Foreign Governments, Tech Companies, and Your Data: A Response to Jennifer Daskal and Andrew Woods

In a thoughtful August 1 piece in Just Security and Lawfare, law professors Andrew Woods and Jennifer Daskal urged Congress to embrace a legislative proposal by the US Justice Department to authorize US communications service providers to disclose their users’ Internet content to foreign governments under foreign laws less protective of civil liberties and human rights than those in the US. Daskal and Woods make some good points, and we have both worked with them for some time on this issue. However, while we believe that bilateral agreements between the US and other governments may be part of the solution to the difficult problem of cross-border law enforcement demands, the DOJ legislation does not provide adequate privacy protections. We therefore must oppose this bill.

The Problem.

Criminal investigators in one country increasingly need communications content and metadata stored by a communications service provider in another country. Typically, the two countries enter into a Mutual Legal Assistance Treaty (MLAT) that establishes the parameters of cooperation in law enforcement investigations. The procedures they follow vary according to whether disclosure of content or metadata is sought.  The process for communications content sought from a US provider works this way:  A central authority in the requesting country sends a surveillance request with supporting documentation to the US Department of Justice.  If DOJ determines that sufficient evidence has been provided to meet the US probable cause standard, to establish that the conduct alleged to be criminal in the requesting country is also a felony in the US, and that disclosure would not violate a person’s human rights, DOJ applies to a US judge for a US warrant.  The judge issues a warrant if there is probable cause.  The DOJ serves the warrant on the provider; the provider discloses responsive content to the DOJ, which in turn forwards content relevant to the alleged crime to the requesting country.

This is a rights-protective process. Disclosure of content is made only when there is dual criminality (no speech crimes), when a high threshold of evidence of crime is met (probable cause), an independent judge has made the probable cause determination, and DOJ hasn’t found evidence that the information that would be turned over would be used to torture someone or otherwise deprive them of rights.

Foreign governments do not like this process for three main reasons. First, it requires a threshold of proof — probable cause — that is higher than is required in all or most of the rest of the world. When DOJ turns down content requests, it is usually because the facts provided by the foreign government don’t establish probable cause. This, in our view, is not a “problem”, but an enhanced privacy protection for those who use US communications service providers and providers who store their data in the US. Second, it subjects demands of foreign law enforcement to a US process even when the demands relate to crimes that may have been perpetrated by their own nationals against their own nationals. Third, it often operates too slowly — particularly when insufficient evidence to establish probable cause is initially provided.

Metadata is treated very differently.  US law permits US providers to volunteer their users’ metadata (such as email logs, an email address, or a temporarily assigned IP address) to any foreign government that requests it. That is, while content is highly protected under US law when sought by a foreign government, metadata is unprotected.  In fact, foreign governments enjoy easier access to a subset of metadata — sensitive traffic data such as email logs — than does the US government.  The US government must obtain a court order or a warrant to gain access to traffic data held by a US provider; a foreign government need only ask for it.

The result is weak privacy protections for metadata, and frustrated foreign governments whose ability to obtain communications content to prosecute criminals is limited. To address this, some governments have threatened to impose data localization mandates and extraterritorial warrants, and are even looking to forbid end-to-end encryption. Any one of these efforts would be troubling for the future of the Internet. All of them put together are very problematic.

A Possible Solution

To address these problems, the DOJ has proposed legislation that would permit voluntary disclosure by US providers of communications content directly to foreign governments with which the US enters into an agreement, such as the agreement it has already negotiated with the United Kingdom. While a framework of this kind could be part of the solution to the growing scale of cross-border law enforcement demands, the problem of scale does not justify weakening of the strong protections that traditionally have applied to evidence stored in the US. Yet, as detailed below, that is exactly what the DOJ’s proposed legislation would do.

Instead, Congress should view the problems with the current MLAT system as an opportunity to improve the process and set strong human rights standards for cross-border law enforcement demands.  It can use the carrot of more efficient cross-border data flows to encourage other countries to protect human rights by raising their surveillance standards.

The Problems with the DOJ’s Solution

In addition to missing the opportunity to raise privacy standards for millions of people around the world, the DOJ legislation simply doesn’t stack up against the current law when it comes to human rights and privacy protections. While we go into detail on some of these arguments below, it is also well worth reading the arguments articulated a couple weeks ago by the ACLU, Amnesty International, and Human Rights Watch.  The DOJ legislation:

Does not require judicial authorization

DOJ’s proposed legislation does not require that an independent judge authorize surveillance before it occurs.  Instead, it requires that the foreign government have a process by which a person could seek post-disclosure review by an independent entity.  This is no substitute.

Requires a much lower factual showing

To make things worse, the review would be conducted under a vague standard subject to differing interpretations in different countries’ laws:  Instead of probable cause – a strong factual threshold – foreign law would only have to require “a reasonable justification based on articulable and credible facts, particularity, legality and severity regarding the conduct under investigation.” This is an undefined and vague but unquestionably lower standard.

