The Council on American-Islamic Relations (CAIR) recently filed complaints against U.S Customs and Border Protection (CBP) for, in part, demanding social media information from Muslim American citizens returning home from traveling abroad. According to CAIR, CBP accessed public posts by demanding social media handles, and potentially accessed private posts by demanding cell phone passcodes and perusing social media apps. And border agents allegedly physically abused one man who refused to hand over his unlocked phone.
CBP recently began asking foreign visitors to the U.S. from Visa Waiver Countries for their social media identifiers. Last fall we filed our own comments opposing the policy, and joined two sets of coalition comments, one by the Center for Democracy & Technology and the other by the Brennan Center for Justice. Notably, CBP explained that it was only seeking publicly available social media data, “consistent with the privacy settings the applicant has set on the platforms.”
We raised concerns that the policy would be extended to cover Americans and private data. It appears our fears have come true far faster than we expected. Specifically, we wrote:
It would be a series of small steps for CBP to require all those seeking to enter the U.S.—both foreign visitors and U.S. citizens and residents returning home—to disclose their social media handles to investigate whether they might have become a threat to homeland security while abroad. Or CBP could subject both foreign visitors and U.S. persons to invasive device searches at ports of entry with the intent of easily accessing any and all cloud data; CBP could then access both public and private online data—not just social media content and contacts that may or may not be public (e.g., by perusing a smartphone’s Facebook app), but also other private communications and sensitive information such as health or financial status.
We believe that the CBP practices against U.S. citizens alleged by CAIR violate the Constitution. Searching through Americans’ social media data and personal devices intrudes upon both First and Fourth Amendment rights.
CBP’s 2009 policy on border searches of electronic devices is woefully out of date. It does not contemplate how accessing social media posts and other communications—whether public or private—creates chilling effects on freedom of speech, including the First Amendment right to speak anonymously, and the freedom of association.
Nor does the policy recognize the significant privacy invasions of accessing private social media data and other cloud content that is not publicly viewable. In claiming that its program of screening the social media accounts of Visa Waiver Program visitors does not bypass privacy settings, CBP is paying more heed to the rights of foreigners than American citizens.
Finally, the CBP policy does not address recent court decisions that limit the border search exception, which permits border agents to conduct “routine” searches without a warrant or individualized suspicion (contrary to the general Fourth Amendment rule requiring a warrant based on probable cause for government searches and seizures). These new legal rulings place greater Fourth Amendment restrictions on border searches of digital devices that contain highly personal information.
As we recently explained:
The U.S. Court of Appeals for the Ninth Circuit in U.S. v. Cotterman (2013) held that border agents needed to have reasonable suspicion—somewhere between no suspicion and probable cause—before they could conduct a “forensic” search, aided by sophisticated software, of the defendant’s laptop….
The Supreme Court held in Riley v. California (2014) that the police may not invoke another exception to the warrant requirement, the search-incident-to-arrest exception, to search a cell phone possessed by an arrestee—instead, the government needs a probable cause warrant. The Court stated, “Our holding, of course, is not that the information on a cell phone is immune from search; it is instead that a warrant is generally required before such a search, even when a cell phone is seized incident to arrest.”
Although Riley was not a border search case, the Riley rule should apply at the border, too. Thus, CBP agents should be required to obtain a probable cause warrant before searching a cell phone or similar digital device.
Both Riley and Cotterman recognized that the weighty privacy interests in digital devices are even weightier when law enforcement officials use these devices to search cloud content. A digital device is not an ordinary “effect” akin to a piece of luggage or wallet, but rather is a portal into an individual’s entire life, much of which is online.
The Ninth Circuit wrote:
With the ubiquity of cloud computing, the government’s reach into private data becomes even more problematic. In the “cloud,” a user’s data, including the same kind of highly sensitive data one would have in “papers” at home, is held on remote servers rather than on the device itself. The digital device is a conduit to retrieving information from the cloud, akin to the key to a safe deposit box. Notably, although the virtual “safe deposit box” does not itself cross the border, it may appear as a seamless part of the digital device when presented at the border.
And the Supreme Court wrote:
To further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself. Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter…. But the analogy crumbles entirely when a cell phone is used to access data located elsewhere, at the tap of a screen. That is what cell phones, with increasing frequency, are designed to do by taking advantage of “cloud computing.” Cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself. Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference.
The Riley Court went on to state:
The United States concedes that the search incident to arrest exception may not be stretched to cover a search of files accessed remotely—that is, a search of files stored in the cloud…. Such a search would be like finding a key in a suspect’s pocket and arguing that it allowed law enforcement to unlock and search a house.
Thus, the border search exception also should not be “stretched to cover” social media or other cloud data, particularly that which is protected by privacy settings and thus not publicly viewable. In other words, a border search of a traveler’s cloud content is not “routine” and thus should not be allowed in the absence of individualized suspicion. Indeed, border agents should heed the final words of the unanimous Riley decision: “get a warrant.”
We hope CBP will fully and fairly investigate CAIR’s grave allegations and provide a public explanation. We also urge the agency to change its outdated policy on border searches of electronic devices to comport with recent developments in case law. Americans should not fear having their entire digital lives unreasonably exposed to the scrutiny of the federal government simply because they travel abroad.