back to article US border cops harvest info from citizens' phones, build massive database

US Customs and Border Protection (CBP) "routinely conducts warrantless searches of Americans' devices," downloading from up to 10,000 phones a year texts, photos, call logs, and more into a central database where it's stored for 15 years and searchable by some 2,700 federal employees. This, according to US Senator Ron Wyden (D …

  1. Oliver Knill

    unconstitutional

    Clearly a breach of constitutional rights, at least if the phone breach is done to US citizens.

    1. veti Silver badge

      Re: unconstitutional

      Citizenship still has nothing to do with it. The 4th amendment makes no mention of citizenship, nationality or anything related to them.

      The 14th amendment, on the other hand, says that legal rights ("protection") must apply equally to "any person within [the] jurisdiction". It would be unconstitutional to exempt Americans from a process that can be done to foreigners.

      1. EnviableOne

        Re: unconstitutional

        the problem is at the border, you are not in the jurisdiction, CBP are the guard at the gate

    2. Falmari Silver badge
      Devil

      Re: unconstitutional

      @Oliver Knill "Clearly a breach of constitutional rights,"

      No it is not clearly a breach and that's the problem.

      Does the border search exception apply to phones? Well that depends on the court 9th or 11th circuit. As for the storing of the data in a massive database I don't think that is covered by the Constitution*.

      Now of course I think it is wrong, just it's not clear that it's a breach of constitutional rights.

      * Now I maybe wrong, as I am from the UK.

      1. This post has been deleted by its author

      2. Cliffwilliams44 Silver badge

        Re: unconstitutional

        The exception is unconstitutional and should be abolished.

        This sounds like more Patriot Act nonsense.

        Citizenship has nothing to do with this. the 4th and 14th apply to anyone within the US.

        1. lglethal Silver badge

          Re: unconstitutional

          Ah but at the border are you technically within the US?

          (I'm just showing that there will always be ways to weasel around even the clearest written law if someone in power wants it...)

          1. Irony Deficient

            Ah but at the border are you technically within the US?

            On the US side of the border, yes. (Further discussion on the topic can be found in other comments on that linked page.)

        2. Falmari Silver badge
          Devil

          Re: unconstitutional

          @Cliffwilliams44 "The exception is unconstitutional and should be abolished."

          If the exception was abolished then customs would be unable to search anyone's belongings at the border without first obtaining a warrant.

    3. Snake Silver badge

      Re: unconstitutional

      I'd still like to know how this is done: on both Android and iOS, if you have any form of screen lock activated then the phone's data should be encrypted and attempts to access the data should be revoked.

      So, the only way I can see this occurring, if USB security is as they say it is on these devices, is that the phone didn't have a PIN / password / FaceID / et al activated. So, err, well...it sounds like the owners didn't care? Am I missing something??

      1. This post has been deleted by its author

        1. tekHedd

          "With reasonable suspicion..."

          *Without* reasonable suspicion, they can also perform a detailed search, using special software to connect to and download everything from the device. It's just not legal. But they totally can; it's really not like we can stop them. :(

    4. fidodogbreath

      Re: unconstitutional

      Sen. Wyden: an "egregious violation of Americans' rights."

      CBP: "That's a feature, not a bug. And by the way, we all got a real kick from the contents of your Photos and Messages after your last international junket. I imagine it would be really embarrassing for you if those got out somehow."

  2. An_Old_Dog Silver badge
    Black Helicopters

    Safety First!

    Don't carry a phone or a laptop past any national border -- in either direction. And it's not just the US of A that's snooping.

    1. Jim Mitchell
      Black Helicopters

      Re: Safety First!

      Border? US CBP jurisdiction stretches 100 miles from the external border, covering a good chunk of the US population, even if they never cross an international border.

      1. aerogems Silver badge
        Big Brother

        Re: Safety First!

        Worse, it extends 100 miles from any PORT OF ENTRY. That includes any "international" airport. So you could have something like near where I grew up. A good couple hundred miles from the border with Canada, but close enough that there's an airport that has service to Canada, making it technically an international airport and thus the "border" extends for 100 miles around that airport covering the bulk of the state which is completely landlocked by other states.

