CBSA laptop search documents

In late February, shortly after the story we posted about the Canada Border Services Agency delaying our request for documents on their policies on searching laptops and other personal electronics, a slim brown envelope arrived in our office. The response came just over two weeks after the extended deadline the CBSA set for itself had expired. The delay was frustrating, but not nearly as long as we’d feared given the abysmal state of access to information responses from other governmental agencies.

Image: jasonunbound on Flickr

Now that we’ve had a chance to go through the documents, there were few surprises. The documents provided by the CBSA were disorganized and still fail to provide a clear and complete picture of CBSA policies and practices on data search and retention. In the end, the documents raised more questions than they answered, but are fairly interesting in their own right, if only for the glimpse into the institutional culture of the CBSA they can provide.

Many categories of important information were completely redacted or exempted from disclosure. Some of the redactions were legitimate—legal opinions, for instance, would generally be covered by solicitor-client privilege. Other omissions were less convincing, and the practice of redacting in white rather than in black left it unclear whether information was missing or not. Some areas of the request were completely ignored or omitted. For instance, we asked for statistics on how many searches of personal electronics had been conducted. These statistics were not even referred to in the documents provided.

The BCCLA has filed another complaint with the Office of the Information Commissioner, this time regarding the exemptions and redactions from the documents provided by the CBSA in response to our request. For now, here’s a review of some of the highlights of the documents we have received:

The consistent:

  • CBSA policy states that “the difference between a paper document and information stored electronically is only the medium it is stored on” (A-2009-01850-Vol2 on p. 5). We can think of lots of other differences—the kind and quantity of information that is regularly brought across the border by travellers bringing their laptops and smart phones, for instance—but this fits with what we had learned about CBSA search practices.
  • The CBSA spends a lot of time thinking about child pornography. We’d always assumed this was the case, but the documents show that an entire chapter of the Customs Enforcement Manual is dedicated to the subject (A-2009-01850-Vol4).
  • The CBSA can and does perform laptop searches at random, but “will only scan or peruse a document to the extent necessary to either confirm or negate its association to an offence or intelligence concern” (A-2009-01850-Vol2 on p. 2).
  • Most screening is not at random, relying instead on various “indicators” including “known importers, exporters, known export locations (specific locations or geographical areas), the nature of the goods being imported (commodities known to be suspect) and/or information disseminated through regional or headquarters intelligence channels. … Officers should also be aware of high-risk geographical locations for child sex tourism” (A-2009-01850-Vol4 at p. 6). Specific indicators and suspect nations were redacted from the documents CBSA provided us. However, from court documents filed in the case of former Bishop Raymond Lahey, we know that “border officials flagged Lahey because he was a man travelling alone and his passport showed several trips to Southeast Asia, Germany, Spain and other areas known for child pornography”.
  • Screening also relies on various databases, including the Integrated Primary Inspection Line system (IPIL) and Integrated Customs Enforcement System (ICES) for primary screening, and Field Operations Support System (FOSS), the Canadian Police Information Centre (CPIC), National Crime Information Center (NCIC), the sex offender database, Treasury Enforcement Communications System (TECS), and Police Information Records System for secondary screening (PIRS) (A-2009-01850-Vol6 on p. 14).
  • The “Electronic Media Search Form” sets out a lot of what CBSA officers are looking for when they decide to search a computer. Officers will look for user accounts visible on the login screen, note the operating system, any encryption, and provides space for passwords provided, but also a box for “password not located”. There are also suggested image and keyword searches to guide officers (A-2009-01850-Vol6 on p. 6-8).

  • The CBSA has software to assist border agents with laptop searches. If, after an initial search, the border agent feels further scrutiny is required, he or she uses software called ICWhatUC to scan images stored on the traveller’s hard drive. ICWhatUC only works on Windows machines. It scans for image files on a computer, including images in the web browser’s cache, image files with strange file extensions (like .doc instead of .jpg) and files in the recycle bin. Deleted files and files in archives do not show up. We’ve purchased a copy of the law enforcement version of ICWhatUC and will be doing an analysis of its capabilities and limitations in another post this month.

