Individuals crossing the border or entering customs controlled areas, and their possessions, are subject to search without warrant. In the absence of modern legislation, this power, created long before mobile phones existed, automatically extended search authority to information contained on electronic devices and media. In the July 2018 revision of “Your privacy at airports and borders,” the Privacy Commissioner articulated the current situation:
“Canadian courts have generally recognized that people have reduced expectations of privacy at border points. In this context, privacy and other Charter rights continue to apply but are limited by state imperatives of national sovereignty, immigration control, taxation and public safety and security. The Canadian courts have not yet ruled on whether a border officer can compel a person to turn over their password and on what grounds, so that their electronic device may be searched at a border crossing.
While the law is unsettled, CBSA policy states that examinations of personal devices should not be conducted as a matter of routine; such searches may be conducted only if there are grounds or indications that ‘evidence of contraventions may be found on the digital device or media.’
If your laptop or mobile device is searched, it should be searched in line with this policy and, in that context, you will likely be asked to provide your password. If you then refuse to provide your password, your device may be held for further inspection. According to the policy, officers may only examine what is stored within a device, which includes, for example, photos, files, downloaded e-mails and other media. Officers are advised to disable wireless and internet connectivity, limiting access to any data stored external to the device, for instance, on social media or in a cloud.”
While CBSA has not published their policy, Operational Bulletin PGR-2015-31, Examination of Digital Devices and Media at the Port of Entry, is available on lexsage.com. In summary, the document makes it clear that CBSA officers should only search electronic devices for customs purposes in the presence of a “multiplicity of indicators.” It also directs officers to disable wireless connectivity, limit their search to data on the device, and, until further notice, not to arrest a traveler solely for refusing to provide a password, explaining, “Though such actions appear to be legally supported, a restrained approach will be adopted until the matter is settled in ongoing court proceedings.”
Beyond the lack of clarity as to whether CBSA officers have a legal right to compel passwords lies the larger issue of why data searches are being conducted in the first place. The Privacy Commissioner wrote, “Individuals entering Canada who are concerned about how this policy might be applied may wish to exercise caution by either limiting the devices they travel with or removing sensitive personal information from devices that could be searched. Another potential measure is to store it on a secure device in Canada or in a secure cloud which would allow you to retrieve it securely once you arrive at your destination.”
In other words, Canadian law has become so antiquated that the Privacy Commissioner is essentially advising people to protect their data by circumventing border officials. That’s a clear sign; legislative amendments are urgently required.
CBSA has the power to search data on phones and laptops. They do not have the authority to search data leaving or entering the country via the Internet. In effect, border searches target individuals who are less technologically capable or cannot afford to purchase clean devices for travel. Simply logging out of an email or social media account prior to travel will prevent that data from being searched. As a result, these searches will have virtually no impact on terrorists or organized crime.
In addition to being poorly aligned with the threats facing Canadians, pursuing this policy direction will likely result in new technology being designed to frustrate border officials. It is only a matter of time until someone develops a phone that stores all data in the cloud or on an easily removable memory card. Clearly, when it comes to data crossing international borders, we need to draw the line.
Have a security question you’d like answered in a future column? Eric would love to hear from you.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…