Earlier this month, The Wall Street Journal reported that the Trump administration was considering invasive search procedures for all visitors entering the country. Those requirements would include asking visitors to provide things like social-media accounts and passwords, or even hand over their phones and contact lists for border-security agents to inspect. The requirements, which have not been discussed publicly, have yet to be formally proposed, but are already encountering bipartisan opposition within Congress.
A couple of weeks ago, Democratic senator Ron Wyden of Oregon and Republican senator Rand Paul of Kentucky introduced the Protecting Data at the Border Act to the Senate. It was introduced in the House of Representatives by Democratic representative Jared Polis of Colorado and Republican representative Blake Farenthold of Texas. The bill addresses exactly what the name implies. Citing the unanimous 2014 Supreme Court decision in Riley v. California, which determined that law enforcement requires a warrant to search an electronic device, the bill “recognizes the principles from that decision extend to searches of digital devices at the border,” per its press release.
As anyone knows, searching someone’s phone is significantly different from searching someone’s suitcase. Because the internet is, well, a network, searching a phone means searching someone’s email contacts, browsing history, digital identity on remote servers, and a host of other things.
Compounding the worry around these measures is that they might not even be effective or useful. April Doss, who previously led intelligence law at the National Security Agency, has argued that such measures may be illegal, ineffective, and yield bad intelligence.
What follows is an edited transcript of that conversation.
Why are these sorts of border searches bad policy?
The first thing I would say about the proposal that has come out of the administration is that we still don’t have a lot of detail about what exactly the administration would like to see as a broad-based policy of intelligence collection or information collection at the border. What we know from a legal perspective is that the president has very broad authority to secure the borders. That’s probably where the president’s authorities have the greatest scope, but that doesn’t mean that there are no limits on that authority.
What’s been concerning, I think, in Washington and in the language coming out of the White House since January — coupled with some of the reports that have been published about things happening at the border — is that there seems to be at least some real thought being given toward having widespread, indiscriminate requirements for anybody entering the U.S., whether for purposes of a work visa or temporary residence or simply for tourism.
Under the Supreme Court case Smith v. Maryland we know that the fact of communication is generally not protected under the Fourth Amendment. But we also know that, generally speaking, contents of communications do have a Fourth Amendment expectation of privacy.
[Note: Smith v. Maryland ruled that logging the phone numbers someone called was not the sort of search that required a warrant, as opposed to a wiretap, which does. In modern parlance, it helped distinguish between the collection of metadata — phone numbers, email addresses — and actual message contents.]
You’ll have to bear with me a little bit, the legalities are actually really complicated. So, the Bill of Rights of the Constitution, broadly speaking, protects U.S. people anywhere in the world, and they protect the rights of people within the U.S. When you’re talking about people who are getting ready to cross the border, some of those people will be U.S. people, who have at least presumptive rights under the Bill of Rights, and the most important right coming into play would be the Fourth Amendment right to be free from unreasonable search and seizures. And the First Amendment right not to have their right of freedom of association or expression or religion infringed upon.
So imagine that you’ve got a foreigner who comes for two-week vacation at Disney World, and they have to unlock their phones; give up their passwords to Facebook and Twitter and any other media that they use; their web-browsing history gets reviewed, and not just their public postings, but all of their private messages get revealed; and all of their contact lists are reviewable. Somewhere in all of that, it is highly likely that some of the other people whose information is swept up in that are going to be U.S. [citizens], or might even be people [currently within] the U.S. Maybe the tourist coming into the U.S. for two weeks to go to Disney World because they have a friend who lives in Orlando. So that friend in Orlando clearly has constitutional rights under the First and Fourth amendment.
This doesn’t mean necessarily that any data collection at the border is improper or illegal. Again, [the laws] have been really clear in saying that the president has broad authority. But we know from the Ninth Circuit cases on the first executive order, the first travel-ban order — we know from that case that it’s pretty clear that the president’s authority is not uninhibited.
If you think about it, as a practical matter, we know that in 2016, there were 77 million visitors to the U.S. If we’re indiscriminate — insisting that all of those 77 million visitors to the U.S. unlock their phones, turn over their contacts, turn over their web-browsing history, turn over their direct messages and their social-media history and all that kind of stuff — there’s no practical way that either officials overseas, who are issuing visas, or customs agents at the border could actually look through all of that data in any meaningful way.
