New Zealand has just passed a new law empowering their Customs Officers to levy fines of up to NZ$5000 (US$3400) if you refuse to provide your electronic device passwords on request.
Note that the fine doesn’t mean you then avoid having customs officials and who knows who else examining and sharing the data on your devices. They’ll still seize your devices then use special password bypass tools to access all your data. The fine is merely a penalty for not making it easy for them.
Other countries already impose obligations (although rarely penalties) on you to hand over anything and everything you have with you for inspection and a virtual electronic rape, when entering and also (little appreciated, but with equal force) leaving their country, too.
The role of Customs used to be very simple. For people entering a country, Customs officers were there to make sure that nothing illegal was brought into the country, and to levy and collect duty on such dutiable items as may be appropriate.
As part of their enforcement, they could inspect the items we brought with us to determine if they were lawful or not, if they were dutiable or not, and to assess how much duty, if any, would be collected.
We as travelers would self-report, on a Customs form, information about what we were bringing with us, and only occasionally would our belongings be searched, and usually in a most cursory manner, to ensure the accuracy and honesty of our declarations.
More recently, Customs procedures became even more permissive. In most countries there is no longer a need to fill out a declaration form and it is now possible to simply walk through a green “nothing to declare” lane, most of the time having no personal/direct contact with any Customs officials at all.
With most countries reducing the duties they levy on imported goods, there was no longer the financial motivation on the part of Customs to aggressively enforce duties, and their role shifted focus more to commercial smuggling of things such as drugs and large volumes of undeclared goods, rather than visitors or returning citizens with an undeclared extra bottle of something in their suitcase.
Customs and Computers – The Good Old Days
I remember, probably twenty years ago, having a major problem bringing my Dell laptop computer back into the US with me. It was a year or two old, and a bit battered and scratched such as happens after some use and travel, but it aroused the highly trained eye of a Customs inspector, who demanded that I prove I hadn’t purchased it during my travels overseas and was now trying to bring it back to the US, undeclared.
I pointed out to him that it was a US brand of computer, and that it was clearly far from new, but he dismissed such protestations as mere artifice on my part. I also observed that in my experience, computers were generally less expensive, by a large margin, in the US than in the UK, where I was returning from, and so it would have been unusual for me or anyone else to choose to buy a computer, new or used, in the UK, rather than the US. These further comments were also of little interest to him.
He told me there was only one way he would be persuaded of the origins of the computer, and that was if I could show him an official US Customs form proving that I had taken the computer with me when I left the country, a week or two prior.
I pointed out to him that the leaving the country process in no part involved an interaction with any of his colleagues such as to allow such a form to be obtained. He conceded that was so, but said there was a special Customs office in some far away part of the airport to which I should have made a special trip and obtained the necessary paperwork.
The fact that the special office was open normal 9 – 5 pm hours, and I had been on a night flight to Britain was also of little relevance to the necessity of obtaining the stamped form to allow me to bring the computer back. The fact that the form would have recorded the external nature of the computer, but not the components, meaning I could take an old computer out of the country, then replace its processor, memory, hard drive, etc, and untraceably bring an almost new one back, while still in compliance with the form, was also of no interest.
I asked him how much duty he wished to assess on the computer, at which point he said that, because he was a reasonable and nice guy (!) he’d make a special one-off exception and allow me to bring the computer into the country this time, but next time, I should be sure to have the appropriate paperwork with me.
Although this was an annoying encounter, there was mercifully one thing that neither he, nor I, gave any second thought to – the actual data on the computer. Why should he, after all? Data isn’t dutiable. It is an intangible thing electronically stored on the computer’s hard drive.
This is no longer the case. The Customs mission has massively changed.
The Pen is Now Mightier than the Sword
The Customs Service now seems to be more focused on border security rather than the goods that people bring in to the country. And the notion of security is spreading beyond making sure we don’t have any weapons or explosives in our luggage, to now wanting to be able to see if we might have any incriminating data, about anything at all, on our electronic devices. Data has apparently become more ‘dangerous’ than destructive devices.
Ten years ago, that might have made sense. But nowadays, although more of our lives are now abstract and electronic, less of this is actually resident on the devices we carry with us – phones, tablets, computers.
As you probably do yourself, these days much/most of our email and even our data files is kept somewhere on the internet rather than on our computer, directly. If you use Gmail, or Yahoo Mail, or the various Microsoft mail services, your email is not on your computer, it is on their computers. Whether it is iCloud, OneDrive, Drive, or any of a wide variety of other online storage and backup services, it is possible to have no data on your device at all, and not even a hint of what might be stored somewhere in the ‘internet cloud’. Google even sells Chrome computers with no data storage – all data is kept in the cloud and nothing on the actual computer itself.
Customs officials are not being stealthy about their growing interest in the data on devices. There have been public announcements and policy statements about the circumstances that will trigger the search of electronic devices, and how the searches will be conducted.
Which means there are now two types of people passing through the Customs halls in the international arrivals sections of airports. Ordinary people, unprepared to have their devices seized and searched, and those with guilty consciences, people who have prepared for such encounters.
Locks – and Security – Only For Honest People
Ordinary people have their devices full of personal information, sufficient to delight any identity theft, or any blackmailer. Who among us doesn’t have something we’d prefer not to share in uncontrolled circumstances, whether it be personal financial data, medical records, sensitive trade secrets and valuable business data, or private emails and photos, or something/anything else at all?
But if someone truly does have something to hide – if they are an international terrorist – don’t you think it a total certainty that they’ll offload that data to some cloud storage somewhere, and delete their browser history and caching so there is absolutely no hint or trace of the data on their devices. The terrorists will be the ones happy to hand over their devices for inspection, with confident honest smiles on their faces.
Sure, we’re told that Customs Officers must have clear articulable suspicion before they can require us to surrender our devices and our passwords, but that’s a minimal hurdle that any Customs Officer can vault over without breaking a sweat, while trotting out their articulable suspicion. The person “looked suspicious” or “acted nervously” or “seemed anxious”. Or seemed too calm and unresponsive. The person “was talking too much” or “only answering in monosyllables”. The person avoided looking them in the eyes, or perhaps fixed them with a challenging gaze.
Not to mention, of course, the irrefutable extra credibility asserted by the officer “based on my training and experience…..”. Plus the “computer generated random compliance audits” where no reason at all is offered.
In New Zealand’s new legislation, the Customs Officer must have “reasonable suspicion” but does not need to tell us what that reasonable suspicion is!
Indeed, in New Zealand, a Customs spokesman says that they’ll only search our devices in “flight mode” and will make a point of not going to access any of our cloud accounts. Assuming this is true, it makes the entire exercise even more pointless, and the smiles on the faces of the bad guys even broader.
Remember, these will be the same officials who wanted to levy duty on my battered old Dell laptop when I was returning to the US, because I couldn’t prove I’d not bought it in the UK the week before. And while we’re told they’ll respect our data and our privacy, as long as we have physical objects stolen out of our suitcases and carry-ons, including credible allegations not just against baggage handlers out of view, but TSA agents who take stuff in plain sight, as long as we continue to read of officials being arrested for smuggling drugs and weapons and in other ways breaking the laws themselves, we have to consider the integrity and security of our data to be similarly at risk.
The worst part of this is looking at the smug smiles on the faces of the truly nefarious people with information they wish to hide, because they have indeed hidden it. But the Customs officers won’t see that, because they’ll be too busy searching the devices of innocent people.
Does any part of this make us safer? And, how long will it be before they next trot out technology to ‘mind scan’ us?