Stanford CIS

The Cross-Border Data Fix: It’s Not So Simple

By Albert Gidari on

The House Judiciary Committee held a hearing yesterday on cross-border data requests, featuring testimony from the Department of Justice, the U.K. government, Google, the Center for Democracy and Technology, state law enforcement, and Professor Andrew Woods. Everyone recognizes the problem: law enforcement outside the U.S. can’t get data for their legitimate investigations from U.S. providers because the Electronic Communications Privacy Act (ECPA) prohibits such disclosures; that is, ECPA is a classic blocking statute.  No one agrees on the solution, although there appears to be some consensus that some accommodation should be made for cross-border requests provided privacy safeguards are in place such as judicial oversight, roughly probable cause for content disclosures, due process, and limitations on the types of offenses for which disclosure would be made.

Professor Woods, who has studied this issue for a long time and who has produced some excellent work on the topic, testified at the hearing that the simplest solution would be to amend ECPA to permit U.S. providers to directly respond to cross-border requests. He argues that by removing the block, Congress would also remove the incentive for other countries to enact data localization laws or anti-encryption measures -- actions perceived to be privacy-eroding.  He seems skeptical that side agreements between the U.S. and other countries as a prerequisite for data transfers will be a sufficient basis for removing the block because those countries not in “the club” still will insist on compliance with their orders even if extraterritorial in reach and likely enact data localization laws of their own. He’s largely right, but simplicity is not necessarily a virtue in solving the cross-border data problem.

The solution may be simple, but the problem is not simple at all. Most agree that it is a bad idea to require U.S. providers to disclose user data to authoritarian regimes who will use it to suppress dissent under the guise of local criminal law. (But even there, there may be legitimate criminal cases or impending attacks that warrant disclosure even in an authoritarian nation!) If you remove the blocking statute and the requirement to make such requests through the Department of Justice, you practically have removed the ability to resist such disclosures at all. But, as Professor Woods notes, DoJ says that handling the volume of such requests today puts

a strain on the Office of International Affairs and on the U.S.’s diplomatic relations. Many of these requests take nearly a year to complete. Worse, these numbers do not represent the true scale of the demand because many foreign law enforcement agents never make a request at all, knowing that the petition will languish for months or years.

These are poor excuses for eliminating the blocking statute. The real “simple solution” is to properly staff and budget for the realities of a new digital world so that the Department of Justice can properly do its job in screening such requests for legitimacy. The answer is not to shift the burden to providers to make those decisions or bear the ignominy of deciding wrongly. We would be one disclosure away from renaming the simplest solution to be the Tiananmen Square solution.

If it takes a year for DoJ to properly review and comply with a non-U.S. request for data, then one has to ask why anyone thinks providers will be able to do so more efficiently or quickly? The answer betrays the privacy fear - because providers won’t be able to review them at all. They will comply much more often than not, and presumably have the requisite immunity under ECPA in doing so. And why should anyone expect otherwise? Whom will a provider send into China to resist such orders? Which employees on the ground in the business will want to be at risk of arrest for obstruction in Brazil? This is no real solution at all, although it is simple.  It is manifestly unfair to put providers in that position.

It also undermines the Budapest Convention, also known as the Cybercrime Convention. Over 50 nations have agreed to respect the sovereignty of each other and to use proper channels to obtain evidence stored within another country’s borders. Granted, countries like Brazil, India and Russia have refused to participate, so Professor Woods rightly recognizes that those nations will continue to insist on data localization and compliance under their law with consequences for providers and their employees in country (while some wistfully suggest other countries will raise their standards to meet the club’s rules). But that is no reason not to fully implement the Convention, make it work, reform mutual legal assistance procedures to get the job done right while diplomatically working with non-signatory nations to put a regime in place. That is the role of governments, not providers.

