U.S. border searches of electronic devices

Picture this: You’re travelling across U.S. borders, heading home from a client meeting abroad.  However, unlike other trips, this time a Customs and Border Protection agent requests that you unlock and hand over for inspection your computer and cell phone — full of client confidential information.  You’ve been concerned about this issue, and so you’ve had your IT department encrypt all of the sensitive data on your devices.  Will that protect your client’s information from disclosure?

Ethics duties at the border

We wrote here last year about the ethics issues with border searches of e-devices, including the New York City Bar Association’s July 2017 opinion on how to deal with the duty of confidentiality in that scenario.

The NYCBA ethics committee advised that you may of course ethically comply with lawful government orders, but also that you should not comply “unless and until” you “undertake reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

The concern about this issue was heightened by a sharp uptick in border searches of e-devices.  Customs officers searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the U.S. last year — an almost 60 percent increase from 2016, according to Homeland Security Department data.

Most recently, in January 2018, the CBP revised Directive No. 3340-049, which includes procedures for searching information subject to attorney-client privilege.  Section 5.2 calls for segregating privileged material to ensure that it is “handled appropriately.”

Encryption – it’s no panacea

What about encrypting the client information on your e-device to make sure it stays confidential and won’t be revealed during a potential border search? That approach may be of limited use.

Section 5.3.3 of the revised CBP directive provides that if border officers can’t inspect your device “because it is protected by a passcode or encryption,” they may detain it and convey it (or a copy of its contents) to third parties who can supply “technical assistance.”

This is an indirect reference to the various U.S. intelligence agencies that are authorized pursuant to Section 2.6 of Executive Order 12333 to provide technical support and assistance to the CBP.  This aid may be derived from the National Security Agency, which leads the federal government in cryptology, or from the National Media Exploitation Center, which consists of representatives from multiple intelligence agencies that are responsible for decrypting, translating and analyzing documents and electronic devices in the federal government’s possession.

If CBP officers seek to decrypt and access the confidential information on your device, they likely have the authority and the technical resources, through federal intelligence agencies, to do so.

The magnitude of the risk, and what to do

Even though the 5,000 devices searched in February last year sounds like a lot, it’s only a tiny percentage according to CBP’s Office of Public Affairs. The agency says that in FY 2017, only about .007 percent of arriving international travelers screened and processed by CBP officers were required to submit to an e-device search.  That possibly points to a low risk for any one lawyer who might be returning from international travel.

But given the breadth of your ethics duty, and the limits on the ability of encryption to protect confidential client information on your devices, it would be a best practice to heed the advice that the NYCBA gave last year:

  • Depending on the circumstances, including the sensitivity of the information, you should consider not carrying any client confidential information across the border.
  • Rather than exposing your client’s information to disclosure in a search, you should securely back up client information and cross the border only with a blank “burner” phone or laptop.
  • And before coming back across the border, you should also turn off syncing of cloud services, sign out of web-based services, and/or uninstall applications providing local or remote access to confidential information.

Lawyers and their firms should consider incorporating these measures into their data security policies and practices. It’s what the times, and your ethics duties, would seem to call for.

The ACLU and the Electronic Frontier Foundation have sued the Department of Homeland Security to block U.S. Customs and Border Protection personnel from searching travelers’ electronic devices without warrants.  This has implications for lawyers who cross in and out of the U.S. with phones and laptops containing confidential client information.  The CBP’s policy, which the ABA also has questioned, currently authorizes such searches even without a suspicion of wrongdoing.

We first wrote about the issue last month, when the New York City Bar Association published an ethics opinion raising the client confidentiality issues and advising that in some circumstances lawyers should consider using “burner” phones, and avoid taking client confidential information across borders.

The ACLU and EFF’s lawsuit, in Massachusetts district court, alleges violations of the First and Fourth Amendments on behalf of 11 plaintiffs whose electronic devices were searched as they reentered the U.S.  None were subsequently accused of any wrongdoing.

