Customs Officials Have Copied Americans' Phone Data at Massive Scale

SpzToid writes: U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they've compiled from cellphones, iPads and computers seized from travelers at the country's airports, seaports and border crossings, leaders of Customs and Border Protection told congressional staff in a briefing this summer. The rapid expansion of the database and the ability of 2,700 CBP officers to access it without a warrant -- two details not previously known about the database -- have raised alarms in Congress about what use the government has made of the information, much of which is captured from people not suspected of any crime. CBP officials told congressional staff the data is maintained for 15 years.

Details of the database were revealed Thursday in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-Ore.), who criticized the agency for "allowing indiscriminate rifling through Americans' private records" and called for stronger privacy protections. The revelations add new detail to what's known about the expanding ways that federal investigators use technology that many Americans may not understand or consent to. Agents from the FBI and Immigration and Customs Enforcement, another Department of Homeland Security agency, have run facial recognition searches on millions of Americans' driver's license photos. They have tapped private databases of people's financial and utility records to learn where they live. And they have gleaned location data from license-plate reader databases that can be used to track where people drive.

Right

[Kernel Kurtz]

adding data from as many as 10,000 electronic devices each year to a massive database they've compiled from cellphones, iPads and computers seized from travelers at the country's airports, seaports and border crossings...run facial recognition searches on millions of Americans' driver's license photos. They have tapped private databases of people's financial and utility records to learn where they live. And they have gleaned location data from license-plate reader databases that can be used to track where people drive.

On the bright side they are quite concerned about the security of your TikTok data.

Re: Right

[Kernel Kurtz]

Trump was. He wanted to ban TikTok. Republicans are concerned still which is why TikTok execs were hauled in front of congress today. Democrats however are not concerned. I wonder why?

Because your private data may be safer in China where CBP and DHS can't access it.

Re:

[Arethan]

I assume you were shooting for Funny here.

Re:

[Ed Tice]

Clearly the OP was shooting for Funny. CBP and DHS likely have a reciprocal agreement with the CCP.

Re:

[Kernel Kurtz]

I assume you were shooting for Funny here.

"It's funny because it is true" - H. Simpson

Re:

[youngone]

Trump was

No he wasn't.

Re:

[youngone]

That link is proof that you're a gullible idiot.

A proposal was produced that would have seen Oracle and Walmart owning a US entity of the service, and taking responsibility for handling TikTok's US user data and content moderation.

If there is one thing America's ruling class is united on, it is the sanctity of property rights, and if the president can declare something a threat to national security and turn it over to someone else with a wave of his hand, then who is next?

Nobody who was paying attention thought any of that was a good idea.

Re:

[Aighearach]

Property rights actually just means that if the government takes it, they have to pay for it.

Oh, right, you're that British idiot who named his account after a television idiot.

Re:

[youngone]

Oh good lord.
So did you forget the bit where the president of your stupid government used an executive order?
Jesus Christ, I'm the idiot? Also, not British. Idiot.

Re: Right

[pete6677]

Trump really should have banned TikTok as the national security risk that it truly is. The CCP is not gifting TikTok to the world for free just to be nice. They WILL use it against us.

Re:

[DJGreg]

I think they are quite concerned that your TikTok data will be locked away in a server in China where they can't access it. It has nothing to do with keeping your data safe.

The ability...

[Anonymous Coward]

"the ability of 2,700 power-tripping pigfuckers whose mothers should have had an abortion to..."

There! Fixed the summary!

Surprise!

[registrations_suck]

This is shocking and was completely unforeseeable.

I just can't believe it!

Re:Surprise!

[Brain-Fu]

I wonder how this database compares to the one Microsoft has built from all its spying on users of Windows 10 and 11.

Re:

[Locke2005]

Microsoft has cameras on the badge readers of every door to their offices. They are using their own employees to train their facial recognition software, and by working for Microsoft, you consent to your face being used to train an AI! On the bright side, this gives them a pretty diverse set of faces to use for training the AI, so it's less likely to fail to recognize black faces like facial recognition has done in the past.

