A month ago, the legislative text of “Visa Investigation and Social Media Activity Act of 2017” (VISA Act) was released. The bill requires, among other things, that background checks for visa applications of alien admission to the U.S. include “a review of the alien’s publically available interactions on and posting of material to the Internet (including social media services).”
The legislation, on its face, is markedly less aggressive than what the White House had reportedly been considering. During the Administration’s first week, CNN reported that the “White House is discussing asking foreign visitors to disclose all websites and social media they visit, and to share the contacts in their cell phones.” In more recent congressional testimony, DHS Secretary John Kelly doubled down on the proposal, noting that foreign travelers to the U.S. could be required to provide the government with passwords to their social media accounts before entering the U.S.
The VISA Act does not directly address the obligation to provide passwords, but does include a provision indicating that when DHS or a consular officer requests “additional information” in relation to the application, it may not be approved unless all of the additional information is “provided in a complete form” before the deadline. This would seem to open the door for consular officers to demand passwords and deny requests for entry until such information was provided.
Senator Ron Wyden had previously sent a letter to the DHS Secretary expressing the Senator’s alarm over “reports of Americans being detained by U.S. Customs and Border Protection (CBP) and pressured to give CBP agents access to their smartphone PIN numbers or otherwise provide access to locked mobile devices.” Wyden intends to introduce legislation to require law enforcement obtain a warrant prior to searching devices and “prohibiting the practice of forcing foreign travelers to” disclose online account information and passwords.
Wyden’s proposal could close any loopholes created by the VISA Act by banning coercive practices like requiring the provision of a password to proceed with an application. Notably, the Obama Administration had floated a similar proposal back in August, albeit one that was far more limited in scope and emphasized the genuine voluntariness of providing the information.
It is worthwhile considering the combined effects of the proposed legislation and executive action—to effectively mandate disclosure of passwords by visa applicants and tourists—since implementing the password and tourism requirements at the executive policy level is entirely consistent with the VISA Act. Put simply, this legislation could serve as a step towards that policy and not a step back, despite the more reserved language in the legislation.
During my years as an NSA lawyer, I regularly reviewed data-gathering proposals that could support the country’s counterterrorism efforts. If I had been asked to approve this proposal, I would have said no. There are numerous potential legal issues and it is both bad policy and an unwise use of resources unlikely to produce usable intelligence information.
The Proposal Raises Legal Issues
There are many differences between the world of immigration law and intelligence operations, but there is enough similarity that the constraints on NSA are a useful framework for comparison. In that vein, I’ll offer a few thoughts on the reported EO from the perspective of a former intelligence community lawyer. While it is impossible to undertake comprehensive legal analysis without knowing the precise ways it will be implemented, even the scant information available here raises a number of red flags.
First, there are problems to the extent the government action relies on legal consent. When the White House says it plans to “ask” foreign visitors to share their password information, the term is a euphemism. According to CNN reporting, White House policy advisor Steven Miller has said that, “If the foreign visitor declines to share such information, he or she could be denied entry,” which means that this is a condition of entry. Indeed, if the VISA Act codified anything, it is the non-voluntariness of the request for a password. If asked, an alien can either provide the password or terminate the immigration process. The same would, presumably, be true of the foreign tourist ready to pass through border control.
Then there is the question of legal authority. The President has broad authority to secure the border, particularly as it relates to non-citizens. Senator Wyden notes, however, that there are reports of U.S. persons being asked to produce information related to passwords or PIN codes. In determining the legality of any program, the first question government lawyers ask is, “Where is my grant of authority?” The second is, “How is that authority constrained?” Senator Wyden’s letter asks this of DHS directly. First, authority: “What legal authority permits CBP to ask for or demand, as a condition of entry, that a U.S. person disclose their social media or email account password?” And second, constraint: “How is CBP use of a traveler’s password to gain access to data stored in the cloud consistent with the Constitution or with statutory constraints such as the Computer Fraud and Abuse Act?”
Although the President’s authority to secure the border is broad, it is hard to conceive that it is broad enough to cover collection of intrusive information from the 77 million people who travel to U.S. each year. The Ninth Circuit’s recent opinion in Washington v. Trump makes clear that restrictions on travel are reviewable by courts. A program of this scope would, in practice, almost certainly be carried out in ways that implicate First and Fourth Amendment rights for at least some of those travelers. (It could also, depending on how it was implemented, implicate the First and Fourth Amendment rights of other individuals whose information is swept up in this collection.)
These, of course, are only the threshold issues. Executive Order or policy guidance will raise further questions related to the application of the First and Fourth Amendments and the legal thicket related to properly storing, handling, and minimizing information once it has been collected.
The Proposal Raises Policy Issues
Beyond the legal obstacles, there are a number of reasons why requiring all visitors to the US to provide this kind of information would have seriously detrimental policy effects. This kind of aggressive program sends a message to foreign countries that can have significant negative consequences.
