Border Searches: What's in Your Laptop?
If you are traveling on business, you will likely take a laptop (or several electronic devices) with you on the trip. If you travel outside of the United States with these devices, you should know that the U.S. Department of Homeland Security (DHS) has recently issued revised and sweeping guidelines on how its field personnel will conduct border searches of “electronic devices.” These devices can include laptops, thumb drives, CD-ROMs, DVDs, cell phones, SIM cards, digital cameras, BlackBerrys (and similar personal data devices), and any other device capable of storing electronic information. Business travelers should understand what type of searches are lawful, how certain types of “sensitive” material will be treated by border officials, and what process will be used if the device is detained by officials at the border. Further, employers should consider adopting some standard compliance procedures for how confidential data (if any) should be stored on company laptops, as well as advising employees on procedures to follow if stopped by border officials with a request to examine such devices.
This area has become the subject of renewed interest given recent public guidance (known as “Directives”) by U.S. Customs and Border Protection (CBP)1 and U.S. Immigration and Customs Enforcement (ICE).2 In addition, DHS (which is the parent agency of CBP and ICE)3 has attempted to address privacy concerns by issuing a lengthy “Privacy Impact Assessment.”4 In issuing all three documents within a one-week period, DHS appears to be signaling that it has definitively addressed a significant number of concerns that have been raised by the business community and privacy advocates. Anecdotal evidence suggests that such searches are becoming more commonplace and, given the release of these new Directives, such searches are certain to increase at major U.S. ports of entry.
Cooperation Is Paramount
It may surprise business travelers to learn that when a traveler presents himself at any U.S. border (airport, seaport, or road crossing), he has implicitly consented to a search of his person and his belongings (including any bags or other items, carried or checked). There is significant legal precedent establishing that such examinations may take place at the border without a warrant and “without suspicion.” While border searches are primarily aimed at finding information related to inadmissibility (for immigration purposes) or illegal entry of goods (for Customs purposes), the scope of such searches can be wide-ranging. DHS includes within its mission the investigation of terrorism; money laundering; export control violations; child pornography; human smuggling; smuggling of narcotics, weapons and other contraband; financial crimes; violations of intellectual property rights; and economic espionage. CBP and ICE provide little information on what characteristics of a traveler will prompt a search, so it can be very difficult to understand why a given person has been chosen for inspection.5 Regardless, the most important advice to the business traveler is to cooperate with a request to search your personal electronic devices. Do not tell an investigating official that they have to obtain your consent to the search – they don’t need it and they know they don’t need it. Setting a cooperative tone can go a long way towards easing the tension inherent in such a situation. How difficult the official makes the search often depends on the reaction the official receives. Calm and cool beats outraged and antagonistic every time.
What Is the Search Likely to Entail?
Border officials can examine the electronic device with or without you present. They can copy material from the device or they can “detain” the physical device. Once they examine the device, they may (i) allow you to leave with the device; or (ii) give you a form (a CF 6051D) as a receipt for the device, and allow your entry into the U.S. without the device. The CF 6051D details the items detained, a CBP “point of contact,” and information on how property will be returned (if it is not seized as discussed below).
Of great concern to business travelers is how these officials will treat “sensitive” materials. The new Directives go into some detail on how investigating officials are to operate once they encounter such materials during a search. For example, if information being reviewed is “business confidential,” then CBP/ICE have agreed to treat it under existing agency rules and federal statutes governing treatment of such information.6 If the official encounters information which is labeled “Attorney-Client Privileged” or “Attorney Work Product” (or which appears to be that type of information), then the CBP/ICE officer involved must consult with his agency’s legal counsel or the local U.S. attorney’s office before proceeding with his examination. The Directives also recognize two other categories of “sensitive materials” – medical records and “work-related information carried by journalists.” Again, reviewing officers are directed to consult with their agency’s legal counsel regarding review of such records. Therefore, to the extent you are travelling with electronic files (or emails) which contain information that would fall under one of these categories, it is advisable to label them as such (for example, in a file’s title). Additionally, it would be prudent to advise the investigating official that you do have documents which fit within these categories stored on the device, which will at least put the official on notice that the documents should be reviewed under these procedures provided in the Directives for “sensitive” documents.
What Can You Expect if Your Electronic Device Is “Detained”?
In the recent Directive, it states that if your electronic device is detained by CPB officials and you are told that it will be returned to you at a later time, detention of devices should ordinarily not exceed five days from the date of detention, unless extenuating circumstances exist. If at any time the device is referred to ICE for investigation, the timeframe for return is extended to 30 days from the date of detention, unless extenuating circumstances exist. Be advised that information obtained from border searches can be shared with other federal and state agencies, such as law enforcement personnel, the Internal Revenue Service and other agencies with enforcement powers. Ultimately, unless the device is seized, DHS has committed to getting the device returned to the owner as soon as possible, although this process is guaranteed to take some time.7
Obviously, from the perspective of the business traveler whose laptop has been “detained,” possibly for 30 days or longer, the procedures contained in these new Directives provide cold comfort. Assuming the laptop (or other device) does not contain evidence of criminal activity, there is a significant inconvenience of being without the device (and any work stored in it) while the administrative process takes place. For this reason, U.S. companies with a workforce that travels internationally should consider adopting laptop travel procedures. At a minimum, companies would be wise to advise their workforce about these new rules, provide suggestions on how to prepare a laptop for travel and how to appropriately respond to a search, and create policies to limit the impact on work productivity if the laptop is detained (such as requiring creation of redundant files on a hard drive that can be accessed without the laptop).
A Check and Cleanup Before Crossing the U.S. Border
Additionally, companies may want to work with their IT department to develop a set of software tools to check and “clean” a laptop to make it travel-ready. For example, they could develop pre-travel protocols to check laptops for documents, pictures, Internet data, etc., to ensure that no company-sensitive information of any type remains on the laptop. Such a check and “cleanup” should not stop with existing files but should include deleted files, temporary files and any “Internet cache” retained on the laptop. This check and cleaning should be done both before the travel begins and immediately prior to the employee’s return to the U.S. Sensitive business data that is needed can be placed on the company’s servers to be accessed or sent via email once the employee has arrived at the travel destination.
The bottom line is that you can’t stop a border laptop search, so you should know what’s in your laptop before you go, rather than having border officials find out for you.
1 CBP Directive No. 3340-049, issued Aug. 20, 2009 (superseding 2007 and 2008 Directives on the same subject).
2 ICE Directive No. 7-6.1, issued Aug. 18, 2009.
3 CBP exercises an inspectional and patrol function while ICE is primarily an investigative agency. However, the two agencies exercise concurrent border search authority and agents from either agency may conduct border searches.
4 DHS Privacy Impact Assessment for the Border Searches of Electronic Devices, issued Aug. 25, 2009.
5 While there are some parameters for likely searches (questionable travel documents, a name that matches a “person of interest” in a U.S. enforcement database, or travel from certain destinations), some searches are the result of random selection by CBP officials.
6 It should be noted that CBP and ICE have experience with this category of material because their current regulations allow submissions to the agencies to be marked “business confidential” when public release of the information meets an exemption from release under the Freedom of Information Act (FOIA), or is otherwise protected by federal law.
7 Seizure occurs when the investigating agency determines that there is “probable cause” to believe that a violation of law has occurred and that the device will be used as evidence. In the event that CBP or ICE decides to seize the device, a formal administrative proceeding, including written notice to the owner of the reasons for the seizure, will occur under the auspices of the CBP Fines, Penalties and Forfeiture Office.