Slashdot Mirror

← Back to Stories (view on slashdot.org)

Border Agents Fail To Delete Personal Data of Travelers After Electronic Searches, Watchdog Says (gizmodo.com)

Posted by BeauHD on from the search-and-not-destroy dept.

The Department of Homeland Security's internal watchdog, known as the Office of the Inspector General (OIG) found that the majority of U.S. Customs and Border Protection (CBP) agents fail to delete the personal data they collect from travelers' devices. Last year alone, border agents searched through the electronic devices of more than 29,000 travelers coming into the country. "CBP officers sometimes upload personal data from those devices to Homeland Security servers by first transferring that data onto USB drives -- drives that are supposed to be deleted after every use," Gizmodo reports. From the report: Customs officials can conduct two kinds of electronic device searches at the border for anyone entering the country. The first is called a "basic" or "manual" search and involves the officer visually going through your phone, your computer or your tablet without transferring any data. The second is called an "advanced search" and allows the officer to transfer data from your device to DHS servers for inspection by running that data through its own software. Both searches are legal and don't require a warrant or even probable cause -- at least they don't according to DHS. It's that second kind of search, the "advanced" kind, where CBP has really been messing up and regularly leaving the personal data of travelers on USB drives.

According to the new report [PDF]: "[The Office of the Inspector General] physically inspected thumb drives at five ports of entry. At three of the five ports, we found thumb drives that contained information copied from past advanced searches, meaning the information had not been deleted after the searches were completed. Based on our physical inspection, as well as the lack of a written policy, it appears [Office of Field Operations] has not universally implemented the requirement to delete copied information, increasing the risk of unauthorized disclosure of travelers' data should thumb drives be lost or stolen." The report also found that Customs officers "regularly failed to disconnect devices from the internet, potentially tainting any findings stored locally on the device." It also found that the officers had "inadequate supervision" to make sure they were following the rules. There's also a number of concerning redactions. For example, everything from what happens during an advanced search after someone crosses the border to the reason officials are allowed to conduct an advanced search at all has been redacted.

48 of 89 comments (clear)

  1. Confirmation is nice but... by fustakrakich · · Score: 3, Informative

    Raise your hand if you didn't expect that one...

    The still untried solution awaits

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Confirmation is nice but... by rtb61 · · Score: 4, Insightful

      Let's all guess why they are keeping it secret. I'll bet pretty much anything, that a bunch of customs agents where going through attractive women's photo albums and pilfering images used for sexting, oh yeah and doing it a lot.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Confirmation is nice but... by Locke2005 · · Score: 1

      Don't be so sexist... I'm sure there are plenty of gay TSA agents too!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Confirmation is nice but... by fustakrakich · · Score: 1

      It's a sad state of affairs as our worst tin hat paranoiac fantasies come true.

      Let this be a reminder that all those silly "privacy policies" out there are just as phony.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Confirmation is nice but... by Jane+Q.+Public · · Score: 1

      At least a couple of federal courts have ruled that Customs needs a warrant to search your computer or phone.

    5. Re:Confirmation is nice but... by gweihir · · Score: 2

      They have no accountability, they do not get punished whatever misdeeds they do, they have wayyyy too much power. Of course they would do this.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Confirmation is nice but... by Joce640k · · Score: 1

      Good luck enforcing that when you're facing the TSA at an airport and want to get somewhere.

      --
      No sig today...
    7. Re:Confirmation is nice but... by Joce640k · · Score: 1

      Let's all guess why they are keeping it secret. I'll bet pretty much anything, that a bunch of customs agents where going through attractive women's photo albums and pilfering images used for sexting, oh yeah and doing it a lot.

      Remember, these are the same people who steal the iphones and laptops from your checked baggage.

      --
      No sig today...
    8. Re:Confirmation is nice but... by rickb928 · · Score: 1

      And, most importantly, when they've gathered this information, they think it is THEIRS.

      And that is what needs to be changed.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    9. Re:Confirmation is nice but... by gweihir · · Score: 1

      Indeed. Very much so.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Confirmation is nice but... by Audguy · · Score: 1

      Why not both?

  2. Two out of Five ain't bad... by bobbied · · Score: 3, Interesting

    I'm surprised that two out of the five actually did delete the data.

    I wonder how much of this is "Quick Format" and "Hey we found old data here!" kind of things?

    But I think we buried the lead here. What really concerns me is that the documentation about the searches and why they where conducted is woefully lacking (see page 6 of the PDF). Seems that this process is ripe for abuse and that the controls in place for keeping this on the up and up are being ignored.

    Think of it this way.. IF nobody is documenting why and when this is being done, there is no real proof and no real way to get it to stop if it really is out of hand.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:Two out of Five ain't bad... by Joce640k · · Score: 1

      Lets be realistic. They search the cute foreign girls on 'advanced' mode and keep the thumb drives to bring home to search for nudes at night.

