Early in 2018, Business Law Today published an article of mine dealing with the legal ethics implications of border search policies of the Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) relating to portable electronic devices. The article adverted to a then-recently filed lawsuit in federal court in Boston challenging the validity of these policies as a general proposition (i.e., not related to any issues of professional ethics). Nominally brought on behalf of 11 travelers whose smartphones and other electronic devices were searched without a warrant at the U.S. border, the case was funded by the ACLU, the Electronic Frontier Foundation, and the ACLU of Massachusetts.
The case was originally styled Alasaad v. Duke because the initial suit was filed against Elaine Duke, then acting secretary of DHS. Summary judgment was granted late in 2019 for the plaintiffs under the case name Alasaad v. Nielsen (because Kirstjen M. Nielsen had been substituted as secretary of Homeland Security (until earlier this year) pursuant to Fed. R. Civ. P. 25(d)).
Bear in mind that we are talking here about forensic searches of electronic devices, not the less intrusive manual searches. The latter have previously been upheld by federal appellate decisions in the 4th Circuit and the 9th Circuit. Alasaad is the first case to consider the question with regard to forensic searches.
Prior to summary judgment, the court denied the government’s motion to dismiss and in the process made several critical rulings about how the Constitution protects digital privacy and free speech at the border. The district court relied heavily on the Supreme Court’s 2014 decision in Riley v. California, which balanced the privacy interests in cell phones against the government’s interest in conducting warrantless searches incident to arrest, to wit: officer safety and preservation of evidence. Riley held that the Fourth Amendment requires police officers to get a warrant before searching an arrestee’s cell phones.
Privacy at the border, however, presents more difficult questions. The Fourth Amendment to the U.S. Constitution protects “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Nevertheless, border searches of international travelers are a well-settled exception. It implicates the sovereign’s right to control who and what may enter the country and is justifiable from a number of different perspectives, including territorial integrity, national security, and interdiction of criminal conduct ranging from contraband to terrorism. The U.S. border is not a Constitution-free zone, however, and those sovereign interests must be balanced against individual rights, including the right to privacy.
On the privacy side of the balance, the Alasaad court explained that “electronic devices implicate privacy interests in a fundamentally different manner than searches of typical containers or even searches of a person.” U.S. District Court Judge Denise Casper quoted from the Riley decision extensively:
- “The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions . . .”
- A person’s internet browsing history, historic location information, and mobile application software (or “apps”) “can form a revealing montage of the user’s life.”
- “[A] cell phone search would typically expose to the government far more than the most exhaustive search of a house.”
Warrantless searches of a “particular category of effects” such as cell phones must be sufficiently “tethered” to the government’s interests, the Alasaad court concluded. At the border, the government’s interests in conducting warrantless searches are to collect duties and to prevent the entry of contraband and other harmful items. The key inquiry became whether warrantless searches of electronic devices sufficiently advance these interests. Agreeing with plaintiffs that there is an important difference between border officers conducting warrantless searches for “contraband” (where tethering is stronger), as opposed to conducting warrantless searches for “evidence” of contraband or other unlawful activity (where tethering is weaker), the court found unpersuasive the government’s claim that child pornography is a form of digital contraband that justifies warrantless searches of electronic devices.
The court then emphasized that border searches of electronic devices burden travelers’ First Amendment rights to free speech and association by exposing membership in organizations, unmasking anonymous speech, and intruding on freedom of the press. In light of these substantial First Amendment interests, the court held the government must prove a “substantial relation between the governmental interest and the information required to be disclosed.”
The court thus denied the motion to dismiss but left open the issue of the appropriate level of individualized suspicion a border officer must have before searching an electronic device: “reasonable suspicion” or a warrant based on probable cause. Resolution of this question had to await summary judgment.
In her November 2019 summary judgment opinion, Judge Casper held that border agents must have “reasonable suspicion” that a device contains digital contraband before searching or seizing the device. The traditional border search exception to the warrant requirement applies only to routine searches, but searches of personal electronic devices are nonroutine given the magnitude of the privacy and First Amendment interests at stake. The “reasonable suspicion” standard is a common-sense approach, the court held, and is met when border agents can point to specific, articulable facts—more than just a hunch—and the inferences reasonably to be drawn therefrom, suggesting that the device contains contraband.
As to relief, the court entered a declaratory judgment that the CBP and ICE policies violate the Fourth Amendment to the extent that they do not require reasonable suspicion that the devices contain contraband and that noncursory searches and/or seizures of electronic devices, without such reasonable suspicion, violate the Fourth Amendment. The court declined, however, to enter any nationwide injunctive relief.
With only one (thus far) decision at the trial court level on forensic border searches, where does that leave traveling with electronic devices containing confidential client information (CCI), which, as a lawyer, you have a special responsibility to safeguard?
The professional responsibility advice in the earlier article remains on point and is worthy of consideration. Here is a short recapitulation of the key suggestions, along with a few elaborations:
- If you can (especially if you are traveling for vacation), leave the devices containing CCI at home.
- Consider having a portable device designated for international travel that does not contain CCI. Mobile phones using the GSM standard (common in most countries) let you switch a SIM card from one phone to another, so you can keep your phone number while using a temporary travel phone. In addition, some laptop brands minimize the data stored on the device itself and are particularly easy to clear or reset.
