On February 25 the House Judiciary Committee will hold a hearing on International Conflicts of Law Concerning Cross Border Data Flows and Law Enforcement Requests. Witnesses’ written testimony can be found here. CDT believes this is an important, complex issue and we compliment the Committee for taking it up. We ask that Congress ensure that any reforms adopted in this arena do not diminish the privacy and free speech rights of Internet users, and, indeed, encourage stronger protections for these rights.
In a nutshell, the Judiciary Committee will consider what rules should apply when two countries claim jurisdiction over the same piece of data – the communications content or metadata pertaining to an Internet user. Increasingly, one country’s law will require disclosure and another country’s law will prohibit it, or at least subject the disclosure to local rules that the requesting country may find difficult to meet. Because of the explosive growth of global communications and of communications service providers, and because of the increasingly central role that communications content and metadata play in law enforcement investigations worldwide, this problem is growing. Moreover, because the largest communications service providers are located in the US, the volume of data demands coming into the US from foreign governments far exceeds the volume of demands made by the US. Mutual legal assistance treaties (MLATs) – the mechanisms for for dealing with this problem in the context of criminal investigations – tend to work too slowly (the time between the making of a request and request fulfillment is on average 10 months, according to the President’s Review Group).
As a result, countries are resorting to problematic measures to gain access to Internet users’ stored communications content and metadata in criminal investigations. The United States takes the position that its warrants reach data stored by a US provider anywhere in the world. Microsoft has rejected this position (CDT agrees) and refused to turn over content stored in Ireland. The United Kingdom has passed a law authorizing the Home Secretary to issue warrants to compel disclosure of data held by providers outside the UK, exacerbating the conflicts of law problem. Other countries are passing, or considering, mandates to require companies to store data locally so that local authorities can access the data. This would make it hard for small and new communications service providers to serve customers worldwide, and, because it advantages local providers over them, it smacks of trade protectionism.
No silver bullet will solve this problem, but a number of ideas have been put forth that Congress should seriously consider. First, it should start by reforming the process by which MLAT requests are made of the US for data held by US providers, and by properly funding the reformed system. The MLAT reforms in the LEADS Act are a good start. They would require the Department of Justice to set up a system through which foreign governments could make their demands electronically in a consistent form and track them. DOJ should also increase its efforts to teach foreign law enforcement entities how to make MLAT demands that meet the requirements of US law. Without an increase in funding, these reforms will be impossible to implement properly, and Congress should approve the Administration’s request for such funding.
Second, it should consider whether to permit foreign governments with good human rights records and protective surveillance laws to make demands for stored content directly to US communications service providers, and to tighten the requirements for foreign governments’ demands for metadata. We approach this idea with caution: foreign governments’ demands for communications content are now governed by the “gold standard” under US law for government access: a warrant issued by an impartial judicial officer based on a finding of probable cause of crime. Proposals to replace this probable cause requirement with something different must be carefully examined; they can be structured to increase or diminish privacy and free speech rights.
The “straw man” proposal CDT published in September 2015 spurred such examination. The CDT straw man indicates that the US rules for foreign governments’ access to content could be altered to permit direct demands when the crime occurs on the foreign government’s soil and the victims and perpetrators are citizens of that country and located there. The requesting country would have to have strong surveillance standards drawn from the Necessary and Proportionate Principles supported by hundreds of civil society groups around the world. Currently, metadata demands by foreign governments are treated differently under US law: communications service providers can disclose them voluntarily without restriction to any government that asks for them, except the US government. With respect to non-content transactional records (such as email logs and Internet browsing logs), the CDT straw man subjects foreign governments’ access to such records to rules similar to those for content.
A reform proposal advanced by Jennifer Daskal (a witness at the hearing) and Andrew Woods takes a similar approach and is the product of extensive consultations with civil society groups, industry, and some government officials. In a series of three blog posts we unpack that proposal so readers – especially those outside the US – could better understand it. Like the CDT straw man, this proposal would permit foreign governments to make content demands directly of US providers if the foreign government has a strong human rights record and surveillance laws and practices. It spells out in some level of detail the criteria that should be met in order for a country to qualify for this alternative process, but it lacks an adequate, transparent, and internationally credible mechanism for determining whether those criteria have been met.
Third, Congress should be careful not to turn US communications service providers into tools of intelligence surveillance conducted under lax standards by foreign governments on people worldwide. The nascent US-UK treaty recently reported in the Washington Post creates the specter of such an outcome. As reported, it would go far beyond fixing the MLAT system, which facilitates foreign governments’ access to stored information in criminal investigations.
As reported, the treaty would permit the UK to conduct real-time surveillance in the US (which is currently a crime under US law), and would permit the UK to make demands for national security surveillance untied to any criminal investigation. This is two steps too far, particularly because the UK has lax rules for national security surveillance. Moreover, under current law, UK authorities need no permission from a judge in order to secure a warrant for content even in a criminal case – the Home Secretary issues the warrants. Thus, under this approach, the UK could serve a warrant issued by the UK Home Secretary on a US provider under the looser surveillance standards that pertain in the UK seeking the Internet content of a German, or a Belgian, or a Brazilian, or of any one else in the world but a US person, regardless of that person’s location outside the US. The US probable cause requirement, as found by a US judge, currently protects such disclosures; under this US-UK treaty, it would no longer protect such disclosures. The treaty has not yet been completed or presented to Congress. We would urge Congress to reject such a treaty outright.
We commend the House Judiciary Committee for taking up the difficult issue of cross-border law enforcement demands for Internet users’ communications content and metadata. We urge the Committee to move cautiously as it examines potential solutions and to favor those that will protect or enhance privacy and free speech rights.