      You know it's happening.

      This.

      Just like they make cute girls go through the body scanner a second time and call all their friends over to make really sure she's not hiding anything.

      --
      No sig today...
  3. Re:When will people wake up? by ArylAkamov · · Score: 2

    Only when the average man becomes extremely uncomfortable. So not for a long time.

  4. WTF by Anonymous Coward · · Score: 1

    The USA is actually hard copying data from travelers phones? Jesus I'm glad I stopped flying through the US 5 years ago.

    1. Re: WTF by Anonymous Coward · · Score: 1

      We're glad too.

  5. Why would they. by wolfheart111 · · Score: 2

    They can sell it :(

    --
    [($)]
  6. Re:When will people wake up? by mermeid007 · · Score: 1

    Damn bullies. I'll get you if its the last thing I ever do! (shakes fist)

  7. Not so Random search... by sarren1901 · · Score: 1

    Well of course every hot chick is a potential security threat...

  8. So... by Locke2005 · · Score: 3, Interesting

    What's to stop you from removing the Micro SDHC card from your phone before the search? They're not getting their hands on MY MP3 files!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:So... by wonkey_monkey · · Score: 4, Informative

      What's to stop you encrypting your data and storing it somewhere on the internet instead of taking a physical copy through a checkpoint?

      If a terrorist wants to bomb a plane, he's going to need to smuggle a bomb past security, so checking people for bombs isn't exactly a stupid idea (whether the balance between safety, security, privacy, and theatrics is good is a whole different matter). But if he's got some "terrorist data" to move around, why would he physically carry it?

      --
      systemd is Roko's Basilisk.
    2. Re:So... by Anonymous Coward · · Score: 1

      With wifi just about everywhere and the possibility of setting up VPN tunnels back to private storage, why is there any reason to keep anything on your phone at a border crossing? upload before crossing, Wipe the device, redownload once you're across.

    3. Re:So... by AHuxley · · Score: 2

      The US gov is not after "company documents, tax documents, industrial documents". The NSA/MI6/GCHQ/CIA can get all that for free in real time globally.

      The US gov wants a person to lie directly when asked a simple question.
      The US mil and its support in other nations already know who is entering the USA and what they did globally while on "holiday".
      The questions and search at the international border allows for people tracked globally by the US mil/CIA to be questioned as a very random "event".
      Such people who support banned groups, have funded banned groups then have to lie about such support to the US gov.
      No further "methods" get exposed. That one lie revokes the ability to enter the USA. The "lie" can start a formal investigation without having to show what the US mil found the person doing in another nation.

      Its not about "company documents". The US wants to find images of people supporting banned groups, been in contact with criminals.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:So... by Anonymous Coward · · Score: 1

      One more reason not to travel to the US, even to tourism.

      With dozens already to choose from, what's one more? Only a fool would willingly set foot in that sh!thole of a country.

    5. Re:So... by pipedwho · · Score: 2

      Moral of the story, never remove the SD card from your phone before crossing the border. This manoeuvre is probably far more painful if there's nothing for them to find, and yet they keep looking.

    6. Re:So... by morethanapapercert · · Score: 2
      And yet, there have been those on this site who argue that making a copy isn't "theft" because the owner isn't deprived of their copy.

      In this case, for foreigners with sensitive business documents, the CIA and NSA would be seriously remiss in their duties if they didn't try to mine such info at every opportunity and analyse it 6 ways from Sunday to give the US any edge in security (and lets be honest, any edge in prosperity too)

      Terrorists, at least, tech savvy terrorists, wouldn't have sensitive data on mobile devices coming across the border. As others have said, it only makes sense to use cloud storage for that sort of thing. BUT, what the hypothetical terrorist might have on his device is traces of the address of their chosen cloud storage, encryption keys needed and so on. (probably not log in/authentication credentials, those are usually memorized.) If a bad actor forgot the encryption keys were on his system, DHS would have a nice invitation to access every thing he could.

      In theory, what happens is your sensitive business info gets slurped onto a thumb drive and then sent to the DHS central database and some automatic screening goes on. If you have nothing that raises red flags, it gets archived in that massive NSA storehouse and you are free to go. Unless it becomes relevant to a case, your data never gets looked at by a human being and likely never gets re examined by software either.

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    7. Re:So... by drinkypoo · · Score: 2

      And yet, there have been those on this site who argue that making a copy isn't "theft" because the owner isn't deprived of their copy.

      That's because it isn't theft. Theft is where you take someone from someone and they are subsequently deprived of it. Copying someone's data without their permission is not theft, it is violation of copyright. We have an entire separate body of law for copyright specifically because it is different from theft. Were it otherwise, we could simply have different sentencing guidelines under the existing laws governing theft to cover theft of data. But it isn't, so we don't, because you can't.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:So... by DontBeAMoran · · Score: 1

      Theft is where you take someone from someone and they are subsequently deprived of it.

