U.S. border officers aren't allowed to look at any data stored only in the "cloud" — including social media data — when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.
The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn't have that authority in the first place.
In April, Wyden and Sen. Rand Paul, R-Ky., introduced legislation to make it illegal for border officers to search or seize cellphones without probable cause. Privacy advocates and former Homeland Security lawyers have said they are alarmed by how many phones are being searched.
The CBP letter, which is attributed to Kevin McAleenan, the agency's acting commissioner, is dated June 20, four months after Wyden asked the Department of Homeland Security (PDF), CBP's parent agency, to clarify what he called the "deeply troubling" practice of border agents' pressuring Americans into providing passwords and access to their social media accounts.
McAleenan's letter cites several laws that he contends allow officers to search any traveler's phone without probable cause when the traveler enters or leaves the United States. The agency says the practice protects against child pornography, drug trafficking, terrorism and other threats.
But the question of whether that broad authority extends to data that a phone links to on remote servers, but that isn't physically stored on the phone itself, had remained unclear, according to privacy advocates like the American Civil Liberties Union and the Electronic Frontier Foundation.
McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion — but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos.
"Therefore, border searches conducted by CBP do not extend to information that is located solely on remote servers," he wrote. That would include apps for email and social media services like Twitter, Instagram and Facebook, among others.
"With my concurrence, CBP's Office of Field Operations issued [guidelines] in April 2017 reminding its officers of this precise aspect of CBP's border search policy," McAleenan wrote — adding that he wouldn't make those guidelines public because they're "law enforcement sensitive."
Travelers don't even have to unlock their devices or hand over their passwords when asked — but if they refuse, officers can "detain" the phone, McAleenan wrote.
Homeland Security has published numerous documents (PDF) detailing what it touts as its progress in decoding password and PIN protection on most devices.
Notably absent from the letter is a response to a request for statistics detailing how many cellphone border searches are conducted at the request of other government agencies, like the FBI, the Drug Enforcement Administration, the National Counterterrorism Center and others — which would otherwise need warrants if they were conducting the searches.
"CBP is assessing whether further data collection can assist in administering the careful use of this authority in the future," McAleenan wrote.
A spokesperson for Wyden told NBC News that the senator "will continue to push both for an answer to that question and a statistic on the number of Americans searched" at McAleenan's confirmation hearing to be CBP's permanent director, which is scheduled for Thursday morning.
In general, McAleenan wrote, cellphone searches of U.S. citizens are "exceedingly rare." CBP data show that the number of travelers overall who have been asked for their phones at the border has risen sharply since 2015 — tripling from October 2015 to October 2016 and rising slightly again by last March.
That doesn't include searches of departing international travelers or searches conducted by other components of Homeland Security, like Immigration and Customs Enforcement.
Two senior intelligence officials, who spoke to NBC News on condition that they not be identified, said in March that the more aggressive tactics were sparked by a string of domestic incidents in 2015 and 2016, in which the terrorism watch list system and the FBI failed to stop U.S. citizens from conducting attacks.
The Homeland Security inspector general's office says it expects to release an audit of CBP's electronic search practices at the end of the summer.