Surveillance

U.S. Government Presents Draft Legislation for Cross-Border Data Requests

By David Kris
Saturday, July 16, 2016, 8:07 AM

The government’s long-awaited proposal for addressing cross-border data requests, in the form of draft legislation, is finally here.  The government also provided a section-by-section analysis and a description of a U.S.-U.K. agreement that would be the first specific application of the legislation if it is enacted.  The government’s cover letter explains that it is going forward with the proposal despite yesterday’s decision in the Microsoft case in the Second Circuit (discussed by Andrew Woods here), but lays down a pretty clear marker that it will be addressing that decision soon.

From a very quick read, the new legislation removes U.S. legal barriers to direct access to U.S. communications providers by foreign governments that have entered into executive agreements with the U.S., where the agreements meet certain requirements that the U.S. Attorney General must certify to Congress. The law applies only to non-U.S. person targets reasonably believed to be located abroad; can be used only in support of criminal investigations (in other words, not for affirmative foreign intelligence, but including for the prevention of crime); reaches both contents and metadata; covers real-time interception as well as access to stored data; and forbids bulk collection. It does not address encryption one way or the other.

The draft legislation also has an anti-cat’s paw provision, under which the U.S. government cannot misuse a foreign government to obtain information it would not otherwise be able to obtain. It does allow the U.S. government to block access—i.e., to veto direct access—in any given case where it concludes that the foreign government’s request is outside the scope of the executive agreement. Both the access and veto rights apply reciprocally, meaning that (subject to veto rights) the foreign government must remove barriers blocking U.S. access to data held by its providers. And providers remain free to challenge the requesting government’s orders, on a case-by-case basis, under that government’s own law (i.e., the new legislation merely removes barriers to access by foreign governments, it does not itself affirmatively compel production to foreign governments).

For those who aren’t familiar, the problem of cross-border data requests arises when one government’s laws compel the production of information while another government’s laws simultaneously forbid that same production. For example, the UK has been terribly frustrated by its inability to compel American communications providers, like Microsoft, to provide email that resides on servers in the United States but is from the account of a suspected terrorist located in Britain and planning attacks there. UK law can be used to compel such production, but current U.S. law forbids it.

Another example involves Brazil, where Microsoft has been fined millions of dollars, and its employees threatened with criminal prosecution, for following a U.S. law that makes it a crime to obey a Brazilian court order demanding information about a suspected criminal in Brazil. Microsoft’s Chief Legal Officer, Brad Smith, testified in Congress in February, asking the House Judiciary Committee to “[i]magine the kind of meeting that I have had to have with a Brazilian employee [of Microsoft] who is being prosecuted [for refusing to comply with Brazilian law]. And imagine trying to talk about the fact that we cannot, in fact, take the steps that would bring the prosecution to an end in Brazil, because it would require that we commit a felony in the United States.”

This problem is not unprecedented, but it is getting much worse. In the 1980s, our courts heard a few cases in which foreign banks, with branches here, resisted subpoenas for records on the ground that the records were protected by foreign bank secrecy laws. Today, however, the conflicts are growing in both frequency and intensity. As the U.S. has become increasingly anti-surveillance in the aftermath of Edward Snowden’s leaks, Europe has moved in the other direction, expanding surveillance laws in response to the rise of the Islamic State. At the same time, encryption has made European governments more dependent on companies for access to readable data, such as email. The result has been a very significant increase in foreign demands for American companies to produce information. As the government’s explanation says, “[t]he current situation is unsustainable.”  Today’s draft legislation is an attempt to address those concerns.

There have been many Lawfare posts and other papers written on this topic (including one by me), and Congress has held hearings. The issue has been pretty thoroughly explored by academics, industry, and the U.S. and foreign governments. The draft legislation represents progress and should be applauded because it allows for a more focused debate on the particulars of a proposed solution. Below, I provide a very quick summary and some initial thoughts.

The heart of the proposed legislation is section 4, which allows for executive agreements between the U.S. and foreign governments. Where a satisfactory agreement is in place, the barriers to access in the Wiretap Act, Stored Communications Act, and criminal Pen Register statute are removed (by section 3).

