrypt any device that receives work email… including my phone. It was a brutal settlement with the Feds.

    We require work laptops to have full disk encryption, and so does the DoD. Yay for this decision.

  16. 16
    Burnspbesq says:

    @Gin & Tonic:

    can I be detained indefinitely, until I “remember”?

    Pretty unlikely to happen. More likely that what happened in Cotterman would happen: the defendants were allowed to leave, but their laptops and cameras were confiscated.

    If you’re really concerned, either store everything in the cloud or FedEx a disk image on a USB drive to yourself, and wipe your hard drive before you cross the border.

  17. 17
    cat says:

    Dropbox

    I know of at least one person whose dropbox account was closed because he had encrypted files stored on it.

    I wouldn’t recommend dropbox to anyone who wants to keep their data secure.

  18. 18
    Fred Fnord says:

    Isn’t ‘reasonable suspicion’ fulfilled by a customs agent saying ‘I thought he was acting suspicious’?

    If so, this of course constitutes no protection whatever, it’s just good for preventing upstanding white businessmen from being inconvenienced. The SC is sure to uphold.

  19. 19
    Culture of Truth says:

    Isn’t ‘reasonable suspicion’ fulfilled by a customs agent saying ‘I thought he was acting suspicious’?

    Almost, but there’s still an objective element. That is, a court could review the facts and decide the agent’s judgment wasn’t justified.

  20. 20
    LongHairedWeirdo says:

    @Burnspbesq:

    But remember, *most cloud storage does not encrypt your data*. (It may encrypt it to-and-from, but not on the storage itself.) If it’s something you don’t want people to see, use a third party encryption tool.

  21. 21
    LongHairedWeirdo says:

    @cat: I believe Dropbox is the only major cloud storage player that *does* encrypt user files. And I’m not sure I get why they would check, or care, if a file was encrypted.

    I’m not saying you’re wrong – but what you’re saying doesn’t make a lot of sense to me.

  22. 22
    cat says:

    @LongHairedWeirdo:
    1. He used TrueCrypt to encrypt files.
    2. DropBox support said he would have to give up his TrueCrypt password or have his account closed.
    3. He told them he wouldn’t give it to them. DropBox closed his account.

    He is not one to make up stories or misrepresent events. I am not sure whats to not understand. We had discussions about the why. I cant remember those.

  23. 23
    Lee says:

    As someone who works for a company that actually is under attack from China on a regular basis, everything is encrypted and password protected.

    I’m glad to see our security won’t cause me to be treated even more like a criminal.

  24. 24
    phil says:

    @LongHairedWeirdo:

    Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so).

  25. 25
    burnspbesq says:

    @LongHairedWeirdo:

    most cloud storage does not encrypt your data

    I know that. That’s why I use Wuala. They do.

  26. 26
    mclaren says:

    Of course anyone with a brain would make an image of their entire hard drive using the linux program dd (or the Windows equivalent, North Ghost 2003 or or Acronis Image or what-have-you) and encrypt the hell out of the image file, rar it into smaller blocks and add par 2 recovery files with smartpar, and then upload the image file blocks to the cloud.

    After which you do a milspec forensic wipe of your laptop hard drive. When the border agents demand to examine your laptop, let ’em paw through the BIOS settings.

    “Your laptop isn’t working, sir.”
    “It’s working fine. There’s just nothing on the hard drive.”

    To recover the image file from the cloud, of course, you use a portable linux disk.

    The Unspeakable Savagery of Authoritarianism (formerly known as the US of A) has turned into the new Soviet Union. Everyone with a brain acts accordingly.

  27. 27
  28. 28
    El Cid says:

    Isn’t it enough evidence of sedition that a person would even want to have lots of “information”?

    People who know a lot can be troublesome, and people who want to know a lot are even worse.

  29. 29
    HeartlandLiberal says:

    There is one flaw in your argument for rejoicing. The law enforcement (so-called) authorities in this country will simply ignore this ruling. Or the SCOTUS will overturn it. Or both.

    Welcome to 21st Century America, foreseen by George Orwell over sixty years ago.

Trackbacks & Pingbacks

Comments are closed.