Following Edward Snowden revelations, it’s an understatement to say that governments were unhappy with their citizens' data being managed solely under US laws. This frustration is brought into sharp contrast when you examine the elongated system which other states have to use to obtain the same data for criminal investigation into serious, but sadly every day offences, such as murder, rape, cybercrime and increasingly cyber bullying or stalking - Mutual Legal Assistance.
The integration of the internet into most aspects of our daily lives has wrought similarly profound changes in crime and criminal justice, from the rise of purely online criminality (cybercrime), to the use of internet communications technology in the commission of real-world crimes, to the use of internet records to investigate, identify and convict.
As I wrote in my last blog, it is quite possible that the location of the companies providing a communication platform, the location of data, and the location of perpetrators are all in different parts of the world.
Internationally, my colleagues in the law enforcement community lament what they perceive as less than straightforward access to user data from online providers based (for them) overseas. Facebook, Microsoft, Yahoo and Google - all based in the US - are the most commonly cited providers, but providers can and are increasingly based anywhere in the world.
This is often described as ‘the Mutual Legal Assistance Treaty (MLAT) problem’, after the existing international frameworks used to obtain evidence - including communications data - across borders. There are, however, alternatives to MLAT available in differing circumstances, and this in itself adds to the problem.
For examples, whilst US legislation precludes the sharing of content with non-US requesters, except in cases of “danger of death or serious physical injury to any person”, it is absent on the sharing of less sensitive information, such as subscriber data. This leads the US providers deciding in certain circumstances to share data directly with non-US law enforcement requesters. This is the data that most transparency reports provide. Favourable circumstances always include a proven adherence to a national legal process, and are also likely to relate to a serious offence, where no human rights violations are likely and where the user of the data is based in the requestors jurisdiction. Another option is to focus on joint investigations with the US where there is a clear US dimension to the crime, for example where victims or perpetrators are located in the US.
The options would be the same if the data was held elsewhere in the world, with the joint investigation being with the relevant local agency - these issues are not limited to the US.
The most resilient way of obtaining data is, however, by invoking MLAT. Despite MLAT regularly touted as the solution to obtaining data internationally, it is not well understood. Mutual Legal Assistance (MLA) is an agreement, usually by treaty (T), between two or more countries to provide assistance to each other on criminal legal matters. The types of assistance that can be provided through MLATs traditionally include: service of documents; search and seizure; restraint and confiscation of proceeds of crime; provision of telephone intercept material; and the facilitation of taking of evidence from witnesses. The agreements themselves, whilst indicating the points of contact in both countries, do not specify the end-to-end process. This is governed by a mixture of national laws: laws covering international co-operation and laws relating what is being requested. The MLA process is therefore determined by a combination of domestic law and bilateral and multilateral treaties on international crime. MLA is resilient because it is the only process that ties together the laws of both receiving and requesting country, making it legally robust at all stages.
However, the MLA process is long. It requires an administrative legal process in each countries and duplicate checking of paperwork. In the UK to US process it involves the law enforcement requestor working with the Crown Prosecution Service to write a letter of request under the US-UK MLAT, which then is forwarded to the UK’s Central Authority in the Home Office. The Central Authority checks that the request complies with the Treaty regulations, including whether it “would be contrary to important public policy” or if the request relates to an “offense of political character.” The UK central Authority will then forward the letter of request to the US Central Authority, at the US Department of Justice’s Office of International Affairs (OIA) in Washington DC. The OIA will then review the letter for compliance with the treaty, before forwarding it to the US Attorney’s Office in the District where the provider is incorporated, which is often the Northern District of California, where Silicon Valley is located. The US Attorney will then translate the letter of request into a US legal document, usually a court order, which is then served on the recipient company. Following the company’s response to the legal order, the response will then go back through US law enforcement office for ‘minimization’, where an interpretation is placed on the data required for the foreign investigation and any data exceeding this interpretation is removed. The response is then sent back via both Central Authorities, again for verification, to the original Crown Prosecutor and the law enforcement requester.
