CAVEAT: I’m not a lawyer, this is not legal advice.
British police arrested someone this week for refusing to hand over passwords.1 Scarier to me (because I live in the US), it looks like US C&BP is doing the same thing to foreigners – they keep hassling this one Canadian after reading his dating app chats.2 Worst of all is C&BP overstating the law to Americans reentering the country.3
If you’re a diplomat life is easy; anything stamped with your country’s flag and appropriately sealed can become a diplomatic pouch. So you just slide your iPhone in the pouch next to your cigarettes and you’re home free.
If you’re like me and don’t have access to the legal protection of a sovereign state you may still be in luck. In 1986 Congress passed an amendment to 18 USC 1030 that we’ve come to know and love as the CFAA. This law criminalizes unauthorized access to a computer system ‘which is used in or affecting interstate or foreign commerce or communication’. AKA your cellphone.
So is defending against mandatory password disclosure as simple as putting your cell phone in a manilla envelope stamped ‘authorized personnel’? Read on.
What does ‘unauthorized’ mean?
Judges have defanged the worst interpretations of the statute.
- ‘Unauthorized’ doesn’t cover every TOS violation (US v Drew 2008)4
- The statute seems not to cover stealing something you’ve been granted access to, although you’re still breaking the law by stealing (US v Aleynikov)4
- Doesn’t cover checking Facebook on your work laptop (Lee v PMSI 2001)4
- Seems to cover emailing somebody a lot (Pulte Homes v Laborers’ 2011)5
- The word computer may cover every digital device; the 8th circuit quoted Woz saying ‘Everything has a computer in it nowadays’6
Most interesting for our situation is US v Nosal (9th circuit 2016):
The panel held that the defendant, a former employee whose computer access credentials were revoked, acted “without authorization” in violation of the CFAA when he or his … co-conspirators used the login credentials of a current employee …
Dissenting, Judge Reinhardt wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.7
My read of this is that just possessing a password doesn’t count as authorization. If that password is obtained via a form of duress, we’re probably in interesting territory. The old chestnut that ‘possession is 9/10 of the law’ doesn’t apply, at least according to the 9th circuit, to passwords.
Do ‘no trespassing’ signs apply to police?
US v Nosal may not matter at all because police who are doing their job are subject to different rules than ex-employees.
Potentially useful case law is a 2013 case from Florida. The court said yes, ‘no trespassing’ means ‘no search’. Interesting excerpt that we should all say out loud once a day:
An invitation to engage in canine forensic investigation assuredly does not inhere in the very act of hanging a knocker.8
If you click the footnote the Volokh blog has more discussion, but the summary I understand from it is that a no trespassing sign, while it may not stop a salesperson or a census taker, does indeed stop police from performing a warrantless search.
If this SCOTUS ruling is indicative of the ability to mark a bagged cell phone as ‘unauthorized’, that’s promising.
The CFAA itself tries and fails to carve out an exception for law enforcement:
This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency9
I think there are a few questions a court needs to ask about this line:
- is ‘lawfully authorized’ the same as ‘authorized’ elsewhere in section 1030?
- given that some degree of warrantless search seems to be authorized by C&BP near the border, the state will argue that the CFAA doesn’t apply to border searches. But the whole point of this statute is to make tampering with computers a different class of activity than tampering with physical goods. C&BP’s apparently unlimited warrantless search powers shouldn’t be applied to digital information without judicial review.
- given the ease of transmitting digital information cross-border, and the ease of encrypting / hiding it on a device, and the lack of forensic sophistication in a quick border search, no sophisticated adversary would ever be caught with bad secrets on their phone, especially after a few high-profile arrests of this kind. Is there any purpose to digital search other than hassling travelers?
- given the ease of obtaining a warrant if law enforcement cared to fund a few more courts, why do we ever want to permit warrantless searches? (this is a bigger question)
Does the CFAA protect foreigners?
The case law on border searches has been generous to law enforcement. Here’s one:
The Government’s interest in preventing the entry of unwanted persons and effects is at its zenith at the international border. Time and time again we have stated that searches made at the border … are reasonable simply by virtue of the fact that they occur at the border.10
It’s worth noting that two layers of appeals courts found the government’s action in this case egregious and absurd based on a plain reading of an earlier ruling, US v Montoya de Hernandez. The Supreme Court, which is foolishly and inappropriately supportive of federal law enforcement, overturned.
US v Ickes Jr in 2005 has a similarly broad perspective on border searches and is specific to digital documents (in this case bad porno):
it is undisputed that Ickes’s computer and disks were being transported by his vehicle. We are unpersuaded that these particular transported goods are somehow exempt from the ordinary definition of ‘cargo’. To hold otherwise would undermine the long-standing practice of seizing goods at the border even when the type of goods is not specified in the statute.11
But in neither of these cases was a password compelled and in neither case were the digital files marked as ‘authorized personnel only’.
How does the CFAA come into this? The statute as written protects ‘foreign commerce and communication’, doesn’t specify that the protected computer is owned by an American, and doesn’t carve out rights for warrantless search by law enforcement nor for border searches.
Sounds to me like Congress either intended to protect digital documents from all forms of eavesdropping and tampering or didn’t understand the question.
Let’s say hypothetically the foregoing argument stands up in court, and someone figures out a way to resist or at least refuse a border search without getting their ass beaten, and still enter the country so they can go to court.
What’s to stop Congress from repealing the CFAA?
Only answer I can think of: you are. Call your elected representatives now to complain about bullying tourists for their password, call them later to tell them if they sign laws permitting these searches they’ll be out of a job next time out.