U.S. Senator Ron Wyden says his office was informed this summer that Customs and Border Protection (CBP) is building a massive database with content seized from Americans’ mobile phones at the border. Without warrants, the agency permits thousands of employees to search the database “for any reason,” the Oregon senator said.
The disclosure was made in a letter stamped Thursday to CBP Commissioner Chris Magnus, a former Arizona police chief appointed by President Joe Biden. In it, Wyden calls for immediate changes to the agency’s policy, specifically by halting the searches of Americans’ phones without a judge’s approval. Wyden asks Magnus for “a written plan” describing the steps the agency head will take to address the senator’s concerns.
“Innocent Americans should not be tricked into unlocking their phones and laptops,” Wyden said. “CBP should not dump data obtained through thousands of warrantless phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans’ personal data whenever they want.”
It’s unclear how many Americans and foreign nationals the database’s information encompasses. The agency relies on an exception to the Fourth Amendment, Wyden says, which permits border officers to conduct “basic searches” of a traveller’s phone or laptop without a warrant. The issue here, however, is that CBP is now citing that same authority to use tools that, today, allow agents to scrape phones of all their contents — a far cry from the manual review of text messages by a single agent at the border. After CBP stores the data it collects, according to Wyden, an untold number of CBP employees can then repeatedly search it, for the next 15 years, under the agency’s current policy.
The Washington Post first reported the news.
The letter stated that Wyden’s office became aware through briefings that CBP practices included “pressuring travellers to unlock their electronic devices without adequately informing them of their rights,” and “downloading the contents of Americans’ phones into a central database, where this data is saved and searchable for 15 years by thousands of Department of Homeland Security employees, with minimal protections against abuse.”
It continues:
“In a June 20, 2022 briefing to my office, CBP estimated that it forensically examines and then saves data from ‘less than 10,000′ phones per year — which typically include text messages, call logs, contact lists, and in some cases photos and other sensitive data — in a central database. CBP confirmed during this briefing that it stores this deeply personal data taken, without a warrant signed by a judge, from Americans’ phones for 15 years and permits approximately 2,700 DHS personnel to search this data at any time, for any reason.”
Wyden, a 20-year veteran of the Senate Intelligence Committee, said that DHS employees are keeping no records describing the purposes of their searches, an oversight that engenders abuse and makes auditing the practice nearly impossible.
Additionally, he said that CBP had so far failed to provide any statistics on how many Americans are referenced in the database, or how often government employees use it.
In response to an inquiry, CBP sent Gizmodo a 1,840 word email, bullet-pointed, including what seems to be a collection of revised text pulled from a 4-year-old privacy impact report. (You can read the entire email here.)
The email opens by describing CBP’s broad search authority, which it says “extends to all persons and goods, including electronic devices, crossing our nation’s borders.” In a section describing its border search policy, CBP says its employees can conduct an “advance search” of a person’s device — using equipment that downloads its contents — with a supervisor’s permission. Reasonable suspicion can be used, but is not a requirement, it says. CBP employees can instead have a “national security concern.”
It’s not immediately clear what a “national security concern” is or why DHS differentiates it from “reasonable suspicion,” an already low evidentiary standard, well below what police and prosecutors need to view the contents of a phone. (The American Civil Liberties Union was likewise perplexed by the term when DHS started using it in conjunction with mobile phone searches, writing it is “not clearly defined in the policy and potentially vague enough to cover a wide array of scenarios.”)
On “concern” alone, CBP can also review content ripped from a device using an Automated Targeting System (ATS), the agency’s email says. Based on the government’s description of how an ATS works, this practice would evaluate the downloaded content, including contact lists, against scores of internet and external databases, such as those used to identify terror suspects or locate individuals with outstanding warrants — without a warrant or reasonable suspicion that a crime has occurred.