For an executive agreement to satisfy the statutory requirements, the Attorney General, with the concurrence of the Secretary of State, must determine and certify to Congress several elements concerning the foreign government, the nature of the agreement, the types of foreign orders or directives affected by the agreement, and the foreign government’s treatment of the information it obtains. None of these determinations is subject to judicial review (or any other review, it appears), but the certifications are due to appropriate committees of Congress 60 days before taking effect, and must be published in the Federal Register.

Experts will recognize many of the requirements in extant U.S. or international law. Indeed, although the proposed legislation was surely coordinated with the British government, one can imagine Brexit supporters—and others in the UKobjecting to it as a new form of legal imperialism. Here are the main requirements as I understand them based on an initial review:

The Attorney General’s certification to Congress must be based on a determination that the foreign government “affords robust substantive and procedural protections for privacy and civil liberties” in both its law and the implementation of its law (and this determination must be renewed every five years). This determination may depend in part on whether the foreign government has acceded to the Budapest Convention on Cybercrime (or has equivalent domestic-law analogues), and “adheres to applicable international human rights obligations” including “prohibitions on arbitrary arrest and detention [and] prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.”

The foreign government must have adopted “procedures to minimize the acquisition, retention and dissemination of information concerning United States persons subject to the agreement.” This minimization requirement comes directly from FISA, 50 U.S.C. 1801(h), which similarly refers to minimization at the three stages of “acquisition, retention and dissemination.” Some U.S. minimization procedures are public, and it is easy to imagine foreign governments using those as a model for their own.

The agreement must forbid the foreign government from intentionally targeting a U.S. person or a person located in the U.S., forbid reverse targeting, and forbid acting as a cat’s paw for the U.S. or another government. These targeting requirements come directly from the FISA Amendments Act (FAA), 50 U.S.C. 1881a, and the cat’s paw provision has an analogue in Section 2.12 of Executive Order 12333 and its subordinate procedures. The proposed legislation requires targeting procedures, just as the FAA requires them.

The foreign orders authorized by the agreement must meet several specific requirements. First, they must pertain to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism.” This means that affirmative foreign intelligence gathering is out of bounds. Conceptually, the idea here seems similar to the split in FISA’s two definitions of “foreign intelligence information,” 50 U.S.C. 1801(e)(1)-(2). Note, however, that counter-intelligence, expressly including counter-terrorism but also probably including counter-espionage, is included, because the language refers not only to “investigation” and “prosecution,” but also to “prevention” and “detection” of crime. With the FISA Wall down, this is a familiar idea in U.S. law.

Second, the foreign orders must use a “specific” identifier such as a name or account as the “object of the order.” This comes from the USA Freedom Act’s amendments to FISA, designed to prevent bulk collection, 50 U.S.C. 1841, 1861. However, there is no authority for multiple-hop collection, as there is in the Freedom Act.

Third, the orders must be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and must be subject to “review or oversight” by a judge or other “independent authority.” These elements seem to be derived in part from several U.S. constitutional requirementse.g., those governing a stop and frisk (Terry v. Ohio, 392 U.S. 1 (1967)), the definition of probable cause (Illinois v. Gates, 462 U.S. 213 (1983)), the requirements for a search warrant (including particularity and a neutral and detached magistrate, see Maryland v. Garrison, 480 U.S. 79 (1987)), and a proportionality requirement. Of course, the requirements are not exactly the same as those the Fourth Amendment would compelfor example, the reference to “review or oversight” by a judge or other “independent authority” would seem to permit after-the-fact review by a Parliamentary body rather than advance review of orders by a judge.

Fourth, the orders must be of fixed and limited duration and issued only when necessary if concerning live interception; and they may not be used to infringe freedom of speech. These requirements have analogues in the Wiretap Act and FISA, 18 U.S.C. 2518(3)(c), 50 U.S.C. 1804(a)(6)(E)(ii), 1805(a)(2)(A).

The foreign government must promptly review and properly store the information collected, must “segregate, seal or delete” (and not disseminate) the non-pertinent information, may disseminate a U.S. person’s communications to U.S. authorities only in certain circumstances, must provide reciprocal access rights to the U.S. government with respect to data held by foreign providers, must submit to periodic auditing of its compliance with the agreement by the U.S. (in support of a requirement that the U.S. review its certification every five years), and is subject to a veto on direct access by the U.S. government in any particular case. Some of these requirements likewise find their roots in FISA’s minimization procedures.