Re:Surprise!

[Required Snark]

Surprise!

The lack of diversity in the tech workforce means that Microsoft using it's employees as test subjects reinforces bias in training based biometric algorithms. When the test set is primarily a bunch of white guys what else do you expect?

The Problem of Bias in Facial Recognition [csis.org]

NIST found that demographic factors had a much larger effect on false positive rates—where differences in the error rate between demographic groups could vary by a factor of ten or even one hundred—than false negative rates—where differences were generally within a factor of three. Differences in false positive rates are generally of greater concern, as there is usually greater risk in misidentifying someone than in having someone be incorrectly rejected by a facial recognition system (as when your iPhone doesn’t log you in on the first try). NIST found that Asians, African Americans, and American Indians generally had higher false positive error rates than white individuals, women had higher false positive rates than men, and children and the elderly had higher false positive rates than middle aged adults.

Re:

[Arethan]

Nuh uh! They already trained a different AI on how to apply blackface to all those input photos!

Re:

[Plugh]

No to mention the MS AI watching every keystroke you type into Outlook mail. It wants to correct your grammar, and helpfully predict your next words. Fuck MS and its AI

Re:

[Arethan]

Greeting, good sir.
Let me (re)introduce you to Pine.
https://en.wikipedia.org/wiki/... [wikipedia.org]

May the evil automation thingies never haunt you again.

Dr Mr Wyden

[usedtobestine]

Please join your colleagues in congress and emasculate DHS and CBP by allowing them to only interact with non-citizens, and restrict them to 2 miles of US land borders with other countries, and 2 feet from the customs windows at international airports located within the U.S.

Re: Dr Mr Wyden

[mars-nl]

Never understood why Americans ("citizens") think basic human rights only apply to them and not to those other couple of billion humans ("non-citizens") that are not born in the land of the free.

Re:

[bugs2squash]

CBP seem to have a growing role as an army on the streets of the US though, look at Uvalde; the high speed chase, the people even the hyper-militarized police force call in when they want to "go in heavy"

Re: Dr Mr Wyden

[pjt33]

Simple: they consider all foreigners to be sub-human. It's the same way that a bunch of slave-owners could sign a document proclaiming it self-evident that liberty is an unalienable right of all men.

Re:

[radarskiy]

While the American theory of government is that governments have enumerated powers and people have unenumerated rights, there are in fact a few legal distinctions between citizens and non-citizens in the US. Most relevant to the current topic, under American law an American citizen cannot be denied entry into the United States.

Re:

[Surak_Prime]

Some do, and there's some truth to the allegations of racism in the other replies you've gotten. For others, such as myself, it's more of a recognition that, however noble our intentions might be, our government's authority should stop at our border, authorized foreign bases, our flagged ships at sea, etc. I personally think that we should protect *human* rights inside our borders, whether the people involved are citizens or not. I'd also LIKE for other countries to do the same for their citizens... but tha

Only concerned about their own data

[bustinbrains]

There's plenty of criminal activity done on the cellphones of those serving in Congress. That puts "raised alarms in Congress" in a whole new light.

Re:

[Brain-Fu]

That's the way it's gotta be though. All politicians are always evil. It's in the nature of the job that good people get pushed out right at the gate. So, the best thing we can do is keep them invested in the consequences of their decisions, so that things that harm us harm them too. And, of course, transparency as to their activities.

equivalence?

[sound+vision]

"if you aren't burglarizing anyone, you have nothing to worry about with them imaging your phone."

--Slashdot commenters in the article about the lady's rape kit DNA being kept

Re:

[quenda]

"if you aren't burglarizing anyone, you have nothing to worry about with them imaging your phone."

--Slashdot commenters in the article about the lady's rape kit DNA being kept

A false equivalence. The burglar scum was caught by her ID. The airport equivalent would be retaining your fingerprints, which the US has been doing for 20 years.

