Travelers heading to the US have many reasons to be cautious about their devices when it comes to privacy. A report released Thursday from the Department of Homeland Security provides even more cause for concern about how much data border patrol agents can pull from your phones and computers.
In a Privacy Impact Assessment dated July 30, the DHS detailed its US Border Patrol Digital Forensics program, specifically for its development of tools to collect data from electronic devices. For years, DHS and border agents were allowed to search devices without a warrant, until a court found the practice unconstitutional in November 2019.
In 2018, the agency searched more than 33,000 devices, compared to 30,200 searches in 2017 and just 4,764 searches in 2015. Civil rights advocates have argued against this kind of surveillance, saying it violates people's privacy rights.
The report highlights the DHS' capabilities, and shows that agents can create an exact copy of data on devices when travelers cross the border. According to the DHS, extracted data from devices can include:
- Call logs/details
- IP addresses used by the device
- Calendar events
- GPS locations used by the device
- Social media information
- Cell site information
- Phone numbers
- Videos and pictures
- Account information (user names and aliases)
- Text/chat messages
- Financial accounts and transactions
- Location history
- Browser bookmarks
- Network information
- Tasks list
The policy to retain this data for 75 years still remains, according to the report.
That data is extracted and saved on the DHS' local digital forensics network, and transferred to PenLink PLX, a phone surveillance software that helps manage metadata taken from devices.
"Collection of this data will be based on a law enforcement/investigative purpose related to authorities [US Customs and Border Protection] is responsible for enforcing. Legal authorities such as a Search Warrant, Consent, Border Search or other Fourth Amendment exceptions will be used to gather the data that will be inputted into PLX," a DHS spokesman said in a statement.
PenLink is used by police across the US to intercept text messages, phone calls and GPS data from devices.
But it also analyzes data from social media and tech platforms, according to its website.
On its free trial offer, PenLink tells potential customers that it can map collected data including Snapchat geolocations, Facebook logged locations and Google's geofenced data. The company didn't respond to a request for comment.
"USBP uses the information it gathers using these tools to develop leads, identify trends associated with illicit activity, and further law enforcement actions related to terrorism, human and narcotic smuggling, and other activities posing a threat to border security or national security or indicative of criminal activity," the DHS report stated.
The detailed list of how much information your phone can give about you came several days before the National Security Agency advised its staffers of the best practices for keeping their device data private. They include turning off location services and advertising permissions, and deactivating Bluetooth and Wi-Fi.
The DHS said the privacy risks of using the tools are low because only trained forensics technicians will have access to the tools, and only data relevant to investigations will be extracted.
That assurance is in stark contrast from what lawyers from the American Civil Liberties Union and the Electronic Frontier Foundation found, after a lawsuit revealed that agents had searched through travelers' devices without any restrictions, and often for unrelated reasons like enforcing bankruptcy laws and helping outside investigations.