        1. localzuk

          Re: Safety First!

          100 mile border is crazy. If that was applied in all countries, the majority of the planet would be "border".

          Great Britain would be in its entirety as its widest point is 300 miles, and there's at least 1 international airport in the middle of that line.

        2. Michael Wojcik Silver badge

          Re: Safety First!

          Worse, it extends 100 miles from any PORT OF ENTRY. That includes any "international" airport.

          That's certainly been claimed, and I'm sure CBP like to believe it, but is there evidence that they've actually exercised the border exception outside the territorial-border zone, other than in actual ports of entry (e.g. on airport grounds)? I didn't find any in a quick search.

          I'm not arguing that the border exception isn't abusive, or that CBP haven't routinely abused even the excessive powers it grants them. There's a ton of evidence for the latter. And even the territorial-border 100-mile zone includes about 2/3 of the US population. But the ACLU fact sheet on the border zone, for example, doesn't mention the airport extension.

          Incidently, someone else posted something about the PATRIOT Act. This 100-mile-border-zone thing, alas, goes back to the 1950s, as the ACLU fact sheet explains. Unfortunately, police organizations basically never voluntarily surrender any power, the Executive Branch has absolutely no interest in curtailing CBP, and while some in Congress have fretted about it on occasion and there have been some court challenges, neither of the other branches have done much about it.

      2. Aitor 1

        Re: Safety First!

        That includes international airports.. so most population.

    2. Frank Bitterlich

      Re: Safety First!

      While that is my instinctive reation to this as well (or to use a burner phone with just the necessary contacts etc for travel), some countries (including the US) see that as very supicious and may deny entry on that reason alone. So, Catch-22.

      For me that has been a deterrent to visit certain countries for some time.

      In East Germany, they had "Zwangsumtausch" (mandatory exchange of real money into their "money") for visitors; in more modern countries, they take your data for payment. That's called "digitization", I think.

    3. Agamemnon
      Devil

      Re: Safety First!

      1. Burner Phone with only what you Absolutely need.

      2. Ship DSDs in laptop ahead and run off a USB Stick in Read Only you'll cheerfully let them have.

      3. Know the passwords to your cloudy stuff.

      I haven't crossed the border {North or South} in done time, but I assure you that's how I'll be doing it.

      * Bonus points because they'll likely be Furious.

      1. An_Old_Dog Silver badge

        Re: Safety First!

        If they ask you why you have no cellphone with you, tell them truthfully that it won't work in country X. (Be careful, as this might not be true if you're travelling between Canada/USA/Mexico.)

        In addition to having your contacts vacuumed up, you run the risk that any device "examined" by the CBP or similar non-US agencies will have spyware planted into it -- nation-state-level spyware which lives in the Ethernet controller, the UEFI, or othet hardware locations and which will not be detected or removed by commercial malware scanners.

        Buy a burner phone off-the-shelf in the country you are visiting. Buy a cheap laptop off-the-shelf in the country you are visiting, and RDP-over-VPN to your "real" computer in your home country.

        Obviously, this won't work in countries you visit which have poor connectivity and/or laws against using VPNs.

  3. Anonymous Coward
    Anonymous Coward

    I left the US in 2001 due to health issues and because since 9/11 the place had gone absolutely nuts over the unlikely chance of another attack. Paranoia ran (and still runs) rampant, cop killings were increasing due to the tensions in society and because of the invasions of privacy, and I have absolutely NO desire to return or even travel through the US until they come to their senses and stop this gun-toting pseudo-Nazi nonsense.

    1. Yet Another Anonymous coward Silver badge

      You think it's going to be isolated to the USA?

      The only reason the UK doesn't do this is the difficulty of training the police.

      "No constable Savage you do not turn on an iPhone by hitting it with a truncheon - that's only Nokias"

  4. Winkypop Silver badge
    Thumb Down

    Travel to or through the US?

    Not bloody likely!

    Not any more.

    1. Joe W Silver badge

      Re: Travel to or through the US?

