I have generally supported the government's border search policies. But I am horrified by the recent DHS Privacy Office's approval of searches of electronic devices without suspicion. It is wrong for many reasons, from the constitutional to the logistical.
Government does have the right to conduct searches when there is even a slight reason for suspicion. I wouldn't want to impede the intuition of well-seasoned U.S. Immigration and Customs Enforcement officers. They are on the front lines, and it is reasonable to give them some latitude. But that doesn't extend to pulling someone out just because they feel like it.
Constitutionally, this policy has been examined by others more knowledgeable than me. Suffice to say that it is horrifying that a U.S. citizen on U.S. soil could be subject to illegal search and seizure on the basis of ... nothing -- no evidence, and not even a shred of suspicion.
Beyond that, though, there is the dubious opinion of the Department of Homeland Security's Privacy Office that searching electronic devices is no different than searching a briefcase or backpack. That is one of the most clueless statements to come out of the DHS. It is a simple matter to show that a person caught with physical contraband had the intent to carry that property. It's a lot harder to argue that all the data on a person's computer is there by the volition of that person. And searching a laptop computer is a much greater violation of one's privacy than searching a suitcase. Laptops often contain data that would never be physically carried by a traveler, such as bank records, health data and information about relatives and friends. And a corporate device could contain sensitive information, company secrets, data that the company is bound by law to protect. Do we really want ICE officers making copies of such information? If there was a legitimate suspicion to justify the search, I wouldn't object to any of that information being exposed to the searchers. But searching a computer without suspicion unnecessarily exposes a plethora of private information that would not otherwise be available to law enforcement authorities. Bureaucrats should always place themselves in the shoes of those they are regulating before writing policies. I would have liked to have seen the staff of the Privacy Office make their personal laptops available to the public before they made this ruling.
And here is a question to ponder: What type of crimes are you looking for when you conduct a suspicionless search? The interest of ICE officers presumably is to find information that protects the country from outside harm and to make sure that people properly declare information upon entering the country. But computer-related crimes are not abetted by being overseas. If a known criminal is entering the country with electronic devices in tow, I'd say go ahead and search the devices. In the absence of any suspicion at all, I'd expect restraint.
Finally, consider the logistics of laptop data searches. They take exponentially more time and training to perform than physical searches. An ICE officer who lacks the proper training for such searches is not going to find anything that an actual criminal wants to hide on his computer. Such a search is certain to be a waste of time. If the agency does come up with properly trained officers to do these searches, suspicionless searches will still be a waste of time -- just a lot more time. Pulling data off of a laptop takes a lot of time, even if the data is just being copied. And then there is the issue of losing access to your own data for an extended period of time, which I'll discuss below.
Suspicionless searches will also open the door to training searches. I have been subjected to random physical searches at airports many times because a new officer was in training. Those searches took only a minute or so and were not a major inconvenience. But a training search of a computer will be a time-consuming inconvenience that unnecessarily exposes data to untrained people.
More critical than wasting travelers' time, though, is wasting the time of agents. After the 9/11 attacks, airports implemented random searches. Among those searched back then were toddlers and former Vice President Al Gore. While Gore might have been upset with the manner in which he lost the 2000 presidential election, I don't think anyone seriously thought he could be a danger to a commercial airline. Other than the toddlers, I doubt that there was anyone in line who was a less imminent danger than Gore. But random searches were the order of the day, and officers were diverted from doing things that might have actually safeguarded the transportation system. Now, with suspicionless searches of electronic devices, agents will be diverted once again from doing searches that are motivated by legitimate cause. This is a problem because our resources are not limitless. We must use our limited resources as best we can, and that means at least limiting searches to those with suspicion.
So, let's say that your computer has been singled out for a search. What happens with the data? It is likely that the DHS will make copies of it. But the agents might decide to confiscate the computer, and they don't have to have a reason for doing so. They could even do it just for training purposes. What then? You should worry about that, because the DHS has a history of compromised data, meaning it has botched the handling of its own data, held on machines it was presumably familiar with. Should we expect the DHS, then, to handle your confiscated data any better?
The DHS would like to calm your fears with the promise that it will encrypt data, "where needed." This is an example of how clueless the DHS Privacy Office is. The statement presumes there will be instances when encryption is not needed. But given that the ICE is collecting data without suspicion, then by definition the ICE does not know what data these devices hold. Shouldn't, then, the default setting be to encrypt and ask questions later?
But if the DHS did decide that your data should be encrypted, should you take any comfort in that? I wouldn't. If your laptop is confiscated, the DHS would have to encrypt the entire device, where no encryption is likely to exist. Encrypting a laptop can be very complicated and, if not properly done, can destroy all the data. But assuming the DHS does manage to do the encryption properly, will you ever regain access to all your data? I have my doubts there as well. It just amazes me that the Privacy Office does not seem to understand all the issues that accompany data encryption.
And confiscation is another area where the Privacy Office's contention that this new policy is no different from what applies to backpacks is laughably suspect. If a backpack is confiscated, it can be easily and inexpensively replaced, and any information it contained is likely minimal. But a laptop is a major expense, not easily replaced. We all know we should back up our data, but most of us still don't do it as often as we should. And even those of us who are fanatical about backups tend to slack off when we're traveling. People whose devices are confiscated will therefore be denied access to their own data and could suffer drastic consequences. I'm talking about small businesses that are forced to close because they couldn't bear the expense of replacing a laptop and all its software licenses, or students who fail classes because they don't have access to their notes. Grim consequences for something done on the whim of an ICE officer.
How not to handle all this
This is a bad policy, but don't think the answer to it is to try to hide your data. Some people have advocated encrypting drives and then refusing to provide the password to customs officials. This is terrible advice that will surely lead to confiscation and arrest. Such unusual precautions to prevent the examination of your information will automatically justify suspicion. You can claim that you are attempting to protect your civil liberties, and good luck with that. The officers confronting you are not going to congratulate you on your knowledge of the Constitution. They are going to see you as someone who is employing the same tactics as criminals. In their eyes, you will look suspicious. That is their job.
The majority of ICE officers are well-meaning and do not want to inconvenience anyone unnecessarily. They take their jobs to heart and see their work as necessary to stopping clear and present threats to the country. I respect their intentions. That does not mean that I want them to have the ability to do whatever they want.
And as bad as all this sounds, remember that when you, a U.S. citizen, enter a foreign country, you have no rights at all.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, www.irawinkler.com.
This story, "Suspicionless Laptop Searches Wrong for Many Reasons," was originally published by Computerworld.