- If a separate device is not possible, and you bring with you one or more devices containing CCI, try to scrub them of the CCI (using software professionally designed by IT experts for that purpose and not merely by pressing the “delete” button) or better yet, have a teenager do it. If you will have reliable internet access where you are going, you will not need to bring the CCI on your device. Be aware, however, that moving data to the cloud is not a panacea: border agents or other government officials may try to search your cloud data without your knowledge by dealing directly with the service provider (but if they do, in all likelihood under the Electronic Communications Privacy Act and relevant case law, such demands will be subject to a higher legal standard (i.e., a warrant based on probable cause) than a border search.
- Encryption of CCI is not sufficient to comply with your ethical obligations. Border agents may demand that you provide password or other decrypting information, and failure to do so can lead to unpleasantness for you and, at a minimum, your device being seized and detained for a period of time.
- Familiarize yourself with, and stay up to date on, ethics rules and opinions relating to:
- confidentiality (cf. Model Rule 1.6)
- professional competence on technology matters (cf. Model Rule 1.1)
- disclosure obligations to clients (cf. Model Rule 1.4)
- supervisory responsibilities for ethical compliance by subordinate attorneys in your law firm or corporate law department (cf. Model Rule 5.3)
in the jurisdiction(s) in which you are admitted. Be mindful as well of pertinent ABA ethics opinions. If you are too busy (as many lawyers are) to do this research yourself, ask your firm’s general counsel or a legal ethics expert for assistance.
- If any of your clients or the firm’s clients or any jurisdiction in which you are admitted requires you to take extra steps to safeguard the confidentiality of information on a portable electronic device, be sure you have fully complied with those requirements in advance of travel.
Beyond that, here are some additional helpful pointers:
- If the device(s) in question are not your property but belong to your employer, consult the appropriate person about data security and relevant policies. A border agency may be (slightly) more sympathetic if you can honestly say that the data belongs to your employer and your employer prohibits access by anyone else.
- Back up the data on your device before you leave. If you don’t and your device is seized, you may experience difficulties in obtaining access to critical information for the duration of the seizure.
- As a matter of both professionalism and common sense, be polite to border agents. They have a difficult (and frequently thankless) job, and most of them are doing their best to protect all of us. Yes, you will encounter them when you’re tired and cranky after a long international journey—all the more reason to be conscious of the benefits of civility.
- If you are not a U.S. citizen, like many of the ABA’s wonderful foreign lawyer members, be aware that refusing to comply with a border agent’s demand that you unlock your device, provide your device password, or disclose your social media information may raise special concerns. If you are a foreign visitor, you may be more easily denied entry into the country. Even if you are a lawful permanent resident, you do not want to explore the government’s ability to challenge your continuation in that status.
- If you have traveled to certain countries regarded by the U.S. government as problematic (e.g., those connected to terrorism, narcotics trafficking, or sex tourism), you may draw additional scrutiny from border agents.
- If your international travel is frequent or of significant duration, you may be subject to added screening.
- Border agents may seek access to your device by demanding that you enter your password, furnish your password, or (if you use a fingerprint key) press your finger to the sensor, all of which will give them access to information stored on your device. They may also ask you to disclose your social media identifiers, with which they can examine your public social media content even when they do not have access to your devices. In advance of your trip, reflect, perhaps in consultation with your employer and/or with ethics experts, on how you should respond to such requests. In that regard, recall that under existing official policies, CBP agents (but not necessarily ICE agents) must consult with the CBP Associate/Assistant Chief Counsel’s Office before searching devices allegedly containing privileged or work product protected information.
- Be wary of implicit consent. If the border agent is vague about whether he or she is asking or ordering you to unlock your device, provide a password, or furnish social media identifiers, politely establish whether it is a request or a command.
- If the former, you have the ability to courteously but firmly withhold your consent.
- If the latter, inform the agent that you are complying under protest and that you do not consent; this is even more effective if you have someone with you who can be a witness. If you fail to protest, then in the event you subsequently seek to mount a legal challenge to the search, the government may claim that you consented.
- Under no circumstances should you lie to a border agent or seek physically to interfere with the agent’s performance of official duties.
- Do not succumb to the blandishments of “techies” or others who recommend concealing data on your devices by “hidden volume” features or other techniques designed to vary the data that will appear depending on the password that is used. Border agents may characterize this as making a false or fraudulent statement to them or obstructing their investigations or the proper administration of their duties, each of which is a serious federal criminal offense.
- If any of your devices is seized, you are entitled to a property receipt.
- If, in response to a demand, you provide any passwords or identifiers or other account credentials to a border agent, nothing requires you to leave them unchanged afterwards. If you do nothing, the government will have continued access to your accounts, and, for what it is worth, there is an article in the popular media that suggests they will use it. Therefore, promptly after re-entering the country you should change all such passwords, identifiers, and credentials.
In the valedictory words of the morning roll call on an iconic 1980s police drama, “Let’s be careful out there.”
The author, in addition to serving as BLT’s Executive Editor for Ethics & Professional Responsibility, has been the Business Law Section’s liaison to an ABA Border Search Task Force that was organized in 2017 by former ABA President Linda Klein. He also served on the ABA Standing Committee on Ethics and Professional Responsibility and was a former chair of the Section’s Committee on Professional Responsibility. The views expressed herein are, however, entirely the author’s own.