Sidd Bikkannavar, it should be noted, is chill.
I’m not sure if it’s because he’s from Southern California—Bikkannavar was born in Pasadena—or because his side hobby, racing solar-powered vehicles, requires a certain amount of calm. Whatever the source, over the course of our 30-minute conversation about his experience being detained by US Customs and Border patrol, his voice betrays frustration only once. And it’s not when he admits—only after I ask him—that this wasn't the first time.
“When there are random searches, I'll often get pulled into the random search,” said Bikkannavar. “That doesn't offend me. I know they need to search people and if it’s me, it’s me. You know, I know I have a foreign sounding name, I know my skin is a little darker, so if it makes me more likely to be searched so be it. I've really never taken issue with that or been offended by that.”
“But what happened this time,” he adds, “was different.”
Losing His Chill
What frustrated Bikkannavar, a self-described pretty private person, enough to make him talk to the press was this: “I've now compromised the privacy of my friends, and family, colleagues, contacts—anyone whose digital life kind of touched my phone.”
How did Bikkannavar betray his friends and family? He left the United States. Or, to be more precise, he returned.
The same weekend that President Trump signed an executive order restricting travel from certain countries, Bikkannavar arrived at the United States border in Houston, Texas. He’d spent two weeks racing cars down in the Patagonia Region of Chile. Chile was not on the list of countries outlined in the executive order, but even if it was Bikkannavar wouldn’t have automatically qualified for extra scrutiny.
To begin with, Bikkannavar is an American citizen. His father is of Indian descent, hence his name, but on his mother’s side his family has lived in the United States since colonial days. In fact, his grandparents worked at the Jet Propulsion Laboratory (JPL) just like Bikkannavar does now.
“When we’re working with spacecraft,” said Bikkannavar, “we're working with equipment that costs maybe billions of dollars or is highly dangerous, so there is a process to make sure that we are trustworthy and safe.”
JPL is part of NASA, but in addition to rocketry it does a significant amount of work for the Department of Defense. As a result, even low level employees at JPL undergo a background check invasive enough that employees once sued to stop it..
But even if Bikkannavar didn’t work for JPL, there's still the fact that he forked over $100 and underwent a background check to qualify for Global Entry—the “U.S. Customs and Border Protection (CBP) program that allows expedited clearance for pre-approved, low-risk travelers upon arrival in the United States.”
Despite a level of vetting that some might even call extreme, Bikkannavar was still detained and placed in a holding room at Customs and Border Patrol.
“There were some people asleep [in the room]. I arrived at 5am in the morning, so I'm assuming that those people who were in there sleeping on the recliners and the cots had already been there stranded,” said Bikkanavar. “Eventually I get called into an interview room and they explain to me that because I'm trying to enter the country they need to search my property to make sure that I'm not bringing anything dangerous in. And they gave me a slip of paper that explains their rights to do all of this stuff.”
That stuff included searching his phone. After hesitating, and explaining that the phone was his work phone, he complied.
“As soon as I gave them the PIN they sort of pulled the phone back, wrote down the pin, and left with my phone,” said Bikkannavar. “They returned me to the waiting area with all of my luggage, and they didn't search any of that. They didn't swab it for bomb stuff, they didn't even open it. They didn't check what was in my pockets. They were only interested in the phone.”
If they had gone through Bikkannavar’s luggage, that would have violated his privacy. But going through his phone? That violated the privacy of anyone who had texted, messaged, or otherwise contacted him since the last time he'd wiped the device.
“Not only is the privacy and the free speech rights of the device holder at stake,” said Sophia Cope, a staff attorney with the Electronic Frontier Foundation, “but also that of all of their associates.”
This may include people who have never set foot near a border, people who have never set foot in this country. That it’s considered a privacy issue is obvious—how happy would you be to have strangers flipping through your cell phone for no reason? But it’s also considered a free speech issue, because many argue that there’s no such thing as free speech without privacy. If your thoughts and words are closely monitored by the government, can you really consider yourself free?
“Free speech and privacy are considered human rights in international law,” said Cope, “So there's that issue of whether or not the US is going to uphold those international principles.”
Can They Do That?
If you’re wondering if this is legal, you’re not alone.
In theory, the fourth amendment of the US Constitution (which begins, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…") sounds like it protects us from, well, unreasonable searches and seizures.
“But the law,” said Cope, “is unfortunately fuzzy.”
Here’s what’s clear: within the United States, the fourth amendment prohibits unreasonable search and seizure. Pretty much every procedural court drama gets this part right. A government entity shows up in court, presents evidence that there was probably a crime, and that searching the item in question will confirm it. If the judge thinks that the evidence supports a reasonably high chance—say 60-70 percent—of criminal activity she will issue a search warrant. A warrant isn’t a carte blanche though. It’s “particularized” to the crime. If they’re searching your phone looking for a terrorist threat and discover that you’ve illegally downloaded the Rolling Stone’s entire back catalog, that’s a separate issue.
