Tomorrow, the Senate Judiciary Subcommittee on Terrorism and Crime, spearheaded by Senators Lindsey Graham (R-SC) and Sheldon Whitehouse (D-RI), will be holding a hearing on a topic of increasing importance to law enforcement’s ability to effectively detect and prosecute crime, the future of privacy rights, and the economic interests of the tech sector. The topic — Law Enforcement Access to Data Stored Across Borders: Facilitating Cooperation and Protecting Rights. According to the UK Embassy, this will be the first time ever a sitting UK government official has testified in Congress. And not just any official, but the UK Deputy National Security Advisor, Mr. Paddy McGuinness. If this doesn’t highlight the significance of the issue (at least to one of the nation’s key allies), I don’t know what does.
The hearing will primarily focus on two distinct, but interrelated issues:
First, the reach of US warrant authority pursuant to the Electronic Communications Privacy Act (ECPA) to access stored communications content, an issue I have previously addressed here and here. This is a weighty issue in the wake of the Second Circuit’s decision in the Microsoft Ireland case, which held that the U.S. warrant authority extends only to data that is physically located within the territorial boundaries of the United States. As I explain in my testimony, it is a decision that is concerning on almost every relevant axis — with negative consequences for our security, our privacy, and our economy. In fact, just about everyone, including even the judge who wrote the Microsoft Ireland opinion, agrees that the current state of affairs is troubling, and that Congress should step in to fix it.
That said, a simple legislative reversal of the opinion is not a satisfactory answer. It fails to take into account the sometimes legitimate countervailing interests of foreign governments in limiting access to their citizens’ and residents’ data — something that the United States would and should want foreign governments to respect when seeking access to U.S. citizen and resident data. A simple legislative reversal also fails to grapple with the importance of perceptions. Rightly or wrongly, foreign customers of major U.S. tech companies are increasingly concerned about what they see as overbroad surveillance by the U.S. government; failure to address these concerns will have negative consequences for the competitiveness of a key sector of the U.S. economy.
In my testimony, I suggest concrete ways in which Congress can address these concerns, while also ensuring that law enforcement can, pursuant to a warrant based on probable cause, access data needed for legitimate investigations regardless of where the data happens to be at a particular point in time.
Second, the hearing will address problems facing foreign governments seeking access to data in the investigation of local crime when that data happens to be U.S.-held. (Hence, the interest of the UK.) This is due to other parts of ECPA that prohibit U.S.-based service providers (such as Microsoft, Google, and Yahoo!) from disclosing stored communications content, such as emails, to foreign governments. This, too, has negative implications for security, and ultimately privacy and our economy. Think about this from the perspective of foreign governments. If, for example, a suspected UK-based perpetrator of a London murder spree uses a UK-based provider, UK law enforcement can serve a UK court-approved order on the provider and get access to his communications content within days, if not sooner. If instead the alleged perpetrator uses Gmail, UK law enforcement officials must instead direct the request to the US government, using what is known as the mutual legal assistance process. This is a laborious and time-consuming process, taking many months if not more. Meanwhile, the murder goes unsolved.
Foreign governments are understandably frustrated, and are responding with a range of concerning workarounds, including costly data localization mandates as a means of ensuring access; unilateral assertions of extraterritorial jurisdiction, which put U.S.-based companies in the middle of competing legal obligations; and other surreptitious means of accessing sought-after data.
Notably, the U.K. and U.S. have a draft agreement that would permit the U.K. to bypass the mutual legal assistance process, so long as it is accessing the data of non-U.S. citizens and residents who are not located in the United States, and the requests for such data are targeted, particularized, and approved by an independent judge, among other requirements. This reflects the common-sense assessment that the U.S. has an interest in ensuring that U.S. rules apply to the collection of U.S. citizen and resident data, but it need not insist that its particular substantive and procedural requirements apply when a foreign government is seeking access to the data of its own citizens and residents, so long as baseline substantive and procedural requirements are met.
But the U.S.-U.K. deal cannot be implemented without a change in the law to first authorize the executive branch to enter into these types of agreements. Such an amendment should set baseline procedural and substantive requirements that foreign governments must meet in order to be eligible for and take advantage of such agreements, including protections for U.S. person and resident data. This kind of change is exactly what the UK government – along with the Department of Justice – urges. It is something I support as well.
What is particularly noteworthy is how much agreement there is between the five witnesses – Brad Wiegmann, the Deputy Assistant Attorney General for the National Security Division at the Department of Justice (substituting for Richard Downing, who was initially slated to testify); Paddy McGuinness; Brad Smith, the President and Chief Legal Officer of Microsoft; Christopher Kelly, the Director of the Digital Evidence Laboratory at the Massachusetts Office of the Attorney General; and me – all of whom come at the issues from different perspectives. (The hearing was initially scheduled for two weeks ago; once postponed, the previously submitted witness testimony was made publicly available.) All of us agree that the status quo is unworkable. All of us agree that relying on the mutual legal assistance process as the exclusive means of managing access to data across borders is an unacceptable solution. And all of us agree that Congress needs to engage.
There are of course some differences. The Department of Justice, for example, suggests that we should simply revert to the state of affairs pre-Microsoft Ireland, when the Department could compel, via a warrant, the production of data from a U.S.-based company regardless of location. I argue, however, that a simple legislative reversal is likely to have negative, down-the-road consequences for both privacy and our economy. I instead recommend the inclusion of additional provisions that will ensure law enforcement can access data pursuant to a warrant based on probable cause regardless of the location of the data, as the Department of Justice urges, while also mitigating some of these negative consequences.
But there also is a common message from all five of us. We are facing a real problem here – with real-world consequences for security, privacy, and the economy. And it is not a problem that can be left to the courts. Only Congress can fix it.
For anyone interested in watching, the hearing will be live-streamed here, starting at 2:30 pm, on Wednesday, May 24.