In a lengthy post yesterday, Greg Nojeim and Ross Shulman take aim at the newly proposed legislation from DOJ that would permit the cross-border sharing of data for law enforcement purposes—as well Andrew Woods and my endorsement of these efforts. In several key respects, we all four agree. As Greg and Ross note, the problems faced by law enforcement officials in accessing data across borders is generating risks to both security and privacy; as they put it, it is leading foreign governments to pursue “data localization mandates, extraterritorial warrants, and . . . even looking to forbid end-to-end encryption.” Greg and Ross also point out that “bilateral agreements between the US and other governments may be part of the solution to the difficult problem of cross-border law enforcement demands.”
But if that’s the case – which I believe it is – than their pillorying of the DOJ-proposed legislation makes little sense. To be sure, the DOJ proposed legislation is not perfect, and some of Greg and Ross’s critiques provide fodder for reform. But their outright rejection of DOJ’s approach is both short sighted and ultimately harmful to the privacy rights that they seek to protect.
There are three key problems with the status quo—pursuant to which foreign governments must make diplomatic requests for data that is U.S-held, even if they are seeking the data of their own nationals in the investigation of local crime. First, the system is slow and inefficient – taking an average of ten months to fulfill foreign government requests for data; in the interim, crimes go unsolved. Second, these inefficiencies are causing understandable frustration, leading foreign governments to seek ways to bypass the system. Each of these responses – mandatory data localization requirements; assertions of extraterritorial jurisdiction; and the use of other, surreptitious means of accessing data – undercut privacy. These responses facilitate foreign governments’ access to sought-after data, but without any of the privacy-enhancing protections that DOJ seeks to require. Third, the current system makes little normative sense. Why should foreign governments have to get a U.S-judge issued warrant based on a U.S. standard of probable cause, when the only nexus to the United States is that the target’s data happens to be stored here? Even if this seems like a privacy win in the short-term, it is an unstable situation, as data location is highly manipulable and countries are increasingly rejecting and finding ways around the requirements that they seek U.S.-government approval in order to access data about local crime.
DOJ’s proposed legislation offers a much-needed attempt to respond to these problems. It would permit, on a case-by-case basis, governments that meet a list of human rights-compliant criteria to directly request data from U.S.-based companies, such as Google or Facebook, rather than being forced to go through the onerous Mutual Legal Assistance Treaty (MLAT) process. Each specific data request also must meet a long list of specifications: it must be particularized, authorized by law, based on “articulable and credible facts,” and subject to independent review. Importantly, foreign governments can not use this expedited system to access the data of a U.S. citizen, legal permanent resident, or any other person located in the United States; rather, foreign governments can only make such direct requests for data when the target is a non-U.S. nationals located outside the United States.
This is a sensible response to a significant problem. Most importantly, it is a privacy-enhancing response – one that begins to lay out, in a granular way, baseline procedural and substantive standards that ought to apply to law enforcement access to data, wherever such requests are being made. Were these standards to be applied worldwide, we would see a significant enhancement of privacy rights around the world. Now, of course, no one expects global acquiescence, or anything close to it, at least right now. But it seems likely that at least some countries will be incentivized to improve their laws and practices so as to benefit from the kind of expedited data access that this legislation would permit (and thereby avoid the kind of conflicts that unilateral demand for access would entail). That would be a privacy win.
Greg and Ross nonetheless object to DOJ’s efforts as a whole because they object to some of the specifics. But while several of their critiques suggest several places for improvement, none of them justify a whole-scale rejection of DOJ’s efforts. I describe and categorize their critiques below.
Room for Improvement
- Judicial Authorization: The draft legislation requires that requests for data be subject to “review or oversight” by a court, magistrate, or other independent authority. As Greg and Ross suggest, this language should be changed to require “authorization” by a court, magistrate, or independent authority – thereby ensuring advance approval and not just post hoc review.
