MLAT Reform Proposal: Protecting Metadata

By Greg Nojeim
Thursday, December 10, 2015, 2:43 PM

This is the second post in a series analyzing the Daskal-Woods reform proposal for law enforcement demands for communications content across national borders.  In the first post, I examined how the proposal dealt with communications content.  Here, I explain why the proposal should also account for cross-border law enforcement demands for metadata.

In responding to my first post, Daskal and Woods did not disprove my key point:  their proposal strips privacy protections currently afforded by U.S. law from certain non-U.S. persons who are the subject of a content demand made by a foreign government.  The privacy protection at issue is the requirement that a U.S. judge determine that the facts establish “probable cause” of a crime prior to disclosing any communications content.  My first post surfaced this issue so the proposal could be fully considered, in particular, by those individuals outside the U.S. who are most affected.  Daskal and Woods characterize the extension of the probable cause requirement—which protects the privacy of the content of non-U.S. persons abroad—as “imperialistic.”  And that’s one way to look at it.  I view it more as a gift, although I am not sure it is valued as such by people outside the U.S.  One potentially more productive approach would be to acknowledge that the Daskal-Woods proposal contemplates some privacy loss under U.S. law for non-U.S. persons in the context of communication content, and seek to counterbalance this loss with a privacy gain in the form of heightened protection for metadata.

Foreign law enforcement demands for disclosure of metadata are treated differently from demands for content disclosure under the U.S. Electronic Communications Privacy Act (ECPA).  Absent an emergency or other exception, ECPA bars communications service providers from disclosing communications content to anyone unless a U.S. judge issues a warrant based on probable cause.  However, under ECPA, service providers may voluntarily disclose metadata to any foreign government that asks for it.

Although ECPA bars U.S. service providers from voluntarily disclosing metadata to “governmental entities” (18 U.S.C. 2702(c)(6)), the Act defines governmental entity to include only U.S. federal, state and local government agencies (18 U.S.C. 2711(4)).  This definition does not include foreign governments. Therefore, U.S. communication service providers are permitted to voluntarily disclose user metadata—be it of a U.S. or non-U.S. person—to other governments. 

Consequently, foreign governments who seek metadata disclosure from U.S. providers often do not have to file requests for mutual legal assistance.  Because federal law permits voluntary disclosure, the U.S. government may never even learn that a metadata demand was made:  U.S. law permits the provider to volunteer it.  In fact, under ECPA—which governs criminal, not intelligence, surveillance—foreign governments enjoy easier access to metadata of both Americans and of non-U.S. persons than does the U.S. government itself.  Although providers can voluntarily disclose metadata to foreign governments upon request, they are only permitted to disclose the same metadata information to the U.S. government upon subpoena or a court order issued under 18 U.S.C. Section 2703(d).   

The Daskal-Woods proposal would remove the U.S. warrant requirement and judicial review for disclosure to foreign governments requesting content of a non-U.S. person when the foreign government has jurisdiction over the crime and both its laws and the request meet certain human rights standards.  However, it would do nothing to ensure that non-content requests from those same governments meet any standard at all.  Rather than allow providers to continue to volunteer this information to foreign governments that would benefit under the proposal from favorable treatment of their content demands, the proposal should correct this anomaly.

Providers may appreciate the flexibility that current U.S. law gives them to disclose metadata when foreign governments demand it.  In cases where the provider receives a demand for both communications content and metadata, the provider can fulfill the demand for metadata and advise the requesting government to initiate the MLAT process to obtain the content.  This relieves some pressure on the provider and it gives foreign law enforcement a place to start its investigation, and the metadata can serve as a starting point to build up to probable cause for purposes of requesting content, when appropriate. 

Providers advise that they verify that requests for metadata disclosure are proper under the requesting government’s law prior to making any disclosure.  They also indicate that they take steps to ensure that disclosures of metadata are not made to governments with poor human rights records, and are not made when such disclosure would be used to prosecute individuals for speech crimes (for example, the crime of insulting a monarch).  Yet, metadata disclosure practices can vary widely among providers.  Some providers turn down all or most metadata requests; others grant metadata requests from a particular list of countries; others grant such requests from a different list; and still others grant requests under pressure from the foreign government, which can threaten them with fines and their employees with arrest.

The Wild West of voluntary disclosure of metadata to governments outside the U.S. must end.  If countries whose laws meet a certain human rights standard are to be given access to user content under those laws, those laws will also need to provide a human rights-friendly level of protection for non-content.  The standard for non-content may be lower than the “strong factual basis” required for non-content disclosures under the proposal, but a factual basis and particularity should be required along with approval by a judicial or other independent entity. 

U.S. providers should embrace this approach.  It gives guidance under U.S. law on metadata disclosures to other governments where no such guidance exists.  In the same investigations in which the Daskal/Woods proposal contemplates disclosure of content under the requesting countries’ rules, non-content would also be disclosed under those rules.  There would be no need to “relieve the pressure” by volunteering the metadata while the content was held up in the MLAT process because there would be no MLAT process to hold it up. 

Not all metadata is equally sensitive.  Metadata includes both transactional records—such as a to/from email log—as well as identifying information—such as an email address.  Reform that relaxes the standard for disclosure of content should, at a minimum, impose some standard for disclosure of transactional records, which tend to be the more sensitive forms of metadata.  This is the approach adopted in the “straw man” MLAT reform proposal that the Center for Democracy and Technology (CDT) released.

Finally, it is important to recognize that this metadata protection would be imposed only in cases where the requesting country is seeking user communications from a U.S. provider under the requesting country’s laws because those laws have been determined to meet a human rights standard.  For countries whose laws do not meet such a standard, companies should retain discretion over whether or not to provide their users’ metadata.  This anomaly is appropriately addressed in the short term by a uniform system of “best practices” governing such disclosure by U.S. providers, and in the long term can be resolved legislatively if necessary.

To recap:  in this post, I have argued that the Daskal-Woods reform proposal should be revised to account for metadata disclosures.  The proposal would strip away an important privacy protection for content – U.S. probable cause and judicial authorization – and this should be counterbalanced with new privacy protections for metadata disclosures to the countries that would benefit from the change in rules regarding content.

Next, I’ll address the question of “who decides?”  The Daskal-Woods cross-border law enforcement proposal turns on a determination of which countries’ laws meet the proposal’s human rights standards.  Only those countries whose laws meet the standards will be permitted to obtain content from U.S. providers under their native laws. The question remains, who will decide whether a country’s laws meet those standards?

***

Gregory T. Nojeim is the Director of the Freedom, Security and Technology Project at the Center for Democracy & Technology.  He is the author of “Cybersecurity and Freedom on the Internet,” which appeared in the Journal of National Security Law and Policy.