New Bill That Would Give Foreign Governments a Fast Track to Access Data

For decades, U.S. policies on international data sharing have balanced privacy, principles of comity (respect for the jurisdiction of other countries), and respect for Congress’ power to regulate foreign affairs. Foreign countries seeking data held by U.S. companies generally must follow a process laid out in Mutual Legal Assistance Treaties, or MLATs, which are agreements between governments that facilitate cooperation in investigations. Increasingly, however, countries have complained that the MLAT process in the U.S. is slow and that it allows the U.S. government to act as a gatekeeper when other governments seek electronic data, since the majority of major internet providers are located here.

A new bill, the CLOUD Act, seeks to provide an avenue for certain governments to circumvent the MLAT process. The legislation has been justified by arguments that the MLAT system is laborious, time-consuming, and ill-suited to contend with increasing demands.

Support for this measure has come from several quarters: the U.S. Department of Justice, which is eager to ensure that American law enforcement can access data stored abroad without going through the MLAT process and which stands to benefit from access to more data stored abroad; foreign governments, which are frustrated with the time-consuming nature of the MLAT process, want expanded wiretapping capabilities, and often object to being forced to comply with U.S. legal standards; and some technology providers that are increasingly pressured to turn over data to foreign governments but are foreclosed from doing so outside of the MLAT process under current law.

However, the alternative it proposes eliminates important privacy and human rights protections and undermines congressional authority in the process. Despite the pressure from companies and law enforcement to pass this measure, Congress must reject the proposal is in its current form.

The benefits of MLAT

MLAT agreements are generally negotiated by the executive branch and must be ratified by Congress. This ratification process provides a critical check on executive power, preserving the ability of Congress to intervene in cases where the executive branch seeks to enter into an agreement that would be contrary to the interests of the United States or jeopardize human rights.

Under MLATs, countries seeking data from U.S. providers submit requests to the DOJ, which, after reviewing the request, can seek a warrant from a judge for the content. This process ensures that both DOJ and the courts have a role in ensuring that the human rights and the private information of the warrant’s target are appropriately protected. This means that countries with deficient domestic law in these areas must at least meet the U.S. probable cause standard, helping to protect both the rights of foreigners abroad and those of any Americans who may be party to the communications sought.

Further, the current MLAT process ensures an individualized assessment of whether a particular request is appropriate or not. Courts have held that they can decline to issue warrants under MLAT if there is credible evidence that it may lead to an egregious violation of human rights, such as torture, which would run awry of the Constitution. Such an assessment is particularly important in cases where countries may have a mixed human rights record or where changing circumstances heightens human rights concerns.

Finally, the MLAT process reflects Congress’ determination that wiretapping poses a greater threat to civil liberties than accessing stored content, and thus should be restricted. As a result, MLAT agreements only permit access to stored communications, and not real-time interception.

The problem with the CLOUD Act

Undoubtedly, the CLOUD Act could have implications for the outcome of United States v. Microsoft, also known as the Microsoft Ireland case. In that case, the Justice Department served Microsoft with a U.S. warrant demanding the company turn over data stored in Ireland. Microsoft refused, arguing the warrant doesn’t apply to data stored abroad, and the case is now before the Supreme Court. The first part of the CLOUD Act would resolve the question in that case by changing the law to ensure that U.S. law enforcement can get data stored overseas through the U.S. process.

The second part of the bill, however, seeks to appease foreign governments that want the same thing: to access data held in the U.S. by relying on their own domestic process. It would allow certain countries who enter into agreements with the United States to bypass the MLAT process. These countries could submit requests directly to companies, who could respond without any additional review by the DOJ or by a U.S. judge. While both parts of the bill raise concerns, we seek here to specifically highlight the privacy, civil liberties, and human rights threats posed by the second part of the bill.

The proposed framework places too much power in the hands of the executive branch, at the expense of congressional oversight. Unlike in the case of MLATs, the bill would allow the executive branch to enter into agreements with foreign governments without ratification by the Senate, which must approve MLATs. To stop an agreement from going into effect, Congress would have to enact a joint resolution within 90 days, with enough votes to overcome a likely presidential veto. This obstacle would effectively help insulate executive branch decisions from congressional review, compounding the absence of judicial oversight that the law creates.

The bill would also give the attorney general and the secretary of state broad discretion to enter into agreements with foreign governments with problematic human rights records. The bill lists various ambiguous “factors” the executive branch must consider in assessing whether to enter into an agreement, but does not require that countries meet baseline human rights standards. The executive branch is required only to consider whether a country “demonstrate[s] respect” for human rights ­— but it does not need to explicitly find that it does. There will likely be strong pressure to enter into agreements with countries that have mixed human rights records.

In such cases, there is a very real risk that data requests could be used to facilitate human rights abuses like torture or improper detention. The bill does not require prior authorization from an independent decision-maker (like a judge) for requests — a signatory could satisfy this legal requirement with after-the-fact review from a neutral party in that country.  This fails to protect individuals because often it is too late to fully protect someone’s rights once their information has already been handed over. The bill also does not do enough to require that countries meet a high burden of proof to justify data demands. Instead, countries must offer only a “reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” At best, this standard is vague, confusing, and ambiguous — and will be interpreted differently by different countries. It leaves ample room for interpretations that do not meet international human rights standards.

Third, the bill also gives foreign governments more surveillance power inside the U.S. The CLOUD Act grants countries wiretapping powers inside the U.S. for the first time, and on a much lower showing than the U.S. Wiretap Act requires. Under the bill, these countries would be able to go directly to U.S. providers and obtain assistance with wiretaps without complying with restrictions in the Wiretap Act, like limits on duration or requirements that notice be provided to the target.

If the bill become law, U.S. persons and residents could get caught up in surveillance by other countries, with few protections. Proponents say that the bill requires “minimization procedures” — protections designed to reduce unintended collection and retention of Americans’ personal information. But the minimization requirements are so watered down as to be potentially meaningless. They need only “to the maximum extent possible, meet the definition of (FISA) minimization procedures.” It is vague beyond reckoning.  Even more, these procedures and the language in the bill do not require an equivalent level of protection for immigrants who reside in the U.S., but are not citizens or green card holders. Moreover, foreign governments that obtain the information of people in the U.S. without meeting a warrant standard have ample room to voluntarily pass this information back to the U.S. government. Thus, these agreements encourage a race to the bottom, whereby governments establish expansive information-sharing agreements that circumvent their own existing law.

Ultimately, the bill makes it impossible for an internet user to predict what laws apply to their data. A foreign citizen could have their information turned over under the legal process of any country that the U.S. enters into an agreement with.

The CLOUD Act claims it’s trying to solve a new problem that has emerged in the digital age. In reality, however, the legislation would give governments only extremely low hurdles to access private information; no need to conform with human rights obligations, no need to pre-access independent oversight, no need to minimize use of Americans’ data. In failing to do more, the CLOUD Act would exacerbate the problems MLAT was designed to solve, and deal a blow to human rights around the world.

Commander of the U.S. Cyber Command and Director of the National Security Agency Navy Adm. Michael Rogers testifies during a hearing before the Senate Armed Services Committee on ‘Encryption and Cyber Matters.’ (Alex Wong/Getty Images)

 

About the Author(s)

Jennifer Granick

Surveillance and Cybersecurity Counsel at the ACLU's Project on Speech, Privacy and Technology Follow her on Twitter (@granick).

Neema Singh Guliani

Legislative Counsel with the American Civil Liberties Union Washington Legislative Office Follow her on Twitter (@neemaguliani).