A recent 9th Circuit Court of Appeals decision giving U.S. customs agents nearly unfettered ability to search electronic files should have businesses rethinking what risks employees create by taking electronic devices and files with them on international trips.
The Senate Judiciary Committee's subcommittee on the Constitution met on June 25, 2008, to address concerns stemming from recent court decisions, such as U.S. v. Arnold, which have expanded the ability for customs agents to search electronic devices and storage media. Although seemingly odd bed fellows, supporters of business rights and individual freedoms came together to testify against the potential dangers cases like Arnold can cause. The discussion centered on the murky issue of whether a laptop is the same as a suitcase or briefcase. As Senator Brownback of Kansas noted, information regarding the September 11, 2001 attacks was on one of the conspirator's laptop. However, he also noted that he was uneasy about customs agents scanning his own BlackBerry. As he noted, "I got a lot of things on there. I don't know what all is on there, in some cases. I don't want people looking at that randomly."
While this debate seems to center on personal liberties compared with business concerns, the leeway granted by courts may pose new risks for an employee and employer on that person's return home. As the law stands, an employee who takes his or her laptop or personal digital assistant (PDA) out of the country may have to show customs agents every email, file or attachment on such devices, and such messages and files may include sensitive corporate data or trade secrets. Regardless of whether the trip is for business or pleasure, businesses should pay attention to what is included in an employee's luggage.
Understanding U.S. v. Arnold
On April 21, 2008, the 9th Circuit issued its decision in U.S. v. Arnold, confirming the expansive right customs agents have to search electronic devices. Michael Arnold, a U.S. citizen, was returning through LAX after a three-week vacation in the Philippines. Along with his luggage, Mr. Arnold had a laptop computer, a separate hard drive, a flash drive and several CDs. After having Mr. Arnold boot up his laptop, the agents, along with special agents from the Department of Homeland Security, searched and copied the files on the external hard drive, flash drive and CDs. After finding several files that contained what appeared to be child pornography, Mr. Arnold was arrested and charged with possession of child pornography.
A district court granted Mr. Arnold's motion to suppress this evidence on grounds of search without reasonable suspicion. But, the 9th Circuit overturned this decision, holding that reasonable suspicion is not necessary for searches of such electronic devices at U.S. borders. The court, citing the U.S. Supreme Court, stated that "searches made at the border are reasonable simply by virtue of the fact that they occur at the border." The court rejected Mr. Arnold's argument that a laptop is more like one's home or mind, rather than one's luggage, citing that this was not an invasive search, which typically involves one's body (and questioning if even that distinction has a place in border searches). In short, the court was satisfied "that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border."
Concerns for Businesses and their Employees and Agents
On its face, this opinion seems to merely follow the general principle that a traveler's luggage can be searched for contraband or other illegal materials. But, it presents some troubling scenarios for corporations and their employees. According to Arnold, when crossing back into the country, agents can search everything in a person's "electronic luggage" without reasonable suspicion. Furthermore, this extends to many types of devices, including, as in Mr. Arnold's situation, a laptop, external hard drive, flash disk and CDs. However, corporate management may face other risks relating to its business information. Specifically,
- Trade Secrets and other Confidential
Information. The greatest threat to a business is
the loss of secrecy. There is a concern that, if trade
secrets are on an employee's computer or disk, and an
agent views this material, this could relinquish the trade
secret status of that information. Although a company could
argue it did as much as it could to protect its secrets, it
is unclear if that argument would stand. Regardless of the
status as a trade secret, the greater issue would be that any
information would no longer be secret. If an agent opens a
file in the middle of an airport security area, not only
could that agent see the file, but potentially any other
passenger standing around could, too. Although legal
protections may be available, a business risk exists if
information leaks outside of the company, and that
confidentiality can never be regained. In addition, since
agents would be allowed to copy files, a business may lose
even more control over this information. Granted, agents
should only copy files which are relevant to some potential
security or criminal concern, but, as with any copy of a
file, protocols and methods for protecting that copy of a
company's information would be outside of the control
of the company.
- Privileged Information. In addition to
information carried by employees, businesses should also be
concerned about information carried by professionals and
agents with privileged information. This information, which
is afforded very high protections, can now be viewed and
copied by any number of agents. For a company's
attorneys, a greater risk exists because, under the rules of
evidence, having a third party, such as an agent, view
privileged information could be considered a waiver of that
privilege. Therefore, an opposing party in litigation could
potentially gain access to previously privileged information
simply because an attorney had a particular email or
attachment on his or her BlackBerry.
- International Protocol. Finally,
although a longer-term issue, this expanded access to
information may also set forth a dangerous precedent at the
borders of other countries. Although information viewed and
copied by U.S. agents may be subject to protections and
limitations under U.S law, it is unclear how foreign courts
would treat this access to information. Furthermore, if other
countries take a similar approach, there is no guarantee that
a business' information will be protected, especially
if it is copied by a foreign border agent.
What a Business Can Do to Protect Information
Currently, a business likely has two options for protecting its information. The first, and most obvious, is to simply not take such devices overseas. Have all information needed emailed to the traveler and have a laptop available in the foreign destination that will remain in that foreign destination. The logistical costs of this are greater, however, in addition to the hassle a traveler and business must endure to utilize this method. Additionally, there is an inherent risk of transmitting sensitive data to overseas locations as some governments routinely intercept and review such data.
A second option is to invest in a strong encryption program. This is the most common suggestion of many in the information technology world. Encryption programs allow a user to protect his or her data by password or "keys" which do not allow another user to view the information contained therein. Currently, a decision by a Vermont magistrate judge held that a person need not turn over encryption passwords or keys to a customs agent, but that decision has been sent to, and is currently pending in, a Vermont district court. Therefore, it is uncertain if this will prove a long-term solution, depending on the final outcome of that case and similar cases.
The Bottom Line
At this point, the best course of action is to keep a keen eye on developments regarding this issue. As the Subcommittee's hearing showed, this issue will not prove to be a quick decision. There will almost certainly be a lengthy debate and decision process before any legislation is passed, assuming any legislative action is taken at all. Similarly, given the potential risks to information, as discussed above, juxtaposed with the generally expansive view taken by the courts regarding customs agents' rights to search, lawsuits on these issues are almost certain. However, it is equally likely that courts may differ on interpretations of these laws, sparking a long series of appeals and debates which will make the already lengthy court process even longer.
What this means is that both legal and legislative actions will take a significant amount of time, so the immediate future will likely remain unclear. While it may not be an effective solution for businesses to revamp their electronics policies from the ground up and purchase vast amounts of encryption software and support, corporate management should understand what risks searches such as those permitted under Arnold pose both conceptually and realistically. This involves balancing the risks of certain parties viewing data with the convenience of having access to these devices overseas and the practical realities of how airport security functions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.