How Long Can Border Agents Keep Your Email Password?

Homeland Security Secretary John Kelly pauses while speaking at a news conference at the U.S. Customs and Border Protection headquarters in Washington, Jan. 31.

Homeland Security Secretary John Kelly pauses while speaking at a news conference at the U.S. Customs and Border Protection headquarters in Washington, Jan. 31. Andrew Harnik/AP

Some data gathered from travelers going through customs can stay in a Homeland Security database for 75 years.

When you cross into or out of the United States, whether in a car or at an airport, you enter a special zone where federal agents have unusual powers to search your belongings—powers they don’t have elsewhere in the country. The high standard set by the Fourth Amendment, which protects people against unreasonable searches, is lowered, and the Fifth Amendment, which guards against self-incrimination and prevents the government from demanding computer passwords or smartphone PINs, is rendered less effective.

These special rules allowed a customs officer at the Houston airport to ask a NASA engineer to give up the passcode to his smartphone last month. The engineer, Sidd Bikkannavar, was reentering the U.S. after a two-week vacation in Chile, but the device he had on him belonged to his employer, NASA’s Jet Propulsion Laboratory. He routinely used the smartphone for sensitive work, so losing sight of it for a half hour was a “huge, huge violation of work policy,” Bikkannavar told me.

After he was released, Bikkannavar immediately got a new phone from his employer and changed his PIN. But what if he hadn’t, and then traveled internationally again? If he were selected a second time for questioning at the border, the officer interviewing him would check at the record from Bikkannavar’s last run-in with Customs and Border Protection—which may include the passcode he revealed to an agent.

The rules around what information can be retained after Customs and Border Protection inspections—and for how long—aren’t entirely clear-cut.

A notice published in 2008 in the Federal Register, the government’s official journal, describes the main database CBP uses for traveler information. Here’s a nonexhaustive list of the kinds of data the records system known as TECS—that’s not an acronym—hosts:

… full name, alias, date of birth, address, physical description, various identification numbers (e.g., social security number, alien number, I-94 number, seizure number), details and circumstances of a search, arrest, or seizure, case information such as merchandise and values, methods of theft.

In addition, if officials search an electronic device like a laptop or smartphone, they may create a copy of the device’s contents. Without probable cause, CBP can’t keep that data on record for longer than a week (although some circumstances allow the window to be extended to a month), except for information “relating to immigration, customs and other enforcement matters,” according to an official privacy impact assessment released in 2009. A CBP spokesperson confirmed this policy is still in place.

The list of data CBP can keep doesn’t include “passwords” or “credentials,” but that doesn’t mean they aren’t gathered and stored. Hugh Handeyside, a staff attorney at the American Civil Liberties Union, says customs officials can enter miscellaneous information into records submitted to the TECS system.

The CBP spokesperson said the agency can hang on to a password to facilitate digital searches once a device has been detained. The spokesperson did not say whether the password would be deleted from a traveler’s record after the search is over.

Generally, once a piece of information has been entered into the system, it can stay there for a very long time. According to the Federal Register notice, data in TECS can be kept for 75 years—or for the duration of a “law enforcement matter” or any “other enforcement activities that may become related.”

One of the few laws that would constrain how CBP would collect, keep and disseminate personal information is the Privacy Act of 1974, which regulates how federal agencies treat sensitive personal data. But the Homeland Security Department, CBP’s parent agency, exempted TECS from that law since at least 2009.

Instead, CBP considers requests from individuals who ask to access records about them—a right guaranteed under the Privacy Act—on a case-by-case basis.

“Any limits would have to be derived directly from the Constitution or international treaties, not from statutes or regulations,” said Edward Hasbrouck, a travel expert and consultant to The Identity Project. “I am not aware of any case law limiting retention of this sort of data.”

To better understand how CBP collects and retains data, Hasbrouck requested his own travel records from the agency in 2007. He received incomplete responses and eventually stopped hearing back, so in 2010, Hasbrouck sued DHS to compel it to turn over the records he requested.

The documents he won in the lawsuit—some of which went as far back as 1992—show the detailed notes CBP officials keep on travelers. Two records in particular showed the result of a pair of inspections Hasbrouck submitted to in 2009 and 2007.

In one instance, Hasbrouck was interviewed at Boston Logan airport on the way back from London, because he “verbally declared” he was carrying food. In the “inspection remarks” section, an official noted “1 APPLE WAS SEIZED. BREAD WAS INSPECTED AND RELEASED.” (The “remarks” section is likely where a seized password might be entered.)

That information probably won’t come back to haunt Hasbrouck the next time he flies internationally. But once it’s saved, it’s fair game for use in future border encounters. Hasbrouck says he’s been questioned about the findings of previous inspections even years after the initial incident. If his records had contained any more sensitive information, they could easily have caused him trouble every time he traveled.

In October, a Canadian man traveling from British Columbia to New Orleans was taken aside for questioning at the Vancouver Airport. There, a CBP officer demanded the password to his phone and computer, according to a recent report in the DailyXtra, a Canadian LGBT news site. The man, identified only by his first name, André, turned over his credentials, and waited for “an hour or two” as officers searched through his digital life.

When the officer returned, he began “grilling” André about his emails, apps and browsing history. The officer asked about André’s accounts on Scruff, a gay hookup app, and BBRT, a gay hookup website, in an episode the traveler described as “humiliating.” Ultimately, he chose not to enter the U.S. that day, and gave up his seat on the flight.

A month later, André tried to fly to New Orleans again. He was again singled out for secondary inspection at the Vancouver airport, where officers asked for his devices. But this time, DailyXtra reported, the officers didn’t ask for his passwords; they still had them saved from the previous inspection. They rifled through his devices again, and even though André had wiped them of most of his personal information, he said he was not let through and was told he was a “suspected escort.”

I asked several experts who study digital border searches whether they’d ever heard of a similar case. None were aware of a specific instance of a device or online password being retained—and reused—but each said he or she wouldn’t be surprised to learn CBP has a policy of retaining passwords.

“Based on the policy and reported incidents, my best guess is that CBP agents have broad discretion to keep login credentials if they think they will have a reason to use them in the future,” said Catherine Crump, a law professor at the University of California, Berkeley who has brought multiple cases against the government’s digital border search policy. “Bottom line: Change your passwords, people!”

For now, CBP is most likely interested mostly in passwords to physical devices, and not passwords to online accounts. Because the agency’s expanded authority to conduct searches is restricted to the border, lawyers say it wouldn’t cover a search of a traveler’s Facebook or Twitter profile. Doing so would request information from data centers located around the country or overseas—outside of the border zone—and would require a traditional subpoena, or some other type of court order.

But DHS Secretary John Kelly has proposed making social-media searches routine. At a hearing earlier this month, Kelly said he’d like to make it mandatory for visitors to the U.S. to turn over their browsing history and passwords to their social-media accounts. The proposal was met with intense opposition from human-rights groups and security experts, who say it would violate fundamental privacy rights, and could set a worrying precedent for other countries.

If such a policy were put into place, CBP could begin to compile the keys to travelers’ digital kingdoms, simply by asking for passwords at the border, jotting them down and keeping them. Unless travelers change their passwords after a search, they may find their input isn’t needed next time they’re stopped at the border.