21 March 2015

Passwords and Devices at NZ Borders

The New Zealand Customs Service has released a discussion paper [PDF] regarding a review of the Customs and Excise Act 1996.

The paper proposes an amendment of the Act to give Customs personnel the power to require people to disclose passwords to their electronic devices when entering New Zealand, with failure to do so in the absence of a reasonable excuse would be an offence punishable with three months imprisonment. The rationale is that the power would be useful in 'helping detect objectionable material' and 'evidence of other offending, such as drugs offences'. It would also allow officials to verify an individual's travel plans, given that tickets and booking details are often held on computers and smartphones.

Officials would also be authorised to compel people to empty their pockets, currently not permitted unless those officials have "reasonable cause". The discussion paper indicates that it is rare for people to refuse to empty their pockets when asked, but "even a small proportion of people refusing to do so can present a significant threat to New Zealand".

Interestingly, enterprises would be permitted to hold their business records overseas with prior approval by Customs, something that would make it easier for "trusted businesses" to take advantage of overseas cloud computing services.

The paper states
When Customs does examine a person’s electronic device, the owner is not legally obliged to provide us with a password or encryption key to access the device. We have found that it is relatively uncommon for someone to refuse to provide this, but if they do refuse it can mean we have no way of uncovering evidence of criminal offending even when we know the device does hold this evidence.
If a person refuses to provide access, it is likely that Customs will seize the device for forensic examination and not return it immediately to the owner (unless there is nothing to suggest the device contains prohibited material). However, some devices cannot be accessed and examined by our Electronic Forensics Unit without password or encryption access. If Customs cannot require access to an electronic device, it is not possible to treat the device in the same way that we treat the examination of accompanying baggage. This undermines the purpose of examining electronic devices and is a barrier to us effectively investigating and prosecuting criminal offending.
The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 empowers us to require a person to provide access (such as passwords, codes and encryption keys) to an electronic device in relation to the movement of cash in breach of that Act. The Search and Surveillance Act also imposes this obligation on owners of devices where a search is performed under that Act; however, searches under that Act usually take place only if criminal offending is suspected.
The paper goes on to discuss options -
Our preferred solutions
Examining electronic devices: Explicitly include electronic devices in the scope of routine baggage searches This option would include an explicit reference to electronic devices in the new Act. Customs officers would continue to be able to examine electronic devices as part of a routine baggage search (if required), but there would be greater transparency for the public. This option would continue the practice of performing an initial examination on electronic devices without a threshold having to be met. This would confirm that Customs treats electronic devices and their content in the same way as physical goods accompanying a person across the border. In our view, this would allow us to adapt to changing technology and new methods of concealing prohibited material, such as objectionable material.
This option would also continue the practice of only performing full forensic examinations of electronic devices and copying the material when evidence of prohibited material or illegal activities is discovered on the device. The search is then escalated to a full forensic search of the device (see the diagram on page 133 for the current escalation process). This aligns with our personal search powers, where there may be an escalation from a routine baggage search to a personal search.
Customs does not examine the content of electronic devices outside of a routine baggage or personal search, and this would not change under this option.
This option is consistent with similar powers available to customs agencies in Australia, Canada, the United States and the United Kingdom. However, developing law in other countries is beginning to place greater weight on the privacy implications associated with information contained on electronic devices, including at the border.
Passwords and encryption: Require a person to provide a password or encryption key on request
Under this option, a new power would be included in the new Act to authorise Customs officers to require access to an electronic device in order to examine that device effectively. Access is likely to be in the form of a password, encryption key, or identification access.
A new offence and penalty would be included for failing to provide the relevant access when required to do so.
This option is consistent with the powers that Customs has under the Search and Surveillance Act 2012, and also the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, to require people to provide access to an electronic device. It also aligns with comparable countries, such as Australia, the United States, Canada and the United Kingdom.
Other solutions we are considering
Examining electronic devices: Allow for the examination of electronic devices but with a threshold