      Well, this has been going on for years, so nothing new. And no, I do not really plan to go to the US, though I miss my friends there, and I would really love to see some of the national parks. I dislike, however, the way the country went under the past administration, and I am deeply worried about some developments - but let's not get political here. I usually had my laptop with limited personal data on it, and ditto a pretty clean cell phone (still do that, it is not running my life, thank you), though that is not always an option.

      I did travel to the US quite often in my past job (so much I usually messed up the "when were you last in the US?" first question when entering - dude, you are looking at the stamps, there's a bunch, I'm a regular visitor, as should be noted in your computer as well). I have usually been treated very professionally, so I won't say anything against the people I interacted with. They have also been very helpful when we did have a very tight connection (due to delays), opening a fast line for those passengers.

      Only once, when I was traveling through the US to Canada, and had to make a connecting flight, and was still a student on a student visum, I was questioned in a small room. I'd say it was still respectful enough, and I did make the connection. But actually it was none of their business - I was going to Canada after all. I guess it was because I'm a physicist, had a pilot (for real planes, i.e. gliders, no engine to cover your mistakes) license, and it was September 2002...

      1. SundogUK Silver badge

        Re: Travel to or through the US?

        Because they do have engines, powered aircraft are not designed to fly without them. It's when a powered aircraft loses it's engines that you discover who the real pilots are.

        1. Aitor 1

          Re: Travel to or through the US?

          A stone with a powerful enough engine/propeller and control surfaces would fly.. agree with you

          1. Anonymous Coward
            Anonymous Coward

            Re: Travel to or through the US?

            Isn't that the premise behind most modern combat jets?

            Although you missed out the computer, as I seem to remember most new fighters are inherently unstable in flight (they rely on it to be able to perform seemingly unpredictable manoeuvres) and without the computer controlling the control surfaces, thrust vectoring etc are totally unflyable

      2. veti Silver badge

        Re: Travel to or through the US?

        Last time I transferred at a US airport was in December 2001. It was chaos. When I've got off a 12-hour flight and have another one to look forward to in about three hours' time, I really don't enjoy having to spend those hours queuing, filling in forms that don't apply to me, and being interviewed by unsmiling immigration officials who threaten to throw me out of the country because I don't have an address.

        "Look, I'm getting on another plane, I'll be out of the country in a few hours" - was the answer, but their form didn't have a box for that. They'd only just changed the rules to say that international transfer passengers must go through US immigration, and immigration officials weren't used to seeing people in this situation. Why they made that rule change, or how it was supposed to make the country safer, is something I don't understand to this day.

        1. AnAnonymousCanuck

          Re: Travel to or through the US?

          > They'd only just changed the rules to say that international transfer passengers must go through US immigration,

          No rule change, it has always been that way, since the mid 1950's I believe.

          YMWNV (Your mileage will not vary, not with US Customs.)

          AAC

        2. Someone Else Silver badge

          Re: Travel to or through the US?

          Why they made that rule change, or how it was supposed to make the country safer, is something I don't understand to this day.

          Oh, that's easy; I can explain it in two words: Security Theater.

          1. Yet Another Anonymous coward Silver badge

            Re: Travel to or through the US?

            >Security Theater.

            I wouldn't mind that, but did it have to be Brecht ?

        3. MachDiamond Silver badge

          Re: Travel to or through the US?

          ""Look, I'm getting on another plane, I'll be out of the country in a few hours""

          When I was traveling and had stops in countries for a couple of hours, I'd tell the Customs person the reason for my visit was "in transit". They seemed to always understand that and not bother me. At most, they'd ask when my next flight was leaving and it's destination.

          1. veti Silver badge

            Re: Travel to or through the US?

            Yep, that's what usually happens. Since then I've transited through Thailand, Dubai, Malaysia, Hong Kong, South Korea (the common thread being "go nowhere near the US"), and not had a moment's problem in any of them.

            And to be fair, it probably happens in the US most of the time. But not in December 2001.

      3. Anonymous Coward
        Anonymous Coward

        Re: Travel to or through the US?

        "Well, this has been going on for years, so nothing new"

        one of the links is to a similar ElReg story from Jan 2018

  5. Little Mouse

    GDPR?