The plaintiffs include journalists, students, an artist, a NASA engineer and a business owner — but no lawyers.  Despite the absence of lawyers from the roster of plaintiffs, the client confidentiality issues are obvious, and have received a lot of notice.  See here for the New York Times story on the lawsuit, and here and here for commentary on the N.Y. City bar ethics opinion.

I’d be interested in hearing whether lawyers have personal experience with border searches of their electronic devices.

Stay tuned for additional developments on this issue.

Travelling abroad for work?  What should you do if a Customs and Border Patrol agent, claiming lawful authority, demands that you unlock your computer or thumb drive or cell phone — full of client confidential information — and hand it over to be searched as you cross the U.S. border?

A New York City bar association ethics opinion issued on July 25 offers some practical tips, and spotlights the ethical duties of confidentiality and client communication involved in this increasingly common scenario.

Cause for concern

The confidentiality concern is more than hypothetical.  According to the Department of Homeland Security, in February 2017 alone, CBP agents searched more than 5,000 cell phones, laptops and other devices.  That’s as many searches as in all of 2015.  CBP policy apparently permits U.S. customs agents to review any information that physically resides on travelers’ electronic devices, with or without any reason for suspicion, and to seize the devices pending inspection.

The ABA voiced concern in May, requesting that the Department of Homeland Security revise CBP’s procedures in order to better protect client confidential information from search or seizure at border crossings.

Evasive tactics necessary?

Under every state version of Model Rule 1.6, you have an ethical duty to safeguard the confidentiality of client information in your possession, and “few principles are more important to our legal system,” the opinion notes.

The thoroughly-reasoned and detailed New York opinion concludes that Rule 1.6, coupled with Rule 1.1 (Competence), raises obligations before a lawyer approaches the U.S. border; at the border when an agent seeks access to a device; and after an agent has reviewed clients’ confidential information.

  • Before crossing the border, Rule 1.6(c) and its comments, which require “reasonable efforts to prevent … unauthorized access to” client confidential information, mean that you must take reasonable precautions in advance to avoid disclosing such information unless authorized by the client (which is unlikely).  Depending on the circumstances, including the sensitivity of the information, these efforts may include not carrying any client confidential information across the border.  If so, the opinion suggests:  securely backing up client information and then crossing the border with a blank “burner” phone or laptop; turning off syncing of cloud services; signing out of web-based services; and/or uninstalling applications providing local or remote access to confidential information.
  • At the border, Rule 1.6(b)(6) and its comments come into play.  It permits lawyers to disclose confidential information to the extent reasonably believed to be necessary when required “to comply with other law or court order,” including “a governmental entity claiming authority pursuant to … law.”  But, the opinion cautions, disclosure is not “reasonably necessary” to comply with law if there are reasonable lawful alternatives to disclosure.  The opinion concludes that “it would be an unreasonable burden” to require a lawyer to forgo entering the U.S. or to allow herself to be taken into custody or litigate the lawfulness of a border search. But the opinion also says that lawyers have a duty not to comply “unless and until” the lawyer “undertakes reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”  To facilitate that challenge, you should carry ID confirming that you are a lawyer, notify agents that your device has client confidential information on it, request that the agents limit their review, and ask to speak to a superior officer, says the opinion.
  • After a search or seizure of client confidential information, Rule 1.4 (Communication) requires that you notify affected clients about what occurred and the extent to which their confidential information may have been reviewed or seized.  That communication will let the client decide on possible responses, including a potential legal challenge.

Globe-trotting implications

Tennessee ethics lawyer Brian Faughnan shared his comments on this opinion under the headline “Practicing law like it’s espionage.”  The ways to carry out the potential duty to avoid taking confidential information across U.S. borders, as well as the other recommendations in the New York opinion, indeed make me think of spycraft, and wonder if we are entering the world of novelist John le Carré.  That’s an uncomfortable thought — but under the reasoning of this opinion, such considerations are necessary as a matter of ethics.