We Already Screen Cell Phones At The Border, Will Social Media Be Any Different?
Among a flurry of headlines this weekend, CNN is reporting that the White House may be taking tentative steps to explore what it would take to scan social media accounts and cell phone contacts of all visitors to the United States, making “social media screening” a part of the screening process to enter the country. Lost in all of the ensuing furor is that we’ve actually already done this for years, between customs searches and seizures of cell phones and laptops and NSA surveillance of social media – looking across the state of our surveillance world, what might we expect from the future of digital adjudication?
As the line between the digital and physical worlds continue to blur, an ever-greater percentage of our daily lives are carried out through digital intermediaries. Our phones and computers have become extensions of our memories, with our notes, phone calls, messages and even browsing history offering a remarkably detailed profile of who we are and what we are interested in. This makes our digital personas of particular interest when it comes to screening those entering the country to find terrorists or others who wish to do harm.
While the White House’s proposal is attracting substantial attention given its timing among other highly controversial actions, it is important to remember that even under the Obama administration, the US Customs and Border Protection and US Immigration and Customs Enforcement agencies had wide latitude to seize and search any digital device crossing the nation’s borders. Indeed, DHS published a 51 page Privacy Impact Assessment of this policy in Obama’s first year in office, noting that customs agents may search any electronic device being brought into the country “without a warrant and without suspicion.” This was upheld by the agencies throughout the Obama administration’s two terms in office and by the courts. Only when it came to seizing the devices for extended periods of time, such as days or even weeks, to copy all of the files on the device, did the courts draw something of a line.
Thus, it is important to remember that the concept of seizing and searching digital devices crossing the border has long-standing precedence and application under the former administration, including in many controversial and politically charged cases, such as that of Laura Poitras.
Thus, when several Canadians were allegedly forced to unlock their phones and hand them over to customs officers last week when trying to travel to the US for the inauguration, Canada’s public safety minister’s office confirmed that such actions were entirely legal and expected, much as customs might require a visitor to open their luggage to be searched.
Where the proposed new administration policy would appear to build upon this existing process is in extending it to social media accounts.
Gone are the days when a personal computer physically sat on a desk and was an isolated and standalone device largely used for word processing and number crunching. Today our cellphones, laptops, tablets, memory sticks and other electronic devices are extensions of ourselves, storing our most intimate communications and memories. Yet, in reality, most of those memories are no longer stored locally on the device itself, but rather in the cloud. In short, digital devices have morphed from storage devices with screens to being merely thin client gateways, portals to the ephemeral cloud. When we check our Gmail account from our cellphone, the phone communicates with a set of remote servers sitting in a data center somewhere on planet Earth and the emails we send and receive are stored not on the device itself, but on those remote servers (though in actuality local caching means some portion of your inbox is stored on the device for offline access).
Thus, seizing the physical device itself is far less useful today that it was 10 years ago. Advances in broadband speed and the rise of cloud storage and social media mean that searching someone’s laptop for illicit content is less likely to yield results than a search of the person’s online accounts. Someone who spends much of their day consuming and sharing terrorist videos a decade ago might have arrived in the US with a memory stick or laptop full of video files to share, while today all of those videos would be hosted on a cloud-based video service.
In this context, the administration’s proposal to expand searches to cloud accounts like social media is simply a modernization of this pre-existing policy that was widely utilized under the Obama administration. In essence, it represents nothing more than modernizing surveillance laws akin to evolving from intercepting a suspect’s postal mail to intercepting their emails. Even the potential for politicized searches has not changed, as under the Obama administration electronic device searches were allegedly routinely carried out on those suspected of being affiliated with or in contact with Wikileaks and other organizations in conflict with the government.
At the same time, evolving search from physical devices to social media seems more intrusive given how important social media has become to our personal and professional lives and how intimate and damaging the images, conversations, thoughts, ideas and views that we share on those platforms can be. Would the trade off in terrorists caught outweigh the rollback of privacy to the rest of society?
Facebook did not respond to a request for comment, while Twitter pointed to two tweets by one of its public policy spokespersons and a previous Intercept article stating that the company would not willingly assist law enforcement in compiling a “Muslim registry.” When asked whether Twitter has ever received a formal demand from any US Government agency requesting public or private information about a Twitter user for the purposes of visa or immigration review, the company did not deny or confirm whether it had, instead responding only with a link to its Transparency Report.
Given that terror organizations like ISIS have made heavy use of social media and other digital platforms to recruit, fundraise and communicate, would adding social media scanning to border screening have a huge impact on preventing future terrorism? In Twitter’s response above, it notes that users of its platform can adopt any username they wish, meaning John Smith does not have to tweet as @johnsmith, but rather could tweet as @abc123 or any other handle he wishes, meaning a customs officer can’t simply keyword search Twitter for the person’s name to find all of their posts.