It would likely strain foreign relations and threaten to heighten diplomatic tension between the U.S. and its allies around the world. Because it represents a measure beyond the norms of international legal principles and because it would be widely viewed as a rather shocking intrusion on privacy, foreign governments may be compelled to take a stand against it.
It could chill the relationships among the international intelligence community. U.S. intelligence and law enforcement communities work closely with foreign partners to identify, assess, and address transnational threats. If those relationships come under additional strain, the U.S. could receive less intelligence information from foreign allies to the detriment of our own national security.
The program would undermine the business interests of U.S. multinational corporations. It will be viewed as confirmation of longstanding concerns in the European Union that U.S. laws do not adequately safeguard individual privacy, particularly when it comes to foreigners. This has been a sticking point in international commerce for years, heralding the collapse of Safe Harbor in 2015. Transatlantic commerce has only recently recovered from the Safe Harbor collapse with the new agreement on Privacy Shield. If this travel search proposal offers additional ammunition to the legal challenges to Privacy Shield, it will have significant economic consequences for U.S. companies.
Finally, these sorts of intrusive programs undermine public trust. The U.S. national security community already has a monumental task in gaining and preserving the trust of the American people regarding the integrity of national security work that remains, by necessity, largely out of sight. When the policies that are visible are both unwise and contrary to basic U.S. values, they undermine the credibility of the government’s claims that it only intrudes where necessary and legal; they further complicate the public dialogue; and they make it harder for the intelligence and law enforcement communities to do legitimately important work.
Critically importantly, as discussed below, all of these problems arise without producing any significant intelligence information in return.
The Proposal Will Waste Time and Resources
At NSA, I learned firsthand that good intelligence law and good intelligence practice are frequently aligned. There is not a lot of value in having all the information; what intelligence professionals need is the right information. There are two basic methods to pursue that: collect a lot of information and search for the nuggets, or only collect on a more targeted basis.
The first approach is more in line with what the White House has proposed thus far. Although bulk data collection is sometimes viable when it is coupled with strict access and usage controls, in this case, it is unlikely to be effective as proposed. The legislation governing visa applications and executive action governing non-visa travel would, taken together, allow for indiscriminate collection of all web browsing, social media, and contact information of some 200,000 visitors every day—a quantity of information that would drown useful analysis. Intelligence analysis is often compared to searching for a needle in a haystack. A program such as the one the administration has proposed would increase the size of the haystack by several orders of magnitude, but if the additional hay consists of online shopping and cat videos, it only makes the task of finding the needles more difficult.
Consider for a moment what that kind of data-gathering this proposal would entail and the practical steps required to accomplish it. Web browsing includes every search associated with any one of multiple digital profiles. Social media activity includes not only broadcast items like tweets or public posts but also the information listed behind access-limited Facebook pages or other profiles. The contacts in a phone will include not only frequent and close interlocutors, but also some larger number of passing acquaintances. Multiple the scope of all this data by even a fraction of the 77 million, the number of people who visited the United States in 2014 alone, and you are left with far too much noise to find a signal.
Human review of this data would be uninformed, time-consuming, and likely fruitless. No consular official or border crossing agent could possibly be expected to have the scope of knowledge needed to quickly assess this material. The VISA Act seems to anticipate this by directing DHS to prepare a plan for the “use of advanced analytics software” to detect immigration fraud and national security threats. But when applied to the volume of daily entry to the United States, it just isn’t realistic to think that sophisticated technology or comprehensive databases can do on-the-spot intake and processing of such an enormous quantity of unstructured data – data that will necessarily include countless unknown entities – to flag every potential human trafficker, arms dealer, or terrorist. The capabilities don’t exist to support an immediate-response program of this scope and scale. Consequently, we are talking about one of two options: human review of laptops and mobile phones, or long-term storage of the data for later automated and human review. The first would means massive staffing increases, constipated travel, and negligible odds of any useful intelligence insights. The second would more squarely implicate First and Fourth Amendment concerns.
Collecting lots of irrelevant information doesn’t just create more data to wade through, it also increases the occurrences of false positives. Running down false leads diverts resources needed to do meaningful intelligence work. Even the government has finite resources: limits on the number of people, the amount of money, and the computing resources that it can devote to any given problem. Diverting resources to unhelpful programs like this one necessarily detracts available resources from meaningful programs and make it harder, not easier, to detect real threats to the U.S.
Two final notes. First, The Economist reported recently that searches for travel to the U.S. have already dropped by 17%, and that the Global Business Travel Association is already pointing to a 3.4% drop in a business sector that pumps $246 billion into the U.S. economy each year. So, in addition to privacy concerns, the economic damage likely to result from this proposal is very real.
Second, the proposal seems to work against the Administration’s own stated purpose. According to Jake Tapper’s reporting, Steven Miller has “argued that the government needs to do a better job of making sure the people who come into the U.S. embrace American values.” America’s core values start with its Constitution and our Bill of Rights, where freedom of expression, association, and religion are enshrined as principle number one, and constraints on unreasonably intrusive overreach by the government follow not far after. It’s the proposed searches, not the travelers, that are at odds with American values.