      No, that's called kidnapping.

      --
      #DeleteFacebook
    9. Re:So... by drinkypoo · · Score: 1

      No, that's called kidnapping.

      Touche. Although in my defense, it's also called a typo.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:So... by couchslug · · Score: 1

      "But if he's got some "terrorist data" to move around, why would he physically carry it?"

      Because sneakernetting doesn't get you a JDAM visit in the middle of the night. Taliban used sneakernet for that very reason.

      The internet cannot ever be considered secure (let's not pretend otherwise) so using it is asking to get whacked.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  9. Re:When will people wake up? by ShanghaiBill · · Score: 5, Informative

    The Constitution only applies to U.S Citizens.

    No it doesn't. The Constitution does not confer rights. It places restrictions on the government. The First Amendment says: "Congress shall make no law.... It doesn't say "no law except on foreigners". No where in the Bill of Rights does it say they only apply to citizens.

    These searches are applied to non citizens trying to gain entry to our country.

    Wrong. Anyone, citizen or non-citizen, is subject to search when crossing a border, or within the border area.

  10. So... by TheDarkMaster · · Score: 4, Insightful

    So the border guards can steal your data without having to give any explanation and without having to fear consequences. And I'm not talking about "MP3 files", I'm talking about company documents, tax documents, industrial documents, all sorts of perfectly legal information that is private property of a company or an individual.

    One more reason not to travel to the US, even to tourism.

    --
    Religion: The greatest weapon of mass destruction of all time
  11. Why not? by AndyKron · · Score: 1

    Why should they? They do whatever the hell they want. Who's going to stop them? Who's going to jail?

  12. Re:When will people wake up? by AHuxley · · Score: 3, Informative

    Once a non US citizen is in the USA they get all the expected human rights that the US gov has set and accepts.
    Food, water, health care, visits by their embassy.

    People just have to stop supporting/funding banned groups when outside one the USA.
    Been part of a banned group and not mentioning that fact when asked is a crime.
    Supporting a banned group and related funding is a crime when asked about any such activity.
    Traveling in a nation that supports banned groups and not telling the US gov about that extra "holiday" when asked is a crime.
    Having images taken with wanted criminals who are active members of a banned group .... and not mentioning that to the US gov..
    Creating a fake identity to hide past that had a person supporting banned groups.
    Banking for banned groups.
    Transferring tech and money to nations that have sanctions imposed.

    No loss of rights for a non citizen/illegal migrant. When the US gov asks questions when entering the USA, don't hide past events and expect to be allowed in.

    Thats why the search of digital data/images/gps is so important. It finds people who support banned groups outside the USA. People who then lie to the US gov.

    --
    Domestic spying is now "Benign Information Gathering"
  13. Thumb drive prophylaxis by pipedwho · · Score: 4, Insightful

    So let me get this straight.

    Some random customs officer takes a USB stick and puts it into someones laptop. A laptop with total control of its own I/O systems, peripheral ports, and software execution environment. Maybe they try to run some custom software that exists on the USB stick. Maybe they try to boot your machine off their USB stick, or have it somehow run something from the USB stick before you host OS takes control.

    Then they take out the USB stick, hopefully wipe it off, and put it into someone else's laptop and do the same thing?

    And they think this is a good idea?

    I'll leave it up to the reader to see if they can find the problem with this.

    1. Re:Thumb drive prophylaxis by joe_frisch · · Score: 1

      I'd assume that a machine CBP touched should be immediately destroyed. I have no faith that they haven't installed something or that they may have made security mistakes that allowed the machine to be compromised. I'd probably tell them to keep it.

    2. Re:Thumb drive prophylaxis by morethanapapercert · · Score: 4, Interesting
      That could be the plot of a decent movie. DHS decides to spend a LOT more attention on tourists coming in and out of Las Vegas during the Black Hat conference. Licking their chops in anticipation of all the grey and black hats they're gonna catch. But word of this plan leaks and attendance to the Con spikes massively as hacker and cracker folk from all over the world rush to Las Vegas in hopes of scoring the major coup of being the one who provided the poison pill mobile device that brought the DHS system down. Security checkpoints buckle under the unexpected load, supervisors calling in everybody for unscheduled overtime, the whole thing blowing up and social media, some grey hats going through security over and over, with ever decreasingly plausible disguises to see what it takes to make the overwork slobs on the front lines go "wait a second..." And then, when misery is at its peak, someone's carefully crafted data finds a weakness in the data upload system and brings down the DHS-NOC links for every customs point in America and a few in other countries.

