Overview: CBP Device Search Authority
CBP claims broad authority to search electronic devices at the border under the "border search exception" to the Fourth Amendment. However, important limits and procedures govern these searches.
2026 Statistics
| Metric | Data |
|---|---|
| Device searches (FY 2025) | 55,318 |
| Percentage of secondary inspections | ~0.47% |
| Percentage of all travelers | <0.01% |
Legal Framework
Border Search Exception
The Supreme Court has held that the Fourth Amendment's warrant requirement does not apply at the border. However, courts have recognized that digital devices present unique privacy concerns.
Key cases:
- Riley v. California (2014) — Warrant required for cell phone search incident to arrest (not at border, but influential)
- United States v. Cotterman (9th Cir. 2013) — Advanced/forensic searches require reasonable suspicion
CBP Directive 3340-049B (2026)
The current governing policy distinguishes between search types:
| Search Type | Definition | Suspicion Required? | Supervisor Approval? |
|---|---|---|---|
| Basic Search | Manual review of local content | No | No |
| Advanced Search | Forensic extraction using external tools | Yes | Yes |
Basic vs. Advanced Searches
Basic Search
What it is: An officer manually scrolls through your device, reviewing:
- Photos and videos
- Messages and emails
- Contacts
- Social media apps
- Documents and notes
CBP authority: Can conduct without any suspicion
Your options: Limited — verbal refusal noted but search proceeds
Advanced Search
What it is: Connection of your device to external forensic equipment to:
- Copy entire device contents
- Decrypt encrypted files
- Systematically analyze data
- Recover deleted files
CBP authority: Requires:
- Reasonable suspicion of law violation
- Supervisor approval
- Documentation of basis
Cloud Data: Critical Protection
What CBP Cannot Access
Under Directive 3340-049B, CBP is prohibited from intentionally accessing data stored solely on remote servers:
| Protected | Examples |
|---|---|
| Cloud storage | iCloud, Google Drive, Dropbox |
| Cloud email | Gmail (web), Outlook.com |
| Social media feeds | New posts loaded from server |
| Enterprise data | Corporate network files |
Airplane Mode Requirement
CBP officers routinely require devices be placed in airplane mode before inspection to prevent cloud access.
Strategy: This protection works in your favor:
- Before crossing the border, move sensitive data to cloud-only storage
- Delete local copies
- CBP can only search what's physically on the device
Passwords and Biometrics
Can CBP Demand Your Password?
Yes — CBP officers can request passwords, PINs, and biometric unlocks.
Consequences of Refusal
| Status | Consequence of Password Refusal |
|---|---|
| U.S. Citizen | Cannot be denied entry; device may be seized; extended detention |
| LPR | Cannot lose status for refusal; device may be seized; extended detention |
| Visa Holder | Entry denial; visa cancellation; removal |
| VWP/ESTA | Immediate denial and removal |
Biometric Unlock
Courts are split on whether compelled biometric unlock (fingerprint, face) differs from compelling a passcode:
- Some courts treat biometrics as non-testimonial (compellable)
- Fifth Amendment protections may be weaker for biometrics
- Practical effect: CBP can likely compel biometric unlock more easily than PIN
Device Seizure and Retention
If you refuse to unlock or CBP wants forensic analysis:
| Duration | Authorization Required |
|---|---|
| Up to 5 days | Frontline officer discretion |
| 5-15 days | Supervisor approval |
| Over 15 days | Executive-level approval |
Protecting Your Privacy
Legal Data Minimization Strategies
| Strategy | How It Helps |
|---|---|
| Travel with a clean device | Nothing sensitive to find |
| Use cloud-only storage | Data not accessible at border |
| Delete sensitive apps | Can reinstall after entry |
| Factory reset before travel | Clean slate |
| Leave primary device home | Use a travel-only device |
What You Can Do
- Before travel: Back up everything to cloud, wipe local data
- Enable airplane mode before inspection
- Log out of all apps (forces cloud authentication)
- Remove sensitive apps (Signal, encrypted email, etc.)
- Separate devices: Keep employer devices separate from personal
What You Should NOT Do
- Hide data in encrypted partitions — may trigger advanced search
- Lie about data existence — federal crime
- Destroy data when asked — obstruction
- Use "panic passwords" — may constitute evidence destruction
Journalists and Attorneys
Special Protections
Directive 3340-049B includes protocols for privileged materials:
Attorney-client privilege:
- Affirmatively assert that device contains privileged communications
- Officer should pause search and seek clarification
- "Filter team" of uninvolved attorneys may be required
- Privileged files should be isolated
Journalistic materials:
- Assert confidential source protection
- Request escalation to Associate Chief Counsel
- Shield laws may provide additional state-level protection
Reality Check
Despite written policies:
- Journalists report frequent targeting
- Device seizures documented by Press Freedom Tracker
- Assertions may not prevent initial search
- Legal challenge may be only recourse
Best Practices for Journalists/Attorneys
- Separate devices: Work device vs. personal device
- Travel clean: No source materials on travel devices
- Cloud-only storage for sensitive communications
- Document assertions: Note badge numbers, time, what you said
- Employer protocols: Follow organization's travel security policies
After a Device Search
Request Return of Seized Device
If CBP retained your device:
- Get documentation — Form 6051D (Property Receipt)
- Note timeline — 5/15/15+ day limits apply
- Request return in writing
- File DHS TRIP complaint if unreturned
Request Data Deletion
Under the 2026 Directive:
- If no probable cause found, data must be deleted within 21 days
- You can request written confirmation of deletion
- File DHS TRIP if not complied with
Filing Complaints
| Agency | Purpose | Contact |
|---|---|---|
| DHS TRIP | Redress, device return | dhs.gov/trip |
| DHS CRCL | Civil rights violations | dhs.gov/crcl |
| DHS OIG | Officer misconduct | oig.dhs.gov |
Know Your Rights: Quick Reference
What CBP CAN Do
- Request password/biometric unlock
- Conduct basic manual search without suspicion
- Conduct advanced search with reasonable suspicion
- Seize device for further analysis
- Detain you during the search process
What CBP CANNOT Do
- Access cloud-only data
- Conduct advanced search without suspicion and supervisor approval
- Retain device indefinitely without authorization
- Deny entry to U.S. citizens for password refusal
- Revoke LPR status for password refusal
What YOU Can Do
- Place device in airplane mode
- Verbally state: "I do not consent to this search"
- Ask: "Is this a basic or advanced search?"
- Assert privilege if applicable
- Request documentation of seizure
- File complaints for violations
Practical Scripts
If Asked to Unlock
"I do not consent to a search of my device. Am I required to provide my password?"
If Search Proceeds
"I want to note for the record that I do not consent to this search. May I have the names and badge numbers of the officers involved?"
If Device Is Seized
"I would like documentation of this seizure. When can I expect my device returned? What is the process for requesting return?"
Asserting Privilege
"This device contains materials protected by [attorney-client privilege / journalistic source protection]. I am asserting that privilege and request you escalate to your supervisor before proceeding."