This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.
On Friday, The Washington Post reported that the Brits and Americans are negotiating a new data sharing agreement that would permit UK-based law enforcement to request stored communications and live intercepts directly from US-based providers — as an alternative to the laborious Mutual Legal Assistance Treaty (MLAT) process and other less transparent means of accessing the data. As a general matter, this is a good thing. That said, the specifics — at least as reported — leave much to be desired.
As Andrew Woods and I (and many others, for example here and here) have written previously, the current system is untenable, and it is incentivizing a whole host of negative developments. Imagine, for example, UK law enforcement investigating a local crime involving a UK victim and alleged UK perpetrator. The UK seeks the emails of the alleged perpetrator. If the perpetrator had been using a UK-based provider, UK law enforcement officials can get the data directly from the provider, likely within days. If, however, the perpetrator uses Gmail, the UK can’t — thanks to the blocking provision in the Stored Communications Act — get the data from Google. Instead the UK government must make a diplomatic request to the US government (employing the MLAT system) and eventually get a US judge to sign off on the request based on a US standard of probable cause. This process takes an average of 10 months. The UK, as well as many other foreign governments, is understandably frustrated by this state of affairs. Why, after all, should the United States insist on this laborious process — requiring American standards and American warrants when the only connection to the United States is that the data happens to be located here?
Countries are responding in a number of concerning ways, including: requiring companies to store content locally so as to ensure access; demanding mandatory anti-encryption regimes as an end-run on the restrictions on access; asserting broad authority to access the data extraterritorially, thereby bypassing more stringent privacy protections that apply under the domestic law where the data is held; and subsequently harassing, indicting, and threatening with arrest employees or officers of local subsidiaries for refusing to turn over the requested data (even in situations where they are not technologically capable of doing so). Absent a solution, we are likely to see these trends continue.
Enter the US-UK discussions. The fact that the two governments are in dialogue about these issues is a positive development. An agreed-upon data sharing agreement provides a front door — and hence more transparent and accountable — alternative to back-channel methods of gaining access to the same evidence.
It also presents a possible, and much preferable, alternative to the UK claim — which is included in both current, albeit soon to expire, legislation as well as proposed new legislation — that UK law enforcement can compel the production of communications content from any provider that does business in its jurisdiction, regardless of the location or nationality of the target. By comparison, the draft agreement, at least as reported by The Washington Post, explicitly carves out US citizens and persons located in the United States from its provisions. If the UK wants to get data on a US citizen or legal permanent resident (wherever located) or a person located in the United States (whatever their nationality), it must still employ diplomatic channels and get a US-issued warrant based on probable cause under the terms of the reported agreement. If, however, the UK is seeking data of a foreign national located outside the United States — in cases where the only connection to the United States is that the data happens to be held here — then UK procedural mechanisms suffice. This distinction reflects the idea that US standards should continue to govern access to data of US citizens, legal permanent residents, and persons located within the United States (a group I will collectively call “US persons”) — whereas the United States has little justification in imposing these specific standards on foreign government access to non-citizen data located outside the United States.
All that said, the agreement, as reported, falls short. Even if US persons cannot be the direct targets of the request, such data will inevitably be collected, when, for example, the target is in communication with a US person. This suggests the importance of — and normative justification for — insisting on a set of baseline standards to apply when the UK (or any other foreign government) requests the data. These should include, at a minimum, a requirement that the request be made by an independent and impartial adjudicator; be targeted to a particular person, account, or device and narrowly tailored as to duration; and be subject to robust minimization requirements to protect against the retention and detention of non-relevant information. And these requirements should be coupled with transparency and accountability mechanisms designed to protect against collected data being used to violate the right to free expression or in other abusive ways. (Andrew Woods and I lay this all out with much more specificity here.)
Here’s where Congress comes in. Importantly, the executive branch can’t actually make any of this work without Congress. Allowing the UK, or any other foreign government official, to directly compel the content of stored communications from US-based providers requires an amendment to the Stored Communications Act. And allowing the UK, or any other foreign government official, to directly compel the content of live intercepts from US-based providers requires an amendment of the Wiretap Act. Congress thus has an opportunity both to help relieve the pressure in the system and to insist that it is done right.
Congress should allow the executive to enter into new data sharing agreements, but should specify a set of minimum baseline protections that should apply. Specifically, it should amend the key statutes so as to authorize the executive branch to allow, on a case-by-case basis, rights-respecting foreign governments to directly compel the production of non-US person data from US providers. But Congress should also make clear that such agreements are authorized only when a set of minimum standards is met. The requesting country needs to comply with basic human rights standards. The requesting country has to have lawful jurisdiction over both the target and the crime being investigated. And the specific requests must meet specified criteria: They should be targeted and particularized; approved by an impartial and independent adjudicator; and subject to robust minimization procedures. In addition, foreign governments should, as a condition of entering into such agreements, be required to produce transparency reports on the number, type, and temporal scope of the data requests and to cooperate with periodic assessments of their system, so as to ensure, among other things, that requested data is not used to stifle the right to free expression or other basic rights.
Two important additional issues:
First, stored communications versus real-time. There is an important difference here. Under current law, foreign law enforcement can get the content of stored communications held by US providers, albeit via the time-consuming MLAT process described above. No such equivalent mechanism exists for foreign law enforcement to access real-time communications (such as an E-chat between two UK nationals that is routed through the United States). There are of course other means for foreign governments to get this data — intelligence sharing and joint ventures are two such mechanisms that come to mind. But allowing UK law enforcement to directly access live intercepts from US providers would be a significant change from the way things work now. On the one hand, the line between stored and live intercepts is increasingly blurring, and it becomes hard at some point to explain why — other than adherence to history — what is acceptable for stored communications is anathema when it comes to live. On the other hand, this history matters. Whether this should be permitted — and whether additional safeguards are needed — requires additional consideration.
Second, traffic data. One of the more incongruous aspects of the law in this area is the treatment of traffic data (or what we in the US often call transactional data), such as to/from lines on emails. Under the Stored Communications Act, US officials need a court order — based on a finding of “specific and articulable facts” showing reasonable grounds to believe that the contents of the sought-after data are “relevant and material” to an ongoing criminal investigation — in order to get such data. No such requirements apply to foreign government access to traffic data. In fact, there are no statutory limits whatsoever on foreign government access to such data, even when they seek such data on US persons. Rather, it is the companies — and the companies alone — that determine when, and according to what standards, such data should be disclosed. This should change. At the same time that Congress gives the executive branch discretion to enter into the kind of agreements permitting foreign governments expedited access to content data, it should set some rules governing foreign government access to traffic data — especially if the foreign government is targeting US person data.
To sum up, there is a tremendous opportunity here: to relieve some of the negative pressure on the system, to halt concerning trends toward data localization, and to help set baseline human rights and privacy standards for all.