Editor’s note: This post also appears on Just Security.
On July 15, the Obama administration unveiled proposed legislation designed to improve the process by which law enforcement agents access digital evidence across borders. (David Kris has a superb summary of the legislation here.) This is something that the two of us have long urged, and we were both pleased to see the administration’s ultimate—and extremely thoughtful—proposal. (Indeed, the proposal reflects many of the human rights and privacy protections that we proposed several months ago.)
In this post, we seek to clarify what the legislation does and why it is necessary—for our economy, our security, and perhaps most of all, our privacy.
The Problem, Briefly
The Stored Communications Act (SCA) prohibits US-based companies from turning over emails and the content of other stored communications to foreign governments. If an American company operates a business in another country, it can respond to local law enforcement demands for physical evidence, but not digital evidence like emails or other stored communications – even where those demands are legitimate and comply with the strictest due process and privacy standards. Rather, the foreign government must make a diplomatic request for the information, employing the Mutual Legal Assistance (MLA) process. The request, which is routed through the Department of Justice’s Office of International Affairs, ultimately requires US judge approval of a US-issued warrant for the data based on the US standard of probable cause—a process that takes an average of ten months. It is a state of affairs that Congress didn’t—and couldn’t—have anticipated when it adopted the SCA some 30 years ago before the rise of the global Internet.
Foreign governments are understandably frustrated. In response, they have passed (or are considering) mandatory data localization requirements, pursuant to which residents’ data (or copies thereof) must be stored locally. Such requirements facilitate domestic surveillance, but without any of the privacy and human rights protections included in the DOJ proposed legislation; impose added costs on US businesses; and make it increasingly difficult for start-ups and small Internet businesses to compete globally. Foreign governments also are increasingly asserting extraterritorial jurisdiction over the same data that is subject to the blocking provision under the Stored Communications Act, thereby putting US companies in the crosshairs of conflicting legal obligations. This is not just a hypothetical problem: in 2015, for example, a Microsoft executive was arrested in Brazil for failing to turn over data that US law prohibited him from disclosing. And foreign governments also are incentivized to seek out surreptitious means of accessing data, including the use of malware, as a means of bypassing the laborious MLA system.
The Proposed Legislation
Enter the draft legislation. The legislation would permit the President to enter into agreements with foreign countries whereby US firms would no longer be prohibited, as a matter of US law, from responding to local law enforcement demands for emails and other communications in the investigation of serious crime. Importantly, the legislation sets numerous human rights and privacy-protective restrictions on what these agreements would look like. These agreements would only be permitted with foreign governments that afford “robust substantive and procedural protections for privacy and civil liberties” —a determination that takes into account, among other things, compliance with human rights obligations and respect for the principle of non-discrimination.
Moreover, the orders issued pursuant to the agreement must meet numerous requirements—including that the requests be tailored to a specific account, person, or device, of limited duration, and based on articulable and credible suspicion. The requests must be overseen by a judge or other independent authority, may not be used to infringe freedom of speech, and are subject to a strict prohibition on the dissemination of non-relevant information unless necessary to protect against the threat of death or serious bodily harm. These requirements apply at the request level—that is, each request by the foreign country must meet these standards.
Importantly, the agreements would not permit the foreign government to make direct requests for data of a US citizen, legal permanent resident, or any person located in the United States (so-called “US persons”). To get access to that data, the foreign government would still need to go through the MLA process and ultimately obtain a US warrant based on probable cause. Of course there would likely be times when US person data is nonetheless collected (such as when a non-citizen target communicates with a US citizen). The agreement anticipates this problem and imposes strict limits on the sharing of such information back with the US government. Such sharing is permitted only if the evidence is relevant to the investigation, detection, or prevention of serious crime and relates to a significant harm, or threat of such harm, to either the United States or a US person. It also prohibits the dissemination of all non-relevant information, whether of a US person or not.
The agreement also includes a monitoring requirement; the foreign government must agree to periodic reviews by the US Any such agreement will, according to the proposed legislation, expire at the end of five years, unless the Attorney General, with the concurrence of the Secretary of State, certifies that the requirements are being met.
This is, in sum, a remarkable effort by the administration to lay out, in great detail, a set of baseline privacy protections that apply to law enforcement access to data. Imagine, for a moment, that countries around the world implemented these requirements. We would see a significant enhancement of privacy protections globally.