I mean, an individual human being is just not gonna have the scope of knowledge to be able to say, “Oh, look, in this person’s 250 contacts in their phone, this one contact appears suspicious.” Or, “This one website they went to is one that we’re concerned about.” I don’t believe that there are any capabilities right now, in DHS or elsewhere, that would allow — that would make it possible to take all that data from all those couple hundred thousands of visitors a day and instantly review it by comparing it against known databases.
If I’m right about that assumption, about the state of our current sort of analytics, then what that means is — in order for the searches to be effective — the government would collect and store all that information. So in other words, they wouldn’t just be looking at the traveler’s phone or laptop or tablet. They would actually be downloading all this information and saving it for further analysis. Well, by definition, once they’ve done that, if they’ve let the traveler into the country, now that person does have First and Fourth amendment protections. If the government wants to move forward with this in a really open-ended, broad-based way, it’s my belief that a lot of people who get swept in, who do have cognizable constitutional rights that should be protected, would be violated by this.
In terms of data retention, in the NSA, was there a general limit to how long you could retain data, for something like browsing history?
It really depends on the type of data. If you look at things like the intelligence community’s minimization procedures that have been publicly released, there’s some kinds of data that can be held for two years, and some kinds of data that can be held for five years. Here, again, I would think it would make sense to try and do a data-driven analysis of this, right? To have people who work in border security and homeland security areas work with, for example, academics or researchers to say, “Okay, let’s do some data modeling here. Let’s try and figure out how quickly does information become stale?”
Here’s what you don’t want for effective intelligence: You don’t want to collect all the data. What you want is the useful data. And you don’t want to keep the data forever. You want to keep it while it’s useful. Good intelligence practice aligns with privacy protections in those regards, right? Collecting only what you need and only keeping it while it’s useful are privacy protectors, as well as just sort of good intelligence practice.
Is there any difference between collecting someone’s alphanumeric password and taking their fingerprint to unlock their phone? Or are those the same thing?
That’s another area that gets pretty complicated under the law. There has been some cases that have suggested that having to provide a password is something that a person can decline to do if, for example, they think providing it would incriminate them under the Fifth Amendment. Or they don’t want to cooperate under the Fourth Amendment. But typically, things like fingerprints have not been viewed, in a criminal-law context, as the kind of thing that the police need a warrant for, right? I mean, if you think about it, they go to a crime scene and they just lift prints. And then when the person gets arrested, they take your fingerprint.
I think that’s one of the areas that’s evolving in this kind of data gathering and mobile device kind of context because the amount and kinds of information that are stored on people’s devices have really exploded so quickly in the last few years that the law hasn’t quite had time to catch up. I think the short answer is, it’s an unsettled area of law.
If I show up at the airport and claim that I don’t have a Facebook account, and I claim to not have a phone and don’t carry one on me, is that ever a useful legal justification that somebody can use to look into me more?
I’m not personally aware of that being been used as justification in the past. I would think that the mere fact of not having an online persona is not in itself indicative of anything. That would be my guess. But certainly that could, when combined with other things, raise a flag.
Very often, there is a perfectly reasonable explanation, right? Maybe somebody doesn’t have an online system because they’re elderly, from a generation that wasn’t making much use of social media, and they really never got into it, and they don’t do email. Or they’re from a part of the world where use of the internet is highly regulated and restricted. Or they decided proactively, “You know what, I think my private information is vulnerable online, and I just don’t want to go there.”
Now, it could also be that somebody has made a deliberate decision to sort of obscure their online history because what they’re doing online is illegal, or it’s a threat to national security in a way, or that kind of thing. I think that’s exactly the kind of question that, in upcoming months and years, courts are going to need to look at.
If at some point the government says, “Well, I don’t see any online profile for you, which makes me suspicious,” and then they arrest the person — or they stop them at the border, or they take their laptop away from them, or whatever — and then a legal challenge is brought, I would expect that would be exactly the kind of thing that courts will have to rule on in upcoming years.