Indeed, if you think about it, a terrorist heading to the US to conduct an attack would likely leave behind any cellphones or other electronic devices that had been used to plan or coordinate the attack and arrive either without any devices or with fresh devices that have never been used for illegal activity. They might also delete all of their social media accounts to ensure that there is nothing for even a diligent customs agent to find.
Of course, arriving without digital devices or with brand-new never-used devices might itself eventually become grounds for suspicion in this digital-drenched world. But, at the very least, it is unlikely in today’s world that a terrorist would hop a flight to the US with a backpack full of USB drives loaded with bombmaking diagrams and battleplans for an attack.
Instead of scooping up terrorists, the new policy is far more likely to net ordinary citizens who have expressed viewpoints suggestive of activism or controversial viewpoints or perhaps posted an ill-thought joke.
This raises the question of why, if digital devices are increasingly simply thin client portals to the cloud, does searching the device matter at all? One of the biggest lessons from the Snowden disclosures was just how vast the US intelligence community’s surveillance network is and how much of the daily heartbeat of the Internet it scoops up and stores in its massive data centers. It is known that the NSA had a special focus on Facebook and other social media platforms, exploiting numerous vulnerabilities to ingest reams of private data from them.
Assuming that this planetary digital trawling effort is still underway, one could imagine that even without Facebook and Twitter’s cooperation the NSA is able to scoop up a fair fraction of social conversations around the world, especially in countries of interest. They are also likely monitoring cellphone movements and conversations in those countries and compiling lists of all phones that have visited or contacted anyone in certain areas of Syria, for example.
Now imagine customs quietly installing Stringray or similar IMSI-catcher devices in the international arrivals areas of airports to capture the mobile number, device ID and other information from every phone (since many people turn their phones on upon arrival to make calls or check emails/social media before reaching the customs hall where phone use is banned). This data would then be run against the NSA database to see if this phone or any mobile IP address known to have been associated with it appears anywhere in NSA’s records of interest, with a match triggering actual physical inspection of the device.
Alternatively, users could be forced to unlock their phones and allow them to be connected to a phone forensic device that could rapidly scan the device for installed social media apps like Twitter or Facebook or browser history indicative of logging on or viewing certain websites. One could imagine a specialized version of such a tool identifying any social media accounts that appear to be under the control of the user and running these against the NSA and other databases for any hits of interest or any other accounts that have been logged into by the same people. Even if a visitor informs the customs officer that she does not use Twitter or that she does use Twitter and provides one of her two accounts, such a tool could readily provide all of the accounts under her control.
One has to imagine that government security agencies are already contemplating or implementing such systems and that the vast resources directed by NSA in the past towards social media platforms like Facebook are likely to have only grown as the platforms have increased in importance.
Of course, foreign governments are certain to reciprocate, meaning American travelers abroad would be subjected to the same digital intrusion. Further, as other countries, many of which have far weaker cybersecurity stances, start implementing biometric and digital scanning for visiting American citizens, hackers will start targeting those countries to access those biometric identifiers. Thus, even if the US Government maintains strong controls over biometric data or harvested social posts, American citizens visiting other countries that implement their own biometric scans for visitors will risk having their data stolen from those countries’ databases by hackers exploiting their weaker security.
Putting this all together, much of the uproar over the Trump administration’s proposed expansion of digital border screening misses that such screening was both heavily utilized and strenuously defended by the Obama administration. The new administration’s proposal merely updates and modernizes this preexisting authority for the cloud era in recognition that devices are becoming less important than cloud accounts. Yet, just as cellphone searches offered a more intimate look into someone’s life than a simple rummage through their luggage, so too will social media searches go further than ever before, posing troubling new privacy implications. It is likely that such searches will do little to catch terrorists given that most terrorists traveling to the US are unlikely to stuff their suitcases full of memory sticks with terrorist videos or bring with them the same cell phone they’ve been using to post ISIS propaganda for the past six months. Just as organizations like ISIS have adapted to increased surveillance by adopting encryption tools, so too will they certainly devise operational security guidelines for operatives entering the US, advising them to bring with them only clean digital devices acquired in Europe. Thus, modernizing digital border screening to the cloud era will likely do little to catch actual terrorists.
Most troubling though is that as the cloud becomes the center of our lives, the discussion of border screening will likely become less about scanning physical devices at the border and more about tying visitors to their cloud identities and screening them in secret before they ever get on the plane, using the NSA’s vast planetary data vacuum, meaning this is likely the last time we will ever even have a public conversation about border screening.
This article was written by Kalev Leetaru from Forbes and was legally licensed through the NewsCred publisher network.