The CBP is searching more devices than ever and ramping up an "extreme vetting" program that includes biometric scans, demands for social media account passwords, and more intrusive searches across the board. As the number of device searches continues to increase, the agency's technical chops and internal oversight aren't keeping pace.
That's according to a recently released Inspector General's report [PDF], which finds little to like about the CBP's search processes and policies, other than that they occasionally manage to catch criminals attempting to enter the US. The CBP's Office of Field Operations is supposed to be taking charge of device searches, ensuring they're done effectively and intelligently. So far, it appears the OFO has taken a hands-off approach to management, resulting in bad practices and worse security.
[B]ecause of inadequate supervision to ensure OFO officers properly documented searches, OFO cannot maintain accurate quantitative data or identify and address performance problems related to these searches. In addition, OFO officers did not consistently disconnect electronic devices, specifically cell phones, from networks before searching them because headquarters provided inconsistent guidance to the ports of entry on disabling data connections on electronic devices. OFO also did not adequately manage technology to effectively support search operations and ensure the security of data.
Here's the kicker: the OFO is so laid back it still hasn't begun to address a problem raised by the Inspector General more than a decade ago.
Finally, OFO has not yet developed performance measures to evaluate the effectiveness of a pilot program, begun in 2007, to conduct advanced searches, including copying electronic data from searched devices to law enforcement databases.
Considering the pace of technology development, the OFO has managed to put the CBP more than a decade behind. Playing catch up now will probably bring them to five years behind schedule sometime within the next couple of years and ahead of the office's baseline expectations sometime around never.
These device searches can be intrusive. In some cases, devices are held for months as the agency performs forensic searches and analyzes the data. These intrusions need to be justified, but the IG found CBP officers can hardly be bothered to do the paperwork.
We reviewed 194 EMRs [Electronic Media Reports] and identified 130 (67 percent) that featured one or more problems, which totaled 147 overall.
The DHS's own search policies say device searches will be limited to data at rest, unless a deeper search can be justified. The OIG says none of the 154 EMRs compiled before the DHS reiterated this rule in April 2017 contained any evidence data connections were disabled before searches were performed.
This lack of care undercuts one of the arguments the DOJ offered when fighting against a warrant requirement for phone searches: that criminals could destroy evidence on a seized device using remotely-triggered software. The CBP either doesn't think this is a possibility or it sincerely doesn't care if it's jeopardizing its own searches. Either way, it does nothing to give the government's overdramatic assertions any more credibility.
The list of bad news goes on and on. The CBP failed to renew licenses for forensic software, resulting in the inability to perform advanced searches for a period of months. It also ignored retention policies, allowing data copied from people's devices to sit around on external storage devices indefinitely. As the OIG points out, this isn't just a policy violation. It's also a security issue. Agents could peruse communications and data they have no business looking at, and the theft of a storage device could result in unauthorized disclosures of travelers' data.
If there's a silver lining, it's that the CBP concurs with the IG's determination that it sucks. There's been no pushback from the agency -- only vows to make the needed improvements. But that's tempered by the fact the CBP still hasn't begun to address issues raised by the OIG in 2007. These recommendations will likely put the agency even further behind the technological curve, raising the chance of criminals and terrorists escaping detention and increasing the risks posed to travelers that their data might be abused by the CBP, or worse, some rando who happens to walk off with an unguarded USB stick.