But there is some wiggle room.
If a police officer sees you stuff a pile of crisply-bound $100 bills into a duffel as you run out of a bank that’s sounding its alarm, that’s enough probable cause to seize you—i.e. arrest you. Checkpoints like the kind used to check for drunk drivers are another exception. After all, everyone gets checked whether or not the police officers suspect them of being drunk. The Supreme Court rules this is ok because the scope is narrow and it’s in the broader public interest.
“At the border,” said Cope, “the Supreme Court says there's a discrete interest in protecting the welfare and the safety of our nation.”
Basically, it’s in the national interest to make sure that we pay duties on the $3,000-dollar bottle of wine we picked up in Italy, that we don’t secretly bring in seeds that pose a threat to the American farm industry or drugs and weapons that pose a risk to the American people. So the Supreme Court ruled that routine searches at the border are permitted, even without a warrant or probable cause. This decision was made, however, before we were carrying around computers, never mind ones that contain the level of information contained in a smartphone.
“The problem now,” said Cope, “is that a piece of luggage contains nowhere near that type of personal information, sensitive information. Even if you have a diary or some sexy photos in your luggage that still does not equate to what is essentially your entire life, particularly on your smartphone.”
The decision also doesn’t take into consideration the fact with cell phones, it’s not just the person who crosses the border whose information is being searched and potentially cataloged, but anyone who has communicated with that person. It’s this that compelled Bikkannavar to speak out, and a thought that should give us all pause.
It’s also an act that chills speech. How freely would you speak (or text) if you knew all of your communications were being observed? You don’t even have to work very hard to see the difference—compare your text and email conversations to your public social media posts.
The directive that guides U.S. Customs and Border Protection (CBP) electronic seizure rules dates back to 2009—it’s called CBP Directive No. 3340-049. It was only released because of a Freedom of Information Act, or public disclosure request. And while lawsuits in recent years suggest that there have been policy changes, those changes have not been disclosed to the public. That makes it awfully difficult for citizens to know their rights.
In 2009, the year of CBPs publicly available guidelines, the iPhone was 2 years old. Most of us were using blackberries or a flip phone, and apps were few and mostly entertainment based. Now our phones contain personal photos, banking information, inside jokes…the shape and breadth of our lives. We are expected to entrust that information—without cause—to a department that, according to the The New York Times, recently found that over 10 years almost 200 employees and contract workers had taken nearly $15 million dollars in bribes. In 2015 police officers found 110 pounds of cocaine in a US Border Patrol agent’s car. One could be rightly concerned as to what an agent might do if they had access to banking information, blackmail fodder, or proprietary info from a border crosser's business life.
The policy as disclosed says that they can only search—not copy or hold onto the device—unless they see evidence of a crime.
“But we were hearing reports at the border of CBP officers writing down like names of people from contact lists and stuff,” said Cope. And in Bikkannavar’s case the phone was taken out of the room, making it impossible to know whether the contents were copied.
To be clear, what’s happening isn’t new. There are reports Customs and Border Patrol searching laptops and phones dating back to 2008. Hard data on searches is difficult to find (and PopSci will update if it becomes available), but anecdotes suggest that it is becoming more frequent.
And Cope argues that even one person is too many. Especially when you consider how many people are in your contact list.
The natural question, is how can we protect our information at the border?
Since technology, in part, created this problem, it can be tempting to turn to technology to resolve it. For example, it’s possible to partition a laptop’s hard drive to boot one way with one passcode and another way with a different one.
“You have to be careful,” said Scope. “If there is evidence that you are lying or misleading a government agent, that is itself a crime.”
At minimum, you should practice basic digital security: enable two factor authentication on your social media accounts. Disable any biometric locks—fingerprint locks in particular area notoriously easy to forge, and it’s not hard for a CPB agent to simply press your finger against your phone to make it unlock. Enable hard disk encryption.
None of that matters, however, if you unlock your device for an agent.
American citizens traveling to the United States have the right to return. You can’t be denied entry into your own country. So you can simply refuse to comply—though you do risk them taking the device.
Increasingly, customs and border patrol agents have been asking people—primarily foreign nationals—for the passwords to their cloud accounts. Americans don’t have to comply, and Americans do have the right to an attorney—but foreign nationals have less of a choice.
Bikkannavar said that the interaction between he and the CBP agents was unfailingly polite on both sides, but the situation itself intimidating, in part, because he didn’t really know his rights. So before you travel, make sure you know yours.
Cope suggests literally wiping the device before you're forced to hand it over. Or, if you’re an American citizen, encrypting the device in the strongest way possible and refusing to comply. They might take the device away, but at least you'll know they (probably) can't get at your information.
For those of us who travel a lot, our best option may be to use two sets of devices—one which we use in our everyday lives, and one which we use just for traveling and that we wipe each time we prepare to cross the border.
But the most important way to secure our devices isn’t at the border—it’s with the law. Until legislators or the courts clarify the law, we’ll all have to keep watching our devices.