Does not provide for notice

DOJ’s proposed implementing legislation does not require notice to the target of surveillance or to others whose communications have been intercepted. Even notice after the fact, when it would not compromise an investigation, is not required.

Permits Internet Wiretapping By Foreign Governments

Perhaps worst of all, the proposed bill contemplates permitting US companies to turn over user data in real-time, rather than just retrospectively. This distinction is one that is important in US law. The Supreme Court and Congress have recognized for decades that real-time or prospective data collection is a greater privacy invasion than the collection of information from the past.  That is why US law contains requirements for prospective surveillance that go above and beyond the showings required for a warrant application for stored content. Title III court orders mandate minimization of information collected that is not relevant to the investigation, are strictly time-limited, are only available for certain (mostly) serious crimes, and must be an avenue of last resort to gain the evidence in question.

Some argue that these protections are anachronistic and that disclosure of years of stored content is a greater interference with privacy than is a 30-day wiretap. While disclosure to governments of massive amounts of stored content is cause for concern, the particularity requirements of the Fourth Amendment serve to limit that sort of access in practice in the US. To the extent it does not, this is an argument for raising the standards on stored content, not lowering those for wiretaps.

In addition, the Wiretap Act is rarely used in the United States to collect electronic communications. In 2015 there were only 32 electronic wiretaps (those targeting computers or networks) granted by the courts, including federal, state, and local requests. There has not been an explanation of why it is important to include such an invasive authorization in the agreements the US makes with other countries – especially in the case of countries like the UK that have substantially smaller populations than the US, have lower violent crime rates, and should have a substantially smaller need for wiretaps.

Does not impose a standard for traffic data

For all the problems with what is in the bill, what it leaves out is just as bad. While DOJ’s proposed implementing legislation aims to address problems related to the cross-border disclosure of content, it aims to ignore the problem that US providers have the authority to volunteer their users’ traffic data to foreign governments.  Instead, in order to gain access to this information, the foreign government should have to meet standards at least as strong as those the US government must meet. Under those standards, countries with which the US strikes a bilateral agreement would make direct demands for traffic data of US providers under their own rules, so long as those rules require authorization by a judge or other independent tribunal.

Lacks a credible process for determining which countries can make direct demands

Under the DOJ legislation, DOJ, with the concurrence of the US State Department, would decide whether the laws and practices of the foreign government adequately meet the standards set forth in the legislation for entering into a bilateral agreement. DOJ’s decisions would be non-reviewable by a court or in any administrative procedure. It could make its determinations based on information not available to the public. The criteria for making the decision are vague and flexible, and are described as “factors” not “requirements.” Its decision to enter into an agreement with a foreign government would not be subject to Congressional approval of any kind, even though MLAT agreements currently require a two-thirds vote of the Senate.

Doesn’t Prohibit the Very Behavior It’s Attempting to Prevent

The proposed legislation also fails to prohibit other countries from engaging in the very practices that we identified above that threaten the operation of the Internet. Even after a country enters into the contemplated agreement, nothing in the legislation that we have seen forbids it from enforcing laws already on the books that threaten the free flow of information on the Internet, or from adopting such laws later.

The DOJ’s proposed legislation does make a nod in this direction by limiting participant countries to those who “demonstrate a commitment” to Internet freedom and the “interconnected nature” of the network. What it does not do, however, is specify behaviors that should be prohibited or provide a way to track those behaviors and rescind the agreement should the rules be violated. Countries who wish to enter into this type of agreement should forswear data localization mandates, nationalized routing requirements, extraterritorial warrants used against US entities, and attempts to mandate backdoors in, or otherwise weaken, encryption. If they cannot do that, many potential benefits of these agreements would not be realized, and DOJ’s finding that a country “demonstrated commitment” to the interconnected nature of the internet would be worth little.

Conclusion 

While we recognize the difficult constellation of issues surrounding cross-border investigations and government demands for users’ Internet communications, there is more at stake here than making criminal investigations more convenient. This moment is an opportunity to improve the civil liberties and human rights of people around the world. The implementing legislation DOJ has proposed misses that opportunity and, instead, would walk human rights backwards across the world. If Congress is looking to improve the current procedures surrounding law enforcement access to digital evidence, it should start by passing the Email Privacy Act, which would finally require a warrant before law enforcement in the US can access stored content. After that, it could consider improvements to the system for fulfilling foreign governments’ cross-border law enforcement demands, so long as those improvements do not diminish human rights, and indeed, respect them. For all the above reasons we must oppose the DOJ’s proposed bill.

About the Author(s)

Ross Schulman

Senior Policy Counsel at New America’s Open Technology Institute. Follow him on Twitter (@RossSchulman).

Greg Nojeim

Senior Counsel & Director of the Freedom, Security and Technology Project at the Center for Democracy and Technology