- Process for Determining Which Countries are Eligible for Expedited Data Access: DOJ’s proposed legislation includes a long list of criteria that should be considered when deciding which countries should be eligible for the expedited data sharing procedures that the legislation permits. As Greg and Ross point out, some of those criteria (i.e, that the partner government “respect the rule of law”) should be elevated to “requirements” – and not just “factors” to consider. I also agree with Greg and Ross that there should be some mechanism for reviewing the executive branch decisions to enter into specific agreements. The best approach; advance notice to Congress, coupled with a mechanism for Congress to block the proposed agreement.
- Anti-Data Localization Requirements: Greg and Ross make the good point that the legislation does not bar the very thing it is meant to prevent: data localization mandates by partner governments. Partner governments should be obliged to disavow data localization requirements as a condition of entering into those agreements.
Misplaced Critiques
- Factual Showing: Greg and Ross object that the factual showing required– “articulable and credible facts. . . regarding the conduct under investigation”—is an “unquestionably lower” standard than probable cause that the data sought is evidence is of a crime. But it is not at all obvious that this is the case. The Supreme Court has defined probable cause a “flexible, common-sense standard” that can be satisfied based on anonymous tips and dog sniffs, It does not even require a finding that the search will “probably” seek the relevant information. Is this really that much higher, if at all, than a requirement of articulable and credible facts? Moreover, the terminology “probable cause” – an American legalism – is hardly the kind of clear, precise formulation that ought to be exported around the globe. It does not even have a clear definition in U.S. case law – police and criminal procedure professors define it by a common word: “confusing.” It would thus make little sense to demand that others adhere to it.
- Notice Requirements: Greg and Ross critique DOJ’s failure to require that foreign government notify the targets of their investigation. But this is hardly the step back that they suggest. Even under U.S. law, targets are not entitled to notice when the government accesses their data via a warrant issued to their electronic service provider. (This and related issues are in fact at heart of pending litigation between the government and Microsoft.) Perhaps that is something to rectify in U.S. law; but it does not fit the thesis that things will be worse.
Greg and Ross also object to the fact that these agreements would extend to wiretaps. As I (along with Andrew) have written previously, I am not persuaded by these critiques, particularly given the increasingly blurring of the lines between stored and live communications. Nor am I convinced that the authority will be particularly useful to foreign governments, given the rise of end-to-end encryption. Nonetheless, it seems to me that a much more sensible response would be to oppose the inclusion of wiretaps, rather than outright objection of the effort as a whole.
In addition, Greg and Ross suggest that the legislation should set standards for what they call traffic data – certain non-content information like to/from lines on emails. U.S. law enforcement agents need to show “specific and articulable facts” that there are “reasonable grounds to believe [that the data sought is] relevant and material to an ongoing criminal investigation” in order to access such data. In comparison, there are no procedural or substantive requirements to govern the sharing of traffic data with foreign governments. This dichotomy is hard to justify. Foreign law enforcement officials should, like the U.S. law enforcement officials, be required make a showing akin to what is required under U.S. law to get this data. (That said, foreign governments should be permitted to make this showing directly to the companies; any requirement that all requests be routed through the MLAT system would merely exacerbate the problem the legislation is trying to solve.) But again, this is not a reason to oppose the legislation. Rather, it suggests the value of supporting it – and using it as a vehicle for making additional improvements to the law as well.
Conclusion
This legislation provides a unique opportunity for the United States to set the norms for cross-border data requests—and in so doing protect privacy, security, and US business interests alike. If I were in Greg and Ross’s shoes, I would suggest improvements – and then embrace it. I would think about the alternatives – and realize that the U.S. now has a unique, and potentially fleeting opportunity, to set the procedural and substantive standards for these kinds of requests, and thus enhance the privacy protections that would otherwise apply. At some point, foreign governments will figure out ways around U.S. standards (whether via data localization, unilateral assertions of jurisdiction, or other means) and this leverage will be lost. Then, the United States will have no say in the kinds of privacy protections employed — or not.