A new decision from the First Circuit upholding the federal government’s authority to search the electronic devices of anyone entering the United States — in some instances without a warrant, probable cause, or even reasonable suspicion — presents various data-security challenges for companies and organizations of all sizes.
On February 9, 2021, in Alasaad v. Mayorkas, the First Circuit rejected constitutional challenges to the border search policies of the U.S. Customs and Border Protection (“CBP”) and U.S. Immigration and Customs Enforcement (“ICE”).1 Interpreting the border exception to the warrant requirement for government searches and seizures, the court held that “neither a warrant nor probable cause is required for a border search of electronic devices,” including cellphones, tablets, and computers.2
The policies at issue authorize CBP and ICE to bypass typical constitutional safeguards, allowing agents to:
- Conduct searches of electronic devices without a warrant or even reasonable suspicion;
- Search through electronic devices without obtaining the owner’s consent;
- Examine the device outside of the owner’s presence;
- Retain possession of confiscated devices for up to 30 days after the initial search; and
- Copy data from devices to share with authorized federal agencies.3
The CBP border search policy distinguishes between two types of search: “advanced” searches, and “basic” searches. An “advanced” search is defined as any search where an officer connects external equipment (or a wireless connection) to an electronic device “not merely to gain access to the device, but to review, copy, and/or analyze its contents.”4 Advanced searches require both “supervisory approval” and reasonable suspicion. In contrast, a “basic” search is defined as any non-advanced search and can be conducted “with or without suspicion.”5 CBP policy dictates that officers may only review data that is “resident upon the device” and that the device must be disconnected from the internet during the search.6
Interestingly, while the Ninth Circuit has found that these searches are only permissible when officers are looking for actual contraband, the First Circuit held in Alasaad that these searches can also include searches for evidence of contraband, thus expanding the power of border agents when they examine electronic devices.7 The Department of Justice has appealed the Ninth Circuit’s decision, and the petition for certiorari is awaiting review by the Supreme Court.8 If the Supreme Court were to hear the case and side with the government, customs officials nationwide would have the authority to search through electronic devices for evidence of contraband, which would lead to more intense scrutiny of the data stored in these devices.
The Alasaad decision highlights the data privacy challenges for companies and international travelers. In an increasingly interconnected global economy, employees often travel with confidential, privileged, personal, or proprietary data on their electronic devices. Warrantless searches and copying of data from travelers’ electronic devices could lead to the exposure of sensitive data to outside parties. This is particularly troublesome for a wide range of businesses, such as law firms and healthcare companies, that are obligated to protect certain data. Indeed, the far-reaching scope of those potentially impacted is exemplified by the various Alasaad plaintiffs. For instance, one plaintiff owned and operated a business selling security technology and was required to turn over his electronic devices despite the sensitive data he possessed. Another plaintiff was required to unlock his phone containing personal and professional data after returning from an internship with the Associated Press in Israel. And one plaintiff was a government employee at NASA’s Jet Propulsion Laboratory.
Although the border search policies are broad, there are steps that companies can take to protect their data when employees travel. For instance, the policies require that devices must be disconnected from the internet when searched. Companies can reduce the scope of data available during a search by encouraging employees to save information to a company network available remotely only through VPN, rather than directly on the device (e.g., on the desktop or in another local drive). The less employees save information directly to their devices, the less information that can be accessed during a border search. Given the variety of challenges that these policies pose to the security of corporate data, it may be worthwhile for companies to consider creating protocols for international travel into the United States. While some data may always be at risk of disclosure during a border search, it is possible to mitigate the impact of these searches into a manageable risk.
1 Alasaad v. Mayorkas, No. 20-1077, 2021 WL 521570 (1st Cir. Feb. 9, 2021).
2 Id. at *6.
3 Any data collected during a search that is later found not to be relevant to the commission of a crime must be deleted within a certain timeframe. Alasaad v. Nielsen, No. 17-CV-11730-DJC, 2018 WL 2170323, at *3 (D. Mass. May 9, 2018). Additionally, the agencies must confirm that any data they shared with another agency has also been destroyed (unless the other agency has independent authority to retain the data). Id.
4 Alasaad at *2.
7 United States v. Cano. 934 F.3d 1002, 1019 (9th Cir. 2019), petition for cert. filed (Jan. 29, 2021) (holding that the border search exception “is restricted in scope to searches for contraband”).
8 Alasaad at *2.