United States U.S. v. Cotterman: Appeals Court Curbs Border Agents’ Carte Blanche Power to Search Your Gadgets

MAJOR decision today in a fairly solid 8-3 vote! The entire decision (0.3MB PDF) can be downloaded below, or click here.

Wired / Threat Level: Appeals Court Curbs Border Agents’ Carte Blanche Power to Search Your Gadgets

A federal appeals court for the first time ruled Friday that U.S. border agents do not have carte blanche authority to search the cellphones, tablets and laptops of travelers entering the country — a “watershed” decision in the court’s own terms and one at odds with the policies of the President Barack Obama administration.​

​

The ruling by a divided 11-judge panel of the 9th U.S. Circuit Court of Appeals is the most significant privacy decision in the digital age following the Supreme Court’s ruling last year requiring authorities to get warrants to place GPS tracking devices on suspects’ vehicles. Under Friday’s ruling, for the first time digital devices are granted limited relief from the so-called “border search exception” of U.S. law that allows international travelers — including U.S. citizens and their luggage and vehicles — to be searched for any reason as they enter the country.​

​

“A person’s digital life ought not be hijacked simply by crossing a border. When packing traditional luggage, one is accustomed to deciding what papers to take and what to leave behind,” Judge M. Margaret McKeown wrote (.pdf) for the 8-3 court. “When carrying a laptop, tablet or other device, however, removing files unnecessary to an impending trip is an impractical solution given the volume and often intermingled nature of the files. It is also a time-consuming task that may not even effectively erase the files.”​

...

 

Casual searches on a whim are still permitted but forensic searches (e.g. breaking passwords & searching for deleted files) may require reasonable suspicion and a warrant; have to read the whole decision for the details.

How does this affect their request that you enter passwords?

In a nutshell these simple steps would appear to protect you from whimsical searches:

1. Laptops (at least those of the Windows variety): Install TrueCrypt and encrypt the entire drive.

2. Smartphones: Password protect the phone and remove the data-out pin from the 4-pin USB connector. Any search should then become a "forensic" search. Most people don't realize is that all it takes is a cable to turn their smart phone into a fancy RAM stick.

 

#2 not such a hot option IMO. But yes a wonderful wonderful ruling

 

95% or more of smartphone users only use the USB cables to charge their phones. The only lines needed for that are Vcc (+5V) and ground. Very few people actually use the data lines.

You can still do file transfers via 3G/4G and wireless after you enter the password to unlock the phone.

 

unless you manage to encrypt your phone's SD card, they can just remove that and read it directly. they don't need a USB cable.

 

But dismantling the phone is getting down to the level of a forensic search which should trigger the more stringent requirements because they have to employ additonal ("forensic") equipment to access it. The big plus, however, is now that we have U.S. v. Cotterman, folks can start suing the (expletive deleted) for these searches.

But I agree regarding encryption: We need much better encryption for mobile devices.

 

Even better writeup & analysis in TechDirt:

9th Circuit Appeals Court: 4th Amendment Applies At The Border; Also: Password Protected Files Shouldn't Arouse Suspicion

 

I'll plagiarize myself from over there and re-post my comments for our group:

I found the suitcase analogy to be interesting. If I read it correctly, the ruling states that border guards may search your possessions that you are attempting to bring across the border which includes your laptop. What they said required 4th Amendment protection was a much broader search of the contents of the laptop and even possessions that breaking into a laptop allowed them to discover.

Existence of a password seems equivalent to cops basing suspicion based on someone refusing to answer questions or produce an ID when not required. I hope this one sticks.

I think we also have a responsibility to protect ourselves. Most of us on overseas trips take care to make sure we don't cross borders either way with stuff that might be confiscated and get us in trouble. For example, my couple of maintenance drugs are always in their prescription bottles. I always eat that last banana on the way to the airport. I always pare down the files on my laptop, especially those files I don't need during my overseas trip. If you're in any sort of technology field, you have to be very careful not to bring any technical documents on your laptop that haven't been cleared for export. Crossing a border with this stuff in your laptop can be a violation of export laws such as ITAR.

We've got to make it harder for them to violate our Constitutional rights. Most of what we can do is pretty simple.

 

the cool thing is, this a governing ruling for the entire 9th circuit. so if you're traveling internationally, just ingress and egress from airports in that district. Janet, here my bras d'honneur right in your face!

 

It's an improvement, but reasonable suspicion is still a rather low hurdle.

 

But it does make the coerced border harassment a lot more difficult for CBP to pull off with knowledgeable people. In another recent decision (which I don't think has made it to the Supreme Court), you can't be forced to disclose an encryption password, since that would amount to self-incrimination. Combine that plus U.S. v. Cotterman and you basically can tell CBP to pound sand as long as you use strong encryption and your machine is powered down so there's zero chance of finding the key in RAM.

Now that these precedents are at least out in the appellate courts, I expect perhaps we'll see some efforts to make encryption more robust under those circumstances.

I'd love to see people crossing the border checkpoints with throwaway PC's dummied up with what looks looks to be kiddie porn but instead contain images of text messages not particularly flattering to the CBP thugs. Use PGP instead of TrueCrypt so the un-encrypted file names sucker them in. An image file named "julie_14yo.jpg" might turn out to contain the screenshot of Christopher Maston's page at Don't Date Him, Girl! and "cute_young_janie.jpg" might hold the front page of the autopsy report on one of CBP's murder or beating victims.

 

... tempting to modify a HDD to do just that.

 

I wouldn't go overboard, just a few "teaser" files to catch their attention & send them off on a wild goose chase to waste their time.

The forensic software that they use relies on computing & comparing hash codes, and it appears that they may use > 1 algorithm to compute multiple hashcodes per known image. It would be easy to dummy up one hashcode to match but not two or more. It you try to make it look like a massive porn collection, it probably wouldn't match the right sets of hashcodes, which would be a dead giveaway.

Better to make it look like your own personal, private and very selective collection.

 

Can you put that in English?

 

A hash code is a numerical value computed for a larger entity. For example, a 50KB porno pic would be turned into a 120- or 160-bit hash key. It takes a lot less time to look up the hash key in a database than it would take to compare with every possible file of the same size. Distributing tables of hash codes also means that you don't have to deliver a copy of the porn (esp. bad idea if it's kiddie porn) to all your customers, although there do seem to be plenty of teachers & cops, e.g. Anthony Mangione and Steven Metz who are into that stuff (not to mention a good number of TSA's smurfchen).