Customs and Border Protection can’t search travelers’ cloud data at the border, according to a new statement by acting commissioner Kevin McAleenan that was obtained by NBC News. The statement was provided in advance of McAleenan’s Senate confirmation hearing, in response to a set of questions by Sen. Ron Wyden (D-OR).

In the letter, McAleenan draws a sharp distinction between data stored locally on the device and cloud data stored on remote servers. Customs has a fundamental mandate to search cargo as it enters the country, a mandate that McAleenan says extends to local disk drives:

Just as CBP is responsible for inspecting luggage, vehicles and cargo upon arrival to the United States, in this digital age, CBP must also conduct limited and targeted inspections of electronic devices to determine whether they contain contraband (such as child pornography)…or information that could present a threat to national security.

However, the letter also makes it clear that authority does not extend to data on remote servers.

CBP authority to conduct border searches extends to all merchandise entering or departing the United States, including information that is physically resident on an electronic device transported by an international traveler. Therefore, border searches conducted by CBP do not extend to information that is located solely on remote servers.

“Border searches ... do not extend to information that is located solely on remote servers.”

In broad strokes, this is consistent with earlier CBP policy statements that have emphasized the agency’s right to inspect locally stored data rather than cloud accounts. McAleenan also describes an agency-wide communication sent out in April reminding border agents of this policy, although the precise contents of the document are classified.

While McAleenan’s testimony draws a sharp distinction between devices and the cloud, the division is often less sharp in practice. The letter’s phasing leaves room for border searches of recent email and social media messages, provided the information is accessible on a traveler’s phone at the time of the search (that is, not “solely” on a remote server).

Social media searches have grown more aggressive under the Trump administration, as border agents seek more information about travelers’ online activities. Even visa-holding non-citizens can be denied entry to the US if agents perceive them as a threat, so travelers are often willing to hand over passwords rather than be turned away at the border.

Notably, McAleenan reserves the right to request passwords from travelers, as part of commissioning their assistance in conducting a search.

“This assistance may occur by CBP requesting that the traveler open the manual lock on his or her suitcase, or unlock or otherwise make accessible the traveler’s accompanying electronic device,” the letter reads. “It is important to understand that CBP does not condition entry of U.S. citizens based on the provision of a password.”

McAleenan’s full letter to Senator Wyden is embedded below: