Canadian Border Agents Also Routinely Demanding Passwords From Travelers And Searching Their Devices
from the slightly-more-apologetic-rights-violations dept
In sad but unsurprising news, Canada is no better than the US when it comes to ignoring its citizens’ rights at the border. The Canada Border Security Agency (CBSA) has also been given the green light to perform invasive, warrantless searches of people’s devices at the border. And, like its US counterpart, it seems to be using this power frequently.
The CBSA said that between November 2017 and March 2019, 19,515 travellers had their digital devices examined, which represents 0.015 per cent of all cross-border travellers during that period.
Whether or not these numbers are on the rise is still a mystery. The CBSA only began tracking this statistic in late 2017 after Canada’s privacy commissioner opened an investigation into this practice. Concerns were raised about the CBSA’s searches, which involved cloning devices for later examination and seizing devices if travelers refused to hand over passwords.
Unfortunately for the CBSA, it searched the wrong person’s device. A legal challenge is being raised by someone well-equipped to raise legal challenges, as CBC News reports.
“The policy’s outrageous,” said Toronto business lawyer, Nick Wright. “I think that it’s a breach of our constitutional rights.”
His thoughts follow a personal experience. After landing at Toronto’s Pearson Airport on April 10, he said the Canada Border Services Agency (CBSA) flagged him for an additional inspection — for no stated reason.
Wright had just returned from a four-month trip to Guatemala and Colombia where he studied Spanish and worked remotely. He took no issue when a border services officer searched his bags, but drew the line when the officer demanded his passwords to also search his phone and laptop.
Wright refused, telling the officer both devices contained confidential information protected by solicitor-client privilege.
The end result was CBSA agents confiscating Wright’s phone and laptop with the assurance they would be sent to a government lab in order to have their password protection cracked. Replacing them cost Wright $3,000.
Wright claims this is a violation of Canada’s charter of rights. Canadian courts, like those in the US, have decided no involuntary sacrifice of rights is too great when national security is on the line. The CBSA, for its part, has greeted the tech future by pretending it’s still 1975, and that searching a phone is no different than searching a briefcase or the trunk of a car.
For all of that, this is probably the right time to challenge this custom of customs officials. The nation’s top court has already drawn a distinction between briefcases and cellphones, saying the latter contains vast amounts of information that “touches a person’s biological core.” And at least one provincial court has declared Canadians’ rights are not null and void simply because they’re at a border crossing.
The CBSA’s statement to CBC News says these suspicionless searches that can result in the indefinite seizure of citizens’ devices are “reasonable and necessary” to keep Canada secure. But they seem to be neither. There’s nothing “reasonable” about invasive searches completely divorced from articulable suspicion. That’s the very definition of “unreasonable.” And as for necessity, all the CBSA has to offer is that 38% of its 19,000+ device searches “uncovered evidence of customs-related offences.” This means most searches don’t recover any evidence of anything and that things like undeclared goods are somehow threatening to the country’s security.
It’s time for border agencies to stop pretending the only way to secure a nation is to discard its citizens’ rights. And it’s time for courts to stop deferring to national security mantras and stick up for the rights they — and the rest of the government — are supposed to be protecting.
Filed Under: border searches, canada, device searches, electronics, passwords, privacy
Comments on “Canadian Border Agents Also Routinely Demanding Passwords From Travelers And Searching Their Devices”
Nothing to hide, nothing to fear. Privacy is as dead as copyright enforcement. Welcome to the brave new world.
Re: Re:
Utter bullshit.
Eh, copyright enforcement is alive and well. Privacy, on the other hand, is a thing of the past.
Same as the old world.
Re: Re:
Privacy is as dead as copyright enforcement.
So you’re saying privacy isn’t dead, then?
Briefcases
It’s one of those "give them [a centimetre] and they’ll take a [kilometre]" situations. They should never have been allowed to read documents in briefcases. Just open up the case, verify it contains documents and not knives or drugs, and let the person go. Same for phones: just make sure it’s nothing dangerous like a Samsung Note 7.
I wish these things would start being reported at the correct level of magnitude. We’ve been conditioned that anything under, say, 25% is negligible in most cases.
But this stat indicates that 3 out of every 20,000 people are forced to provide password access to CBSA for no declarable reason.
