This is the final post in a series analyzing the Daskal-Woods reform proposal for law enforcement demands for communications content across national borders. Daskal and Woods have proposed that countries whose laws and practices meet certain human rights standards, and whose system for cross-border requests includes certain elements, ought to be able to make content disclosure demands directly to U.S. communications service providers rather than having to make the demand through mutual legal assistance processes. In the first post, I examined how the proposal dealt with communications content and in the second, how the proposal should be adjusted to account for cross-border demands for communications metadata.
The Daskal-Woods cross-border law enforcement proposal turns on a determination of which countries’ laws and practices meet human rights standards set forth in the proposal. Under the proposal, only countries whose laws and practices are deemed sufficient will be permitted to obtain content directly from U.S. providers under their own laws, and without intervention by a U.S. court or the U.S. Department of Justice (DOJ). This post addresses the question of who decides whether a country’s laws and practices meet those standards.
First, it is important to distinguish this question from the determination of whom may be the subject of a demand for disclosure of content. The proposal addresses that question well and clearly: a court or another independent process established by the country making the demand authorizes the demand on a case-by-case basis. The proposal is silent, however, on who decides whether a country’s laws and practices meet the required standards.
One potential answer is that the U.S. government would decide. The Department of Justice, in consultation with the Department of State Bureau of Democracy, Human Rights and Labor, could be tasked with this decision. Protections could be built in, such as requirements that:
- The specific criteria on which the decision is made are incorporated into the law;
- The factual record on which the decision is made is available to the public (with a classified annex, if necessary);
- The decision is the subject of a public notice-and comment rule making procedure that gives civil society organizations in the U.S. and abroad an opportunity to provide facts that could influence the decision;
- The designation of the country could expire after a period of time (perhaps two years) so that changed circumstances could be accounted for; and
- Relevant committees in the U.S. Congress are given 30-days notice of a change in any country’s status within the regime so Congress can act, for example, to conduct hearings about the impending change.
However, such a U.S.-centric procedure is susceptible to political influence and might lack global credibility. For example, the DOJ may feel pressure to pick long-time U.S. allies to participate in the program, and to turn a blind eye to surveillance and other human rights abuses by those countries that are brought to its attention. It might select countries to participate based on other political considerations of the day, such as the need to gain the cooperation of the foreign country in completely unrelated contexts. Or, it might pick a country to participate for the purpose of circumventing the U.S. judicial review processes that would apply if the U.S. government were to seek the information directly. This can arise in terrorism and other investigations conducted jointly with foreign governments.
Establishing global credibility is important to the viability of the proposal. A country that qualifies for favorable treatment can demand U.S. providers turn over the content of not only its own citizens, but of the citizens of any other country as well, excluding U.S. citizens and residents. For example, in an international fraud investigation, the United Kingdom could demand the Facebook, Gmail or Outlook communications content of a citizen of Canada, even if Canadian law would provide a higher level of protection than does UK law, and even if Canada is investigating the same course of criminal conduct because fraud victims are located in Canada as well as well as in the UK.
True, current MLAT processes give the 3rd country no say as to whether its citizens’ information in one country is turned over based on a cross border request made by another country. However, under current law, the 3rd country is assured that in the MLAT process, U.S. judicial review and the probable cause requirement will protect its citizens’ content stored with U.S. providers. Under the proposed regime, that backstop goes away. Whether the 3rd country’s citizens’ privacy is adequately protected when their data is stored with U.S. providers turns on whether the countries chosen to participate in the system have laws and practices that provide such protections. If that choice is influenced by politics, the rights of the people whose communications are disclosed could suffer. If the choice lacks global credibility, U.S. providers may suffer because users outside the U.S. will not trust that their data will be protected against demands other countries.
It may be difficult to achieve global credibility for the decision as to which country’s laws and practices meet human rights standards. Ideally, a finding that a country’s laws and practices meet the standards would have to be made by both the U.S. government and by an independent entity with global credibility and human rights expertise. However, the international entities that might be tasked with making this assessment—for example, the UN Human Rights Council—are often criticized as overly politicized. Asking special rapporteurs appointed by the Council to collaborate and make such decisions would make the selection of these mandate holders even more politicized than it is today. Creating a new, credible entity that would make the assessment could take years.
Perhaps readers will have some thoughts about how to make this assessment, and I’d welcome their opinions. For now, perhaps the best that can be done in the context of the Daskal-Woods reform proposal is to require that the assessment as to whether a country’s laws and practices meet human rights standards has both domestic and international credibility, and leave to another day the process for determining the entity or entities that will make the decision.
Gregory T. Nojeim is the Director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. He is the author of "Cybersecurity and Freedom on the Internet,” which appeared in the Journal of National Security Law and Policy.