Retaining phone data would be more like if rape victims homes were searched routinely for stolen property, but that is not remotely what happened.

Re:

[quenda]

A false equivalence. The burglar scum was caught by her ID. The airport equivalent would be retaining your fingerprints,

p.s. nothing I said should be interpreted as defending the use of victim DNA for prosecution. Both are wrong to me.
But the two cases are sufficiently different that I can respect the opinions of those who disagree.
GP (sound+vision) should be able to make a better argument, rather than just mocking others.

Re:

[argStyopa]

Objectively, not wrong.

You know what they say

[Locke2005]

Customs officials always have the best porn!

Good thing most entering the US these days.

[oldgraybeard]

Never encounter a Customs Official. The data is safe.

These types of things is why..

[luvirini]

.. one of the companies we work with have separate travel laptops and phones that people are to take when they go abroad.

Re:

[Canberra1]

I have 2 sacrificial external drives where 12v is wired to the data pins. The PC has lcd screen inverter tied to usb ports. A fake 2TB usb stick completes the garbage trick. So far, my Goodwill bin sale laptop has never been examined. I know the epoxy resin will make the disk drive hard to remove!

unconstitutional

[e**(i pi)-1]

I hope somebody will have the cash to sue them until it reaches the supreme court. Scanning luggage of course makes sense but copying data from the phone is the analog of photocopying documents stored in a suitcase.

Re:

[TheGratefulNet]

supreme court?

you really want to risk going to THEM?

I dont. I want no cases put before them. not for the next, oh, 50 or so years.

Re:

[awwshit]

It is legal in border areas.

https://www.aclu.org/know-your... [aclu.org]

Re:

[awwshit]

https://www.aclu.org/other/con... [aclu.org]

22 replies?

[znrt]

if this was about china doing this, who does this routinely and never ever hid the fact that they massively do this, i would expect 3 digit post numbers and several flame subthreads.

but it's about the us government, which is all about civil and individual rights, and about american citizens, and nobody seems to give a fuck ...

mmmmmkaaaaay ...

Re:22 replies?

[evil_aaronm]

It seems like every iteration of government eventually reverts to fascism. Fascism is the simplest, lowest maintenance form of government. In America's case, we're willingly devolving, and though a handful of us recognize what's happening, too many are blissfully ignorant, or, worse, are willingly applied as useful idiots to speed the process.

In the 1770s, the Founding Fathers said, "This is some gnarly bullshit, man, and we need some cool rules!" And thus they established the Constitution, with its 4th Amendment specifically outlawing this kind of behavior. They specifically guarded against unwarranted searches and seizures because the English were notorious for just breaking into a household, and swiping whatever, and arresting whomever they wanted. "Due process? Lol. Fuck that." And the people said, "Lo! This Constitution is good and will protect us from abusive government." But it didn't last long because it never does. As time goes by, the impetus, the underlying reason for these Amendments are forgotten, or some good and honest souls on the Supreme Court decide that the government should have the benefit of "just this one little loophole. It's for the greater good." And pretty soon, it's just, "Fuck the Constitution," and we end up in a fascist state, again. Tell me we're not largely there already. The cops can do just about anything - reminiscent of Red Coats - and they get a free pass from any accountability due to "qualified immunity," which is something made up by the SCOTUS in 1967.

Like I said, some of us recognize this, but we're a leaf against the tide. And it's a testament to the power of propaganda that you can get a person to loudly complain about those evil Chinese doing nefarious things like this, while applauding the same behavior from their own government. Useful idiots are the lubrication that aids gravity in pulling every government back down to it's lowest form.

Re:

[Zak3056]

they get a free pass from any accountability due to "qualified immunity," which is something made up by the SCOTUS in 1967

I agree that qualified immunity is a ridiculous construct created by the supreme court (and completely at odds with existing federal law) but as awful as qualified immunity is, it's not what you claim. It is not a "free pass from any accountability" but rather prevents law enforcement officers who violate your rights in ways that are not "clearly established" violations (which is even more fucked up) cannot be sued personally for civil damages.

