• • •

The rules around what information can be retained after CBP inspections—and for how long—aren’t entirely clear-cut.

A notice published in 2008 in the Federal Register, the government’s official journal, describes the main database CBP uses for traveler information. Here’s a non-exhaustive list of the kinds of data that the records system known as TECS—that’s not an acronym—hosts:

… full name, alias, date of birth, address, physical description, various identification numbers (e.g., social security number, alien number, I-94 number, seizure number), details and circumstances of a search, arrest, or seizure, case information such as merchandise and values, methods of theft.

In addition, if officials search an electronic device like a laptop or smartphone, they may create a copy of the device’s contents. Without probable cause, CBP can’t keep that data on record for longer than a week (although some circumstances allow the window to be extended to a month), except for information “relating to immigration, customs, and other enforcement matters,” according to an official privacy impact assessment released in 2009. A CBP spokesperson confirmed that this policy is still in place.

The list of data that CBP can keep doesn’t include “passwords” or “credentials,” but that doesn’t mean they aren’t gathered and stored. Hugh Handeyside, a staff attorney at the American Civil Liberties Union, says that customs officials can enter miscellaneous information into records submitted to the TECS system.

The CBP spokesperson said that the agency can hang on to a password to facilitate digital searches once a device has been detained. The spokesperson did not say whether the password would be deleted from a traveler’s record after the search is over.

Generally, once a piece of information has been entered into the system, it can stay there for a very long time. According to the Federal Register notice, data in TECS can be kept for 75 years—or for the duration of a “law enforcement matter” or any “other enforcement activities that may become related.”

One of the few laws that would constrain how CBP would collect, keep, and disseminate personal information is the Privacy Act of 1974, which regulates how federal agencies treat sensitive personal data. But the Department of Homeland Security, CBP’s parent agency, exempted TECS from that law since at least 2009. Instead, CBP considers requests from individuals who ask to access records about them—a right guaranteed under the Privacy Act—on a case-by-case basis.

“Any limits would have to be derived directly from the Constitution or international treaties, not from statutes or regulations,” said Edward Hasbrouck, a travel expert and consultant to The Identity Project. “I am not aware of any case law limiting retention of this sort of data.”