
Protect the Privacy of Cross-Border Data: Stop the DOJ Bill

DEEPLINKS BLOG
September 24, 2017

Because the global Internet carries data across international borders, police often seek digital evidence stored in another country. To obtain such cross-border data, police generally must gain approval from the government whose territory hosts the data, under an international web of Mutual Legal Assistance Treaties (MLATs).

Because of the global popularity of computing and communication services provided by U.S. companies, foreign police frequently take aim at digital content stored in the United States. When they do so, the MLAT system requires them to satisfy strong U.S. privacy safeguards. Most importantly, the U.S. Constitution’s Fourth Amendment requires a judicial warrant based on probable cause of crime, as set forth in the Sixth Circuit Court of Appeals’ watershed Warshak decision in 2010.

EFF has long supported the MLAT system, because it protects the privacy of cross-border data. We likewise oppose proposals to allow police to bypass the MLAT system, and seize foreign-stored electronic evidence directly from service providers, without satisfying the privacy rules of the nation that hosts the data.

The DOJ Bill And Its Opponents

In 2016 and again in 2017, the U.S. Department of Justice (DOJ) proposed legislation that would empower the U.S. executive branch to enter bilateral surveillance agreements with foreign nations. Under these agreements, police in both nations would have the reciprocal power to bypass MLAT—and each other’s privacy laws—and instead make direct demands to service providers for data located in the other nation.

EFF and a coalition of 20 other privacy advocates sent a letter to Congress opposing this DOJ bill. The other signatories are Access Now, Advocacy for Principled Action in Government, the American-Arab Anti-Discrimination Committee, the American Civil Liberties Union, Amnesty International, the Center for Democracy and Technology, the Center for Media and Democracy, the Constitutional Alliance, the Council on American-Islamic Relations, Defending Rights & Dissent, Demand Progress, Fight for the Future, the Government Accountability Project, Government Information Watch, Human Rights Watch, the National Association of Criminal Defense Lawyers, National Security Counselors, New America’s Open Technology Institute, the Project on Government Oversight, and Restore the Fourth.

Weak Privacy Safeguards

The coalition letter identifies many defects with the kinds of data disclosure orders that the DOJ bill would allow foreign police to use against U.S. service providers.

A weak standard. The bill would allow foreign police to seize U.S. content if there is “a reasonable justification based on articulable and credible facts.” This amorphous standard is weaker than the U.S. “probable cause” requirement.

No requirement of prior individualized review. The bill would allow foreign police to seize U.S. data based on “review or oversight” by an independent authority such as a judge. Such “oversight” might be generalized (as opposed to case by case), and might occur after the seizure (as opposed to before it). This is less protection than the prior individualized review required by U.S. law.

Wiretaps by foreign police. The bill would allow foreign police to compel U.S. providers to grant them real-time access to electronic communications content. Foreign police have never previously had this wiretap power over U.S. providers. Worse, such foreign wiretaps would not be subject to the privacy protections of the U.S. Wiretap Act that apply to U.S. police. These include a warrant requirement, a limitation to certain enumerated felonies, exhaustion of less intrusive investigative methods, minimization of interception of non-pertinent communications, and a suppression remedy.

Inadequate limits on types of crimes. The bill would allow foreign police to seize data from U.S. providers while investigating undefined “serious” crime. Further, unlike MLATs, the bill contains no “dual criminality” requirement, meaning foreign police could seize data from U.S. providers while investigating activity that is a crime in the foreign country but not in the United States.

No requirement of notice. The bill fails to require any notice to the target of surveillance that foreign police seized their data. Notice is a key human rights protection that allows the target to challenge the seizure in court. The bill does not even require notice to the U.S. government when a foreign government demands data stored in the United States from a U.S. company, to allow the U.S. government to recognize any patterns of abuse.

Reduced Privacy For U.S. And Foreign Citizens Alike

The DOJ bill would not allow foreign police to target U.S. citizens and permanent residents, or people located inside the United States. These limits do not diminish EFF’s opposition to the bill.

First, EFF supports digital privacy for everyone, regardless of their citizenship or residency, as a fundamental human right. Thus, EFF opposes any diminution in current privacy protections, under MLAT and U.S. law, enjoyed by foreign citizens residing in foreign nations as to their data located in the United States. In the words of the Necessary and Proportionate Principles: “where the laws of more than one state could apply to Communications Surveillance, the available standard with the higher level of protection for individuals is applied.”

Second, many Americans regularly communicate with foreigners, including their friends, family, and business associates. This is especially true for recent immigrants to the United States. As the coalition letter explains, when foreign police gather information about foreign citizens pursuant to the proposed bill, it is likely they will incidentally collect the communications of Americans, too.

Foreign police could then share much of this information with the U.S. government, even though they collected it without the safeguards of U.S. privacy law. Specifically, foreign governments could share any metadata (such as the “to” and “from” lines of an email) with the U.S. government, with no limits at all. Also, they could share communications content that “relates to significant harm, or the threat thereof, to the United States or a U.S. person.” This nebulous standard is far lower than the one the U.S. government must satisfy to obtain communications content on its own.

The Likely Spying Agreement with the U.K.

If the DOJ bill is enacted, it is likely that the United Kingdom will enjoy the first bilateral surveillance agreement with the United States to bypass MLAT and U.S. privacy laws. The United States and the United Kingdom are already negotiating such an agreement. Earlier this year, the U.K.’s Deputy National Security Advisor testified before the U.S. Congress in support of such an agreement.

This would be a step backwards for privacy, because U.K. law makes it easier than U.S. law for police to seize data from service providers. Specifically, the U.K.’s Investigatory Powers Act of 2016 empowers an executive official, the Secretary of State, to issue surveillance warrants. A Judicial Commissioner would review the Secretary’s decision under a highly deferential U.K. standard called “judicial review.” As the website of the U.K.’s judiciary explains, this standard concerns “the way in which a decision has been made,” and not “the conclusions of that process and whether those were ‘right.’”

The United Kingdom also lacks any comparable provisions for notification. Indeed, the long-standing tradition in the United Kingdom is to prohibit service providers from notifying anyone of an interception order, and to prohibit from court proceedings any evidence that reveals an interception has ever taken place.

This is a far cry from a warrant from a judge based on probable cause under the U.S. Fourth Amendment, and the right to challenge evidence in open court.

Potential Surveillance By Human Rights Abusers

The bilateral surveillance agreements authorized by the DOJ bill would not be limited to nations that, like the U.K., have a legal system that overlaps significantly with the U.S. legal system. Rather, the U.S. executive branch could enter bilateral surveillance agreements with virtually any other nation, even ones that now systematically abuse human rights. As the coalition letter points out, while the executive branch would have to “consider” such “factors” as adherence to “human rights obligations,” these factors are optional.

To make matters worse, the bill would bar any judicial or administrative review of whether the U.S. executive branch properly entered a bilateral surveillance agreement. Further, these bilateral agreements would not require any Congressional ratification. This places too much power in the hands of the U.S. executive branch to authorize foreign nations to seize U.S. data.

Finally, the bill does not bar foreign countries from requiring U.S. service providers to create back doors to circumvent encryption.

Next Steps

EFF is proud to stand with the many privacy advocates that oppose this DOJ bill, which would allow police to bypass MLAT and national privacy laws in their pursuit of cross-border data.

Anyone worried about police snooping on their electronic data should call or write to their U.S. Senators, and urge them to oppose the DOJ bill on police access to cross-border data.

 