And if there IS a reason, CBSA is not required to disclose it, which means there’s no way to minimize your chances of this happening to you, beside not having confidential information present on your devices in the first place.
It’s probably worth noting that CBSA is not supposed to gain access to data stored outside the devices — the first thing they’re supposed to do after logging into your phone is to turn on airplane mode.
Re: Re:
This made me start thinking… it should be possible to do reverse 2FA, and set your phone to a mode where it has to call home to a remote system before it will unlock.
Microsoft already does something like this; for iOS Office apps, you can set them so that you must be online for authentication in order to open the app and decrypt its stored data.
The MS solution is the only way to make it feasible to comply with both GDPR and US/Canadian customs.
Re: Re: Re:
I hope you’re reading this thread Apple/Android engineers: should be pretty simple. Add a feature to Airplane mode where, once you’ve toggled Airplane mode, you need to connect back to the Apple/Google account before the phone will unlock the next time — essentially a shared secret required for decryption would get erased when entering Airplane mode.
So if you enter Airplane mode while the device is unlocked, you’re fine until you next lock the device. If you leave Airplane mode while locked, you’ll need network access to decrypt. If you are in Airplane mode and locked, you can’t get into the phone’s encrypted data and can only do things normally accessible from the lock screen.
Re: Re: Re: Re:
Not good enough, because the UK border guards might arrest you if you refuse to decrypt it for them. A better system would ensure you cannot comply, perhaps by requiring you to use a kiosk away from the airport.
Re: Re: Re:2 Re:
Hmm… maybe you could add in airport WiFi hotspots (before passing through security), and if it sees them, it won’t connect to anything? This gets more complicated though.
Re: Re: Re:3 Re:
How about one password that unlocks your phone normally and another that opens in "jailed" mode where your phone looks like a brand new device with no data on it at all. Just say you had to reset your device right before heading for the airport.
Re: Re: Re:2 Re:
I think the easiest option is to make sure you have a backup in the cloud, then wipe your phone when you’re getting close to the border. Once through, find a Wifi hotspot and do a restore. Make sure all your pictures and stuff is already backed up into the cloud.
Want to look at my phone, there you go, it’s not even password locked. have at it.
Hope this goes somewhere
All of this security theatre does nothing to help. Pointless invasions of privacy need to be stopped rather than expanded. Like seriously what exactly are these people searching for at the border? What legitimate need is there?
Re: Hope this goes somewhere
"Like seriously what exactly are these people searching for at the border? What legitimate need is there?"
A reason to exist and keep their jobs.
Re: Hope this goes somewhere
According to CBSA, they’re searching for the following, in this order of priority:
Child Porn
Planned acts of terrorism
Evidence of trafficking (human or drugs)
Copyright Infringement (seriously)
Evidence of illegal import/export
These are the only things that fall under their remit. If they find evidence that you sped, that you buy drugs but don’t import/export them, have a porn fetish that doesn’t involve children or smuggling, etc. they are to ignore that and move on.
Re: Re: Hope this goes somewhere
"These are the only things that fall under their remit. If they find evidence that you sped, that you buy drugs but don’t import/export them, have a porn fetish that doesn’t involve children or smuggling, etc. they are to ignore that and move on."
And their mission creep stops at this point; it will go no further. Ever. Honest.
Re: Re: Hope this goes somewhere
So, if you’re planning to blow up a building—but not for terrorism, just because you’re a pyro—all is fine?
Re: Re: Re: Hope this goes somewhere
Are you prepared to give up all your privacy so that they can determine that you are not breaking any laws.
NSA/CIA told CBSA to get his data. Canada doesn’t know why or how but they know to do what their bosses tell them !
Worker for an international company for 20 years. Been through customs US and foreign a thousand times or more.
The best advice is take as little with you as possible, especially books, magazines, and electronics.
What you consider normal and benign some wacko custom agent somewhere will consider counter band.
Books have psychology and culture; magazines have pictures, and electronics have it all with it all being bad.
The wrong psychology, the wrong picture, or the wrong files in the middle east and off to jail you go.
Jail being some tin roof building with you shackled to the floor with the good news being it only gets to be 120F or so in the summer outside.
Inside it may reach 140F in the day.