      TALK ABOUT BRAGGING RIGHTS. It's xkcd's Bobby Tables gone hard core.

      (innocent look) Does any one know if DHS sanitizes its data inputs?

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    3. Re:Thumb drive prophylaxis by morethanapapercert · · Score: 1

      I probably have the time (retired) but I doubt I have the technical chops to make it plausible nor the writing chops to make such a work saleable.

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    4. Re:Thumb drive prophylaxis by Anonymous Coward · · Score: 1

      I've heard from security folks that standing policy for Dutch govt. Officials is to only use disposable devices when going into China any Russia. I think they've extended that to the USA. For the EU defense industry the US was already off limits for hardware across the border after a few incidents in the late 90's.

      If I ever travel to the USA or China, my phone will be clean. Facebook... I will close it soon. Have to go to China next year and they also like to grab a copy of your info.

      Twitter is no problem. I keep that "corporate clean". Anything else I think I'll review over Christmas.

      It used to be paranoid to think like this :/

    5. Re:Thumb drive prophylaxis by Anonymous Coward · · Score: 1

      ... and they've never shown any interest in any of my devices.

      I would be insulted by this. This should make you take a step back and review how you're living your life.

    6. Re:Thumb drive prophylaxis by MiniMike · · Score: 2

      A "bad actor" could also copy whatever was available on the DHS USB drive from previous scans, in hopes of getting useful into/pics/method to embarrass DHS. If there's a high value (or hot) target, they could even just get in line behind them in hopes of getting this data.

  14. Re: Define 'Crossing The Border' by Anonymous Coward · · Score: 1

    They can and they do. You might be able to challenge it in court though, but donâ(TM)t expect that to be easy.

  15. I wonder... by morethanapapercert · · Score: 1
    I wonder if the private data coming from the device of an attractive woman makes any change to the odds of it being "accidentally" left on the USB? A local tech shop has had to fire a few employees over the years because they would make a point of skimming through the hard drives of attractive women, hoping to score some nude selfies.

    Plus, is anyone making sure that these thumb drives aren't growing legs? The DHS doesn't have a good track record there. There has been apparently a lot of cases of valuables were mysteriously disappearing while in DHS custody

    --
    I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
  16. Re:Kill them all by morethanapapercert · · Score: 1

    sadly, your IP has probably been noted, correlated with all your other traffic and this post is what put you over the top to get flagged on the NSA servers. If the US goes full fascist, guys like you will disappear in Night and Fog II electric boogaloo..

    --
    I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
  17. Re:When will people wake up? by morethanapapercert · · Score: 5, Insightful

    The irony of someone promoting this sort of thinking while using the handle AHuxley is just staggering. You do know that Aldous was on the left side of the political spectrum right? He was a humanist, cherished the value of human beings over the systems humans create to serve their needs.

    --
    I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
  18. Re: CBP is tasked to protect against any illegal i by Anonymous Coward · · Score: 2, Interesting

    It's a gotcha procedure, and has nothing to do with protecting anyone or anything. It's simply about catching people in an arbitrary violation of rules in order to extort money or exert power.

    That sort of arbitrary game playing is the very essence of government corruption, it's simply a matter of scale and scope. They get away with the little shit they pull, and keep pressing the boundaries until the gotcha games exceed some critical threshold - either populist in nature, or someone with sufficient power and money gets irritated.

    Gotcha games should be identified and eliminated by their essential qualities, instead of citizens having to play along. In fact, that's kinda the whole fucking point of the U.S. constitution. These things are only possibly because the core principles have been irrevocably buried in two centuries of corrosive minutiae.

    The solution is the modern digitization, review, simplification, and constitutional ratification of all federal law. Fat chance of that ever happening, when known loopholes and ever more nebulous, incoherent laws allow essentially unlimited abuse by the ruling class.

  19. So... better to not carry devices at all then. by visigoth · · Score: 1

    I don't travel often and generally refuse to fly when I do, seeing how air travel has devolved to treating passengers like livestock over the past couple decades. Is there even a "safe" way to travel in and out of the U.S. with any devices (laptops, cellphones) at all? Seems one would be better served by carrying *nothing*, and procuring necessary (disposable) devices when at destination, and discarding them before return trip. If I have nothing on me or in my luggage that has digital content at all, then nothing to search, right?

    Seems highly inconvenient, but no way would I be willing to submit so a search of my hardware, for all the many reasons noted elsewhere in this thread...

  20. Re:When will people wake up? by AHuxley · · Score: 1

    AC re "foreigners that go bankrupt after accidents and hospital bills in US." That is a US gov problem how? Buy some medical "travel insurance".
    AC that "right to not being frisked" has been before many a US court over generations and decades. The US gov finds it can have a secure border.

    --
    Domestic spying is now "Benign Information Gathering"