From what I can determine, based on an initial read, the government has produced a very credible document that seems designed to solve a serious problem without indulging in opportunistic overreach. There are lots of points in the proposal that are worthy of debate, however, and it will no doubt provoke serious debate. Three issues, in particular, strike me as likely candidates for attention.

First, the proposed legislation allows wiretapping of live communications, not merely access to stored data.  In this respect, it is broader than the current system of Mutual Legal Assistance Treaties (MLATs). Some observers will feel intuitively that foreign-government wiretaps (albeit actually conducted by U.S. providers, likely in much the same way that they conduct wiretaps for the U.S. government) are more invasive than collection of stored data. On the other hand, a 90-day wiretap is likely to collect much less information than a sweep of someone’s email inbox and outbox, which could have years of communications in it. In other words, there may be an intuitive concern about live interception, but it’s not inescapable that live wiretaps for limited periods are actually more invasive of privacy interests than collection of stored data, especially in the modern world of texting and other short-form communications that function more like an oral chat call but can still result in digital footprints of content. But I expect it to be an area of focused discussion.

Second, the proposed legislation does not address encryption. This will likely disappoint observers on both sides of the issue, but in my view it’s the only way the bill could pass in the short run. Encryption is a big challenge, and my sense is that we’re not yet in a position, as a country, to resolve it.

Nonetheless, pressure may come to compel decryption (provision of plaintext) in this bill. Jim Comey and the FBI, among others, have made no secret of the fact that they would like the issue resolved (acknowledging that there are pros and cons to the issue). Senators Burr and Feinstein have a bill, but it has not progressed much. There may be some desire, by pro-surveillance/anti-encryption advocates, to tackle the issue in this bill.

Pressure on encryption may come from the other direction as well. By removing U.S. legal barriers to access, this legislation will allow encryption issues to be resolved under UK law (or other foreign law), rather than U.S. law, with respect to U.S. providers. Knowing this, and fearing that the UK may be less supportive of encryption legally or politically, some will likely argue that encryption needs to be addressed in order to limit foreign authority to insist on decryption. One way that position might be expressed would be as a requirement that foreign governments only be allowed to obtain what the U.S. itself could obtain under U.S. law. But this may be even more unpalatable to British people who believe they are allowed to have their own laws in their own country, and risks making the U.S. appear to be even more of a legal imperialist. It also won’t fool anyone for long, and so will risk opening up an explicit encryption debate, which will mean this bill does not pass in the short run.

Third and finally, there are the anti-cat’s paw provisions. These provisions appear to be very carefully drafted, which makes me think the government gave them a lot of attention, which in turn makes me think they may get a lot of attention in the public debates. The first requirement is that the “foreign government may not issue an order at the request of or to obtain information to provide to the United States government or any third-party government,” and cannot be “required to share any information produced with the United States government or a third-party government.” Section 4(a)(3)(iii). The second is that the foreign government “may not disseminate the content of a communication of a U.S. person to U.S. authorities unless it is relevant to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person,” and also “relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.” Section 4(a)(3)(xii)-(xiii).

As a practical matter, these provisions should permit sufficient two-way information sharing. The U.S. government apparently cannot “request” the UK to issue an orderor, perhaps more precisely, if the U.S. does ask, the British must issue the order for their own reasons, not merely to provide the information to the U.S. But it can share information about someone whom the British may decide for their own reasons to targete.g., where the U.S. has information about a person in Washington discussing terrorism with a person in London, it can tell the British about the person in London.

Looking at it from the other direction, if the British collect information under their laws (with U.S. barriers removed by the new legislation), they cannot be “required” to share information with the U.S. But if the British find someone in London talking terrorism with someone in Washington who is unknown to U.S. authorities, they may inform the FBI and pass the contents of the communications. That is because such information would be relevant to preventing serious crime and would relate to significant harm. I can imagine some challenges at the margins of the rules governing what the foreign government may pass back to the U.S., but in general the idea of two-way information sharing seems likely to prevail. It’s increasingly important in an increasingly connected world, and I would expect the U.S. government to fight hard for this.

Regardless of how these or other issues are resolved, this draft bill represents progress because it will allow debate to proceed based on something specific. In fact, based on my own experience, I am pretty sure this draft legislation required a massive effort, within the Department of Justice, in the U.S. inter-agency community, with the private sector, and internationally with the British and perhaps others. Its shepherds deserve a lot of credit for giving us a very good step forward.