Our work is cited in an article today by Kaveh Waddell in The Atlantic, “How Long Can Border Agents Keep Your Email Password? Some data gathered from travelers going through customs can stay in a Homeland Security database for 75 years.”

The article in The Atlantic highlights several recent incidents in which international travelers have been asked or ordered to tell US Customs and Border Protection inspectors the passwords to their electronic devices and/or online accounts. As in many encounters with law enforcement officers or other government agents, the distinction between a request and a command at an airport or international border is often unclear.

In one of these incidents, a Canadian would-be visitor to the US provided CBP with the password to his phone, but balked at providing the password to his accounts with LGBT dating apps and websites. He forfeited his ticket, and left the US “preclearance” site at the airport in Vancouver without boarding his intended flight to the US. A month later, when he tried again to fly to the US, carrying the same phone with the password unchanged, he found that CBP had recorded his phone password in their permanent file about him in the CBP “TECS” lifetime international travel history database.

This sort of data collection and data retention is wrong, but it’s also routine and should be expected.

For more than a decade, since DHS first disclosed the existence of its “Automated Targeting System” database, we’ve been providing forms you can use to request the files about you from TECS and other government databases, helping travelers interpret the (redacted and incomplete) responses from CBP, and reporting on what we’ve seen in the responses and how these dossiers are used in pre-crime profiling and control of who is “allowed” to fly and how they treated when they fly.

We’ve sued to obtain our travel records from CBP and information about how these databases are mined and shared by CBP and other government agencies.

After ignoring our requests for three years, DHS exempted the system from most of the requirements of the Privacy Act, including limits on data retention, when the agency realized we were about to sue.

Any disclosure to us of the government’s permanent files about our travel is now a matter of “discretion”, not a right, if we are US citizens, and expressly forbidden by an Executive Order of President Trump for anyone other than US persons.  As we told The Atlantic:

“Any limits would have to be derived directly from the Constitution or international treaties, not from statutes or regulations,” said Edward Hasbrouck, a travel expert and consultant to The Identity Project. “I am not aware of any case law limiting retention of this sort of data.”

Here’s what our experience and our research confirms: CBP officers are not your friends, and their job is not to help you. They are law enforcement officers. Their job is to find evidence of violations of the law, and/or reasons to deny you entry to the US. Anything you say to them can be retained and used against you at any time in the future, just like anything you say to any other law enforcement officers. You should expect that anything you have with you, anything you say, and anything you do at an international border, airport, or CBP checkpoint can and will be recorded. That information can and will be retained by DHS for the rest of your life. You could be questioned about it in any future encounter with CBP or other law enforcement or government agents, even many years later, and have it used against you or anyone else in court at any time, perhaps in ways you could never anticipate.

We’ve seen all sorts of information — irrelevant, inappropriate, and potentially subject to derogatory interpretations or giving rise to guilt by association — in CBP travel dossiers. We’ve been questioned at a US border crossing, years later, about completely inconsequential and legal events at another airport years earlier, because those were being recorded in the TECS database even during primary screening on a routine entry to the US by a US citizen.

What can you do, and what should you do, if you are asked to tell CBP agents any of your passwords?

We agree with all the lawyers consulted by The Atlantic: US citizens should not voluntarily provide passwords to US border guards or inspectors at airports.

Unless there is legitimate doubt as to your citizenship, the US government has to let you enter or leave the US. That is your right pursuant to Article 12 of the International Covenant on Civil and Political Rights, a treaty ratified by and binding on the US. CBP inspectors can detain and delay you (case law is unclear on how long is permissible), but eventually they have to let you go. They can’t make you answer questions beyond the required customs declaration and sufficient information to establish and resolve any doubts about your US citizenship.

This blog is not legal advice. But if you are a US citizen seeking to enter or leave the US, most lawyers would give the same advice that they would give in any other encounter with law enforcement officers:

1. Do not consent to any search. (You and your belongings will still be searched, but it will be a nonconsensual search, which may limit it and/or give you a basis for later legal challenges.)
2. Remain silent (other than providing your passport and confirming your identity, US citizenship, and written and signed customs declaration). Do not answer questions about your activities, associates, itinerary, etc.
3. Leave as soon as you are told you are free to go.
4. If detained, ask to be allowed to leave as soon as possible, and ask to talk to a lawyer before answering any other questions.
5. If government agents want to search or seize or want you to give them the password to any device that contains any photos or documents that you intend to distribute publicly — for example, photos taken on your phone, some of which you might post on Facebook or Twitter — or related materials, invoke your rights under the Privacy Protection Act. (Most CBP officers have probably never heard of the Privacy Protection Act, and don’t realize the scope of its protections. So you need to be proactive in asserting your rights under this law.)

People who aren’t US citizens face a more difficult dilemma: You don’t have to answer questions, but if you don’t answer questions, the US can deny you entry. As in the latest legal cases challenging the #MuslimBan executive order, the US government claims that people who aren’t US citizens have no rights (so much for “human” rights that don’t depend on citizenship) and that decisions on the entry of people who aren’t US citizens are not subject to judicial review. This highlights the danger of asking for other info such as social media identifiers (which began last year), even if the questions are ostensibly “voluntary”.