From the Washington Post:
Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.
Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.
The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as ‘pocket trash’ or ‘pocket litter.’ "
We have known for some time that the border agents have the authority to search a laptop without probable cause and as part of the routine border inspection. But the detention, for an unspecified period of time, without any suspicion or probable cause may raise some eyebrows, especially from business travelers, who often carry not only a laptop full of confidential company information, but also flash drives (encrypted or otherwise), cell phones, Blackberries (often with sensitive information) or even sensitive company plans printed on paper.
Attorneys who travel internationally are also concerned by the new revelation - confidential and sensitive client information is often stored on mobile devices, and the detention, discovery and sharing of such information may have devastating consequences for a client’s case or the confidentiality of such information.
We have written in the past about the freedom of border agents to search laptops at the border crossing points.
A new opinion (PDF) in United States v. Arnold by the Ninth Circuit Court of Appeals dated April 21, 2008, confirms this trend by holding that customs officers may examine electronic contents of a passenger’s laptop without reasonable suspicion.
The Facts. Arnold, a 43-year old arrived at Los Angeles International airport from the Philippines. At Customs, he was asked for secondary inspection, where the officer asked him to turn on his laptop to determine whether it was functioning. Once the computer booted up, the desktop showed folders named "Kodak Pictures" and "Kodak Memories." The agents opened the folders and noticed pictures of nude women. The agents then questioned Arnold about his computer, his trip, and upon review of the images, determined that there are several images which the agents believed were child pornography.
The Opinion. After a district court granted Arnold’s motion to suppress evidence, the Ninth Circuit reversed. The Ninth Circuit based its opinion on Supreme Court precedent which held that the right of the United States to protect its border is paramount; however, such authority is not unlimited. The two major exceptions for border searches without reasonable suspicion are searches which cause "exceptional damage to property" or if the search was conducted in a "particularly offensive manner." The Ninth Circuit held that the record did not support finding on either of the two exceptions and therefore the search was proper.
I resisted writing about the British Tax Authorities’ blunder disclosed last week when they lost two CDs full of sensitive information (bank accounts and social benefits information) of 25 million UK families. The story received enough mainstream press attention and I was afraid that many of our readers are starting to suffer from "breach fatigue" - hearing all too often about security breaches and missing personal information.
The fundamental reason why the breach occurred are all too common these days - e-mails released by the U.K.’s National Audit Office have confirmed that officials at the Revenue and Customs, did not want to remove sensitive information from child benefit data sent to the auditors because doing so would cost extra (although some experts have said that the cost of "sanitizing" the data could have cost less than the equivalent of $10,000).
Anyway, I could not resist writing about the recent development from the UK for a different reason. As a response to the initial breach, the Revenue & Customs decided that it owed an apology to the families affected by the breach. So it decided to mail them a personalized apology letter. The letter, however, was too personalized - it included name, address, national insurance and child benefit numbers. The information contained in this letter is all that is needed by identity thieves to open bank accounts, claim benefits or even apply for passports on behalf of somebody else.
The UK authorities urge people who received the letters to destroy them after they receive them and read them. But there are a large number of families who will never receive their - either because they moved or because somebody ‘conveniently’ picked the letter out of their mailbox on their behalf.
So what follows next? A second apology letter to apologize for the loss of the CDs and the first apology letter? No, instead the Revenue & Customs authorities are shifting the blame to the concerned citizens who did not receive the letter by saying that they should have updated their mailing address.
"The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS’s 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. ‘Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller … The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.’"
A congressional report scheduled to be released on August 3 but reported by the Washington Post alleges that the U.S. government’s main border control system has many security weaknesses, placing at risk of theft or manipulation the data of millions of passengers, including passport, visa, Social Security numbers, and biometrics, such as fingerprints.
The US-VISIT system has been in place for several years and it is considered one of the first lines of defense aimed at stopping terrorists or other unauthorized persons from entering the United States at hundreds of airports, seaports, and land crossings. The system collects passengers’ personal information and stores it in a massive database which can be data-mined for various border control and immigration purposes. The US-VISIT system is said to store facial images and fingerprints of 90 million individuals and is used to vet 54 million border crossings each year. Adding the biometric information on top of the detailed personal information stored in the system, it makes it a pretty attractive target for cyber criminals or hostile foreign governments.
According to the report, "[w]eaknesses existed in all control areas and computing device types reviewed."
"These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information," GAO investigators said in the report.
It is not hard to imagine the possible national security and individual privacy consequences that a breach of this vast system may have. Let’s hope that the vulnerabilities are closed quickly.