
The US-UK Data Deal

By Andrew Keane Woods
Wednesday, February 10, 2016, 9:27 AM

The Washington Post recently leaked the news that the US and UK have been negotiating a deal regarding each government’s access to data held by the other country’s providers.  This deal is no surprise to anyone following this issue – I mentioned rumors about such a deal in an op-ed in the Times back in December, and Jen Daskal and I blogged about these rumors as far back as last summer. Perhaps that is why the story has not generated as much attention as it merits.  Or maybe it’s because the deal is simply not as controversial as the Post makes it sound.

The headline reads: “The British Want to Come to America – with Wiretap Orders and Search Warrants,” which of course is a 21st Century way of saying: “The Redcoats Are Coming!”  Besides being unbearably corny, this headline is misleading.  It incorrectly suggests: (a) that the British government plans to encroach on American sovereignty, and (b) that this deal is obviously bad for privacy.  I don’t think either is true.  In fact, I think the article could just as easily have been titled: “US and UK Take Important Step for Internet Privacy.”  

Before I explain why, let me be clear that I’m not endorsing the US-UK deal (which I have not seen and the only public details of which come from the Post’s clickbait).  But without knowing many of the key details, I want to make the case that such an agreement, with the right safeguards, can be seen as critical for preserving the internet as we know it and, over the long term, a significant victory for privacy. 

Governments are increasingly aggressive in their efforts to assert territorial control over the Internet.  As Freedom House reported last year, “internet freedom around the world [is] in decline for a fifth consecutive year as more governments censored information of public interest while also expanding surveillance and cracking down on privacy tools.”   Put simply, we are nearing the end of the time when the US can tell the world what rules apply on the Internet.  Until now, US firms have been able to say to foreign governments, “Sorry, since we’re American, even if the data you seek passes through servers on your soil we can’t comply with your lawful and legitimate request for user data.”

The response from foreign governments has been, more or less:  fuck that. 

In the course of researching MLAT reform, I met with a number of lawyers in the UK, some of whom worked for the British government.  They all made the same argument:  If American companies want to come here and make money on our citizens, they gotta play by our rules. Other industries have come here and tried to get away with not playing by our rules, and we set them straight; we’ll do it with the tech companies, too.

And this is the rational thing to do from the perspective of the British government.  If you want to faithfully enforce your laws, and the evidence necessary to prosecute crimes like murder and theft is held by American tech firms, you have a few options.  You could demand that the data be stored in the UK; you could demand a way around encryption so that you can sniff out the evidence as it passes through British communications networks; you could simply enforce your laws – seize Google’s assets; arrest Microsoft’s employees; shut down Facebook and Twitter – regardless of whether doing so throws the company into a conflict between British and American law.  Or you could negotiate a principled agreement that resolves the conflict of laws and that says, effectively, that British law applies in the UK and American law applies in the US. 

If you think, as I increasingly do, that the absence of such an agreement will lead to any number of privacy-threatening outcomes – data localization, anti-encryption mandates, etc. – then you end up seeing an international agreement of the sort described above as privacy enhancing over the long run. 

Unfortunately, we know very little about the contents of the US-UK deal.  But what the Post describes is not as crazy as it is made to sound. Consider the lede:

“If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies like Facebook or Google with a wiretap order for the online chats of British suspects in a counter­terrorism investigation.”

This is precisely what happens in the UK when the government approaches BT and Virgin and any other British company seeking digital evidence of a crime; those companies must comply with lawful wiretap orders.  So as far as I can tell, this sentence simply reads: “If U.S. and British negotiators have their way, British law will apply to American companies operating in the UK.”  This, on its face, is not at all a crazy idea.  Indeed, it would be quite extraordinary if the UK allowed a foreign corporation to operate in its territory without subjecting the company to its domestic laws. 

Concerns about this deal are not really concerns about British encroachment on American sovereignty; rather, they are concerns about the adequacy of British law.  In many ways, the UK’s laws are simply not as privacy protective as those in the US, and unfortunately they are poised to get worse as a result of the Investigatory Powers Bill.  But arguing that British law does not adequately safeguard Internet privacy is a very different argument from the claim that the US and UK should not agree that UK law applies to companies operating in the UK.

This raises two additional questions. 

First: if British law is problematic, should the US attempt to fix it by international agreement?  I’m not so sure.  I certainly hope that any US-UK agreement would improve privacy practices in both countries.  Indeed, I have been working with a group of civil society groups, academics, and companies to identify just what principles ought to guide such an agreement.  This US-UK agreement may be a model for agreements with other countries – countries with fewer privacy protections than the US.  But I have to admit to being anxious about Britain’s response to our efforts to dictate what privacy rules ought to apply in Britain, knowing that we would bristle at another country’s efforts to dictate our privacy rules.

Second: even if British privacy rules are suboptimal, is Internet privacy as a whole enhanced by walking away from an international deal of this sort?  Perhaps it is too soon to say – and we certainly need more information about the deal before we draw any strong conclusions.  But ultimately, I worry much less about an agreement that defers to local law – especially where that law can be changed through a legitimate democratic process – than I do about the world in which we insist that US companies will play by US law worldwide, we reach no agreement with foreign partners, and the British lawyer tells his government to seek the data another way. 
