On December 3, 2018, the Office of the Inspector General (OIG) published the findings of its audit of U.S. Customs and Border Protection’s searches of electronic devices at U.S. ports of entry. The OIG found that officers were inadequately supervised to ensure that searches were properly documented. As a result, the OIG further found that officers “cannot maintain accurate quantitative data or identify and address performance problems related to these searches.”
Additionally, the OIG found that CBP’s technology was inadequately managed “to effectively support search operations and ensure the security of data.”
When a traveler’s device is searched, CBP first conducts a “manual search,” which involves an officer using the device to observe any data stored on it. An “advanced search” is more thorough, involving a specially trained officer and external equipment connected to a traveler’s device. The external equipment copies the information stored on the device and a CBP officer then uses this information to search the “Automated Targeting System” (a CBP database).
Two details in the OIG’s report are particularly alarming. First, CBP uses thumb drives to store your data (which is supposed to be deleted). The OIG described the data mirroring procedure for advanced searches as follows. The external device is connected to the traveler’s device to make a copy. Then, a thumb drive is connected to the external device to make another copy. An officer then transfers the thumb drive to a PC and uses the data to search the Automated Targeting System.
At three out of five ports of entry that the OIG inspected, it found that data remained on CBP’s thumb drives even though it should have been deleted after the search. Frighteningly absent from the OIG’s report is any discussion of an inventory system for these thumb drives. The audit report simply contains no discussion of whether and how CBP tracks the thumb drives that it uses for imaging and searching a traveler’s device.
Second, CBP allowed its “DOMEX” software licensing agreement to lapse, according to CBP’s response. “DOMEX” (for those, like me, who don’t know) stands for “document and media exploitation.” The Department of Justice has a procedural summary of document and media exploitation, if you are interested in what CBP’s software does with your data.
According to an officer that the OIG interviewed, “there is no dedicated funding for external equipment.” This same officer told the OIG that “due to the lack of dedicated funding and the combination of budgetary issues and other funding priorities, the initial vendor estimate for the purchase expired.” As a result, this officer had to obtain another vendor estimate, “which caused a delay in promptly submitting the license renewal documentation.”
In summary, the OIG’s findings suggest the possibility that if your device is subject to an advanced search, it will be copied to a thumb drive, even though CBP can’t even run the search because the software licensing agreement has lapsed. The thumb drive storing your (and criminals’) data can simply disappear without accountability.
According to an “April 2015 memorandum, an OFO officer may only conduct an advanced search if the traveler [REDACTED].” Consents to the search?