The weird:

  • A Powerpoint presentation illustrates the physical size of media that it is possible to store on media of various capacities. For instance, “one meter (or close to a yard) of shelved books” is about 100 megabytes, while a “pickup truck filled with books” is about 500 megabytes of data (A-2009-01850-Vol7 on p. 4). A USB key could “contain a stack of paper (8.5×11), 35 feet higher than the CN tower” that “would take two years to print @ 24/7” (A-2009-01850-Vol7 on p. 1).
  • Another bizarre Powerpoint charts porn vs. time, showing that every second $3075 is spent on pornography, 28258 internet users are viewing pornography, and 372 people are typing adult search terms into search engines (A-2009-01850-Vol7 on p. 3). It follows this information up with statistics on youth viewing pornography, and then directly to statistics on seizures of child pornography (p. 4). This disingenuous attempt to link legal, adult pornography with the production and distribution of child pornography in its training materials may be part of the reason for CBSA’s continued targeting of legal materials it finds objectionable, like artsy queer films.
  • A chart breaks down the difference between “child pornography” and “not child pornography”, in case there was any confusion (A-2009-01850-Vol4 on p. 16). This chart seems to be common sense, but given some of the ridiculous accusations that have been made in the past, it’s probably a good thing that CBSA agents are provided with this handy cheat sheet:

A later document notes another example: “Japanese Anime – most not child porn” (A-2009-01850-Vol6 on p. 13).

The missing:

Five key areas were not addressed adequately (or at all) in the CBSA’s response to our request:

  1. Criteria for selection of individuals for device inspection. Information was referred to, and some information provided, but the contents of these sections were heavily redacted.
  2. Policies for copying and retention of electronic information. Some information was provided, but it only referred to cases where potentially criminal conduct was detected during the CBSA’s initial search. Further information is required here.
  3. Statistics on the number and kinds of devices inspected.
  4. Demographic information on individuals whose devices have been inspected.
  5. Policies for the distribution of electronic information copied from electronic devices to other government agencies.

These areas make up the substance of our second complaint to the Information Commissioner.

Overall, the CBSA’s lack of transparency on this important issue is discouraging. While their policies on searches appear to be quite similar, the CBSA has not been as forthcoming with information as even the secretive U.S. Department of Homeland Security, which has made its policy publicly available.

The documents:

As promised, we’ve made all the documents we received available online. Download them and have a look through them yourself. If you see anything of special note, have your own story of having your electronics searched at the Canadian border, or have something to add, please let us know in the comments or by email: [greg]@[bccla].[org]

Databases: We’ll show you ours if you show us yours

The Afghan detainee file has been taking up a lot of our time lately, but the BCCLA national security team hasn’t dropped the ball on other issues.

One area we’ve been watching is transnational data sharing, especially between Canada and the United States. Canada and the U.S. have been sharing police records since the Reagan era, and the relationship has only become cozier since 2001. An article in the USA Today illustrates just how close that relationship has become:

Thousands of times each day, Canadian authorities tap into sensitive U.S. government databases to check the criminal histories of U.S. citizens who are crossing the border or have been entangled in the Canadian criminal justice system, FBI records show.

During the Winter Olympics, Canadian authorities ran nearly 10,000 criminal history checks per day, more inquiries than some U.S. states perform each day, FBI records show.

Even more Canadian citizens receive similar scrutiny by U.S. officials with access to Canadian records, according to RCMP records. Since January, Canada has conducted 400,000 queries and the U.S., 1.4 million.

Systems used that widely have a gross potential for abuse. We wouldn’t just trust another nation to troll through our most sensitive records, would we? There must be some oversight built into the system, right? Wrong:

The U.S. has no independent authority to audit Canada’s use, Weise says, and Canada has no authority to police U.S. queries of its system. Weise and RCMP Sgt. Greg Cox say the two countries conduct regular internal audits of their own use.

Well, if it’s widely used and there’s absolutely no accountability, we shouldn’t be worried if we’ve nothing to hide, right? Wrong again:

Canada’s access to such detailed — and possibly outdated — personal histories of U.S. citizens, including decades-old misdemeanors, can result in wrongful detention, interrogation and foreign travel bans.

