The CIPP focuses on regulations and privacy rights. This mostly keeps the discussion in newly minted financial sector reform legislation or health care privacy rules. Most people simply assume the US Constitution & The Bill or Rights are sacred. So why is it that The Ninth Circuit Court of Appeals decided that an unprovoked search and seizure of a US citizen returning from International travel didn’t violate Michael Arnold’s rights?
Let’s start off with a little history. Forty-three-year-old Michael Arnold went on a vacation to the Philippines. On his July 17th 2005 return flight to Los Angeles, he had a laptop computer, an extra hard drive, a USB thumb drive, and a half dozen CD’s in his carry-on bag. After the 23 hour plane ride, he went through customs.
If you’ve ever traveled internationally, you know that while in customs, bomb/drug/food sniffing dogs walk around the lines searching for contraband (yes, it’s illegal to bring several types of foods back into The States – nothing like having a dog scratch at your luggage and the agents pulling out an orange), and your checked bags are typically thrown on a conveyor belt for automated screening. Your carry-on items may receive a little extra attention. This happened to Mr. Arnold – he was selected for a secondary screening and asked by the customs agents to turn on the computer to see if it was working. It was handed to another customs official who began checking through folders, including one marked “Kodak Memories”, and one labeled “Kodak Pictures”. There was one picture of two nude women. This was enough to confiscate the hardware and retain Arnold for questioning. Almost surely a complete image of the laptop’s hard drive was taken. There was no warrant issued until two weeks later.
During the two weeks, federal agents investigated the laptop, and eventually found multiple images depicting what they believed to be child pornography. He was arrested and charged with numerous crimes including trafficking in child pornography. I’m not saying he’s not a good or bad man. In my opinion, child exploitation constitutes the greatest crime – children are innocent and those who prey on them despicable. I didn’t see the pictures, so I’m relying on everything is as described. My concern is the random searching of laptops without rationale.
The Federal Judge who originally heard Mr. Arnold’s case barred admission of the computer evidence because his right were violated. The Ninth Circuit Court of Appeals overturned the ruling, citing:
“With respect to these searches, the Supreme Court has refused to draw distinctions between containers of information and contraband with respect to their quality or nature for purposes of determining the appropriate level of Fourth Amendment protection… Therefore, we are satisfied that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border.”
That’s right, reasonable suspicion is not needed! Mr. Arnold is an American citizen, on American soil, and the Appeals court judge, citing the Supreme Court, doesn’t think there were any rights violations?
I work for an encryption company, know how cryptography works, and practice the benefits thereof. Because I employ file level encryption on my hard drive, does that automatically make me a person of interest for a search of my laptop? When I am chosen and asked what I’m hiding, do I then receive extra screenings and “special” treatment? Will my corporate laptop be imaged and forensically analyzed?
The best advice probably comes from the Electronic Frontier Foundation:
“Law firms, corporations and other entities that routinely deal with confidential information are handing their business travelers forensically clean laptops loaded with only what the traveler needs for that particular business trip. Leaving unnecessary data, like five years of e-mail, behind may be the best thing. Of course, if trade secrets or client information are the reason for the trip, this plan will not help.”
A couple of other possibilities? Try one of the secure xB computers on USB. Or a “fresh install” every time with a CD-ROM scenario, such as Knoppix. Or better yet, leave all the data on a remote data server service and do the demo across the web – that crypto thing works across the Internet. It’s called Transport Layer Security for a reason.