Indeed, we imagine that states will be incentivized to make positive changes to their laws and practices in order to benefit from being able to directly request digital evidence from US firms. To be sure, such changes will not be universal. No one thinks that, say, China or Russia, will suddenly abandon their own data localization initiatives and institute the kind of major overhaul that would be needed to meet these standards. But for many states, this legislation and the prospect of an agreement with the United States will be a force for positive change.
This is not to say that the legislation is perfect. We share others’ concerns, for example, about how the provision on judicial oversight is drafted. Any legislation ultimately enacted by Congress should require “authorization” by a judge or other independent authority, rather than “review or oversight,” as is specified in the current proposal. Congress should also require that the range of requirements that partner countries must meet to be eligible to enter these agreements—i.e., that the partner country “demonstrates respect for the rule of law and principles of non-discrimination” and “adheres to applicable human rights obligations” —are explicitly certified to by the executive branch. But these are the kind of details that can, and should, be corrected in the legislative process. Overall, the approach is one to be applauded.
Perhaps the most controversial piece of the draft legislation is the additional proposed amendment to the Wiretap Act. If enacted, it would permit foreign governments to access real-time communications like live Google chats. Currently, foreign governments cannot access that data from US-based companies, even via the MLA process. The only way they can do so is if they open up a joint investigation with the United States, and then the United States agents initiate the intercept. In many cases of interest to foreign law enforcement, however, the United States does not have a direct interest—and thus there are no grounds for a joint investigation. Meanwhile, live communications can be key to the ability to detect and prevent serious crime, including terrorism.
At least in the United States, live intercepts have long been subject to enhanced privacy protections—including robust judicial review, strict time limits on duration, exhaustion requirements, and notice obligations. Some of this is replicated in the draft legislation: interception orders must be time-limited; last no longer than is reasonably necessary; and only issued when the same information cannot reasonably be obtained by another, less intrusive method. It is worth considering whether the ultimate legislation should also include a notice requirement or other additional protections.
That said, we disagree with those who outright oppose any possible agreement that includes real-time communications. Purely from a privacy perspective, such a position makes little sense. It can be significantly more intrusive on privacy for law enforcement to access months or more of stored communications than a 30 or 90 day period of live communications. Moreover, the line between live and stored is increasingly blurring. It’s not clear to us why it would be permissible for law enforcement to access the exact same data once it is stored, but be impermissible to access it live.
Relationship to the US-UK Deal
The US and the UK appear to be close to reaching an agreement of the sort contemplated by the DOJ’s implementing legislation. The agreement would permit UK law enforcement to make direct requests to US-based providers for emails and live chats that are sought in the investigation of serious crime. Consistent with the provisions in the legislation, the UK could only make such requests with respect to non-citizen targets outside the United States. If the UK wanted the data of a US citizen or legal permanent resident wherever located, or any person physically located in the United States, regardless of their citizenship, it would still need to employ the MLAT process. Moreover, the agreement is reciprocal—meaning the United States would be able to directly request data from UK-based providers; the UK would be prohibited from blocking such requests so long as the US is targeting a non-UK resident or citizen.
The UK Home Office has described this as one of their top priorities vis-à-vis the United States. Moreover, informal conversations suggest that the prospect of such a deal has helped spur support for provisions in their draft Investigatory Powers Act that require judicial review of all intercepts and orders to compel the production of stored communications; the UK understands that this change is essential to the completion of the agreement. (We are not commenting on the Investigatory Powers Act as a whole – that requires a much longer conversation; rather we are simply noting that the particular provisions on judicial review are a change, and a positive one, that reflect a convergence of norms on lawful processes for accessing the content of communications.)
We have both described the US-UK deal as a positive step forward. But as we have noted, it cannot be implemented without this legislation. The legislation gives the executive the authority to complete the agreement—and sets the parameters of the agreement. The two issues are thus deeply intertwined.
This legislation should be embraced by civil liberties groups, the business community—both global technology firms and their customers—and ultimately members of Congress. The United States has a unique opportunity to set the norms for cross-border data requests—and in so doing protect privacy, security, and US business interests alike. The alternative is a world in which foreign nations increasingly adopt data localization mandates, employ surreptitious means of accessing sought-after data, and unilaterally assert extraterritorial jurisdiction, without any of the privacy protections included in the draft legislation and without regard to the interests of the United States or US citizens. Once that happens, the US’s leverage will be lost; nations will no longer have an incentive to reform their laws to access US held data, because they will have found other ways to do so. Congress should enact this legislation before its too late.