Under the policy, a border search can legally include any downloaded text messages, contacts or notes on a device. But it forbids any search that would require a border official to request data from a remote server — that is, social media accounts, online storage services or other cloud-based applications.

The letter from CBP Acting Commissioner Kevin McAleenan is dated June 20. Wyden's office said it received the letter June 24 and released it in advance of a nomination hearing for McAleenan that was supposed to take place Thursday but was postponed.

AD

AD

“In conducting a border search, CBP does not access information found only on remote servers through an electronic device … regardless of whether those servers are located abroad or domestically,” McAleenan wrote in response to questions Wyden sent in February. “Instead, border searches of electronic devices apply to information that is physically resident on the device during a CBP inspection.”

The number of border searches of electronics has steadily risen in recent years. Between 2008 and 2010, CBP searched the devices of 6,500 people — roughly half of whom were U.S. citizens, according to a Freedom of Information Act request by the American Civil Liberties Union. In fiscal year 2015, CBP searched more than 8,500 people’s devices, and more than 19,000 in fiscal year 2016, according to NBC.

Those inspection practices have been the subject of mounting scrutiny this spring over reports that some travelers, including U.S. citizens, have been asked to hand over their devices or unlock them for border agents. Officials have also shown greater interest in travelers' social media accounts, with U.S. Homeland Security Secretary John F. Kelly telling lawmakers in February that foreign travelers should be prepared to surrender their social media passwords. That proposal appears to be pending, analysts say.

AD

AD

The reports have contributed to uncertainty over what searches are and aren't beyond the pale. The ACLU and other privacy advocates said they have received “a lot of questions” over the issue. Different rules for citizens and noncitizens have also complicated matters.

In general, years of case law have helped make the country's border area a place where even the typical constitutional protections for U.S. citizens are weaker. For example, authorities do not require a warrant to search goods or materials entering the country. Citizens may legally refuse to unlock their smartphones for border officials, McAleenan reiterated in his letter to Wyden, and the officials cannot deny entry to U.S. citizens — but their electronic devices can legally be detained.

In April, CBP issued an internal reminder that cloud-based data was off limits in border searches, according to McAleenan's letter. The agency's memo, he said, "remind[ed] its officers of this precise aspect of CBP's border search policy."

AD

AD

Privacy advocates welcomed McAleenan's clarification but warned that, unlike law, the CBP rules can easily be changed to a more intrusive policy.

“Furthermore, this policy is at odds with recent broad expansions of CBP collection of social media information, which can enable the agency to access, store and analyze a significant amount of data on travelers and their connections, revealing highly personal information,” said Drew Mitnick, policy counsel at the digital rights organization Access Now. “Moreover, if CBP officers are not permitted to seek data stored in the cloud, it makes the case even weaker for them to seek travelers' passwords, as Secretary Kelly has proposed.”

Wyden, along with Sen. Rand Paul (R-Ky.), have been leading Senate opposition to what they view as an overly expansive search power by the government at the border. The pair have introduced a bill that could make it a crime to search electronic devices at the U.S. border without probable cause.