This option would include an explicit reference to electronic devices in the new Act, as with our preferred option for examining electronic devices. But it would only allow Customs officers to examine electronic devices once a threshold has been met (rather than as part of a routine baggage search).
It is likely that this threshold would be similar to that currently provided for invoking our personal search powers, which is a reasonable suspicion that a person is hiding certain material on or about their person. In this case the threshold could instead be reasonable suspicion that an electronic device holds certain material. We believe that having a threshold that must be met before we can examine an electronic device does not allow us to meet the changing risks that electronic goods pose at the border. Under this option, electronic devices would not be treated in the same way as physical goods accompanying a person across the border; instead they would be treated in the same way as people suspected of hiding prohibited goods on their person.
A more practical alternative may be to limit a threshold to escalated searches. For example, a preliminary or cursory search of a device could be conducted as part of a routine baggage search, but any further search, such as cloning, forensic analysis, and copying of the content on the device, could be subject to a threshold. This threshold would probably be based on what material is found on the device during the preliminary examination.
Passwords and encryption: Apply the Search and Surveillance Act to Customs’ powers to examine electronic devices
This option would extend the scope of section 130 of the Search and Surveillance Act 2012 to apply to Customs’ examinations of electronic devices at the border. That particular section places a duty on a person to assist with access to an electronic device when required to do so by an officer exercising a search power that relates to data held on the device. This section does not currently apply to Customs’ examination of goods powers.
This option would extend section 130 to cover whichever option is adopted for the examination of electronic devices. This would enable Customs to require a person to provide the relevant access to the electronic device without the need for a separate provision in the Customs and Excise Act.
The offence for failing to comply with this obligation without reasonable excuse would also apply, and, if convicted, the person would be liable to a maximum prison term of three months.
Reporting requirements also accompany the search powers in the Search and Surveillance Act: any person who exercises a warrantless search power (such as searching an electronic device) must report in writing on the search as soon as practicable. Customs’ chief executive would also be required by that Act to report on the exercise of these powers in every annual report to Parliament under this option.
However, these reporting requirements would create unrealistic obligations for Customs, as there could potentially be electronic device examinations a number of times each day. When the Search and Surveillance Act was passed, Parliament deliberately did not extend that Act to all of Customs’ powers because the border environment is unique. If this option is adopted it may be possible to exclude the reporting requirements from Customs’ use of this power.
Status quo
Retaining the status quo would mean that Customs would be hampered in responding to changing risks related to technology. Because the Customs and Excise Act does not explicitly refer to electronic devices, it can be difficult for the public to identify when Customs can search these devices.
This option would not restrict Customs from continuing to examine electronic devices as part of routine baggage searches at the border. But we would not have the power to require a person to provide access to that device, and there could be a lack of transparency for the public.
Currently, there are costs and other impacts associated with us not being able to require access to electronic devices, both for Customs and for the device’s owner. These include: prolonged questioning by Customs officers; devices being seized for extended periods; and Customs being unable to examine the devices efficiently to identify evidence of criminal offending. In some cases, searches may be escalated unnecessarily because a person has refused to provide a password.
Who would be affected by change
The issue of access to electronic devices mainly affects international air passengers.
Most people voluntarily give Customs access to their electronic device when requested, and options involving legislative change would target the handful of people who refuse to provide access. However, the number who refuse may increase as technology continues to develop.
Customs recognises that accessing a person’s smartphone or laptop can be a sensitive and personal matter, as many people will have personal items such as family photos or emails on their devices. The options we have identified raise issues of individual privacy and the need for protection against unreasonable search, and those considerations need to be balanced against the need to protect the community from harm.
Whichever option is adopted, the power to examine electronic devices will continue to be constrained by the protection in the New Zealand Bill of Rights Act 1990 against unreasonable search. The collection or use of any personal information will also continue to be governed by the Privacy Act 1993. Specifically, personal information collected from electronic devices will be used only for the purposes for which it was collected. This is achieved by limiting any initial examination to a cursory screening, rather than a full forensic analysis.