Risk
1/15/2010
03:08 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Laptop Search Documents Revealed

Though some travelers object to border agents reading their e-mail and viewing their digital images, the government insists "they're like pages in a book" and defends its right to review them.

Documents detailing nine months of searches and seizures of electronic devices by U.S. Customs and Border Protection (CBP) agents were released on Thursday by the American Civil Liberties Union, offering previously unavailable insight into border searches.

Last summer, the Department of Homeland Security released new rules governing searches of laptops and other electronic devices at airports and other border crossings. The rules, regarded as an improvement in terms of clarity, nonetheless continued Bush administration policies giving government agents the right to search electronic devices as if they were suitcases or backpacks, without cause.

In February, 2009, the U.S. Supreme Court let stand an appeals court ruling that laptops are like suitcases and can be searched at borders without reasonable suspicion.

Business travel groups and rights groups have objected to treating electronic devices like baggage, arguing that electronic information deserves a higher degree of privacy protection.

The U.S. government maintains that its search policy is necessary to fight crime and terrorism.

The documents, obtained through a Freedom of Information Act request, "show that the constitutional rights of thousands of travelers were put at risk and violated by the CBP's policy," said Catherine Crump, staff attorney with the ACLU First Amendment Working Group, in a statement.

The documents show that over 1,500 devices were searched over a nine month period, including 360 laptops and 560 cell phones. CBP agents copied files from searched devices and provided them to undisclosed government agencies almost 300 times.

The documents also include a variety of letters from citizens and government officials expressing concerns about border searches. Some of the letters present complaints about delays or unprofessional treatment.

One of the letters asks," If a CBP agent requests my password or encryption key and I refuse to provide it, willi be denied entry, will my laptop be seized, neither or both?"

The CBP's reply, on August 12, 2009, is, "The short answer is yes." This is followed by a lengthy explanation. It asserts that the CBP can be trusted with confidential business data.

"[T]o allay any concerns the business community or others may have that their personal or trade information might be put at risk by traveling with their laptops , I urge you to look at our track record," the CBP reply states. "Every day, thousands of commercial entry documents, shipping manifests, container content lists , and detailed pieces of company information are transmitted to CBP so we can effectively process entries and screen cargo shipments bound for the United States. This information is closely guarded and governed by strict privacy procedures. Information from passenger laptops or other electronic devices is treated no differently."

Also among the complaints is a letter charging that a traveler, after being searched, had his or her -- the names have been redacted -- baggage returned and found someone else's camera among his or her possessions.

Crump charges that the CBP's ability to take and view the personal files of any traveler fails to protect the personal data people store on their laptops and mobile devices.

"There's a meaningful difference between searching through someone's diary and searching through someone's shoe," she said in a phone interview.

Crump said the ACLU supports the government's right to conduct border searches of devices when there's a reason. The problem, she says, is what she calls "suspicionless searches."

On Wednesday, the Electronic Frontier Foundation said that another civil rights group, the National Association of Criminal Defense Lawyers, is seeking plaintiffs willing to challenge the search policy in court.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.