About a year ago, I wrote here that the mutual legal assistance (MLA) regime – the legal system that regulates government-to-government requests for evidence in criminal investigations, including personal data – was badly in need of reform. Today, the Global Network Initiative is releasing my report on the subject. The report outlines some of the key reforms that can and ought to be implemented by states in the next year to improve the MLA process. (The report is being launched at the Center for Strategic and International Studies (CSIS) in DC at 1pm EST today and will be live streamed here.)
Many of us live much of our lives “online” – meaning that we store our personal data on internet-connected servers, which are very often located in far away locations. As a result of our peripatetic lives, our data is flung across a number of different jurisdictions. When governments seek access to this data – perhaps in connection with a criminal investigation – they increasingly find that it is beyond their jurisdictional reach. (This is the problem raised by the much–discussed Microsoft Ireland case.)
If you care about privacy, you might think this is all good because it means that the government has a harder time getting access to the digital goods. But this view badly misunderstands the tradeoffs associated with the MLA regime. Embracing the fact that MLA tends to prevent governments from gaining lawful access to personal data is both shortsighted and dangerous.
When governments do not get access to data through MLA, they occasionally try other tactics that do not have the same built-in due process constraints that MLA provides (tactics, in other words, that might make those of who care about privacy prefer MLA). When governments feel they cannot get access to data through the MLA process, they might assert that their laws apply extraterritorially – as the US has done in the Microsoft Ireland case – or they might demand that communications companies store data locally on servers (the easier to raid).
Even worse: they might turn to surveillance. A few months ago, I spoke with a salesman from a company (I will not name) who was selling a tool that allows states to intercept their citizens’ communications. I asked him if he had ever heard of the mutual legal assistance treaties. He grinned and said: “MLAT! I love MLAT! States buy my product because MLAT doesn’t work!”
It is no longer a surprise to learn that governments turn to surveillance to gain unwarranted access to citizen data. Here, however, we are talking about data that might be warranted, but the government does not have the patience or felt the need to go through the MLA process to prove that their access is in fact justified. For example, an Italian judge may issue a warrant for data only to discover that the data controller – perhaps a foreign company or a domestic company with data stored abroad – will not submit to its jurisdiction. Local law enforcement agencies can then request MLA from the country with the authority to compel the data and wait 9 or 10 months for the response. Or they can buy off-the-rack software and get the data now.
If any of these alternatives bothers you, you should be urging your government to improve its handling of MLA requests, both outgoing and incoming. That is the thrust of the report being released today.
The report highlights a number of important reforms that ought to be implemented by governments in the next year. These include: creating an electronic system for making and processing MLA requests (which are sometimes still done in paper); better training for government officials as to how to file and process MLA requests; and more staffing at justice departments around the world for the oncoming wave of MLA requests that is likely to materialize in the next few years.
These reforms are low-hanging fruit. The report says little about the much larger and more intractable problems that arise from an Internet that spans multiple jurisdictions. For example, the report is silent on how to determine the scope of a state’s jurisdiction. Needless to say, this is the subject of much debate. (Again, see the Microsoft Ireland case for evidence of this controversy.) Nor does the report attempt to resolve the deeper “conflict of laws” questions that arise when two states do not agree about the legality of the conduct in question. For example, if France asks the United States for data in connection to speech that constitutes a crime in France but not in the U.S., what should the U.S. government do? And what if the suspect is French, the harm is felt in France, and there is no tie to the U.S. but for the location of the data or the location of the company managing the data?
There are some who think that in order to resolve these deeper issues, we need a completely new regime to regulate government access to personal data. That may be the case. But for now, let us fix the MLA system we have.