Border Patrol Says It's Barred From Searching Cloud Data On Phones

According to a letter obtained by NBC News, U.S. border officers aren't allowed to look at any data stored only in the "cloud" -- including social media data -- when they search U.S. travelers' phones. "The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, (D-Ore.), and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also -- apparently for the first time -- declares that it doesn't have that authority in the first place." From the report: In April, Wyden and Sen. Rand Paul, R-Ky., introduced legislation to make it illegal for border officers to search or seize cellphones without probable cause. Privacy advocates and former Homeland Security lawyers have said they are alarmed by how many phones are being searched. The CBP letter, which is attributed to Kevin McAleenan, the agency's acting commissioner, is dated June 20, four months after Wyden asked the Department of Homeland Security (PDF), CBP's parent agency, to clarify what he called the "deeply troubling" practice of border agents' pressuring Americans into providing passwords and access to their social media accounts. McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion -- but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos.

Re:Misdirection

[Kjella]

CBP: "That's right folks. Store your data in the cloud because that is where it is most secure." Well played but no thanks.

What would you rather want, a ruling that they can? Also, remember that "the cloud" is not a legal term - if they can legally access your Dropbox/Facebook account, they can also access your personal Linux server you saved the ssh password for. Besides this fully makes legal sense, border control has the right to search the data you are trying to bring into the country. Data on a remote server you may potentially never access from or bring to the US should obviously not be part of the border search. I know many people here don't like concept of an electronic search at the border at all, but if you want that limited to a physical search for contraband the law needs to change. Until then use one of the many obvious ways to not have your private data accessible at the border.

Re:Look At The Other Hand

[Miamicanes]

Bonus points if you intentionally craft the phone/laptop's browser history with embedded Javascript to pwn the agent's own computer when s/he goes to view it using some badly-written viewer that naively renders it straight into an IE window. And plenty of JPEG cat images crafted to exploit buffer overflow vulnerabilities.

Or, if you just want a free ticket to Defcon next year as a speaker, make an image backup of your hard drive & any embedded firmware onto immutable media (like BD-R) prior to passing through customs, let CBP have fun installing malware on it, then diff your homemade honeypot against that backup when you get home and reverse-engineer any changes they made.