Who has the legal right to access your personal and private digital assets? The answer can be complex, and will depend on where you live, where you are traveling from and to, and whether or not you’ve been suspected of a crime. The rules governing personal digital access are evolving rapidly, and are often subject to creative, on-the-fly interpretations.
Digital Privacy is the Wild West
Consider the case of Sidd Bikkannavar, a US-born scientist who works for NASA. Last month, while returning from a vacation abroad, he was detained by Customs and Border Patrol personnel for reasons which are still unclear. During his detention, agents seized his phone and demanded that he provide them the access code to unlock it. Left with no other options, he complied, which allowed the agents unrestricted and unsupervised access to all of the data on his NASA-issued phone. Legally, the agents were within their rights to do what they did, as the border screening area isn’t technically in country and therefore the typical protections against unwarranted searches don’t apply. However, the fact that any CBP officer can demand access to – and possibly even download – the data of a U.S. citizen without cause raises some frightening possibilities.
In some cases, the demands for information may go beyond the data itself. There is a proposal – though not yet implemented – that could require incoming travelers or visa holders to surrender their social media login credentials before being granted passage into the United States.
The U.S. isn’t alone in this. Canada also reserves the right to demand access to your devices during an attempted border crossing, and as a Quebec man found out a couple of years ago, refusing to provide a device password is a crime in itself. Israel has had similar cases in the past, in which travelers were asked to log in to provide border agents access to their data. Word of these incidents has led some folks to create travel-only email accounts, or to simply leave their devices behind altogether.
Incidents like these aren’t limited to traveling. Some employers have demanded social media credentials of applicants and employees, although this practice is increasingly being banned by state legislatures. On the cloud storage front, it is possible for law enforcement agencies to execute a search warrant on cloud-stored data without informing the owner of said data, meaning that your data might have been searched and you have no legal right to be notified of the search.
In what might be the most unusual and complex case of digital privacy, a former police officer named Francis Rawls has been jailed for over a year amid allegations that he engaged in child pornography. However, Rawls is not being held on the child pornography charge; rather, he has been jailed indefinitely for failing to unlock two encrypted drives on which authorities suspect he has saved those illicit images (for his part, he claims to have forgotten the passwords). So far, the former police sergeant has not been charged with any crime, but there appears to be no urgency in either releasing him or moving forward with the child pornography charges without the evidence on the encrypted drives. If Rawls truly did engage in child pornography, I hope that the full weight of the legal system will do its business without mercy. However, the fact that the suspect is held without charges because of an unwillingness or inability to decrypt his own data speaks to a deeper quandary of data privacy.
The evolution of the legal system lags behind the pace of technological developments. In many ways, the laws and accepted practices regarding digital privacy – and the subjectivity of their enforcement – remains as tumultuous as the Wild West.
Author’s note: This post was originally published in my Data Geek Newsletter.