I have nothing to declare but my password

As a frequent international traveler with a smartphone, tablet, and laptop computer, I am routinely frustrated by the need to extract all the devices from my pockets and carry-on luggage and submit them for scrutiny (single item only, one layer per bin) by airport X-ray machines — several times on a trip from Wellington to Washington, for example. However, once I land at my final destination, I can usually breathe a sigh of relief and keep my technology pouches zippered as I pass through the customs and immigration checkpoint, as I almost never have anything significant to declare — though I have been tempted on occasion when asked about any explosive materials in my possession to confess to having digital copies of my more controversial research papers and AEI blogs concealed in my devices.

via REUTERS

In the past, any comment made in jest about the reception to my work would have been treated in the spirit in which it was delivered. However, it is unclear whether, following the granting of new powers at the beginning of October, New Zealand Customs officials will be so kindly disposed to such humor. Rather, I could be exposing myself to the risk of undergoing what has been described as a “digital strip search.”

The new custom

The New Zealand Customs and Excise Act that came into force on October 1 specifies that a customs officer with reasonable cause to suspect that an offense is being committed now has the power to make a “full search of a stored value instrument,” including the power to “require a user of the instrument to provide access information and other information or assistance that is reasonable and necessary to allow a person access to the instrument.” That is, when asked, I am compelled to provide all the password(s), codes, encryption keys, and any related information that enables access to an electronic device. Failure to comply incurs a fine of NZ$5,000 (US$3,200). The act also empowers customs to review and copy the data on the device. The device must be returned to the owner undamaged once the search is complete, unless “evidence of relevant offending is found,” in which case a court order for confiscation of the device can be sought. Any copies made must also be destroyed, unless required as evidence.

While it is common for customs officials in other countries to detain individuals, as well as confiscate and search their devices (the US Department of Homeland Security is reported to have undertaken 25,000 such searches in 2016), the New Zealand law is thought to be the first that specifically states the obligation to hand over passwords. Understandably, civil liberties advocates find these powers to be “grossly excessive,” “disproportionate,” and “a grave invasion of privacy,” and they are concerned that the powers can be exercised “without offering justification or appeal.” New Zealand Council for Civil Liberties Chairman Thomas Beagle identified that police and intelligence agencies face much tougher hurdles than customs officers do when it comes to demanding passwords from suspects. Some fear that device owners may be required by law to reveal data relating to third parties that a device owner is required to keep confidential under privacy law — for example, a doctor may be compelled to reveal passwords enabling customs officers to view medical records held on a laptop.

In defense of the powers, New Zealand Customs spokesperson Terry Brown said the changes were necessary to clarify officers’ powers if they suspected an offense had been committed. Privacy Commissioner John Edwards likened providing access to the content of digital devices to opening one’s suitcase on request. Officials do not expect that the new rules will lead to an increase in the number of searches currently made. In 2016, New Zealand Customs made 537 searches while welcoming 6.6 million international visitors.

Too little, too late?

However, this begs the question of whether the technology horse has bolted long before the customs legislation was passed.

The New Zealand law enables customs officers to request the keys to access data actually stored on the digital device. There is no power for customs officers to search (or compel revelation of passwords and encryption keys for) material that is accessible from the device but not stored on it — for example, data stored in the cloud or on a remote server. If the law is intended to prevent the importation into New Zealand of data related to pornography, child exploitation, terrorist activity, and the like, then it is unlikely to be successful. No rational “data smuggler” would now take the risk of actually carrying it on a digital device. It is far easier and much less risky to transmit the content across international borders using entirely digital means, thereby effectively bypassing physical scrutiny by customs officials.

Arguably, the digital search powers in New Zealand’s Customs and Excise Act — like much of the search and other scrutiny undertaken at airports — are more a signal that the government is “doing something” about a perceived risk than a means of detecting actual criminal activity.

But just to be sure, from now on when traveling internationally, I will ensure all my explosive content is stored in the cloud, so like Oscar Wilde, I will have nothing to declare except my (debatable) genius — and most certainly not my password(s).