Data capture by border agencies can and will happen – are your on-the-road employees prepared?

Does your company have a travel policy that instructs and supports employees traveling internationally for business with direction regarding comportment and cooperation? This isn’t a trick question. To have a travel program that provides employees with anticipated scenarios, and to provide them with unique devices for international travel, is a significant investment of resources both physical and monetary.

The revelation that U.S. Customs and Border Protection (CBP) routinely downloads the content of devices of individuals who are entering the United States should attract the eyes and attention of every CISO. The fact that the CBP routinely captures device contents is not new; indeed, several lawsuits over the years have challenged the CBP’s authority, which has always been upheld as lawful.

Handling secondary interviews at the border

When one digs in further, they find that these data capture events occur as part of a secondary inspection/interview by a CBP officer prior to the individual being allowed entry into the United States. That timing and place are important, as the CBP officer makes the determination if the individual standing before them is to be allowed to enter the US or rejected and asked to depart without officially entering the US. While physically in the airport and in the CBP zone, until you are passed through by the CBP officer, you are not technically in the United States.

The immediate question all should be asking is, is it the same everywhere?

The short answer is, yes. Every country has a secondary screening process in place. I have been placed into secondary screening in Australia and the UK as my travel pattern prior to arrival was odd (even for me). In my case, it was a five-minute discussion after they had emptied my bags onto the table and determined I was whom I said I was, doing what I said I was there to do, and my device (I had a cellphone and a thin client tablet, both powered up.) I was not asked to open either device, but had they asked, I would have acquiesced as the devices were “travel devices” – that is, they were void of any data other than the connection to the VPN and secured cloud environment where the data I needed for my work resided.

Border zones have unique rules

CISOs need to be aware that international border zones be they at an airport, port, train station, or land crossing, are opportunities for intellectual property to be fleeced by governments with an eye or interest in the employee or the company. For example, in 2019, The New York Times did an expose on China’s surveillance of tourist phones. In this case, the situation was far more draconian than an inspection and data dump at the airport. Rather, the authorities required the installation of a specific application that allowed for real-time surveillance of individuals.

In a 2017 Kasperky report on border crossings, they shared statistics on electronic devices being inspected at various international points of entry. Though dated, the numbers provide perspective. In Frankfurt, the number of devices was seven percent, while in Paris 48% of individuals who were processed in secondary had their device information captured.

The recent spotlight placed upon CBP came about when Senator Ron Wyden (D-OR) sent a letter to CBP on September 15, 2022 which called into question the practice of searching US persons’ devices. In his letter, Wyden notes that CBP does not “keep statistics on the number of basic vs. advanced searches, the number of times CBP downloads data into its central database, nor the number of times it searches this database for ‘national security’ purposes.” He continues that the CBP had briefed that the information stored was accessible to 2,700 DHS personnel to search and was available for 15 years.

Preparing employees for cross-border travel

How can companies prepare their employees for international travel, understanding that the rules that apply in the United States are not the rules that will apply in China, France, Russia, or any other country? The ACLU has published a “know your rights” primer which is most useful in helping companies formulate their policy and guidance to employees crossing international borders.

For Americans, failure to answer questions asked of an individual may delay entry, but entry will not be denied. Similarly, failure to unlock a device may get the device confiscated and a receipt provided to the traveler. If you are a foreign national entering the US, the results of non-cooperation may result in your being denied entry into the U.S.

Having a travel security program that includes devices configured and prepared for international travel is another dimension, which may reduce the risk that intellectual property is resident in CBP or any other country’s database which is populated from devices that had been subjected to a deep dive. CISOs should also ensure that their travel security program includes guidance from corporate legal and HR on comportment and processes during international border inspections to which employees may be subjected.

In summation, anticipate that your employees will be subjected to secondary inspection from time to time and that they will be asked to open their devices to a border/immigration inspector and prepare accordingly.