Contrary to popular belief, qualified immunity does not protect

Re:

[evil_aaronm]

Contrary to popular belief, qualified immunity does not protect cops from criminal liability, nor does it shield their employer (city / county / whatever) from civil liability.

https://www.cpr.org/2022/09/15... [cpr.org]

So, do you s'pose we'll see a criminal indictment announced soon? Why was the cop allowed to resume patrol so shortly after this unnecessary shooting? I'd like to believe your sentiment, but we see far too many of these killings, and far too little accountability. Prosecution and actual jail time are a rare thing, such that they are newsworthy in themselves.

Re:

[Zak3056]

I don't disagree with you here about police accountability, but the problem you're describing has nothing to do with qualified immunity. The problem is with prosecutors who simply don't indict police officers for conduct that is absolutely criminal.

Re:

[0xG]

But this is to *protect children* so it's OK, right?
If you don't think so you are a pedophilia...

Re:

[0xG]

But this is to *protect children* so it's OK, right?
If you don't think so you are a pedophile...
ps fuckn autocorrect

Apple should buy Customs

[thesjaakspoiler]

then Customs can just access Apple's iCloud backups straightaway.

The data lifetime

[Anonymous Coward]

CBP officials told congressional staff the data is maintained for 15 years.

Which is as long as the program has been running: since iOS phones became a thing in 2007 and Android the year after.

Next year the retention period will be 16 years. They don't have any processes in place to actually clean up and expunge this data, they just keep adding to it.

10,000 per year

[WoodstockJeff]

10,000 electronic devices each year

So, this is just a small amount that a big deal will be made of, because it is a government agency involved. This would seem to be a TARGETED attack, rather than a general-purpose one, since more than 10,000 people pass through customs PER DAY.

Granted, it's interesting, but it is a rather specific number of people involved. Was someone who is important to the congressman involved?

Re: 10,000 per year

[JoeRobe]

This. 2.9 million passengers pass through US airports every day. 927 million annually. 10,000 per year is one in every 100,000 passengers. That's extremely targeted.

https://www.bts.gov/newsroom/f... [bts.gov]

Re:

[Zak3056]

GP is correct that this is not a general collection, but your numbers are wrong and probably off by at least an order of magnitude. Of those 2.9 million passengers, the vast majority are domestic and not international, and of the international travelers, only those coming into the US interact with CBP--the US does not do exit visas.

Re: 10,000 per year

[JoeRobe]

Yeah good point and I realized too late that TFA actually has the most relevant number: ..."more than 179 million people traveled that year [2021] through U.S. ports of entry."

So not off by an order of magnitude, but much less than 900 million. Nonetheless your chances of being in the 10,000 group is really small.

Given *how* targeted it is, I would be more interested in knowing what about those 10,000 devices made CBP want to steal/store their data. E.g. were these people whose passports had been flagged f

Share your experiences and stories. Threat model?

[jago25_98]

I sometimes have to fly via places like the USA and it's always a debate as to what to do about my data.
I mean, we all carry phones and even in the airport, we're going to need that phone.

Is it feasible to wipe the phone on every border crossing? Is it feasible to have a quick wipe option before handoff? Is it more practical to reduce what data is actually on the phone? What's the best practice here for passing through China, for example?

- logout of your password manager, for example
- logout of any apps tha

Re:

[Ed Tice]

If this is a real question, one should use a disposable dumb phone for every international trip. I am guilty of not always doing that and, so far, to the best of my knowledge, have not had my devices imaged. Well they haven't been imaged at the border by US CBP or the equivalent in any country I've visited. Whether somebody broke into my hotel room at night to image my devices, I don't know. But likely not since I'm not very important.

