A US citizen who works at NASA’s Jet Propulsion Lab (JPL) was stopped by Customs and Border Protection (CPB) when reentering the US shortly after the President’s Executive Order Protecting the Nation from Foreign Terrorist Entry Into the United States was issued. This is newsworthy because CPB officers asked the JPL engineer, Sidd Bikkannavar, who was returning to the US from Patagonia to turn over his Jet Propulsion Lab secured smartphone and his PIN to it (h/t: Gizmodo). Bikkanavar describes what happened in a Facebook post:
Sorry for the absence. On my way home to the US last weekend, I was detained by Homeland Security and held with others who were stranded under the Muslim ban. CBP officers seized my phone and wouldn’t release me until I gave my access PIN for them to copy the data. I initially refused, since it’s a JPL-issued phone (Jet Propulsion Lab property) and I must protect access. Just to be clear – I’m a US-born citizen and NASA engineer, traveling with a valid US passport. Once they took both my phone and the access PIN, they returned me to the holding area with the cots and other sleeping detainees until they finished copying my data.
I’m back home, and JPL has been running forensics on the phone to determine what CBP/Homeland Security might have taken, or whether they installed anything on the device. I’ve also been working with JPL legal counsel. I removed my Facebook page until I was sure this account wasn’t also compromised by the intrusion into my phone and connected apps. I hope no one was worried. JPL issued me a new phone and new phone number, which I’ll give out soon.
This is important and worrisome for several reasons. While the JPL issued phone was for unclassified information, it was issued so that Mr. Bikkanavar could access official – confidential, but unclassified – work material on it when traveling. That material, as he indicates in his Facebook post, has protected access. Even though it is unclassified government information only those who work for the government (civilians, uniformed personnel, and/or contractors) and who need to have access to it – need to know – may do so. Moreover, the instructions that come with the issuance of such devices are very specific about safeguarding the PIN and ensuring the device can be accounted for at all times. The rules for need to know access can be found here as part of the description for DL1.1.17. Need-to-Know.
A determination made by a possessor of classified information that a prospective recipient, in the interest of national security, has a requirement for access to, knowledge, or possession of the classified information in order to perform tasks or services essential to the fulfillment of an official United States Government program. Knowledge, possession of, or access to, classified information shall not be afforded to any individual solely by virtue of the individual’s office, position, or security clearance.
As Mr. Bikkanavar indicates in his post, the JPL security folks and legal counsel are now working on this. The Special Security Officer for JPL will have opened an investigation. Moreover, the Customs and Border Patrol Officers who demanded access to his phone, and got it, have now accessed information they did not need to know on a device they were not authorized to access. I would expect that part of JPL’s investigation of this will be an attempt to identify the CPB officers who did this. The slipshod manner of the implementation of this Executive Order, ostensibly issued to make Americans safer, has now led one or more Customs and Border Patrol officers to violate US government rules pertaining to access and need to know. If its found that tracking or monitoring software was placed on the device by CPB, then this will be elevated into an even more serious Interagency security breach investigation.
If you’re a Balloon Juice reader who works for the US government, is in the US military, or is a contractor working for the US government and are issued an official smart phone for your usage, please ensure you get guidance from your Special Security Officer about how to deal with Customs and Border Protection prior to traveling with it outside of the United States. We have now reached the point where one US government agency is now compromising another!