Finally, Professor Woods notes that other nations “resent” having to ask the U.S. government to obtain information in the hands of U.S. providers necessary to a legitimate investigation in their own country involving their own citizens, both perpetrators and victims, under the procedures applicable in their own country. Resentment betrays a lack of respect for sovereignty. Doesn’t the U.S. respect the laws of other nations when seeking evidence in those jurisdictions and don’t those very countries insist on it?

Advocates for direct access to providers like to refer to the “paradigmatic case” as described in the last paragraph to illustrate the simple point. DoJ’s Richard Downing, for example, testified at the hearing in favor of direct wiretapping under the DoJ-UK proposed agreement and corresponding ECPA amendments using exactly that term. But the paradigm is seldom the case anymore. Investigations often involve users based in more than one country, data storage in another country, victims in potentially many countries. Downing relies on the “standards” in the agreement to which the UK would agree -- almost probable cause, proportional, limited duration, etc. But how would a provider know the standards have been applied? While U.S. persons would not be “targeted,” they would be incidentally collected without any notice or remedy. And there is no way to be certain of the location of the actual target either -- thus the UK could require a provider to wiretap a person in France or Germany, or anywhere the provider offered service, except for the U.S.

All this is to say that the problem is too complex for a simple or single solution. Solutions to complex problems are never simple. The fact is that there is no single solution that solves every cross-border data problem. A year ago, I argued that it might be better to seek an 80% solution through MLAT reform than trying to achieve a “complete” solution. There certainly ought to be room for agreements between nations for direct provider disclosures in certain, universally recognized cases like human trafficking or child exploitation. Using limited cases over time, with transparency, to build trust, infrastructure and experience is the stuff of creating international norms.

There also should be a greater U.S. government commitment to efficient handling of foreign requests for data. Emergency requests, for example, are handled expeditiously today. We ought to build on that experience. We need a Department of Justice for the digital era that can navigate and negotiate the myriad of interests involved in cross-border data requests.  It is not up to providers to fill that gap.

Providers, of course, can play a role. ECPA already permits the voluntary disclosure of user data with the consent of the user of the service. Uncertainty about which law might apply to determine the validity of the consent  (the law where the provider sits without regard to conflict of laws principles; the law where the subscriber to the service resides; the law of all parties to a communication; the laws of the country of any person affected by the disclosure, etc.) prudently dissuades providers from risking voluntary disclosure in response to governmental requests.

But one part of the solution might be to amend ECPA to protect providers where users of the service consent through clear terms of use to such disclosures in specific cases. Disclosure as a matter of contract law -- providers rely upon their terms of use and policies in other contexts so this is not unfamiliar territory. It only lacks clarity under ECPA and would be a simple amendment. Yes, providers would be in a difficult position, as they are today, when they say no to a voluntary disclosure. But a fully engaged Department of Justice ought to fill that gap too to protect providers against undue influence in “voluntary” disclosure cases.

In all of this, there looms the Microsoft Ireland decision. Professor Woods would reverse it through legislation. DoJ agrees and now has 5 lower court decisions in other circuits, building the case for Supreme Court review. The European Union in particular is upset at the notion that the data of EU users is accessible to the U.S. government but not EU investigators. The situation as most commentators have observed is untenable. The untenable part of it is the notion that where the data resides, regardless of how it got, who put it there, how long it has been there or is going to be there, should decide the rule of law for its disclosure to any government. Data is not in rem in the traditional sense, and old school principles of jurisdiction should form the basis of any solution for compelled cross-border disclosures.

Finally, the truth is that providers that offer global services will meet the sovereigns of other nations head on over taxes, consumer protection, criminality and national security. Nations negotiate treaties to address all of these types of international issues so that companies and individuals have certainty about the law. The entire law of international relations is built upon the recognition that sovereigns have an interest in building a fair and sustainable rules-based system for facilitating interaction on a global stage with predictable outcomes. It really is up to the U.S. government to negotiate the framework, implement the rules, protect providers and users, and move with a pace slightly greater than an iceberg because, forgive the mixed metaphor, climate change is real.

Published in: Blog , Privacy