Canada’s border agency violated the law by carrying out unduly invasive searches of personal digital devices, in one case viewing a traveller’s social media and online banking information, an investigation by the federal privacy watchdog has found.
Privacy commissioner Daniel Therrien looked into complaints against the Canada Border Services Agency concerning the examination of devices, such as cell phones, tablets and laptop computers, at ports of entry.
Therrien found the border agency contravened federal law and noted significant shortcomings in the agency’s overall practices related to digital devices.
Border officers cannot routinely examine such devices, and can only proceed in the event a number of indicators suggest a search would produce evidence of illegal activities.
Such signs could include a traveller’s behaviour, the way they answer a question, coding on a suitcase that doesn’t match the person’s itinerary or the fact a ticket was purchased at the last minute.
Therrien examined six complaints from Canadian citizens whose devices were searched upon returning home from abroad. Border officers accessed content including documents, text messages, photographs and, in one case, content on Facebook and banking details.
“Digital devices clearly contain vast amounts of personal, and sometimes sensitive, information about identifiable individuals,” the privacy commissioner’s investigation report says.
The commissioner accepts that border officers can search electronic documents stored on a device but not information that can be accessed remotely via an internet connection. As a result, officers are supposed to disable connectivity before examining a device.
Therrien found:
• Connectivity was not disabled – for instance, by switching a device to airplane mode – in at least four of the six cases;
• In one case, an officer improperly took photos of the content on the complainant’s phone;
• Certain information relating to examination of the complainants’ digital devices was destroyed in two cases despite the fact the Privacy Act and regulations require that such material be kept for at least two years;
• In all six cases, officers failed to record the indicators that led to searches of the digital devices, which areas of the devices were accessed or why those areas were searched.
The commissioner concluded the policies in place, on their own, had “not proven an effective means of ensuring that examinations and searches of digital devices respect individuals’ privacy rights.”
In addition, there were “insufficient training and accountability mechanisms” to help border officers meet the necessary requirements, Therrien’s report said.
“We therefore consider all six of the complaints to be well-founded.”
The findings are included in the commissioner’s latest annual report, recently presented to Parliament.
Therrien made several recommendations to the border agency and called for reform of the legal framework governing searches of devices at the border.
Specifically, he wants the border agency’s guidelines for examination of digital devices written into the Customs Act and says the threshold to trigger a search should be defined in law as “reasonable grounds to suspect” a crime or customs infraction.
The border agency agreed to take several steps, including mandatory training for officers, implementation of oversight measures, enforcement manual updates, an internal audit and publication of online guidance for travellers.
The office of Public Safety Minister Bill Blair said Tuesday the government is committed to respecting travellers’ privacy rights while protecting border security.
In a statement, the office said it is “carefully reflecting” on the commissioner’s proposals for legislative change.
The government intends to reintroduce a bill that died at last year’s election call to create an independent review body for the border agency, aimed at strengthening accountability and public trust, Blair’s office added.