LEADS Act Extends Important Privacy Protections, Raises Concerns
Written by Greg Nojeim
Today, Senators Orrin Hatch (R-UT), Chris Coons (D-DE), and Dean Heller (R-NV) introduced legislation that would preclude the use of U.S. warrants to obtain communications content stored outside the U.S. unless the content is in the account of an American. The Law Enforcement Access To Data Stored Abroad Act (“LEADS Act”) may garner support from tech and telecom companies, including Microsoft, which has challenged a warrant that purports to compel it to disclose communications content it stores in Ireland. While CDT has some specific concerns with the bill, which we discuss below, we applaud the bill’s overall thrust and we commend Senators Hatch, Coons, and Heller for taking on one of the most difficult and important issues affecting the global Internet.
The underlying premise of the bill is two-fold: that U.S. law enforcement agencies should be able to compel service providers to disclose customer communications only with a judicial warrant issued under the Constitutional standard of probable cause, and that U.S. warrants should normally only reach content stored in the U.S. The bill would allow U.S. warrants served on providers in the U.S. to reach content stored outside the U.S. when the content is in an account held by a “U.S. person” (meaning, in the case of an individual, a citizen or permanent resident alien). In all other cases, when seeking content stored abroad, even on servers owned by U.S. companies, the U.S. government would have to comply with the law of the country in which the data is stored.
Requiring warrants for all content stored in the U.S. would mark a significant step forward for privacy. The codification of the warrant-for-content rule has been a goal of CDT and the Digital Due Process coalition for many years. By introducing this bill, Senators Hatch, Coons, and Heller join Senators Patrick Leahy (D-VT) and Mike Lee (R-UT) as leaders in the movement to bring the Electronic Communications Privacy Act into the 21st Century.
Under the Hatch-Coons-Heller bill, the government, when it does obtain content with a warrant, would have to provide to the user notice of such disclosures (but notice could be delayed). Currently, when the U.S. government uses warrants to compel service providers to disclose the stored emails of their customers, there is no requirement that the government provide notice of the seizure to the person whose emails are disclosed. The notice requirement in the Hatch-Coons-Heller bill represents a wise and balanced approach.
CDT believes that U.S. warrants are necessary, but not sufficient to compel disclosure of content that a U.S. provider stores abroad. Rather, the U.S. government must also secure the cooperation of the foreign government – whether through a mutual legal assistance treaty (MLAT) or, in the absence of such a treaty, through informal cooperation of the foreign government.
However, it is widely admitted that the MLAT process for trans-border access does not work very well now. Basically, it is under-resourced and too slow. Recognizing that the MLAT process is the best way to accommodate the interests of two governments when one country seeks data stored in another country, the LEADS Act includes a number of sensible improvements to the U.S. MLAT process; improvements that the U.S. can hold up as a model for other countries to emulate. The bill would require the Department of Justice to create an online intake form through which foreign governments could request mutual legal assistance, and it would permit the DOJ to give preference to requests made online. The bill also would require the DOJ to track and report on its processing of MLAT requests. These requirements are designed to make MLAT processing more efficient and transparent to the foreign government seeking the disclosures. The Department of Justice had already sought a $25.1 appropriation to hire more lawyers to handle MLAT requests it receives and makes. CDT supports this funding request and believes that, should the LEADS Act pass, MLAT funding should be increased to help DOJ implement the improvements in the bill.
The LEADS Act creates one exception to the principle that U.S. warrants are not sufficient to reach content stored abroad. The bill says that a U.S. warrant, served on a company in the U.S. can force that service provider to disclose email and other content stored outside the U.S. if the holder of the account is a “U.S. person” — a citizen or lawful permanent resident of the United States, or a company organized under the laws of the United States or of a state. A savings clause permits the service provider to seek a modification of the warrant if compliance would put the provider in the position of violating the law in the place where the data is stored.
This U.S. person exception gives us pause. One way to look at it, and at the bill as a whole, is that it extends the warrant protection to all content stored in the U.S., regardless of citizenship of the account holder, and it extends the warrant requirement to all content of U.S. persons stored by U.S. companies abroad, while disavowing U.S. claims to unilaterally obtain the content of non-U.S. persons stored abroad. Looked at that way, the U.S. person exception is not an exception – it is a further extension of the warrant requirement. It will reduce the burden the bill would otherwise place on the MLAT process because MLATs would not be necessary for content stored abroad in an account a U.S. person had established.
On the other hand, the exception may be difficult to administer. Sometimes, the citizenship or residence of the account holder will be unknown, and when it is, does the warrant reach that stored content, or not? Also, the exception would seem to create some odd results. Consider, for example, two people working side-by-side in the U.S., one a citizen and one a foreign national. The LEADS Act would establish one rule (the extraterritorial warrant) for U.S. law enforcement to access content that a U.S. provider stores abroad on behalf of the American, and a different rule (the MLAT process) for the person who sits in the cubicle next door, but who happens to be a non-citizen working in the U.S. on a temporary visa.
Also, we have to consider how foreign governments will react. Some adverse consequences would be mitigated because the LEADS Act would make it clear that data stored in the U.S. could be disclosed only with a warrant. Even if foreign governments copied the LEADS Act’s extraterritorial assertion of authority over data regarding their own citizens, those governments could not unilaterally force U.S. companies to disclose data stored in the U.S. ECPA already protects that data and requires compliance with the MLAT process, and the LEADS Act enhances that protection. However, all stakeholders need to think carefully about how the LEADS Act would affect the global balance of privacy versus government power with respect to data U.S. providers store outside the U.S. for account holders who are not Americans.
There is also a risk that the LEADS Act will increase the pressure for data localization mandates. The bill includes language that puts the Senate on record as opposing data localization, but it may not be enough.
Finally, it is not clear how the bill would apply to providers who move data to different data centers around the globe in order to balance the burden on their network and better serve their users. If a load-balancing provider stores a user’s data at one moment in India, the next in the U.K., and the next in the U.S., will the U.S. warrant reach the data because the data at some point comes to the U.S.?
These are difficult questions with which governments and civil society groups around the world must grapple. We do not purport to have all the answers. A global dialogue is needed. Kudos to Senators Hatch, Coons, and Heller for prompting that dialogue.
 The Senate Judiciary Committee reported the Leahy-Lee bill, the ECPA Amendments Act (S. 607), on a voice vote last year, but the bill has stalled over objections by the Securities and Exchange Commission, which is seeking an exception to the warrant requirement the bill would impose.