Re:

[flyingfsck]

You only need to use a burner phone/computer when you visit a police state like the US (they have about 15 different Federal police agencies, plus a few for every one of more than 50 states). Most everywhere else on the planet is fine.

Re:

[jago25_98]

This is the perfect example of not doing any threat modelling at all, and just lazily defaulting to the easy answer.

100 miles

[Slashythenkilly]

https://www.aclu.org/other/con... [aclu.org]

How much can they read?

[oldnuskeet]

From what I recall iphones security copy is encrypted and they couldnâ(TM)t open it without the apple accoun credentials +2 factor auth. I donâ(TM)t know how it works with android but I bet they canâ(TM)t make copies or canâ(TM)t read them if the phone uses iOS.

Re:

[Canberra1]

They can read everything. If they cant read it NOW, they can in a month or three, NSO keeps on coming out with zerodays every month - like clockwork - outstanding breaches, and some CVE's would win prizes and cash for ingenuity. I am sure NSO would sell a virtual phone emulator, and you just add data. As far as one is aware, Apple does not allow you to change your keys and re-encrypt your backup. Same for Android. Ideally you should be able to blank your private keys, go through airport customs - who could

Re:

[Ed Tice]

Zero days apply to *devices* and usually *operating systems*. They aren't coming out with zero-days that break the encryption of backups or at least not that we know of. So new exploits don't give access to old backups. That doesn't reduce the scope of the concern here, but we should at least be factually correct.

Re:

[Canberra1]

Just like your phone was unlocked and in their hand. With timestamped original messages, there is material to break encryption - after shortcuts have been added. https://googleprojectzero.blog... [blogspot.com] Factually correct means being aware. Strangely, Apple is now introducing a secure mode, perhaps a nod that the surface area is too huge to contain. There was also a patch to the closed blob binary of the phone modem for Android. This month was indeed, a true eye opener for security professionals.

Re:

[Ed Tice]

Knowing part of the plaintext does not (necessarily) lead to an easier to break encryption. If it does, the algorithm is flawed. What you are describing, though, is not a zero-day exploit. If the phone is unlocked in their hand, they don't need to break any encryption to get your data. And Apple even offers the option of unencrypted backup if you don't have health data. The zero-days are useful in that maybe they can be exploited for an information leak that helps with cracking an encryption algorithm.

Shocking!

[VeryFluffyBunny]

This is shocking, I say. Shocking! The idea that Chinese-owned corporations might do the exact same things as American-owned corporations is outrageous & unacceptable!

CBP think they are not bound by the law ...

[JasterBobaMereel]

....They have detained serving US military personnel whilst demanding access to military issue secure laptops that they have no right to access whatsoever ... ...and if they accessed they could be charged with espionage

Just refuse?

[bradley13]

If you are an American citizen, and customs say "let me have your phone" - surely you have the right to refuse? I mean, you are returning to your own country. They cannot (afaik) deny you entry. After they have checked your passport, legally you can "no thanks" to any further questions or processing, and walk past the checkpoint.

Of course, the tin-pot dictators will not want to accept that. Likely you will be forcibly detained for a few hours, just to assert their power. However, if some reasonable number

Re:

[flyingfsck]

Sure, you are free to enter into the jail cell over there.

Thanks for the article!

[wwphx]

I upgraded my iPhone to iOS 16 yesterday and had forgotten about the extreme privacy mode. After seeing the summary, I looked and found how to engage said mode. Now I just need to remember it the next time I travel and return internationally, not that I had a problem last time, but I won't give them the opportunity.

Virtual Papers

[Impy the Impiuos Imp]

Here's the context: You have a 4th Amendment right against searches of, among other things, your "papers", without a warrant. This is to stop the king from hassling enemies using the government's power of investigation. Such people tend to be more powerful and wealthy people themselves, and probably have violated some law or other if you look closely enough.

Which is the goal of the king: to hurt opponents.

But the government asserts a power to look through all the papers you carry when you enter the coun