Last week, The Washington Post reported that the US and the UK were in negotiations to permit UK law enforcement agencies to request stored communications like email and chats directly from US-based providers like Facebook and Google. What’s more, the UK apparently wants these companies to be able to perform wiretaps as well. The proposed agreement hasn’t been made public yet, but the rationale makes sense for the US, UK, and even for providers. But what about users of these services — does it make sense for them?
First, let’s level set on why the US, UK, and providers would support an agreement. The Stored Communications Act (SCA) is a blocking statute. It prohibits US service providers from disclosing the content of their users’ communications to anyone other than the US government (and even then, only upon receipt of proper legal process). If a UK resident uses a US email service to conspire with another UK resident to kill a third UK resident, the SCA prohibits the US provider from disclosing the incriminating emails or other content to UK law enforcement.
Instead, the UK law enforcement agency would have to go through the Mutual Legal Assistance Treaty (MLAT) process to obtain the emails — a process almost everyone agrees is too slow and cumbersome to be effective. But there is no alternative to MLAT to get the evidence. The US-based provider is the only source in this example.
In response to this untenable situation, the UK (and indeed other countries) are considering or have passed data localization laws. That is, providers whose services are accessible in a particular country would have to store the content and related data (or copies of it) of resident-users in that country so the information could be produced upon receipt of domestic legal process. This approach, some fear, will result in the Balkanization or splintering of the Internet.
Data localization also puts the privacy and security of user information at risk for users in countries with less than stellar human rights records. It renders the content discoverable on a lower legal standard in most countries outside the US as well. At the same time, the data remains available to US law enforcement if the US provider has custody or control over the data (although Microsoft is currently challenging that notion in the Second Circuit Court of Appeals).
Apart from data localization, the UK believes that it has jurisdiction over providers outside of its territory who are offering services to users within the UK and who otherwise have subsidiaries and operating entities within the country. That means the UK could seek content directly from many providers today under UK law, setting up a conflict of laws problem if the UK tries to enforce a disclosure order against a US-based provider.
Enter the US-UK negotiation to reach a compromise on data sharing. It’s no surprise that providers who are caught in the middle support the idea of responding directly to non-US law enforcement requests rather than fighting enforcement orders in UK courts.
Indeed, concomitant with the US-UK negotiation, providers, academics, and other stakeholders have made suggestions on what sorts of legislative frameworks might best enable cross-border data sharing arrangements to avoid conflicts of law problems and data localization threats. The Jennifer Daskal and Andrew Woods proposal is a mashup of these efforts, and the discussion of the merits and need for this reform is well documented at Just Security.
Under the Daskal-Woods proposal, providers could disclose stored user content if the “requesting government has jurisdiction over both the target and the relevant criminal activity, in accordance with the government’s domestic law, and therefore a legitimate interest in the criminal activity being investigated.” The target could not be a US person or located in the United States. The requesting government would have to satisfy its own domestic law requirements and meet basic principles of US law (e.g., an equivalent of probable cause, an order from a neutral magistrate, and particularity). Further, the US would enter into data sharing agreements only with countries it or some third party organization certifies as meeting basic human rights requirements. For everyone else, the MLAT or letters rogatory process would remain available. Presumably, those countries that are not certified could still pursue data localization laws or less transparent means of obtaining the desired information from providers, but the hope is that joining the club for more expeditious data sharing would be preferable to extended fights with providers and the US government.
Indeed, Daskal, in a thoughtful response to the Washington Post story, sees the US-UK negotiation as an opportunity for improving the MLAT process and ameliorating the worst consequences of this broken system. She’s right. Congress could “help relieve the pressure in the system, but also insist that it is done right” by requiring that foreign requests follow the principles she and others have articulated for stored communications while rejecting any notion that US providers would have to conduct wiretaps of non-US users at the behest of other countries. In short, she and others see the US-UK negotiation as an opportunity to establish a better data sharing agreement globally. Andrew Woods likewise responded to the Post story, arguing that some deal is necessary and almost by definition is better than no deal and status quo.
Now back to the original question — is the current Daskal-Woods proposal or the putative US-UK agreement good for users? Sadly, no. But Daskal and Woods are right that there is an opportunity that is better than the alternatives, and the proposals on the table can be fixed.
