The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Warrantless device searches at the border are rising. Privacy advocates are suing.

with Bastien Inzaurralde


If you’re traveling abroad this month, be careful what devices you bring across the U.S. border.

Customs and Border Protection searches of cellphones, laptops and other electronic devices have spiked dramatically over the past two years, and they’re expected to rise in the August vacation season.

Privacy advocates worry that these searches, if conducted without a warrant or suspicion of wrongdoing, could expose people’s financial information, location data and other intimate details to border agents who do not have a good reason or legal justification to see the data. And they've filed a bevy of lawsuits challenging the constitutionality of those searches.

“All of us who have crossed border are used to the idea that you‘ve got to hand over your bag” so agents can search for contraband, said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation. “But it shouldn’t be about going through cells or laptops that contain many gigabytes of information of the most sensitive nature.”

“We’re packing more and more of our most sensitive data on to these devices,” he told me. “Every year, when agents look into our devices, it’s a bigger window into the soul, so to speak.”

Authorities are allowed to search devices people carry across the U.S. border in much the same way they search luggage, and they don’t need a warrant to do it. Device searches at the border climbed steadily for several years but jumped by 11,000 — nearly 60 percent — in the last months of the Obama administration and in President Trump’s first year in office. Border agents searched 30,200 devices in the 2017 fiscal year, up from 19,051 the year before, according to the most recent CBP statistics.

Border officials say devices are increasingly viewed as critical sources of information for national security threats, as my colleague Nick Miroff has reported. Agents search certain devices to check admissibility of some foreign visitors or screen for possible terrorist links, child pornography or other criminal activity. 

But privacy advocates say increasing searches across the board violates people's Fourth Amendment rights against unreasonable searches and seizures and are demanding that border agents get a warrant in such instances or at least show that a person is suspected of wrongdoing, for example, being on a terrorist watch list. They say innocent people have been searched illegally -- in one case, border agents demanded a NASA engineer's password and searched his phone without a warrant as he returned from a trip to Chile. 

Privacy advocates cite two types of problematic searches when the person isn’t suspected of a crime. One is a manual search in which a border agent opens a phone and goes through its contents as a normal user might. The other is a forensic search, in which agents use software to review all of a phone’s data — including web browsing history, emails, contact lists and even precise location data. 

“The government argues that the border is different. And the border may be different, but so are smartphones because they reveal all these important details,” said Faiza Patel, director of the nonpartisan Brennan Center’s Liberty and National Security Program.

And lawsuits challenging device searches are bubbling up through the federal court system. The EFF is representing a group of 10 American citizens and one lawful permanent resident whose smartphones and other electronic devices were searched without a warrant. They notched a key victory in May when a judge rejected the government’s request to throw out the case. “Electronic device searches are, categorically, more intrusive than searches of one's person or effects,” U.S. District Judge Denise Casper wrote in the ruling. “The ability to review travelers' cellphones allows officers to view 'nearly every aspect of their lives — from the mundane to the intimate.' "

Other similar cases are farther along. In the past year, three federal appeals courts have handed down diverging opinions in cases involving warrantless device searches at the border. That means the issue could be headed toward the Supreme Court in the near future. 

“When these searches were isolated and fewer people were affected, the momentum really hadn’t reached a peak,” Patel told me. “Now it seems there is a good body of instances where these searches are undertaken, and they seem to be suspicionless and there doesn’t seem to be a reason for CBP to be conducting them. … It creates an atmosphere where these cases will be moving forward.”

As the number of searches has risen, so has the public outrage. “There is growing frustration by a growing number of people” who have had devices searched, Schwartz told me. “We get calls all the time from travelers who are very upset.”


PINGED: “The Pentagon announced Monday that it is putting new restrictions on U.S. troops carrying electronics, following revelations early this year that information they were sharing online could be collated to determine the locations of U.S. bases and units abroad,” The Washington Post's Dan Lamothe reported. “U.S. troops and civilian Defense Department employees are now prohibited from using geolocation features or functionality on government-issued and personal devices while in locations identified as 'operational areas,' according to a new memo signed by Deputy Defense Secretary Patrick M. Shanahan. The policy applies to fitness trackers, cellphones, smartwatches and other electronics that can be tracked using GPS technology.”

Shanahan wrote in a memo that the use of devices that enable geolocation could threaten Defense Department personnel. “These geolocation capabilities can expose personal information, locations, routines, and numbers of DoD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission,” Shanahan wrote in a memo dated Aug. 3 and released on Monday. Dan also reported that it is unclear what consequences those who don't abide by the new restrictions would face. “There was little clarity Monday on how the new policy banning U.S. troops from using geolocation will be enforced,” my colleague wrote. “Army Col. Rob Manning, a Pentagon spokesman, said potential penalties will be determined on a case-by-case basis by commanders in the field.”

PATCHED: Homeland Security Secretary Kirstjen Nielsen on Monday warned in a column on that “our very way of life” is at stake as cyberattacks against U.S. critical infrastructure could cause extensive damage. “Our adversaries' capabilities online are outpacing our stove-piped defenses,” Nielsen wrote. “In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us.” Nielsen also said the government and businesses must do a better job of coordinating how they respond to cyberthreats.

