US border agents aren't deleting travelers' data after device searches

In addition, CBP agents also didn't carry out any software-assisted searches for more than seven months because a manager forgot to renew a license agreement.
Written by Catalin Cimpanu, Contributor

A US government report says border agents have not been following proper procedures for the past two fiscal years when it came to searching travelers' electronic devices, which has led to situations where user data was not deleted from USB thumb drives following device searches.

This is just one of the multiple conclusions listed in a report from the Office of Inspector General (OIG) published on the Department of Homeland Security (DHS) website earlier this week.

The report was carried out to evaluate how US Customs and Border Protection (CBP) agents have been following standard operating procedures (SOP) for searching travelers' electronic devices, as authorized by the Trade Facilitation and Trade Enforcement Act of 2015 (TFTEA).

Also: Twelve US states join for the first time to file multistate data breach lawsuit

According to this law, CBP agents are allowed to carry out warrantless device searches at all 328 ports of entries in the US.

Agents are allowed to manually (visually) inspect any travelers' devices, such as smartphones or laptops, without a reason, and they're supposed to look for suspicious content related to terrorism, child pornography, or anything that might hint of a crime.

In 67 selected ports, since 2007, CBP agents are also allowed to copy device data onto a USB thumb drive and uploaded it on a platform called an Automated Targeting System (ATS) on which more complex searches are carried out against the user's copied data.

But according to the OIG report, CBP agents haven't been deleting user data from these USB thumb drives after they've loaded the data onto the ATS, as standard procedure dictates.

"We physically inspected thumb drives at five ports of entry," the OIG report said. "At three of the five ports, we found thumb drives that contained information copied from past advanced searches."

This is a big personal privacy and security no-no. This means CBP agents could still access the user's sensitive information even after he/she's been released to enter the US.

According to the OIG report, to blame is with the CBP's Office of Field Operations (OFO), the management division tasked with writing CBP manuals and carrying out training sessions. OIG officials say OFO has failed to lay out proper rules in the handling of USB thumb drives, but also in other procedures.

For example, CBP agents are also failing to turn off a searched device's networking connection. This results in situations were CBP agents are viewing information that loads over the Internet and isn't actually stored on the device, wrongly incriminating users.

Further, CBP agents haven't always filed proper reports about the devices they've searched.

"We reviewed 194 EMRs [electronic media reports] and identified 130 (67 percent) that featured one or more problems," OIG officials said.

"Without accurate and complete documentation of border searches of electronic devices, OFO cannot maintain reliable quantitative data, identify and address performance problems, and minimize the risk of electronic devices becoming lost or misplaced," the report concluded.

But more worisome is that CBP agents didn't carry out ATS-assisted device searches at all for a long period of time. According to the OIG report, this happened because CBP's OFO forgot to renew an ATS license in time.

"Software licensing agreements were not in effect from February 1, 2017, through September 12, 2017," the report said. "Without a valid software license, OFO officers could not conduct advanced searches of laptop hard drives, USB drives, and multimedia cards at the ports of entry. This deficiency limited OFO's ability to obtain evidence of criminal activity and to detect and deter illegal activities, such as child pornography."

Must read

The OIG recommended that the CBP OFO improve its procedures and train agents accordingly.

According to the OIG report, CBP agents processed more than 787 million travelers upon arrival into the US in fiscal years 2016 and 2017, but have only carried out 47,400 device searches, which amounts to the low figure of 0.005 percent of all incoming travelers. The OIG report on the CBP's failures may explain these low number.

Nonetheless, the CBP did say that manual and automated searches helped agents block entry into the US to a traveler with terrorist-related material on his device in March 2018, and another suspect on whose device they found graphic and violent videos, including child pornography.

7 Technologies that will transform Advanced Manufacturing in 2019

Related stories:

Editorial standards