Privacy commissioner investigating Canada Border Services Agency over electronic media searches
Wednesday, Mar. 15, 2017
OTTAWA — Canada’s federal privacy commissioner has launched an investigation into the Canada Border Services Agency’s practice of searching the electronic devices of travellers at the Canadian border.
The investigation comes amid mounting concerns over whether CBSA’s U.S. counterparts are not just searching travellers’ devices, but also downloading their contents for later examination and even cloning and mirroring the devices.
Border agents from both countries operate in a legal grey zone. Canadian courts recognize “reduced expectations of privacy at border points” for people dealing with Canada’s border authorities, who are able to search and examine possessions, including devices, without warrants, said Valerie Lawton, a spokeswoman for the Office of the Privacy Commissioner of Canada. People must provide their passwords if asked, or risk having the device “held for further inspection.”
“It is possible that issues related to retention may be examined during our investigation,” Lawton said, saying she couldn’t reveal further details about the investigation or the complaint that prompted it. Little is known about when, and how often, CBSA retains data collected from devices, where it’s held and for how long.
The CBSA does not collect statistics on electronic device searches, spokeswoman Line Guibert-Wolff said, and data may only be collected for “customs purposes.” Information can only be disclosed to other agencies if it meets guidelines in the Customs Act, which states information must relate to criminal proceedings, immigration or national security, among a few other categories.
She did not directly answer a question as to whether CBSA retains data from the electronic devices it searches.
Examinations of devices “do not require reasonable grounds to suspect or believe that a contravention has occurred,” she said, but CBSA policy states such examinations “should only occur where there is a multiplicity of indicators” or if undeclared, prohibited or falsely reported goods are discovered.
“Initial examinations of digital devices and media should be cursory in nature and increase in intensity based on emerging indicators,” Guibert-Wolff said. “The CBSA is committed to maintaining the balance between an individual’s right to privacy and the safety and security of Canadians.”
“There’s an enormous amount of uncertainty in what feels like a no-privacy zone,” said University of Ottawa law professor Michael Geist. “There’s a sense that customs officials are empowered to do whatever they see fit .… But the lack of transparency associated with these processes is enormously disturbing.”
“We can’t hold them to account as a society if it’s not clear what the rules are, or how they’ve been told to interpret them,” said Brenda McPhail, director of the privacy, technology and surveillance project at the Canadian Civil Liberties Association. “We’re treating devices that provide a portal into our lives the same way that we treat a suitcase, and they’re not equatable.”
As the privacy commissioner’s investigation of the CBSA gets underway, privacy experts are raising concerns about the access to travellers’ personal devices that American border officials have in situations where visitors can’t say no. Statistics released by the U.S. Customs and Border Protection Electronic show media searches by U.S. border authorities increased five-fold in 2016 over 2015, and appear to be increasing even more under the Trump administration. From the beginning of October 2015 to the end of September 2016, five times as many electronic media searches — 23,877 — were conducted by U.S. agents than the year before, Long confirmed. That’s still a fraction of the total number of arrivals (390 million in 2016) but NBC reported this week 5,000 searches were conducted in February alone.
Anyone travelling to the United States can have their computers, disks, drives, phones, cameras and other devices searched by U.S. Customs and Border Protection. If a device is locked and a traveller doesn’t provide the password, they can be refused at the border or detained.
“Keeping America safe and enforcing our nation’s laws in an increasingly digital world depends on our ability to lawfully examine all materials entering the U.S.,” spokesman Dave Long said in an email.
Agents can look at data that helps identify someone’s admissibility and “intentions upon entry,” Long explained. They’re also empowered to look for information about terrorism, national security, smuggling, contraband, child pornography and all manner of financial and commercial crimes. Any information gathered may be shared with other agencies as evidence.
Lawton said the privacy commissioner is aware officials in the U.S. have “broad inspection powers.” But “with respect to the retention of data, we are not privy to information about whether or how often this occurs.”
It’s McPhail’s understanding, however, that Americans are “probably downloading information” when they seize phones — “including forensic examination of a device, which is a deep dive into the data.”
Long wouldn’t confirm or deny whether border officials have the ability to copy information from devices. But a May 2015 privacy assessment from the Department of Homeland Security implies that as of a couple of years ago border authorities were already employing the practice.
Trained officials can use tools to “create digital images of electronic media … seized under border search authority.” The tools are used to “image the media, creating a mirror copy to use as a working copy,” then “index the information and extract files and other data points,” the assessment says.
While it acknowledges “more data may be collected than is necessary to further an investigation,” the assessment says rules mitigating privacy concerns don’t apply at the border. Agents there can “search, detain, seize, retain, and share electronic devices, or information contained therein, with or without individualized suspicion.”
Adam Schwartz, with the Electronic Frontier Foundation, a privacy rights group in San Francisco, said it is known that agents have Cellebrite devices, which can be plugged into devices to harvest information.
“We’ve heard a lot of reports, for example, of a traveller unlocking (the phone), handing it to the agent, the agent takes it out of the room for 10 minutes. It’s possible during those 10 minutes they’re plugging a Cellebrite device or another forensic tool into the traveller’s phone and copying information.”
A source in the intelligence community told the National Post that border officials may not have the language ability to assess all the data on someone’s phone right away, so making copies could help officials continue investigating even after someone has had their device returned to them.
Schwartz and his colleagues published a white paper on border security last week, which indicates U.S. border agents can look at all cloud data in addition to what’s downloaded to a device. It also says agents have sophisticated enough forensic software that data recently deleted from devices may still be retrieved.
There are protocols around documenting searches, the retention of information and the destroying of information if it doesn’t contain any evidence.
Big loopholes exist, however, that make destruction less likely, the paper says — if there’s information related to “immigration matters” writ large, or “terrorism information,” authorities can keep and share it. People whose data is held by the U.S. government won’t be notified if their data is deleted or not, but they can try filing freedom of information requests.
From the beginning of October 2015 to the end of September 2016, five times as many electronic media searches — 23,877 — were conducted by U.S. agents than the year before, Long confirmed. That’s still a fraction of the total number of arrivals (390 million in 2016) but the number is increasing. NBC reported this week 5,000 searches were conducted in February alone.
“It does appear that in the beginning of this presidency that there has been more than a doubling in the frequency of border device searches,” Schwartz said. “We do not know whether this is a directive from the top to do more, or whether or not this is a cultural change reacting to the perception of agents about what the administration wants them to do.”
“I think the only real restraint that governments have is negative publicity when they get caught doing things to their own citizens,” said privacy lawyer Shaun Brown, at the nNovation firm in Ottawa. “But when it comes to other citizens, there’s no one really out there to lobby or create a lot of negative pressure when you’re spying on non-citizens, people from another country.”