Startups face the same phishing risks as big corporations

This week, we reported on TechCrunch how thousands of remote employees with health and workplace benefits through human resources giant TriNet received emails that looked like a near-perfect phishing attempt.

One recipient was so skeptical, they shared the email with TechCrunch so we could verify its authenticity. The message checked every suspicious box. In fact, when we asked two independent security researchers to offer their assessments, each one thought it was a phishing email devised to steal usernames and passwords.

The fact that there was confusion to begin with shows that even gigantic companies like TriNet — a $3.7 billion corporation — are not doing enough to prevent phishing attacks. Had they proactively employed basic email security techniques, it would have been a lot easier to detect that the email was not in fact a phish, but a genuine company email.

But this problem isn’t unique to TriNet; it’s not even unique to big companies.

Last year, security firm Agari found only 14% of all Fortune 500 companies were using DMARC, a domain security feature that prevents email spoofing and actively enforces it. New data supplied by Agari to TechCrunch shows that figure has risen only one percentage point in the last year, bringing it to a meager 15%.

Phishing and impersonation are fundamentally human problems. The aim is to try to trick unsuspecting victims into turning over their usernames, email addresses and passwords to hackers who then log in and steal data or money. In some cases, scammers use an email impersonation scam to trick employees into thinking someone senior in the company needs certain sensitive files like banking information or employee tax documents.

Another US court says police cannot force suspects to turn over their passwords

The highest court in Pennsylvania has ruled that the state’s law enforcement cannot force suspects to turn over their passwords that would unlock their devices.

The state’s Supreme Court said compelling a password from a suspect is a violation of the Fifth Amendment, a constitutional protection that protects suspects from self-incrimination.

It’s not a surprising ruling, given other state and federal courts have almost always come to the same conclusion. The Fifth Amendment grants anyone in the U.S. the right to remain silent, which includes the right to not turn over information that could incriminate them in a crime. These days, those protections extend to the passcodes that only a device owner knows.

But the ruling is not expected to affect the ability by police to force suspects to use their biometrics — like their face or fingerprints — to unlock their phone or computer.

Because your passcode is stored in your head and your biometrics are not, prosecutors have long argued that police can compel a suspect into unlocking a device with their biometrics, which they say are not constitutionally protected. The court also did not address biometrics. In a footnote of the ruling, the court said it “need not address” the issue, blaming the U.S. Supreme Court for creating “the dichotomy between physical and mental communication.”

Peter Goldberger, president of the ACLU of Pennsylvania, who presented the arguments before the court, said it was “fundamental” that suspects have the right “to avoid self-incrimination.”

Despite the spate of rulings in recent years, law enforcement has still tried to find ways around compelling passwords from suspects. The now-infamous Apple-FBI case saw the federal agency try to force the tech giant to rewrite its iPhone software in an effort to beat the password on the handset of the terrorist Syed Rizwan Farook, who with his wife killed 14 people in his San Bernardino workplace in 2015. Apple said the FBI’s use of the 200-year-old All Writs Act would be “unduly burdensome” by putting potentially every other iPhone at risk if the rewritten software leaked or was stolen.

The FBI eventually dropped the case without Apple’s help after the agency paid hackers to break into the phone.

Brett Max Kaufman, a senior staff attorney at the ACLU’s Center for Democracy, said the Pennsylvania case ruling sends a message to other courts to follow in its footsteps.

“The court rightly rejects the government’s effort to create a giant, digital-age loophole undermining our time-tested Fifth Amendment right against self-incrimination,” he said. “The government has never been permitted to force a person to assist in their own prosecution, and the courts should not start permitting it to do so now simply because encrypted passwords have replaced the combination lock.”

“We applaud the court’s decision and look forward to more courts to follow in the many pending cases to be decided next,” he added.

Jeanette Manfra, senior DHS cybersecurity official, to leave government

Jeanette Manfra, one of the most senior and experienced U.S. cybersecurity officials, is leaving government after more than a decade in the public sector.

Manfra, who served as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), will join the private sector in the New Year. CISA is Homeland Security’s dedicated civilian cybersecurity unit, set up a year ago to help protect U.S. critical infrastructure against threats, including those from foreign adversaries.

In an exclusive interview with TechCrunch, Manfra said it was a “really hard time to leave,” but the move will give her successor time to transition into the role ahead of the upcoming 2020 presidential election.

She did not say what her new job will be, only that she will take time off to be with her family in the meantime. She will leave her post at the end of the year.

Cyberscoop first reported her pending departure, citing sources.

Manfra’s departure from government will be seen as largely unexpected. At Homeland Security, she has served three presidents and worked on numerous projects to improve relations with the private sector, which are considered crucial partners in defending U.S. cyberspace. She also saw the agency double down on election security, threats to the supply chain, and efforts to protect U.S. critical infrastructure like the power grid and water networks from nefarious attempts by nation states.

At TechCrunch Disrupt SF this year, Manfra also talked candidly about the ongoing threats to U.S. cybersecurity, including a skills shortage and the risks posed by another global “WannaCry-style” cyberattack, which in 2017 saw thousands of computers infected by file-locking malware, causing billions of dollars worth of damage.

Manfra joined Homeland Security in 2007 under then-president George W. Bush, half a decade after the department was founded in the wake of the September 11 terrorist attacks. Manfra described the early years as a time when there weren’t “a lot of people talking about cybersecurity.”

“It definitely was not really on the national stage at the time. It was, you know, there was still a lot of debate as to whether ‘cybersecurity’ was one word or two words,” she said.

But in the years since, as internet access and tech companies continued to grow, she said the U.S. saw several “wake up” calls that brought cybersecurity into the public mainstream. The hack of Sony Pictures in 2016 and the WannaCry global ransomware attack in 2017 were two, and both were blamed on North Korea. Another, she said, was the 2015 data breach of the U.S. Office of Personnel Management (OPM), which saw suspected Chinese hackers steal more than 21 million sensitive background check files of government employees who had sought security clearance.

The department’s cybersecurity presence started out as a “very small, frankly relatively unknown group of people,” she said. A decade later it had become a major force in managing crises like the OPM attack, a breach that she said helped to push government to better prioritize cybersecurity.

“[The OPM breach] forced us to make some changes across the government that’ve been good,” she said.

In the aftermath, the government took steps to bolster its own systems and networks to lower its attack surface by removing Kaspersky from its networks citing fears about Russian intelligence, and taking the lead rolling out HTTPS website encryption and email security protections across the federal domains — an effort still to this day largely neglected by some of the world’s wealthiest companies.

Election security, she said, was another major wake-up call for the government. Russia waged a widescale disinformation — or “fake news” — campaign during the 2016 election to sow discord and exploit divisions in communities across the U.S. But there were also fears that hackers could break in and modify the tallies in voting machines, a concern that never came to fruition but one that security experts say remains a threat. Lawmakers have been pushing for the removal of paperless and electronic-only voting machines to reduce the risk of hackers manipulating the votes in favor of a particular candidate.

“In 2016, it was our best judgment that the Russians were looking to undermine confidence,” Manfra told TechCrunch. “The public confidence is important, and we need to be thinking within the government about the adversaries’ ability and willingness to use those against us,” she said.

Manfra said the department knew it had to work closer with state and local election boards to figure out their needs following the 2016 election. “We had a lot of honest conversations with [election boards] about what they need, what do we do, and how can we help,” she said. “It’s the fastest I’ve ever seen a sector come together.”

Those partnerships with local election officials have given Homeland Security unprecedented visibility into the nation’s election infrastructure, she said, going from “some coverage” in 2016 to near-absolute insight across the country.

“If we ever did again get technical indicators that an adversary was trying to do something, we would be able to move more quickly and much more expansively across the country,” she said.

That effort paid off. Last year’s midterm election was remarkably quiet compared to 2016. Both the Justice Department and Homeland Security said there was “no evidence” to support foreign interference during the midterms.

It’s that running theme of public-private collaboration that Manfra looked back on with pride. “We don’t have all the answers and we can’t do it alone.” Those partnerships across the industry verticals — from elections to finance, energy and manufacturing — are “crucial to everything that we do,” she said.

“It’s really easy to say how important it is to have the government in the private sector working together,” she said. “But to do it well, it’s actually really hard.”

Manfra said the government had to be “willing to open itself” to build trust with its partners. “We now have some of the largest companies in the country that we built trusted relationships when they know that they can give us sensitive information — and we can take that and use it to protect other people, but we’re not going to abuse that trust,” she said.

Speaking of her time at Homeland Security, Manfra said she was most proud of her team. “A lot of them have been with me since we started,” she said. “They could be working out in the private sector making a ton of money, but they’re dedicating their lives here,” she said.

But she said she was “forcing” herself to have no regrets during her time in government.

It’s not yet known who will replace Manfra or will take on her responsibilities. But her advice for her eventual successor: “Trust your team, trust your partners, and stay focused,” she said. “It’s such a broad mission. It’s easy to lose focus.”

Uber reports a sharp rise in government demands for user data

Uber says the number of legal demands for riders’ data made by U.S. and Canadian authorities has risen sharply in the past year.

The ride-hailing company said the number of law enforcement demands for user data during 2018 was up 27% on the year earlier, according to its annual transparency report published Wednesday. Uber said the rise in demands was partly due to its business growing in size, but also a “rising interest” from governments to access data on its customers.

Uber said it received 3,825 demands for 21,913 user accounts from the U.S. government, with the company turning over some data in 72% of cases, during 2018.

That’s up from 2,940 demands for 17,181 user accounts a year earlier, with a slightly higher compliance rate of 73%.

Canadian authorities submitted 161 demands for data on 593 user accounts during 2018.

Uber said that the rise in demands for customer data presents a challenge for the ride-hailing company, previously valued at $82 billion, which went public in May. “Our responsibility to preserve consumer privacy while meeting regulatory and public safety obligations will become increasingly complex and challenging as we field a growing number of government requests for data every year,” said Uttara Sivaram, Uber’s global privacy and security public policy chief.

The company also said it disclosed ride information on 34 million users to U.S. regulators and 1.8 million users to Canadian regulators, such as local taxi and transport authorities. Uber said it is mandated to hand over the information to regulators as part of the “bespoke legal and regulatory requirements to which we are subject,” which can include pickup and drop-off locations, fares, and other data that may “identify individual riders,” the company said.

Uber isn’t the only company fielding a record number of demands from governments. Apple, Amazon, Facebook, and Twitter have all reported a rise in government demands over the past year as their customer base continues to grow while governments become increasingly hungry for companies’ data.

But Uber’s figures only offer insight into the largest portions of its business — its consumer and business ride-hailing services, food delivery, and electric scooters — and only cover North America, despite the company operating in hundreds of cities around the world.

Despite the rise in overall law enforcement requests, Uber said it “has not received a national security request” to date.

Such disclosures are rare but not unheard of. Most national security demands, such as orders issued by the Foreign Intelligence Surveillance Court and FBI-issued subpoenas, are coupled with secrecy rules that prevent the companies from disclosing anything about the demand. By proactively posting these so-called “warrant canary” statements, companies can quietly reveal when they have received such orders by removing the statements from their websites.

Apple famously used a warrant canary in its first transparency report in the wake of the NSA surveillance scandal, as revealed by whistleblower Edward Snowden. In 2016, Reddit quietly removed its warrant canary suggesting it had received a classified order.

Although the First Amendment protects against government-compelled speech, the legality of warrant canaries remains questionable.

Macy’s said hackers stole customer credit cards — again

For the second time in as many years, Macy’s customers have been hit by a data breach involving countless numbers of credit cards.

In a filing with the California attorney general, the retail giant said hackers siphoned off customers’ names, addresses, and phone numbers, but also credit card numbers, card verification codes, and expiration dates by inserting malicious code on its website and quietly sending the stolen data back to the hackers.

Macy’s said the breach lasted a week, between October 7 and October 15. The retail giant did not say how many customers were affected, but the breach is likely to affect thousands of customers.

It’s the latest example of hackers breaking into websites and installing credit card skimming malware. It’s not known who was behind the credit card theft, but a hacking group known as Magecart has been behind some of the largest credit card skimming efforts in recent years — including the American Cancer Society, British Airways, Ticketmaster, AeroGarden and Newegg.

Last year, Macy’s admitted a months-long breach that saw hackers steal credit card data and passwords from about 0.5% of its customer base — on both its website and Bloomingdale’s site, which Macy’s owns. The breach resulted in a class action suit, which accused Macy’s of “lackadaisical, cavalier, reckless, and negligent” security practices.

Macy’s is one of the most popular websites in the U.S., according to Alexa rankings.

TriNet sent remote workers an email that some thought was a phishing attack

It was the one of the best phishing emails we’ve seen… that wasn’t.

Phishing remains one of the most popular attack choices for scammers. Phishing emails are designed to impersonate companies or executives to trick users into turning over sensitive information, typically usernames and passwords, so that scammers can log into online services and steal money or data. But detecting and preventing phishing isn’t just a user problem — it’s a corporate problem too, especially when companies don’t take basic cybersecurity precautions and best practices to hinder scammers from ever getting into a user’s inbox.

Enter TriNet, a human resources giant, which this week became the poster child for how to make a genuine email to its customers look inadvertently as suspicious as it gets.

Remote employees at companies across the U.S. who rely on TriNet for access to outsourced human resources, like their healthcare benefits and workplace policies, were sent an email this week as part of an effort to keep employees “informed and up-to-date on the labor and employment laws that affect you.”

Workers at one Los Angeles-based health startup that manages its employee benefits through TriNet all got the email at the same time. But one employee wasn’t convinced it was a real email, and forwarded it — and its source code — to TechCrunch.

TriNet is one of the largest outsourced human resources providers in the United States, primarily for small-to-medium-sized businesses that may not have the funding to hire dedicated human resources staff. And this time of year is critical for companies that rely on TriNet, since health insurance plans are entering open enrollment and tax season is only a few weeks away. With benefit changes to consider, it’s not unusual for employees to receive a rash of TriNet-related emails towards the end of the year.

But this email didn’t look right. In fact, when we looked under the hood of the email, everything about it looked suspicious.

This is the email that remote workers received. TriNet said the use of an Imgur-hosted image in the email was “mistakenly” used. (Image: TechCrunch/supplied)

We looked at the source code of the email, including its headers. These email headers are like an envelope — they say where an email came from, who it’s addressed to, how it was routed, and if there were any complications along the way, such as being marked as spam.

There were more red flags than we could count.

Chief among the issues were that the TriNet logo in the email was hosted on Imgur, a free image-hosting and meme-sharing site, and not the company’s own website. That’s a common technique among phishing attackers — they use Imgur to host images they use in their spam emails to avoid detection. Since the image was uploaded in July, that logo was viewed more than 70,000 times until we reached out to TriNet, which removed the image, suggesting thousands of TriNet customers had received one of these emails. And, although the email contained a link to a TriNet website, the page that loaded had an entirely different domain with nothing on it to suggest it was a real TriNet-authorized site besides a logo, which if it were a phishing site could’ve been easily spoofed.

Fearing that somehow scammers had sent out a phishing email to potentially thousands of TriNet customers, we reached out to security researcher John Wethington, founder of security firm Condition:Black, to examine the email.

It turns out he was just as convinced as us that the email may have been fake.

“As hackers and self-proclaimed social engineers, we often think that spotting a phishing email is ‘easy’,” said Wethington. “The truth is it’s hard.”

“When we first examined the email every alarm bell was going off. The deeper we dug into it the more confusing things became. We looked at the domain name records, the site’s source code, and even the webpage hashes,” he said.

There was nothing, he said, that gave us “100% confidence” that the site was genuine until we contacted TriNet.

TriNet spokesperson Renee Brotherton confirmed to TechCrunch that the email campaign was legitimate, and that it uses the third-party site “for our compliance ePoster service offering.” She added: “The Imgur image you reference is an image of the TriNet logo that Poster Elite mistakenly pointed to and it has since been removed.”

“The email you referenced was sent to all employees who do not go into an employer’s physical workspace to ensure their access to required notices,” said TriNet’s spokesperson.

When reached, Poster Elite also confirmed the email was legitimate.

This is not a phishing site, but it sure looks like one. (Image: TechCrunch)

How did TriNet get this so wrong? This culmination of errors had some who received the email worried that their information might have been breached.

“When companies communicate with customers in ways that are similar to the way scammers communicate, it can weaken their customers’ ability over time to spot and shut down security threats in future communications,” said Rachel Tobac, a hacker, social engineer, and founder of SocialProof Security.

Tobac pointed to two examples of where TriNet got it wrong. First, it’s easy for hackers to send spoofed emails to TriNet’s workers because TriNet’s DMARC policy on its domain name is not enforced.

Second, the inconsistent use of domain names is confusing for the user. TriNet confirmed that it pointed the link in the email — posters.trinet.com — to eposterservice.com, which hosts the company’s compliance posters for remote workers. TriNet thought that forwarding the domain would suffice, but instead we thought someone had hijacked TriNet’s domain name settings — a type of attack that’s on the increase, though primarily carried out by state actors. TriNet is a huge target — it stores workers’ benefits, pay details, tax information and more. We had assumed the worst.
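The DMARC gap Tobac describes (a record published with p=none, or no record at all, lets spoofed mail through) is also what the Agari survey above counts. The following Python is an added example, not code from TechCrunch, TriNet or Agari: it parses DMARC TXT records and classifies each one by whether receivers would actually quarantine or reject failing mail. The domains and records are constructed samples; a live check would look up the `_dmarc.<domain>` TXT record with a DNS resolver and pass the string to `assess_dmarc()`.

```python
"""Classify DMARC TXT records by whether they actually enforce a policy.

Added example (not code from TechCrunch, TriNet or Agari). The records
below are constructed samples; a live check would fetch the
_dmarc.<domain> TXT record with a DNS resolver and pass it to assess_dmarc().
"""
from dataclasses import dataclass
from typing import Dict, Optional

ENFORCING_POLICIES = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    present: bool                    # a usable DMARC record exists
    policy: Optional[str]            # p= tag as published (None if absent/invalid)
    subdomain_policy: Optional[str]  # sp= tag, defaulting to p=
    pct: int                         # pct= tag, defaulting to 100
    enforced: bool                   # receivers quarantine/reject all failing mail
    reason: str


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a lowercase-keyed dict; malformed pairs are skipped."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Decide whether a record enforces, in the sense the Agari figure counts."""
    if record is None or not record.strip():
        return DmarcAssessment(False, None, None, 100, False,
                               "no DMARC record published; spoofed mail is not filtered")
    # RFC 7489: the record must begin with v=DMARC1 or receivers ignore it.
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment(False, None, None, 100, False,
                               "record does not start with v=DMARC1; receivers ignore it")
    tags = parse_dmarc_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING_POLICIES:
        return DmarcAssessment(True, None, None, 100, False,
                               "p= tag missing or invalid; treated as no policy")
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is unparsable
    pct = max(0, min(pct, 100))

    if policy == "none":
        reason = "p=none is monitoring only; spoofed mail is still delivered"
    elif pct < 100:
        reason = f"p={policy} applies to only {pct}% of failing mail"
    elif sub_policy == "none":
        reason = f"p={policy} enforced on the domain, but sp=none leaves subdomains unprotected"
    else:
        reason = f"p={policy} applied to 100% of failing mail"
    enforced = policy in ENFORCING_POLICIES and pct == 100
    return DmarcAssessment(True, policy, sub_policy, pct, enforced, reason)


def enforcement_rate(records: Dict[str, Optional[str]]) -> float:
    """Percentage of domains whose record enforces, like the Agari survey figure."""
    if not records:
        return 0.0
    enforcing = sum(1 for r in records.values() if assess_dmarc(r).enforced)
    return round(100.0 * enforcing / len(records), 1)


# Constructed sample records, one per hypothetical domain.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "no-record.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(record)
        print(f"{domain:22} enforced={a.enforced!s:5} {a.reason}")
    print(f"enforcement rate: {enforcement_rate(SAMPLE_RECORDS)}%")
```

Only the `p=reject` sample counts as enforced, so the constructed set scores 25%; a `p=none` record, which is what an unenforced policy typically looks like, reports on spoofing without stopping it.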

“This is similar to an issue we see with banking fraud phone communications,” said Tobac. “Spammers call bank customers, spoof the bank’s number, and pose as the bank to get customers to give account details to ‘verify their account’ before ‘hearing about the fraud the bank noticed on their account — which, of course, is an attack,” she said.

“This is surprisingly exactly what the legitimate phone call sounds like when the bank is truly calling to verify fraudulent transactions,” Tobac said.

Wethington noted that other suspicious indicators were all techniques used by scammers in phishing attacks. The posters.trinet.com subdomain used in the email was only set up a few weeks ago, and the eposterservice.com domain it pointed to used an HTTPS certificate that wasn’t associated with either TriNet or Poster Elite.

These all point to one overarching problem. TriNet may have sent out a legitimate email but everything about it looked problematic.

On one hand, being vigilant about incoming emails is a good thing. And while it’s a cat-and-mouse game to evade phishing attacks, there are things that companies can do to proactively protect themselves and their customers from scams and phishing attacks. And yet TriNet failed in almost every way by opening itself up to attacks by not employing these basic security measures.

“It’s hard to distinguish the good from the bad even with proper training, and when in doubt I recommend you throw it out,” said Wethington.

‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game’s online arena. But there was no password on the storage bucket, allowing anyone to access the files inside.

The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed it contained information on 452,634 players, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data.

Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.

LA warns of ‘juice-jacking’ malware, but admits it has no cases

Los Angeles’ district attorney is warning travelers to avoid public USB charging points because “they may contain dangerous malware.”

Reading the advisory, you might be forgiven for thinking that every USB outlet you see is just waiting for you to plug in your phone so it can steal your data. This so-called “juice-jacking” attack involves criminals loading malware “on charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users,” it reads. “The malware may lock the device or export data and passwords directly to the scammer.”

But the county’s chief prosecutor’s office told TechCrunch that it has “no cases” of juice-jacking on its books, though it said there are known cases on the east coast. When asked where those cases were, the spokesperson did not know. And when asked what prompted the alert to begin with, the spokesperson said it was part of “an ongoing fraud education campaign.”

Which begs the question — why?

Security researcher Kevin Beaumont tweeted that he hasn’t seen “any evidence of malware being used in the wild on these things.” In fact, ask around and you’ll find very little out there. Several security researchers have dropped me messages saying they’ve seen proof-of-concepts, but nothing actively malicious.

Juice-jacking is a real threat, but it’s an incredibly complicated and imperfect way to attack someone when there are far easier ways.

The idea, though — that you can plug in your phone and have your secrets stolen — is not entirely farfetched. Over the years there have been numerous efforts to demonstrate that it’s possible. As ZDNet points out in its coverage of the juice-jacking warning, the FBI sent out a nationwide alert about the threat after security researcher Samy Kamkar developed an Arduino-based implant designed to look like a USB charger to wirelessly sniff the air for leaky key strokes. And just earlier this year, a security researcher developed an iPhone charger cable clone that let a nearby hacker run commands on the vulnerable computer.

LA recommends using an AC power outlet rather than a charging station, and taking your own cables with you. That’s sound advice, but it’s just one of many things you need to do to keep your devices and data safe.

Facebook says government demands for user data are at a record high

Facebook’s latest transparency report is out.

The social media giant said the number of government demands for user data increased by 16% to 128,617 demands during the first-half of this year compared to the second-half of last year.

That’s the highest number of government demands it’s received in any reporting period since it published its first transparency report in 2013.

The U.S. government led the way with the most requests — 50,741 demands for user data, resulting in some account or user data given to authorities in 88% of cases. Facebook said two-thirds of all of the U.S. government’s requests came with a gag order, preventing the company from telling the user about the request for their data.

But Facebook said it was able to release details of 11 so-called national security letters (NSLs) for the first time after their gag provisions were lifted during the period. National security letters can compel companies to turn over non-content data at the request of the FBI. These letters are not approved by a judge, and often come with a gag order preventing their disclosure. But since the Freedom Act passed in 2015, companies have been allowed to request the lifting of those gag orders.

The report also said the social media giant had detected 67 disruptions of its services in 15 countries, compared to 53 disruptions in nine countries during the second-half of last year.

And, the report said Facebook also pulled 11.6 million pieces of content, up from 5.8 million in the same period a year earlier, which Facebook said violated its policies on child nudity and sexual exploitation of children.

A US federal court finds suspicionless searches of phones at the border is illegal

A federal court in Boston has ruled that the government is not allowed to search travelers’ phones and devices at the U.S. border without first having reasonable suspicion of a crime.

That’s a significant victory for civil liberties advocates who have said that the government’s own rules that allow its border agents to search electronic devices at the border are unconstitutional.

The court said that the government’s policies on warrantless searches of devices without reasonable suspicion “violate the Fourth Amendment,” which provides constitutional protections against warrantless searches and seizures.

The case was brought by 11 travelers — ten of whom are U.S. citizens — with support from the American Civil Liberties Union and the Electronic Frontier Foundation, who said border agents searched their smartphones and laptops without a warrant, or any suspicion of wrongdoing or criminal activity. The travelers said the government was overreaching its powers.

The border remains a bizarre legal space, where the government asserts powers that it cannot claim against citizens or residents within the United States. The government has long said it doesn’t need a warrant to search devices at the border.

Any data collected by Customs & Border Protection without a warrant can still be shared with federal, state, local and foreign law enforcement.

Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, said the ruling “significantly advances” protections under the Fourth Amendment.

“This is a great day for travelers who now can cross the international border without fear that the government will, in the absence of any suspicion, ransack the extraordinarily sensitive information we all carry in our electronic devices,” said Sophia Cope, a senior staff attorney at the EFF.

Millions of travelers arrive into the U.S. every day. Last year, border officials searched 33,000 travelers’ devices — a fourfold increase since 2015 — without any need for reasonable suspicion. In recent months, travelers have been told to inform the government of any social media handles they have, all of which are subject to inspection. But some have been denied entry to the U.S. for content on their phones shared by other people.

Earlier this year, a federal appeals court found that traffic enforcement officers’ use of chalk to mark car tires was unconstitutional.

A spokesperson for Customs & Border Protection did not immediately comment.