Skip to main content

Reforms Abound for Cross-Border Data Requests

DEEPLINKS BLOG
December 27, 2015

Access to data stored in the United States presents an especially important question for other countries because of the prominence of U.S. Internet companies. Currently, law enforcement officials in other countries must pursue access to data in the U.S. through the Department of Justice (DOJ)-run Mutual Legal Assistance Treaty (MLAT) process, which has been rightly criticized as slow and inefficient. 

Recently, academics Jennifer Daskal and Andrew Woods have focused the discussion on the issue by proposing a new U.S. legal regime. The proposal contains important ideas, and we're thankful for concrete thoughts around lawful access to data; however, it doesn't address what we view as the actual solution: reforming the MLAT process. 

We Need MLAT Reform

A serious attempt to reform the MLAT process must happen before we create yet another legal regime for access to data stored outside a country's border. Such reform is necessary because the MLAT process is a system that ensures privacy, protects users, and requires countries seeking messages to abide by one of the highest legal standards (probable cause) in the world. It also needs reform because a foreign law enforcement officer should not have to wait anywhere between 6-13 months—the current time frame for receiving data through an MLAT request—for data necessary to her local investigation. 

MLAT reform goes beyond adding more funds or staff. It involves training and co-operation between law enforcement so that their work can meet the probable cause standard to expedite their request. And it may require restructuring key offices at the Justice Department to facilitate faster responses. The DOJ must make a good-faith attempt to prioritize such changes and commit to finding solutions in the literature about how to reform the MLAT process.

How the Alternative Proposal Works

Under the Stored Communications Act (SCA), U.S. providers may not disclose stored communications content to anyone (including foreign governments) unless an exception applies, such as user consent or a warrant based on probable cause. Daskal and Woods propose an interesting alternative to the MLAT process by amending the SCA so that U.S.-based companies can respond directly to foreign government requests for stored data. The foreign government must state that the data belongs to a non-U.S. person located outside the United States and that the data is relevant and material to the crime at hand. Under the Daskal and Woods’ proposal, only countries that follow certain human rights standards will be able to use this alternative track. Daskal and Woods contemplate that this arrangement will be reciprocal: the United States would be able to directly receive data from a foreign-based provider under analogous rules.

Elimination of U.S. Probable Cause and the Creation of a Two-Tier World

The Daskal-Woods proposal suffers from two principal flaws: it appears to lower the current legal standard for accessing data within the United States, and then applies that lower standard to a subset of the world's Internet users.

Currently, all countries must meet the U.S. legal standard of probable cause before obtaining communications from U.S.-based companies. The proposal seems to lower this standard by mandating requests be "relevant and material" to the crime under investigation. While it’s our understanding that the proposed language is meant to approximate the U.S. probable cause standard without using the words “probable cause,” the elasticity of “relevance” (as seen in U.S. debates over the scope of Section 215) is a red flag. 

We don’t doubt that the global popularity of U.S.-based services has sharply increased the volume or scale of cross-border data requests from foreign governments, and we recognize that foreign governments are placing tremendous pressure on U.S. providers to accede to these requests, but the United States should not lower its legal standards as a result. When it functions properly, the current MLAT regime ensures users everywhere are given probable cause protection for access to their messages if they choose to store them with U.S. companies. The popularity of American Internet companies means the U.S. can export more protective legal standards for access to personal data around the world. This is a badge to be worn proudly.

The second knotty aspect of the Daskal-Woods proposal is for a human rights assessment of a country before accepting it into this proposed regime. That might be an understandable trade-off, if such a balancing act could be objectively and independently determined. At present, we’ve yet to see how that could be done. We fear that a real-world implementation would inevitably pass control of such a whitelist to the U.S. executive branch, which has its own interests in rewarding and punishing foreign nations—distinct from users’ interests in privacy and civil liberties. Our caution about a previous attempt (the Global Online Freedom Act) to divide the world into “good” and “bad” Internet nations makes us skeptical that the criteria would remain truly objective.

There's also an outstanding question as to what the United States would think of such a proposal if roles were reversed. For example, assuming that a country's human rights record should relate to local law enforcement access to data, would the U.S. detention facilities in Guantanamo Bay or disclosures found in the recently declassified Torture Report be able to pass another country's human rights assessment? Countries with high standards of human rights often fail to live up to those standards within a particular prosecution.

The Necessary and Proportionate Principles are useful when analyzing proposals like the one offered by Daskal and Woods. The Necessary and Proportionate Principles declare:

Mutual legal assistance treaties (MLATs) and other agreements entered into by States should ensure that, where the laws of more than one state could apply to Communications Surveillance, the available standard with the higher level of protection for individuals is applied… States may not use mutual legal assistance processes and foreign requests for Protected Information to circumvent domestic legal restrictions on Communications Surveillance. 

If the Daskal-Woods proposal does not require the functional equivalent of probable cause (combined with “particularity” requirements), it would offer certain foreign countries a lower standard of access for communications content than is available to U.S. law enforcement. Privacy reforms should aspire to the highest standard, applied in a non-discriminatory fashion.

Important Components to Any Legal Regime

The proposal catalyzes important questions for countries’ access to data outside their borders. We think any proposal must account for scenarios where a foreign data request may involve U.S. citizen data, since U.S. persons’ Fourth Amendment rights should be accounted for in any legal regime. Similarly, a proposal should also include a notice provision, or at least contemplate how the Fourth Amendment's notice requirements may interact with the new legal regime. There's no doubt that a target—and people communicating with the target—should be notified of a governmental search. And it remains unclear to us how users whose communications are collected by foreign governments can hold those foreign governments accountable for rights violations.   

Reform is Real, but MLAT Problems Must Be Solved First

The need to reform how foreign countries can access data held by U.S. companies is real. U.S. companies are feeling tremendous pressure from countries expressing frustration that they cannot obtain evidence in a timely fashion from U.S. companies. Some fear that the inability to back a reform proposal may create a race to the bottom where countries will demand that personal data be kept locally, where it may be reached with lower legal standards than America's probable cause standard. We are sympathetic towards such arguments, but such threats do not necessitate the creation of an entirely new regime for lawful access. Many countries that are threatening localization requirements will continue these threats under a new regime.

We should not trade away the best elements of the current system—its high legal standard—in an effort to head off such threats. Instead, we should identify serious proposals for MLAT reform and fix the current system for everyone before creating yet another—potentially flawed—legal regime for the few. 

JavaScript license information