New lawsuit shows your phone is unsafe at American borders

CBP = Customs and Border Profiling

A recent case filed in federal court, in which an American woman had her iPhone seized and cracked by Customs and Border Protection in a New Jersey airport puts a whole new spin on the things we now need to worry about when leaving the country. It appears that now everyone's phones, despite country of origin or cause, are subject to nonconsensual seizure and search -- even if we refuse to give up our passwords.

If you're not caught up on the story, news hit this week that a Staten Island mom coming home from a February trip with her 9-year-old daughter from Switzerland had her iPhone snatched, kept for months and accessed for no given reason. Apple did not respond to a request for comment by publication time.

Rejhane Lazoja landed in Newark on her way home to Staten Island, New York, and found herself pulled into a secondary screening room by two CPB agents. They asked for her electronic devices, told her she didn't need a lawyer and proceeded to demand she unlock her phone.

According to the motion filed by her attorneys in a New Jersey federal court on Wednesday, the male agent asked her to unlock her iPhone but would not provide a reason. She declined, telling them there were communications with her attorney on her phone, as well as photos of her without a headscarf. The latter makes their continued demands even more creepy and violating for a Muslim woman.

The female CBP officer took her out of the windowless interrogation room and a second male officer asked Lazoja to unlock the phone. Lazoja said no again, and the female officer pressed, saying she understood the sensitivity of the personal photos — that without her hijab, Lazoja is undressed — but the female officer then also asked her to unlock the phone anyway. Despite their B-list "good cop, bad cop" act, Lazoja still said no.

So they searched all her physical belongings, questioned her some more, then took her phone and SIM card, "indicating the iPhone and SIM Card were 'Sent to DHS Lab'" said the filing. What happened afterward, according to the federal lawsuit, was DHS cracking and copying her iPhone's contents at a separate location, keeping it for four months and not saying a damn thing about what they've done with her photos, data and all the other information they got from her phone.

CBP Demonstrates New App For Expedited Passport Control And Customs Screening

"The agents never returned the iPhone 6S Plus, which was running iOS 9.2.1 (13d15)," reported Ars Technica, "and gave her a receipt instead. After they kept the phone for 90 days, she contacted attorneys at CAIR [the Council on American-Islamic Relations]."

One of Lazoja's attorneys, Albert Fox Cahn, of the Council on American-Islamic Relations (CAIR), told Ars, "They provided no justification for why they took the phone." He added, "They've never accused her of a crime." This is especially important because in January, CBP announced its updated policy on electronic-device search at borders. It states officers must have "reasonable suspicion" of illegal activity or show a national-security concern (and have supervisory approval) to conduct an advanced search of a device, defined as when they "review, copy, and/or analyze its contents." Which is what they did to Ms. Lazoja.

Lazoja's attorneys have filed what's known as a "motion to return property," normally used for physical property. "The seizure, retention, and any sharing of her property without reasonable suspicion, probable cause, or a warrant have violated Ms Lazoja's rights under the Fourth Amendment of the US Constitution, and are at odds with recent Supreme Court holdings as well as District Court and Court of Appeals decisions scrutinizing CBP's practices of seizing digital storage devices without a warrant," the filing reads.

Lazoja and her attorneys want to "order Defendants to return her Data, to expunge any copies made of the Data, to disclose all third parties who received and/or retain copies, partial or complete, of the Data, and to provide information about the basis for the seizure and retention of the Property." The filing's conclusion details:

Further, Ms. Lazoja respectfully asks that this Court declare that Defendants, their agents and employees violated the Fourth Amendment of the U.S. Constitution through their policy of searching, seizing, detaining, copying, and sharing with third parties digital storage devices without a warrant.

Finally, Ms. Lazoja respectfully asks that this Court enjoin Defendants from its practice of searching and seizing electronic storage devices without a warrant supported by probable cause.

Well, that would be great. It's hard not to be cynical considering how much light this suit just shined on what's happening right now with the search and seizure of Americans' electronics at airports.

Under the Trump administration, we learned in March 2017 that phone and digital-device searches by Customs and Border Protection agents at airport checkpoints had more than doubled. Those searches had expanded to include password demands. When the new Trump policies began, 5,000 devices were searched in February alone — that's around 180 people a day. Now we see that everything we worried about, and that people thought was too Orwellian to become true, is happening.

Basically, now if you're traveling internationally and won't give up your password to CPB brownshirts, they will actually take your phone away from you and break into it.

As an aside, I really, really want to know whose phone-cracking tools they're using. Is it crappy old Hacking Team tools or fancy-expensive Cellebrite wares? I just want to know. They're hackers, like the ones who go to Black Hat and DEF CON. Like people I know who get excited about the latest, previously-impossible attacks. Do they think of moms like Rejhane Lazoja, and her daughter, as an abstract concept? Or do they think what happened to her is funny, because they're smarter at security than she is, like guys I see talking about "dumb users" in infosec Twitter circles? Perhaps they're uncomfortable, like the workers at Microsoft who were sickened by the company's role in providing tech solutions for ICE.

I mean, this is the same CBP that Salesforce continues providing services to despite the urgings of 23 organizations including Fight for the Future, Greenpeace International, Free Press and The Icarus Project. "Salesforce CEO Marc Benioff," wrote Fight for the Future, "has claimed since the company's contract with CBP does not deal directly with activities at the US-Mexico border, Salesforce will not drop their contract."

One thing's for sure: Rejhane Lazoja's lawsuit is going to show us just how far Trump's CBP thinks it can take this free-for-all raid of Americans' rights.

Disturbingly, we'll also find out how much CBP plans on following its own rules -- or our country's own laws.

Image: Joe Raedle/Getty Images (CBP at airport)