Unless Congress stops it, foreign police will soon be able to collect and search data on the servers of U.S. Internet companies. They’ll be able to do it without a probable cause warrant, or any oversight from a U.S. judge. This is all happening because of a new law enforcement deal between the U.S. and the United Kingdom. And while it seeks to exclude purely domestic correspondence between U.S. citizens and residents, plenty of Americans’ data will get swept up when they communicate with targeted individuals located abroad.
This is all happening because, for the first time, the U.S. executive branch is flexing its power to enter into law enforcement agreements under the CLOUD Act. We’ve been strongly opposed to this law since it was introduced last year. The recently signed deal between the U.S. Department of Justice and the U.K. Home Office will allow U.K. police easy access to data held by American companies, regardless of where the data is stored. These U.K. data requests, including demands to collect real-time communications, do not need to meet the standards set by U.S. privacy laws or the 4th Amendment. Similarly, the deal will allow U.S. police to grab information held by British companies without following U.K. privacy laws.
This deal, negotiated by American and British law enforcement behind closed doors and without public input, will deal a hammer blow to the legal rights of citizens and residents of both countries. And the damage won’t stop there. The U.S.-U.K. Cloud Act Agreement may well become a model for further bilateral deals with other foreign governments and the United States. Earlier this month, Australian law enforcement agencies began negotiating their own deal to directly access private information held by U.S. Internet companies.
There’s still one possible path to put the brakes on this disastrous U.S.-UK deal: Congress can introduce a joint resolution of disapproval of the agreement within 180 days. This week, EFF has joined 19 other privacy, civil liberties, and human rights organizations to publish a joint letter explaining why Congress must take action to resist this deal.
No Prior Judicial Authorization
In the U.S., the standard for when law enforcement can collect stored communications content is clear: police need to get a warrant, based on probable cause. If police want to wiretap an active conversation, they have to satisfy an even higher standard, sometimes called a “super warrant,” that limits both the timing and use of a wiretap. Perhaps most importantly, stored communications warrants and wiretap warrants have to be signed by a U.S. judge, which adds an extra layer of review to whether privacy standards are met. At EFF, a core part of our work is insisting on the importance of a warrant in many different scenarios.
Judicial authorization is a critical step in the U.S. warrant process. When police search people’s private homes, offices, or devices, they must justify why the search for specific evidence outweighs the presumption that individuals remain free from government intrusion. Judicial authorization acts as a safeguard between citizens and law enforcement. Further, history has shown that police can and will abuse their powers for intimidation, or even personal gain. In colonial times, the British military used general warrants to search through colonists’ houses and seize property—actions that helped fuel a revolution, and formed the basis for the 4th Amendment to the U.S. Constitution.
Incredibly, the DOJ has just thrown those rights away. Instead of relying on probable cause, the new agreement uses an untested privacy standard that says that orders must be based on a “reasonable justification based on articulable and credible facts, particularity, legality, and severity.” No judge in any country has decided what this means.
Furthermore, it’s debatable whether UK law even satisfies that standard. As our coalition letter states, “U.K. law on the production of stored content data and live wiretaps do not raise to the standards in the U.S.-U.K. Agreement and indeed at points may be weaker, emphasizing the need for strong safeguards to be written into CLOUD Act Agreements.”
That’s why we believe any agreement should include prior judicial authorization. The current deal just says that the U.K. must have “review or oversight” by an independent authority. Oversight is much different than prior judicial authorization. That means when a U.S. tech company is asked to hand over communications and other sensitive data to UK police, the police don’t have to go to an impartial third party to first review the request and see if it complies with the U.S.-UK agreement. This takes away an important check before data is turned over to make sure that privacy rights are not harmed. Importantly, this hurts the rights of non-U.S. people as well because it takes away protections and recourse under U.S. domestic privacy laws.
No Required Notice to People Under Surveillance
The U.S.-UK agreement also doesn’t create safeguards that provide notice to the target of a law enforcement order, or any other affected people.
Without notice, a person won’t be aware that they are under foreign surveillance, won’t be able to hire a lawyer, and won’t be able to examine the evidence against them. Further, the agreement allows U.K. police to request U.S.-based data under U.K. law. People subject to unlawful surveillance won’t be able to exercise legal or constitutional rights they have under U.S. law.
Unfair and Unequal “Minimization” Procedures
National police agencies are trying to soft-pedal their demand for this new power by pointing out that it won’t be applied to U.S. persons. But foreign police will be getting Americans’ data. First of all, U.K. police will inevitably scoop up the information of Americans who have been in contact with foreigners who are the official subjects of U.K. police requests. That’s why there are mandatory “minimization” procedures to make sure U.K. police don’t get too much data about U.S. persons, or distribute it too widely.
As for U.K. citizens and residents, what happens to their data under this agreement isn’t clear. When U.S. police go to British information providers, there are no clear requirements for how the U.S. should even perform minimization. The only requirement on the U.S. is that the agreement be reciprocal, including limitations on targeting people within British territory. But that doesn’t mean that the U.S. won’t still get information about U.K. persons, as long as they’re in communication with a non-U.K. target—just as U.K. police will get from the U.S.
U.K. Police Can Secretly Gather Evidence to Pursue Low-Level Crimes
U.S. Attorney General William Barr has claimed that offering extraordinary access to foreign police is the right thing to do because of the awful crimes they’re pursuing, citing terrorism and crimes against children.
However, the deal will allow U.K. police to comb through the data of U.S. companies for relatively low-level crimes, including fraud, assault, and simple theft. The only justification U.K. police will have to come up with is that they’re investigating a crime that holds at least a three-year prison sentence in their own country. They could even be investigating acts that aren’t crimes in the U.S. Again, the same holds true for U.S. law enforcement gathering information held in the U.K.—there’s no requirement that a similar crime exists in both countries. It’s worth noting that under U.K. law, a 10-year sentence can also be handed down for criminal copyright infringement.
No Safeguards for Free Expression
Under the current system, if a foreign law enforcement agent wants access to protected information in the U.S., both the DOJ and a judge will review the request to make sure it doesn’t violate human rights, or U.S. laws like the First Amendment. This review is a part of the long-standing mutual legal assistance process that lets governments access data stored in other territories, but with procedural safeguards. Under this agreement, there won’t even be a cursory review. In some situations, U.S. authorities won’t even be notified about the foreign agent’s request.
The CLOUD Act and U.S.-U.K. agreement specifically say that foreign governments shouldn’t be allowed to file requests that “impinge freedom of speech.” But “freedom of speech” has a different meaning in U.S. and in UK law. The U.K. has several laws that potentially violate article 19 of the International Covenant on Civil and Political Rights, as we pointed out last year in a letter signed by EFF and other free expression organizations.
Under this agreement, it will be up to U.S. tech companies to challenge requests that aren’t compatible with human rights or free speech. As we have seen time and time again, tech companies are not in the best position to understand the nuance of free speech law.
Congress didn’t give proper thought to the CLOUD Act when it passed last year, and it let fundamental U.S. privacy and speech protections fall to the wayside. Now, Congress shouldn’t double down on its mistake by letting an executive agreement negotiated behind closed doors pass through its halls without review. The 180-day clock is already ticking to protect our privacy. Congress should initiate a joint resolution of disapproval of the U.S.-U.K. agreement, as soon as possible.