    There must be a GDPR angle to this too, Shirley?

    It's not only US citizens whose details are being stored with questionable justification.

    1. doublelayer Silver badge

      Re: GDPR?

      GDPR exempts government entities. Now I don't think they bothered to exempt non-EU governments, but if it really came to it, the U.S. government could say that the exceptions for governments applied to them anyway. The court could decide either way.

      That is if it got there, which it wouldn't. In order to have GDPR consequences, a European data authority would have to investigate and fine the U.S. government, then sue them when the U.S. refused to pay. There's no chance they will investigate, assess a fine, or sue a government, and if they did all of that, the U.S. would say it wasn't chargeable under EU laws and refuse to do anything in that country. They'd have an argument under international law to back up that statement. Only if the entire government of some EU member was willing to start a diplomatic war over the issue could you get anywhere. They're not.

      1. Malcolm Weir Silver badge

        Re: GDPR?

        It's not just GPDR, but any domestic laws (treating the EU as a single entity for considering whether it's domestic!).

        If it were not so, any country could pass a law saying it's illegal to speak with a funny accent, or be rude about the French, or whatever and expect to have the USA (or indeed any other country) respect and probably enforce their weirdo laws.

        Bottom line: GPDR only has bearing when you have "long-arm" situations involving individuals located within the EU: Google storing stuff in the USA from activities inside the EU, and so on... but not Google storing stuff about EU citizens within the US, as there's no nexus with EU territory.

      2. Anonymous Coward
        Anonymous Coward

        Re: GDPR?

        "GDPR exempts government entities."

        I don't believe this is factually correct.

        GDPR has exemptions based on things like national security laws and other (national) laws but in the simple form "government entity" does not equal "automatically exempt".

        Any entity (whether government or not) would have to have to be subject to a specific law in order to have an exemption, e.g. your bank can indicate "lawful obligation" as a lawful basis/condition for processing your data as they are legally required to share some of their customer data with HRMC, law enforcement etc in specific circumstances/for specific reasons, i.e. anti-money-laundering laws.

    2. Anonymous Coward
      Anonymous Coward

      Re: GDPR?

      "There must be a GDPR angle to this too, Shirley?"

      Why would there be?

      The (EU) GDPR covers the processing of the personal data of individual in the EU. It does not cover the processing of personal data of EU Citizens, it covers that of *anyone* present in the EU, so if an American is in EU for a 2 week holiday then in theory GDPR applies to any processing of their data during that period.

      People seem to wrongly think that if they're a EU citizen then the (EU) GDPR protects their personal data as they roam around the world, and also that visitors to the EU are not protected by (EU) GDPR as they're not EU Citizens...

      If you're at the US Border you're obviously not in the EU and so the (EU) GDPR does not apply...

      Relevant (EU) GDPR extracts:

      "(14) The protection afforded by this Regulation should apply to natural persons, **whatever their nationality or place of residence**, in relation to the processing of their personal data."

      "(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects **who are in the Union** by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment."

      "(24) The processing of personal data of data subjects **who are in the Union** by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour **takes place within the Union**."

  6. Anonymous Coward
    Anonymous Coward

    Easy to counter

    We've been aware of that risk for a long time, so our gear is set up in such a fashion that the confidential elements vanish inside of 10 seconds without a trace. That leaves a device that is ostensibly still in use (otherwise it looks suspicious, never reset your phone before you cross such a border), but from which no confidential material can be obtained.

    It's not just the US border that is a risk here, there's also China and Russia, although I'd imagine that last border gets crossed a lot less these days. China also has some interesting legislation with respect to encryption that you have to be careful with.

    1. very angry man

      Re: Easy to counter

      oddly

      i went to China recently, arrived with out a visa, everything was handled at the airport very quickly, less than an hour, they didnt take my phone, the only thing i had to do was book a room couse they needed an adress, and they helped with that( not to expensive)

      China is not set up for tourests so is HARD, need a local tour guid and take your passport everywhere

      1. Anonymous Coward
        Anonymous Coward

        Re: Easy to counter

        what you're saying is _peculiar_, as I have heard, from a few reasonable sources (people who have visited China within the last 3 years or so), that they search EVERY phone at EVERY Chinese border. Possibly diplomatic passport holders are excluded, but no exception otherwise. Well, I guess there would be exceptions like "I don't have a phone' and no, he doesn't have a phone, after thorough inspection, or 'here's my trusty nokia...', although I imagine that 3G networks in China are already a thing of the past.

