Laptops, smartphones are fair game for Customs

Has your IT policy ever considered the coercive powers available to Customs and Border Protection officials to seize and examine computers and mobile phones at the Australian border?

If it doesn’t, it most certainly should.

Laptops and smartphones, and the data contained on them, were fair game for UK border officials when they seized the devices of David Miranda, the partner of Guardian journalist Glenn Greenwald last week, as was the case with Australian professional footballer Paul Gallen when his phone was seized on return to Australia from a match in New Zealand.

Your IT policy should consider that the Australian Customs and Border Patrol Service (ACBPS) has an unfettered legal right to seize your possessions, without requiring a warrant, when you enter Australia.

“This includes the power to examine and seize mobile phones and other personal electronic devices at the border,” an ACBPS representative responded to my inquiries.

While this power assumes the ACBPS official has been tipped off by an external agency or harbours suspicion that you may be in breach of a law, that assumption isn’t entirely necessary. An ACBPS officer has the authority to arbitrarily search digital devices, on a whim.

“There is no threshold test or requirement that must be met to enable a Customs officer to exercise this power,” noted an Ombudsman’s report into these coercive powers in 2010.

The scope of these powers was once limited to the specific role Customs officers played under the Customs Act 1901 around the importation of goods. It was broadened in the late nineties to help tighten Australian immigration.

Today, under the pretext of counter-terrorism, the ACBPS can be asked to seize devices under a wide range of laws outside of the Customs Act.

When seizing and examining devices, Border Protection officials are not compelled to tell an individual what law they are suspected of breaking.

According to a Customs response to a 2010 Ombudsman’s report:

“It will be inappropriate to inform a passenger of the law enforcement or national security purpose for which the documents were being copied. In many instances, disclosure of the reasons for copying a document would serve to alert a traveller to the fact that they were of law enforcement or national security interest or would disclose methods and procedures used by Customs and Border Protection and other relevant agencies for the purposes of preventing, detecting or investigating breaches of the law. Such disclosures would not be in the public interest.”

The law allows an ACBPS officer to do “whatever is reasonably necessary to permit the examination of the goods concerned”, including keeping devices for up to 14 days for forensic examination, without any requirement on the part of the ACBPS to prove the owner of the device has broken any law.

When a device is seized, the ACBPS gives the owner a B390 form (receipt of seized goods), which on the reverse side contains a sticker that notes:

“Electronic devices held for forensic examination under Section 186 of the Customs Act will be retained for no longer than 14 days, provided there is no content on any device retained which renders the device subject to seizure under Customs-related laws.  If any device is subject to seizure, the examination of any associated retained devices may take longer than 14 days.  Information about travellers’ definite itineraries, the impact on legitimate livelihoods or the need to contact family members will be taken into account when prioritising the examination.  Cooperation from travellers regarding access to devices will assist in expediting the examination but without that cooperation the examination may take longer than 14 days.”

The ACBPS is free to share data retrieved off the device with external agencies, but can only copy the data if satisfied that it is of relevance to an offence under the Customs Act. If the data is found not to be relevant, the ACBPS is compelled by law to delete the copy. But the ACBPS is not required to chase down and delete copies sent to external agencies (such as the AFP, for example).

Precedent

The United States’ Department of Homeland Security has had the power to seize devices for an indefinite period of time and copy data from those devices since 2008. The DHS’ right to do so was upheld by US courts as recently as 2011.

To its credit, the US Government provides its citizenry reports on how many devices it has seized. The DHS seized 5000 mobile phones and laptops in 2012 alone.

The ACBPS hosts a fact sheet for travellers and reports how many bags are inspected each year, which also features data on how often the service finds prohibited goods.

But there is no way to discern the number of seized smartphones and laptops in this mix versus the more common problems of the import of prohibited foodstuffs or excessive cash - and the ACBPS does not intend on trying:

“Statistics relating to the number of cases where documents are copied is not currently collected. Customs and Border Protection is not in a position to report on the number of cases where documents copied prove not to be relevant to Customs and Border Protection or another agency with an interest at the border. Copied documents often form part of an ongoing law enforcement or national security operation to which Customs and Border Protection may not be privy and/or which may not yield results for a significant period of time.”

Can Customs and Border Protection use device seizure to gain access to your network? How should these powers impact your security policies? Read on….