Are you one of the travelers to the US who’ve been stopped, questioned, and required to hand over your electronic devices for search?
Our apologies: there’s a good chance that we still have your data kicking around on a USB drive. Somewhere. Maybe. Unless we lost it, I guess.
The Office of Inspector General issued a report, published on the Department of Homeland Security (DHS) website earlier this week, that details how well US Customs and Border Protection (CBP) agents have been following standard operating procedures for searching travelers’ electronic devices, as authorized by the Trade Facilitation and Trade Enforcement Act of 2015 (TFTEA).
The findings: not so great.
CBP agents are allowed to carry out warrantless device searches at all 328 ports of entries in the US: they’re allowed to manually – i.e., visually – inspect travelers’ phones, laptops, tablets, thumb drives or other electronic devices as they look for content related to terrorism, child abuse imagery, or other material that smells of the criminal.
Beyond that, in a pilot program launched in 2007 in 67 ports, they’re also allowed to copy device data onto a USB thumb drive and upload it on a platform called an Automated Targeting System (ATS) so they can carry out more complex searches on travelers’ data.
The OIG found quite a few standard operating procedure (SOP) SNAFUs besides the unwiped drives, and they’re laying the blame on the CBP’s Office of Field Operations (OFO), which handles training manuals and conducts training sessions.
That’s the internet you’re searching, not my phone
One SOP that’s unfortunately not all that standard: agents aren’t always turning off the internet access of the devices they search. That’s a no-no, since search is supposed to be restricted to only the data that’s physically on the device, not information stored on a remote server who knows where.
In fact, even after an April 2017 memo was issued that required documentation of network connections having been disabled prior to a search, the OIG found that more than one-third – 14 out of 40 – searches had no documentation of internet access having been turned off, leaving the results of the searches “questionable.”
And that’s when the CBP could manage to carry out any searches at all: a situation that came to a grinding halt when…
Oops – I forgot to renew the license for the search software!
According to the report, it’s up to the OFO to manage the equipment used to search electronic devices. Well, somebody dropped the ball on that one: some manager somewhere forgot to renew the annual software license for the search equipment on time.
An OFO official blamed the budget. There’s no dedicated funding for the advanced searches of electronic devices, he said, which is only a pilot program.
That left a gap of about 7.5 months – between 31 January and 13 September 2017 – when agents couldn’t conduct any software-assisted searches. In the SNAFU soup of lacking earmarked funds, budgetary issues and getting elbowed aside by other funding priorities, the initial estimate to purchase the equipment expired, and the vendor had to scrape up a new estimate… which evidently took quite a while.
Leftovers on the thumb drives
Searches and seizures of travelers’ devices aren’t being properly documented, meaning that they could be lost or misplaced, the OIG found. But besides not taking care to document device seizure and to keep track of where they are, the CBP is having problems properly using their own USB drives.
This should sound familiar: Some of us have a USB drive kicking around the office. We use it to copy stuff and move it around. Some of us are not diligent about deleting the files from that thumb drive after we’ve plunked them where we want them to go.
Those somebodies are not supposed to be border agents who copy material from travelers’ electronic laptops, tablets, USB drives, phones and multimedia cards for inspectional purposes, but that’s exactly what they’re doing: leaving people’s content on thumb drives. Agents are supposed to use a thumb drive to copy material and transfer it to the ATS for search purposes, and then they’re supposed to delete the material – immediately.
Ain’t happening. The OIG inspected drives at five ports of entry. At three of them, the OIG found material copied from past searches – in other words, nobody wiped the drive.
That leaves travelers’ data susceptible to being disclosed should the drives be lost or stolen, the OIG said.
The upshot being… well, who knows?
While many travelers have been affronted by the CBP’s device searches, it’s worth noting, as the OIG does, that the program has led to at least a few success stories – in other words, dangerous or criminal individuals have been stopped from entering the country. One example: in March 2018, agents found images and videos of terrorist-related materials. In another incident, they found “graphic and violent” videos, including images of child abuse. Both travelers were denied entry.
But then there are the innocent travelers whose data is taken and who have found it impossible to get deleted. In August, for example, an American Muslim woman sued the CBP for seizing her iPhone at an airport, keeping it for 130 days, failing to explain why, and refusing to destroy whatever copies of her data that they might have grabbed, including photos of her when she wasn’t wearing a hijab, which she wears as an expression of her Islamic faith.
It wasn’t her physical phone that she wanted back. She got that back after 130 days.
Rather, she wanted assurances that copies of her data were deleted. She wanted the CBP to wipe out copies that were taken without the CBP explaining the reason for seizure and without her being charged with a crime.
How can anybody determine whether the CBP has deleted data? Unfortunately, even the CBP can’t tell how effective its electronics search is. While the pilot program is producing quantitative data, it’s impossible to tell if the searches are worth the trouble. That’s because the OFO hasn’t come up with any performance metrics.
Have these searches led to prosecutions? Convictions? Nobody can say. The OFO doesn’t track that information.
From the OIG report:
These deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit OFO’s ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.
The OIG has come up with a list of recommendations for the OFO, including proper documentation of searches; disabling of data connections when searching devices; expeditious software license renewal; immediate deletion of travelers’ data from thumb drives; and creating and implementing program performance metrics.
The OFO has agreed to implement the OIG’s recommendations.
By Sophos Naked Security News