First, as to the US-UK agreement, there is something unseemly about two powers with questionable records on surveillance negotiating the terms of surrender for US providers to disclose the stored or real-time content of communications to each other or another government. But distrust alone is not a reason to reject the US-UK negotiation, which, if done right, may become a template for other countries and serve a useful purpose.
The big problem is that, as reported, the US-UK deal is unbounded. While it purports to carve out US persons — i.e., those resident in the US and US citizens abroad — it leaves everyone else subject to UK surveillance worldwide, both as to stored communications and prospective surveillance, and for any crimes or national security purposes. (It’s worth noting the deal would be reciprocal and the same carve out would bar the US from seeking the information of UK persons from UK companies.) That can hardly be good news for users outside the UK and US. As it stands now at least, global users are beneficiaries of US laws that actually have higher standards for disclosure of content than other nations.
The Daskal-Woods proposal suffers from the same defect as the US-UK deal, but the impact is lessened because the nexus for a request is a local criminal, crime, or victim. Still, the user whose communications are sought does not have to be a resident or citizen of the requesting country. If the proposed agreement goes through, US users are protected from UK requests, but no one else’s.
These NIMBY-like agreements will break down over time as more countries join the framework with the promise of more expeditious access to content for their investigations. We can expect the next country in the club to ensure that its citizens’ data will not be targeted by the US or UK, and so on as others join the club too. Ultimately, US providers could be in the unenviable position of trying to discern locality or citizenship of the target, or relying on the requesting government’s certification in that regard. If the target is outside the country, the national of another country, or can’t be identified, the data should not be disclosed by the provider, but neither the US-UK negotiation as reported nor the Daskal-Woods framework embraces this principle.
But there is a kernel of an idea in all of this discomfort. There is an 80 percent solution to the MLAT problem that admittedly forgoes the perfect and accepts the reality that some good is achievable. Building on the Daskal-Woods proposal, new data sharing agreements should limit requests to the stored content of the citizens or residents of the requesting country in a subset of dual criminality cases — those cases that truly are local where the perpetrator, victim, witness, and crime are all within the jurisdiction and the crime is punishable in both nations. If the request relates to acts that are criminal in both the US and the requesting country, and the content belongs to a user who resides in the requesting country, the interests of that country in prosecuting the crime should surmount the conflict caused by the US blocking statute.
Some might argue that if the request does not originate from a neutral magistrate, or is not based on probable cause as the US defines it, then users are worse off under such a deal. But that’s not so. The same content would, without a deal, still be subject to disclosure under the lengthier MLAT process resulting in a US court order. Worse, the UK could try to get it directly under UK domestic law, leaving the user no better off and the provider in a Catch 22. Or, data localization could be imposed, leaving the data wholly amenable to access under local law and procedure. After all, the SCA has no extraterritorial reach and providers might find some solace in localizing content to avoid international conflict, especially where users are given to understand that terms of service include consent to such disclosures in response to otherwise lawful local process (i.e., on the same terms as if the user were enjoying service from a local provider).
The 80 percent solution would have the benefit of unclogging the MLAT system so that transnational cases could be handled more expeditiously. And the incrementalism of the approach allows time for a system of trust and transparency to be developed. Instead of the NIMBY-like world that would develop under the existing proposals, experience and time could yield a truly cooperative system of cross-border data sharing within the club itself if the basis for disclosure meets or exceeds the standards of the country of residence of the user whose content is sought. And yes, that could include US users too if the requesting country met a probable cause standard as determined by a neutral magistrate.
The truth is that no negotiation is necessary if one country is willing to assert its jurisdiction over global communications and platform providers to compel such disclosures by arresting employees in-country or imposing fines. The 80 percent solution may not forestall such demands forever, but the development of a normative process that permits access to content under transparent rules in limited cases is good for users and may yield a better framework over time. The Daskal-Woods proposal articulates a broader set of principles that has much to commend it, and the opening gambit of the UK does present an opportunity to obtain a deal that protects users and providers and serves the public interest. For the sake of users everywhere, a little incrementalism might be just the thing.
This post originally appeared on Just Security.