“Between government and the private sector, we have the data needed to disrupt, prevent and mitigate cyberattacks,” she wrote in her column. “But we aren't sharing fast enough or collaborating deeply enough to keep cyberattacks from spreading or to prevent them in the first place.” Additionally, she praised the creation of a National Risk Management Center, which was announced last week, as a way to improve how the public and private sectors work together to protect critical infrastructure. “We will bring to bear the full expertise of the federal government,” Nielsen wrote. “The Center will provide the private sector with a one-stop shop to access programs from all departments and agencies and coordinate defenses against cyber threats that can affect all sectors.”

PWNED: Facebook is seeking financial information about customers of several banks with the goal of expanding the reach of its messaging app, according to the Wall Street Journal. “Facebook increasingly wants to be a platform where people buy and sell goods and services, besides connecting with friends,” the Journal's Emily Glazer, Deepa Seetharaman and AnnaMaria Andriotis reported on Monday. “The company over the past year asked JPMorgan Chase & Co., Wells Fargo & Co., Citigroup Inc. and U.S. Bancorp to discuss potential offerings it could host for bank customers on Facebook Messenger, said people familiar with the matter.”

Facebook is looking for information such as checking-account balances and card transactions, and one bank has withdrawn from the discussions out of concerns about data privacy. The social network said it isn't looking for financial information for advertisement purposes. “'We don’t use purchase data from banks or credit card companies for ads,' said spokeswoman Elisabeth Diana,” the Journal reported. “'We also don’t have special relationships, partnerships, or contracts with banks or credit-card companies to use their customers’ purchase data for ads.'”


— Some election security experts are questioning the viability of West Virginia’s plan to allow its voters who are serving abroad in the military to participate in the midterm elections in November via a mobile app developed by Boston-based company Voatz, CNN reported Monday. Here is how the process works, according to CNN’s Donie O’Sullivan: “Anyone using it must first register by taking a photo of their government-issued identification and a selfie-style video of their face, then upload them via the app. Voatz says its facial recognition software will ensure the photo and video show the same person. Once approved, voters can cast their ballot using the Voatz app.” West Virginia Secretary of State Mac Warner as well as Voatz said the app is secure, O’Sullivan reported, and state officials will let counties decide whether or not to allow mobile voting in the midterms for West Virginians who are serving overseas.

— “Tabitha Isner, the Democratic candidate in Alabama’s 2nd Congressional District, said Monday that Russian hackers appeared to have made more than a thousand attempts to break into her campaign website last month,” the Associated Press reported. “Isner said there were 1,400 attempts to break into the website over two days in July. The attempts were discovered after the web hosting company reported a sudden surge of traffic to the campaign website around the time of the GOP runoff in the district.”

— More cybersecurity news from the public sector:

670 ballots in a precinct with 276 voters, and other tales from Georgia’s primary (McClatchy Washington Bureau)

Russian Meddling Prompts States to Impose Online Ad Rules (Bloomberg News)

Defense bill includes rejection of low-cost considerations praised as cybersecurity win by industry (Inside Cybersecurity)

FCC's Ajit Pai Blames Former CIO for Bogus 'DDoS' Attack Claims—Also Obama (Gizmodo)

Watchdog: Agency CIOs Still Don’t Have Mandated Authorities (Nextgov)


Apple, Facebook and other tech companies delete content from Alex Jones (Craig Timberg, Elizabeth Dwoskin and Hamza Shaban)

Cyber report details tricks used by hackers to target critical infrastructure (The Hill)

Cramming Software With Thousands of Fake Bugs Could Make It More Secure (Motherboard)


Verizon Didn’t Bother to Write a Privacy Policy for its ‘Privacy Protecting’ VPN (Motherboard)


— Just because hacker groups have targeted the energy sector in the United States doesn't mean that the lights will could go out any second, according to Selena Larson, a technical writer at Dragos, a cybersecurity company focusing on threats to industrial control systems (ICS). “Adversaries have not placed 'cyber implants' into the electric grid to cause blackouts; but they are infiltrating business networks – and in some cases, ICS networks – in an effort to steal information and intelligence to potentially gain access to operational systems,” Larson wrote in a post on Dragos’s blog on Monday. “Overall, the activity is concerning and represents the prerequisites towards a potential future disruptive event – but evidence to date does not support the claim that such an attack is imminent.”

— More cybersecurity news from abroad:

A Generation Grows Up in China Without Google, Facebook or Twitter (New York Times)

India asks telcos to find ways to block Facebook, WhatsApp in case... (Reuters)


Coming soon

  • Black Hat USA security conference tomorrow through Aug. 9 in Las Vegas.
  • DEF CON security conference Aug. 9 through Aug. 12 in Las Vegas.

Late-night hosts on Trump's attacks on LeBron James on Twitter:

President Trump questioned basketball star LeBron James's intelligence in a tweet. Watch what late-night hosts Seth Meyers, Trevor Noah and others had to say. (Video: The Washington Post)

The science behind your terrible selfies:

Here's why the camera makes us look different from how we see ourselves in the mirror. (Video: Daron Taylor/The Washington Post, Photo: Daniel Mich/The Washington Post)

Three things to know about “Snapchat dysmorphia”:

Plastic surgeons have noticed a rise in patients wanting to look like their edited selfies. The phenomenon is known as “Snapchat dysmorphia.” (Video: Amber Ferguson/The Washington Post)