If you die so what: you are a criminal.
Some other parts of the world almost as bad, especially Africa.
Re: Re:
I’m in the same boat; they still flagged me for having a bottle of water that I bought inside security and planned to toss before exiting security at the other end of my trip.
So if they want to get you, they will. And the reasons for doing so cover pretty much everyone who flies.
Holy cow Batman, a Techdirt article I can agree with.
When I used to have my online radio station and traveled the world broadcasting figure skating events from October to March, I always wiped my devices before entering Australia, Canada, or the USA, because of the invasive device search policies of those countriiez.
With my phone it was matter of encrypt and reset. The decryption key is a random one that lost when the phone is reset. Rendering the data previously there unusable. Just encrypt, reset, and you are good to go.
The right wiping tools will never have their use detected, so there was no way any evidence could ever be obtained for either an SoX prosecution 8n the USA or perverting the course of justice in Britain.
Also,, as an Australian citizen, doing this in Australia, where my station was located, I was not subject to U.S prosecution even though I have American citizenship as well, since I was only subject to Australian laws when doing that on Australian soil.
Re: Re:
Kim Dotcom would like to have a word with you.
Re: Re: Re:
That is different. His servers were in the USA, so that did make him subject to USA laws.
However, when was living in Australia, and running my station from there, I only recognized Australian and EU jurisdiction as my station was in Australia and the stream servers were in France.
When I went to Malaysia to cover a figure skating event in 2003, I often ate at restaurants at the Melia Kuala Lumpur which was nearby the arena. Even though all Melia hotels are on a blacklist, under Helms Burton, because of their business dealings in Cuba, that did not apply to me because I used an Australian passport to enter and depart Malaysia and paid for my meals with Australian money. That made the prohibition on US citizens patronizing any restaurants in that hotel not applicable to me
Because I entered and departed Malaysia using an Australian passport, what I did in Malaysia was not subject to American.laws, including the prohibition on US citizens doing any business with Melia hotels anywhere in.the world.
However, my point is that if you use right wiping tools, CBP, CSBA. Australia Bordet Force. HM Customs, etc. will never know you used it.
It is laws like Sarbanes Oxley that put Evidence Eliminator out of business, as better products, whose use cannot be detected, came on the market.
Re: Re: Re: Re:
Partially correct, partially not. Having servers in Virginia allowed the USA to target him without the need for any reciprocal government agreements, such as the recent drama over Hauwei’s executive being arrested in Canada for allegedly violating US laws while in China.
Re: Re: Re:2 Re:
China has some of the best hackers in the world.
Arrest warrants are computerized. I would not surprised if China has tasked its hackers to break into warrants computers in the USA and erase warrants for any other Huawei executives.
The vulnerable part of the system is server level database, which has to exposed to the Internet for programs that need it to work, leaving them vulnerable to Chinese hackers.
Once those warrants are removed from the computers, police agencies, such as CBP, will never know there are any warrants, since they can only go on what their computers say.
when you are pulled over, and a cop checks for warrants, he can only go on what his computer says. If there is nothing in the computers, he has to let you go.
I would not be surprised if hackers in China are trying this. Chinese hackers are among the best in the world, and they could pull it off, if the Chinese government, or Hauwei, tasked them to do it.
This means...
"And as for necessity, all the CBSA has to offer is that 38% of its 19,000+ device searches ‘uncovered evidence of customs-related offences.’ This means most searches don’t recover any evidence of anything and that things like undeclared goods are somehow threatening to the country’s security."
No, this means that the CBSA spouts whatever nonsense they wish to "justify" their need to violate citizens’ rights, knowing they can’t be called to task to "prove" their claims.
CBSA "Routinely" Searching Devices
Hold on. CBSA is examining the digital devices of 0.015% of cross-border travelers? That means 99.985% of travelers are not having their devices examined. How much of that tiny percentage involves Canadian citizens or landed immigrants versus foreign visitors? How much more selective should/could CBSA be in exercising their authority to protect the nation?
Of the persons whose devices were searched, 38% of the time the result was the discovery of a violation. While that may be less than half, it’s a greater success rate than all but the most elite of baseball players.
I daresay, it seems to me that CBSA is doing a pretty darn good job of balancing privacy rights and enforcement authorities.