  7. GrahamRJ

    Beaver State?

    There's more than one way to get that designation, surely...? And it's only now I discover that El Reg has removed the Paris Hilton icon. :(

    1. Someone Else Silver badge

      Re: Beaver State?

      And it's only now I discover that El Reg has removed the Paris Hilton icon. :(

      Damn! Thanks for the heads up, GrahamRJ. So what are they going to replace it with? Maybe a "Zuck you" icon?

  8. Yet Another Anonymous coward Silver badge

    National security

    Now that Britain has a king (with 3rd in his name) then the risks of a repeat of the revolutionary war / traitorous rebellion are very real.

    So we need to check everyone's phone in case they are hiding redcoats in it

    1. Anonymous Coward
      Anonymous Coward

      Re: National security

      Luckily y'all ditched Boris before he could style himself Lord Protector

      1. Mike 16

        Lord Protector

        I once read that the drafters of the U.S. Constitution were very aware of Cromwell, and what he wrought.

        Some saying about it being "written by 39 men and a ghost" (Cromwell). Some other bits of wisdom on the web indicate 55 delegates, but the votes to adopt were only 39 of them. We still have the ghost, of course, for those paying attention. Most are too busy to care.

  9. tim292stro

    I thought we all knew to never take a personal device across a border more than a decade ago... Isn't everyone else using a sterile burner phone for international travel? Nothing to snoop, no personal details involved. Certainly never take a personal or work laptop across a border - we've know that US DHS/Customs will take a machine they are interested in behind a curtain or into another room and clone a disk drive and any portable media carried.

    Anyone with proprietary, confidential, or private information they'd prefer to keep non-public is much better served on encrypted data-at-rest hardware hosting acces to it on a VM behind a Firewalled-VPN in a locked room they own/control and then logging in remotely after verifying the local burner device's integrity. It's not just the USA, you have to worry about every other contry's government's throughts on the issue.

  10. Il'Geller

    Such the practice can be harmful and dangerous for society, if giant BERT-type models are used to structure obtained by the US Customs and Border Protection (CBP) data. These models, if they are made according to the right methodology (like GPT-3), contain manually annotated texts and other data, which help to structure, in their turn, any data at all. Then it becomes possible to make "lexical clones" on real people, their individual AIs; there these clones contain and can supply all kinds of personal information without any warnng.

    This practice is indeed an extraordinary threat to our Democracy, opening the way to the creation of a totalitarian regime, whch litterally can control thoughts...

  11. MachDiamond Silver badge

    Don't keep records

    "CBP doesn't keep records on the number of basic versus advanced searches, how many times its agents download data into its central database, nor how frequently Homeland Security searches this database."

    Never keep records about something you don't want to divulge. I couldn't say of my own knowledge that there has been tampering with the elections in the US, but the States claiming there is no fraud is outrageous. They don't look for any just in case they find some. When private entities find that many people that have died are still on the roles years after the worms have had their turn and the states didn't notice, it's on purpose. One state in the 2020 Presidential election had over 1/2 million voters with a unique surname. I'll admit that it's statistically possible, but I'd wager it's highly improbable.

    More import than how many times Homemade security searches the database is how many other TLA's they share it with. The whole premise behind the agency was to coordinate intel between the various domestic, international and specialty spy agencies.

    1. Someone Else Silver badge

      Re: Don't keep records

      Well, there have indeed been some documented (and prosecuted) instances of fraud in the last election.. Can't help but notice, though, that all instances found, and prosecuted, thus far have been committed by Republicans.

      Psychologists have a word for this. It's called "projecting".

