Risk
1/15/2010
03:08 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Laptop Search Documents Revealed

Though some travelers object to border agents reading their e-mail and viewing their digital images, the government insists "they're like pages in a book" and defends its right to review them.

Documents detailing nine months of searches and seizures of electronic devices by U.S. Customs and Border Protection (CBP) agents were released on Thursday by the American Civil Liberties Union, offering previously unavailable insight into border searches.

Last summer, the Department of Homeland Security released new rules governing searches of laptops and other electronic devices at airports and other border crossings. The rules, regarded as an improvement in terms of clarity, nonetheless continued Bush administration policies giving government agents the right to search electronic devices as if they were suitcases or backpacks, without cause.

In February, 2009, the U.S. Supreme Court let stand an appeals court ruling that laptops are like suitcases and can be searched at borders without reasonable suspicion.

Business travel groups and rights groups have objected to treating electronic devices like baggage, arguing that electronic information deserves a higher degree of privacy protection.

The U.S. government maintains that its search policy is necessary to fight crime and terrorism.

The documents, obtained through a Freedom of Information Act request, "show that the constitutional rights of thousands of travelers were put at risk and violated by the CBP's policy," said Catherine Crump, staff attorney with the ACLU First Amendment Working Group, in a statement.

The documents show that over 1,500 devices were searched over a nine month period, including 360 laptops and 560 cell phones. CBP agents copied files from searched devices and provided them to undisclosed government agencies almost 300 times.

The documents also include a variety of letters from citizens and government officials expressing concerns about border searches. Some of the letters present complaints about delays or unprofessional treatment.

One of the letters asks," If a CBP agent requests my password or encryption key and I refuse to provide it, willi be denied entry, will my laptop be seized, neither or both?"

The CBP's reply, on August 12, 2009, is, "The short answer is yes." This is followed by a lengthy explanation. It asserts that the CBP can be trusted with confidential business data.

"[T]o allay any concerns the business community or others may have that their personal or trade information might be put at risk by traveling with their laptops , I urge you to look at our track record," the CBP reply states. "Every day, thousands of commercial entry documents, shipping manifests, container content lists , and detailed pieces of company information are transmitted to CBP so we can effectively process entries and screen cargo shipments bound for the United States. This information is closely guarded and governed by strict privacy procedures. Information from passenger laptops or other electronic devices is treated no differently."

Also among the complaints is a letter charging that a traveler, after being searched, had his or her -- the names have been redacted -- baggage returned and found someone else's camera among his or her possessions.

Crump charges that the CBP's ability to take and view the personal files of any traveler fails to protect the personal data people store on their laptops and mobile devices.

"There's a meaningful difference between searching through someone's diary and searching through someone's shoe," she said in a phone interview.

Crump said the ACLU supports the government's right to conduct border searches of devices when there's a reason. The problem, she says, is what she calls "suspicionless searches."

On Wednesday, the Electronic Frontier Foundation said that another civil rights group, the National Association of Criminal Defense Lawyers, is seeking plaintiffs willing to challenge the search policy in court.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2013-4663
Published: 2014-12-27
git_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related to the get_info_refs function or (2) the reqfile argument to the file_exists function.

CVE-2013-4793
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

CVE-2013-5958
Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.