Thank you very much.
I'm Esha Bhandari, and I'm a staff attorney with the American Civil Liberties Union. We appreciate the opportunity to provide testimony before the committee today.
I will address two topics. The first is privacy at the border, and specifically searches of electronic devices. The second is the President's executive order stripping Privacy Act protections from non-U.S. persons.
Regarding searches of electronic devices at the border, the current position of the U.S. government is that a regime of suspicionless searches is permissible per U.S. Customs and Border Protection Policy. This policy, dating from 2009, allows the government to search any and all travellers, regardless of citizenship status, and search specifically their electronic devices without a warrant, probable cause, or any suspicion whatsoever. This claimed authority has not yet been ruled on by the Supreme Court of the United States. There are a handful of lower court cases addressing this, but it remains in an area of legal uncertainty, and specifically with respect to whether U.S. constitutional limitations provided by the fourth amendment would apply here. The ACLU's position is that border agents should not be able to search electronic devices without probable cause at a minimum, but that a warrant is in fact constitutionally required.
The nature of searches happening at the border can vary. There may be manual or cursory searches, which happen on site when a traveller arrives at the border. Those searches could include searches of information contained on the device. They could also include searches of cloud-based data that is accessible through the device, including through social media and email applications. Our concern is that when border patrol agents ask individuals for the passwords for their devices, they have access to an unlimited trove of information through these Internet-connected cloud-based apps. While U.S. citizens or lawful permanent residents may be able to refuse to provide passwords to their devices or their cloud-based applications, visitors risk being turned away if they refuse to do so.
The other type of search that is happening is a forensic search. When this happens, U.S. Customs and Border Protection will seize the device, whether it's a cellphone or a laptop, and most often transport it to another location to be hooked up to a device that allows a full forensic search of the device. This is essentially a computer strip search. It gives the government access not only to everything that is in fact stored on the device but also to metadata and deleted files that the traveller may not have even been aware were still accessible through the device.
When a device is seized in this way, CBP is supposed to retain it for only five days initially, but per its policy, this can be extended in seven-day increments. We have heard stories of individuals having their devices seized for up to weeks at a time. According to the government's policy, any information that can be retained must be that information relating to “immigration, customs, and other enforcement matters if such retention is consistent with the privacy and data protection standards of the system of records in which such information is retained.” However, we're very concerned about information such as that belonging to journalists and their sources and attorney-client privilege information, which the policy does not adequately protect. Individuals may assert that this type of information is contained on their devices before they are searched, but apart from a requirement to consult with a supervisor, there is no limit on the U.S. government searching even this privileged information.
While we have heard of an anecdotal rise in the number of searches, we are also aware of a statistically documented rise. In fiscal year 2015, the U.S. government reports that it searched 8,503 electronic devices at the border. In fiscal year 2016, that number went up to 19,033. While these numbers represent a small percentage of overall travellers to the United States, the steep rise in numbers between 2015 and 2016 is concerning, as is the lack of any constitutional protections of “suspicion” being imposed on these searches.
There is still a greater need for transparency. We do not know how many of these searches are conducted with respect to U.S. citizens or with respect to non-citizens and, if the latter, which countries' individuals are being searched and for what reason.
I will now speak about the executive order from the President's stripping of Privacy Act protections from non-U.S. persons. President Trump's executive order stripping Privacy Act protections essentially means that every non-U.S. person, meaning anyone who is not a U.S. citizen or a lawful permanent resident, is no longer entitled to the Privacy Act protections. These protections include the ability for individuals to access their records, correct their records, and limit the dissemination and collection of information by agencies, subject to exceptions that were previously mentioned, including law enforcement use.
As a matter of long-standing practice, many U.S. agencies had extended Privacy Act protections to include the personally identifiable information of non-U.S. persons, including the many visitors and students and business people who travel to the United States from Canada. Those agencies included the State Department, the Department of Homeland Security, the Department of Justice, and the Department of Health and Human Services. In particular, in 2007, when the Department of Homeland Security adopted the policy of extending Privacy Act protections to all individuals, it noted that doing so would have the benefit of supporting data integrity, advancing cross-border information sharing, facilitating trade and travel, and encouraging protection of U.S. persons' privacy overseas.
When the executive order was signed, the ACLU sent a letter to all federal agencies, arguing that implementation of the memo as written would be contrary to law, including procedural and substantive legal roadblocks. We also wrote to the European Parliament and the European Commission, letting them know that U.S. assurances underpinning the privacy shield agreement and the U.S.–EU umbrella agreement to permit data sharing between the two regions would now be called into question by this executive order.
Nonetheless, at least the Department of Homeland Security has released guidance thus far, in April, indicating that it intends to go ahead with the terms of the executive order. This guidance from the Department of Homeland Security has made it clear that non-U.S. persons, including immigrants and non-immigrants, can only request their records through the Freedom of Information Act rather than through the Privacy Act, and that there will now be a balancing test that weighs the public interest in the information when deciding whether to disclose those individuals' personal information. That includes potential disclosure to third parties requesting information about immigrants and visitors to the United States.
Visitors to the United States and immigrants to the United States who are not U.S. persons may not amend their records through the Privacy Act anymore. Instead, the Department of Homeland Security has said that it will now apply the fair information practice principles to non-U.S. persons' information. It is unclear what this will mean, practically speaking. A large concern remains that non-U.S. persons' private information, sensitive information about immigration status, and health information may now be subject to public disclosure because the Privacy Act protections no longer exist.
I will end my testimony there. I welcome any questions.
Thank you.