  12. MachDiamond Silver badge

    Back up

    It's always a good idea to have a back up mobile phone that you can swap to if your one takes a swim or crashes to the ground with the greatest of ease. When you travel, put your SIM in that mostly blank phone. If you must risk your life with apps, put your main phone with the battery out (if possible) in your checked bag. Put a post-it note on it that states a problem so it looks like it needs to be recycled or taken to a repair shop. The idea is to have a phone you carry and can hand over that has next to nothing on it. Only Sync a subset of your telephone numbers rather than your whole phone list to cut down on connections that just cause problems. I have friends and family tagged in my contact list on the computer and can choose to just sync that list to my phone if I want. I have another list that is professional contacts and then there is the whole thing that it usually on the phone.

    One aerospace company I worked for had a manual for traveling abroad. Since some of what we did was subject to "International Trade in Arms Restrictions" or ITAR, certain work products couldn't go with us on our devices and other things needed to be hidden from border checks to prevent them from being harvested and put in a government database (didn't matter whose). The company didn't want contact lists walking across borders either but we did need them so methods were devised. Joke 'em if the can't take a F___.

    1. Anonymous Coward
      Anonymous Coward

      Re: Back up

      trouble is, anything that looks somewhat suspicious, including what seems to be a temp phone, can make the border official escale his 'reasonable suspicion' to the point that they decide to give you a 'proper' inspection, or if you're lucky, you'll be send back home on the next available flight. Or, within 7 days of free, though somewhat basic, accommodation being offered in the meantime. Flight back at your own cost too. Plus, quite likely, a ban to enter the Land of the Free for x-number of year, with a guarantee of a THOROUGH inspection when you turn up again. Unless you happen to be the lucky (?) holder of the US passport, which might include further unpleasantries onshore.

  13. Anonymous Coward
    Anonymous Coward

    What We All Really Need......

    .....is some way of having TWO identities:

    (1) The one where the real person lives and works.....and where all our messaging and data is totally innocuous (say "Jane Smith")

    (2) The other one, the one with the burner phone, the one with a different valid credit card, the one using TOR....and so on (say "Howard Beale")

    Identity #2 is a completely bogus construct, with an SSN, a bank account, a credit card, and an address at the local UPS mailbox store.

    Identity #2 prefers cash!

    Identity #2 is never used from the real person's home or work.

    Identity #2 is never used AT THE SAME TIME as identity #1.

    When Jane crosses a border, none of the "Howard" stuff travels with her........

    Perhaps there's a marketing opportunity here......someone with the right connections can manufacture the "Howard" identity and equip "Howard"....perhaps for a few thousand dollars? Of course, that would have to be a few thousand dollars in cash!

    1. MachDiamond Silver badge

      Re: What We All Really Need......

      ".....is some way of having TWO identities:"

      Forget having bogus official documents. They nail you to the outhouse wall just for having them if caught.

      I have two main personas. One of them is anonymous. I pay with cash. I don't give out my real phone number if one is required (but it rings if tried). I use a false name and all of that other stuff. I make it a habit to lie to anybody where lying isn't an indictable offense.

      Debit and credit cards are convenient for paying bills. I get that. I use them for bills that are tied to me such as utilities. I also use a prepaid debit card often times for purchases where I don't want a record kept. When traveling, it's often not too hard to book a mom/pop motel or BnB by pre-payment or to just show up and pay cash claiming you had your wallet stolen or don't have a credit card. If you haven't cultivated a look that's on the radical side and seem ok, they don't seem to mind. I also like to camp and campgrounds with showers can be pretty cheap and take cash just fine. They'll also accept a temporary ID such as you would have if you had your's stolen and were waiting to get the one with the photo and everything in the mail.

      It's hard to juggle two identities. Just ask Dread Pirate Roberts. If you instead have a gazillion that you choose at random in addition to being as anonymous as possible, it's easier to not slip up.

  14. Anonymous Coward
    Anonymous Coward

    are not promoted to record

    not promoted, or not prompted? Or promoted having prompted?

  15. razorfishsl

    The fact that it's just been disclosed that the FBI has been tagging parents with a Monika used to identify terrorists

    means that these people would be on that potential target list every time they fly.

    Funny how the pieces fit together is in ton?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like