U.S. Senator Ron Wyden says his office was informed this summer that Customs and Border Protection (CBP) is building a massive database with content seized from Americans’ cellphones at the border. Without warrants, the agency permits thousands of employees to search the database “for any reason,” the Oregon senator said.
The disclosure came in a letter dated Thursday to CBP Commissioner Chris Magnus, a former Arizona police chief, appointed by President Biden last year. In it, Wyden calls for immediate changes to the agency’s policy, beginning with halting the searches of Americans’ phones absent a judge’s approval. Wyden asks Magnus for “a written plan” describing the steps his agency will take to address the senator’s concerns.
“Innocent Americans should not be tricked into unlocking their phones and laptops,” Wyden said. “CBP should not dump data obtained through thousands of warrantless phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans’ personal data whenever they want.”
The letter offers fresh details and context for CBP’s electronic searches, as well as its monitoring of Americans’ activities specifically. The figures it includes paint an unsettling image of the surveillance technologies being rapidly deployed, testing the limits of constitutional safeguards at an agency routinely plagued by data-security problems.
It’s unclear how many Americans and foreign nationals the database’s information encompasses. The agency relies on an exception to the Fourth Amendment, Wyden says, which permits border officials to conduct “basic searches” of a traveler’s phone or laptop without a warrant. These searches can be done without suspicion of wrongdoing, and anyone crossing the border may be targeted.
The issue here is that CBP is now citing that same authority when using tools that can, today, enable agents to scrape a phone dry. And that’s a major leap from a scenario in which a single border agent manually reviews a traveler’s text messages. The contrast is made more stark by the fact that, according to Wyden, CBP believes it has legal authority to store all the data it scrapes, and allow employees to rummage through it for up to 15 years.
The Washington Post first reported the news.
The letter stated that Wyden’s office became aware through briefings that CBP practices included “pressuring travelers to unlock their electronic devices without adequately informing them of their rights,” and “downloading the contents of Americans’ phones into a central database, where this data is saved and searchable for 15 years by thousands of Department of Homeland Security employees, with minimal protections against abuse.”
“In a June 20, 2022 briefing to my office, CBP estimated that it forensically examines and then saves data from ‘less than 10,000' phones per year — which typically include text messages, call logs, contact lists, and in some cases photos and other sensitive data — in a central database. CBP confirmed during this briefing that it stores this deeply personal data taken, without a warrant signed by a judge, from Americans’ phones for 15 years and permits approximately 2,700 DHS personnel to search this data at any time, for any reason.”
Wyden, who is a 20-year veteran of the Senate Intelligence Committee, said that DHS employees are keeping virtually no records describing the purposes of these searches, an oversight that commonly engenders abuse, and makes auditing the practice impossible. CBP had so far failed to provide any statistics on how many Americans are referenced in the database, or how often government employees use it, Wyden said.
In response to an inquiry, CBP sent Gizmodo a 1,840 word email, bullet-pointed, including what seems to be a collection of revised text pulled from a 4-year-old privacy impact report. (You can read the entire email here.)
CBP’s response opens by describing its broad search authority, which it notes “extends to all persons and goods, including electronic devices, crossing our nation’s borders.” In a section describing its border search policy, CBP says its employees can conduct an “advance search” of a person’s device — using equipment that downloads its contents — with a supervisor’s permission. Reasonable suspicion can be used, but is not a requirement, it says. CBP employees can instead have a “national security concern.”
It’s not immediately clear what a “national security concern” is, or what differentiates it from reasonable suspicion, an already low evidentiary standard, far below what any ordinary police officer or prosecutors would require to search the contents of a phone. (The American Civil Liberties Union was likewise perplexed by the term when DHS started using it in conjunction with cellphone searches, writing it is “not clearly defined in the policy and potentially vague enough to cover a wide array of scenarios.”)
On “concern” alone, CBP can also review content ripped from a device using an Automated Targeting System (ATS), the agency’s email says. Based on the government’s description of how an ATS works, this practice would evaluate the downloaded content, including contact lists, against scores of internet and external databases, such as those used to identify terror suspects or locate individuals with outstanding warrants — without a warrant or reasonable suspicion that a crime has occurred.
Advanced searches—which involve using forensic tools to download rather than manually review cellphone content—began as a pilot program in 2007, under a project called Document and Media Exploitation. Since that test-run, the program has expanded from four to 133 points of entry, according to a 2021 report. Information from this growing “advanced search” database is routinely shared with Immigrations and Customs Enforcement (ICE), state and local law enforcement agencies, and the FBI, as the Washington Post reported.
The number of device searched in the past 10 months alone has so far exceeded the total for the entire previous fiscal year, according to CBP’s own disclosures. From October to July, the agency searched no fewer than 38,567 devices, either through “basic” or “advanced” means. The figures indicate that CBP has been steadily scaling up the searches, alongside government audits uncovering flaws in its practices.
ICE, too, has been investing heavily in cutting-edge surveillance, spending roughly $2.8 billion on tracking technology since 2008. Financial disclosures in April revealed the agency had recently spent upwards of $7.2 million on a contract with an absurdly named facial-recognition vendor: Trust Stamp.