The length of this country-to-country process can be compounded by legislation requiring that communication should be via the traditional postal service.
In the UK, requests for communications data through MLA can take up to 13 months. Despite this frustration, the UK is most likely in a privileged position in terms of MLA, speaking the same language. The UN Cybercrime Study of 2013 indicates that most countries ‘reported median response times of ... 150 days for mutual legal assistance requests, received and sent.... It is clear that the use of formal cooperation mechanisms occurs on a timescale of months, rather than days’.
But it’s not just law enforcement that is frustrated by the MLAT problem. Governments have additional frustrations:
there is frustration at an inability to get all communications data relating to nationals, including content, under their own national laws, especially where these laws have proven robust human rights safeguards not enhanced by duplicate processes. In many cases double checking does no more to protect the privacy of the user, instead frustrating the investigative or judicial process in the country requiring the information. There is also the flip side of an inability by foreign citizens or governments to challenge the way in which data has been handled. This is strongly articulated in the EU-US debate on data protection.
an increasing burden, as the number of requests for international communications data goes up, on government’s Central Authorities, who are responsible for processing both incoming and outgoing requests. Few countries, including the US, have increased the resources provided to Central Authorities. Recommendation 34 of the December 2013 Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies is to “increase resources to the office in the Department of Justice that handles MLAT requests, [given that] the Office of International Affairs (OIA) in the Department of Justice has had flat or reduced funding over time, despite the large increase in the international electronic communications that are the subject of most MLAT requests.”
when a crime is not a crime in both countries, a response that the request requires MLAT is often (mis)interpreted as a refusal to produce information. For example, in December 2012 a prosecutor in India was advised to consider using Mutual Legal Assistance to obtain information from overseas providers and referred to the Treaty between the US and India. Instead the court issued service of summons to bring Facebook, Orkut, YouTube, Yahoo, Blogspot, Google and Microsoft to court for allegedly committing offenses, including those of selling obscene materials to youths and hatching criminal conspiracy. Sometime in these cases MLAT will result in a negative response, especially when the request relates to freedom of speech or hate crime issues, even where these are within a clear national qualified human rights framework.
Finally, governments, including the US, also wish to ensure that companies which are incorporated in their jurisdiction maintain the laws of their jurisdiction. This includes laws relating to sharing communication data, but also more fundamental laws, such as those governing human rights.
Governments are not alone in their frustrations. US providers as recipients want a legal underpinning for providing data that fits with their business model. In light of Snowden’s revelations they are particularly sensitive to voluntary schemes for content and would like to show consistency to their users by only acceding to requests with an explicit legal underpinning. They want this to be in the jurisdiction in which they are incorporated for cultural, human rights and possibly economic reasons. Where there is clashing legislation - such as the US Electronic Communications Privacy Act preventing the release of content requested under another state’s laws - it is understandable that the provider will want to opt to comply with the legislation in the country in which it is incorporated.
Another significant concern to US providers is when countries dispute the need to use formal channels, such as MLAT or a request under their own legislation, and instead threaten legal action against a company’s officials based in-country. In 2012 and 2013 we have seen this in France with Twitter, in India with several providers and in Brazil for Google.
US providers are also fearful of the ‘balkanization’ of the internet. Instead they, like the US government believe that “non-US governments seeking such records [via MLAT] can face a frustrating delay in conducting legitimate investigations. These delays provide a rationale for new laws that require e-mail and other records to be held in the other country, thus contributing to the harmful trend of localization laws.”
Non Governmental Organisations who focus on representing the privacy rights of the users are frustrated by the lack of transparency in the current systems. Despite increased transparency reporting by many providers, it is often unclear under what circumstances and which laws data is or is not shared with law enforcement agencies in different jurisdictions. There is no transparency in MLAT. They are also concerned with the balkanisation of the internet, and the likely global impact on freedom of expression and access to information.
Finally, in the context of NGOs, I think it is important to note that victims of crime which could be better investigated with better access to data, whilst clearly stakeholders, are not currently vocally represented. My feeling is that it is these victims of often serious crimes who are really facing the MLAT problem.