About half of the arrest records in the system have not been updated to reflect convictions, dismissals or acquittals, Weise said, adding that local law enforcement agencies are responsible for giving the FBI updated information.

So to sum up: Border agents in Canada and the United States have unlimited access to the other country’s criminal databases. There are no checks and balances to ensure that U.S. use of the Canadian system is appropriate, and vice versa. Even if our border guards are using their database access appropriately, the information in the database is wildly inaccurate and out of date, often resulting in wrongful detention, embarrassing interrogations and searches, or even travel bans.

Despite these enormous problems, we’re still rushing to share even more information between our nations. This week, BCCLA Policy Director Micheal Vonn is off to Ottawa to appear at a parliamentary committee meeting discussing the Passenger Protect Program and plans to bring the U.S. No-Fly List to Canada. We’ll have more on that when she reports back.

CBSA delays laptop search Access to Information request

The BCCLA has been following reports of searches of laptops, smartphones, and other electronic devices by the Canada Border Services Agency (CBSA) for some time now. We’ve come across a lot of stories (see here, or here, or here for just a few examples) detailing the experiences of travellers who have had their devices searched or detained, and recommendations from business associations and lawyers concerned with securing confidential or privileged information.

What we haven’t come across are official policy statements from the CBSA describing how they deal with electronic devices. The CBSA has no public policy on the search and detention of electronic devices or the copying and retention of data from these devices.

Waiting to cross the border into Canada. Photo: Aaron Gustafson

On October 21, 2009, the BCCLA filed an Access to Information request with the CBSA, hoping to clarify CBSA policy on the search of electronic devices. The BCCLA request asked for CBSA records on:

  • Policies pertaining to the search and inspection of Electronic Information;
  • Statistics on the number and kinds of electronic devices inspected;
  • Methods of search and inspection of the contents of electronic devices;
  • Training materials on performing inspections of the contents of electronic devices;
  • Criteria used to select individuals for device inspection;
  • Demographic information on individuals whose devices have been inspected;
  • Policies for requesting or demanding passwords to access Electronic Information from individuals at the border;
  • Policies for handling a refusal to provide a password to access or decrypt Electronic Information;
  • Policies for the copying and retention of Electronic Information;
  • Policies for the inspection and retention of confidential or privileged Electronic Information;
  • Policies for the distribution of Electronic Information copied from electronic devices to other Government agencies;
  • Policies for the destruction of Electronic Information copied from electronic devices; and
  • Documents considering the Charter and other legal implications of the search and inspection of the contents of electronic devices.

The CBSA acknowledged that request on November 4, 2009. The Access to Information Act requires a response within 30 days of receiving the request. That response was received on November 30, 2009, when the CBSA notified the BCCLA that an additional 60 days would be required to process the request, as allowed by ss. 9(1)(a) and 9(1)(b) of the Access to Information Act:

9. (1) The head of a government institution may extend the time limit set out in section 7 or subsection 8(1) in respect of a request under this Act for a reasonable period of time, having regard to the circumstances, if
(a) the request is for a large number of records or necessitates a search through a large number of records and meeting the original time limit would unreasonably interfere with the operations of the government institution,

(b) consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit, or  …

That time extension made the new deadline for response February 1, 2010, 60 days after the initial deadline. We filed a time extension complaint with the Information Commissioner, then waited patiently to see what would come.

February 1 came and went with no response. We waited another week to see if Canada Post was the problem. Still no response. Three months after the original request was filed, the CBSA remains unwilling or unable to provide a single document in response to our request.

What now? To start with, we will amend our complaint with the Information Commissioner to reflect the continued failure of the CBSA to meet its obligations under the Access to Information Act.

In the coming weeks, we’ll post more about the work we’ve done on border searches of personal electronics, including why searches of electronic devices should matter to Canadians, and what we do know about CBSA policy. Once we get some documents from the CBSA, we’ll post those too.

Laptop search documents: