I’ve written here, here, here about the interception flaw in the US-UK Agreement under the CLOUD Act, which permits at least the UK to order US platforms to wiretap a user in a third country, without notice or permission of the third country and possibly against its law. And here about the lack of transparency for CLOUD Act interceptions. To close out the discussion, this post asks whether these flaws in the Agreement can be fixed.
Civil liberties and privacy groups have raised other concerns about the Agreement in a letter to Congress, asking that the Agreement be rejected as is Congress' prerogative under the CLOUD Act. Even ardent supporters of the Agreement like Jenn Daskal at Lawfare have written that there is room for improvement in the Agreement. In my view, the first executive agreement under the CLOUD Act ought to be a model of clarity, transparency and accountability for future agreements and it should not be approved by Congress until it is fixed.
If done right, these agreements can raise the bar in partner nations when it comes to standards for surveillance and transborder investigations, all of which benefits user privacy. Done poorly, the result will be abuse, suspicion, criticism and potentially disfavor amongst other nations. If the US and UK were smart about it, one more pass at the Agreement’s terms, taking into account the comments of various stakeholders, would be worth the wait in approval.
Targeting Users in Third Countries under the Agreement Should Be Rejected
As I’ve noted in prior posts, this is a vastly different issue than retrieving user data a provider chooses to store somewhere abroad. Reaching into another sovereign nation to target one of its citizens without so much as a “by your leave” is bad policy; but worse, it may leave providers exposed to criminal liability in those countries once the activity becomes known.
Jenn Daskal at Lawfare also acknowledges the sovereignty flaw in the Agreement, saying:
It also would be helpful to both specify the timing of third party notice and provide a mechanism for third party countries to raise objections upon receiving notice that their citizens’ or residents’ data is being targeted pursuant to an order issued under the CLOUD Act agreement—e.g., pursuant to a UK wiretap order issued to a U.S.-based provider.”
But in truth, the third country notice process, while commendable in theory, is unworkable within a CLOUD Act framework. The right answer is to limit interceptions to domestic targets.
Daskal essentially comes to the same conclusion:
Alternatively, future agreements—or modifications of the current one—could avoid this problem altogether by limiting the foreign government authority to wiretap third party nationals. The Agreement could specify, for example, that the partner government (in this case the UK) could target their own nationals or residents only. The communications of third party nationals might still be subject to so-called “incidental” collection – meaning their conversations could be picked up if they were in communication with the target of the interception – but direct targeting of third party foreign nationals would be avoided. These changes could be added as modifications authorized under the Agreement, via supplemental agreements and/or in further agreements that may follow this one.
The efficacy of such a change, however, is undermined if in fact the US currently conducts interceptions of user communications in third countries pursuant to US wiretap orders. The “listening post” theory of where an interception takes place under US law could be applied to interceptions of targets located outside the US, but listened to or accessed within the US. As I’ve noted previously, doing so puts providers at risk in the country where the target is located. This is not a CLOUD Act problem, it is a transparency problem, as we do not know if this has been practice outside of FISA. If it is the US practice, then it is understandable why other nations like the UK (and every other nation that seeks an executive agreement) would want the same investigatory tools.
Perhaps these precepts of sovereignty are quaint in the modern, interconnected world, but I do not think the nations outside the CLOUD Act club will take kindly to the surveillance hegemony of a handful of states where the bulk of providers reside. Many of these countries will never qualify for or enter into a CLOUD Act executive agreement. So the CLOUD Act does nothing to solve the problem of extraterritorial assertion of jurisdiction over US-based providers for compelled access by third countries, data localization, or lower standards for surveillance. The US and UK should confine interceptions to domestic monitoring and avoid these otherwise difficult sovereignty problems.
More Transparency, not Less, is Needed for CLOUD Act Agreements
As noted in the last transparency blog post, we may never know if a US provider conducts a wiretap in the UK or a third country under the Agreement. And we do not know if the US compels US providers to target users in third countries today (including, ironically, users located in the UK). The Agreement ought to ensure that providers can report their own data access statistics, and providers ought to be more transparent still, reporting the location of the targets of surveillance at a minimum.
Both the US and the UK actually report aggregate wiretap statistics. The UK reports wiretap numbers through the Investigatory Powers Commissioner’s Office. The 2017 annual report - the first under the Investigatory Powers Act - was published in May 2019. There were a total of 3535 interception warrants issued during 2017, of which 2,306 warrants (65.22%) were for serious crimes; the rest for national security. (21 of these warrants were issued under the controversial bulk interception provisions of IPA, which by definition means a larger number of users potentially affected).
Publication of these statistics is commendable but still insufficient. As the IPCO stated in the report:
There is a limit to how much we can say in a public document about the interception of communications because of the statutory secrecy provisions contained in RIPA (and replicated in the IPA). These provisions place a duty on anyone involved in interception to keep secret certain aspects of the interception process including, for example, the existence and contents of a warrant, the steps taken to enforce a warrant, and everything in the intercepted material or any related communications data. Par. 7.11.
The CLOUD Act requires that any executive agreement entered into must have “sufficient mechanisms to provide accountability and appropriate transparency regarding the collection and use of electronic data by the foreign country.” See Section 5, codifying new section 2523(b)(1)(B)(iv) of Title 18. How that provision manifests itself in the Agreement is baffling if providers are constrained from reporting the number of UK interceptions or the location of targets in third countries.
As I’ve written in the past, in the US, provider reporting of government data access requests often conflicts with the Congressionally mandated reporting of the “official” numbers. Provider transparency is a government accountability mechanism. It must be preserved and expanded to ensure we can judge the value and benefit of these agreements in the future.
Sometime next Spring, the US-UK CLOUD Act Agreement will go into effect absent Congressional disapproval. It would be wise for the US to act now to fix and improve the Agreement. There may well be ways to do it without restarting the 180-day approval clock, but that presupposes either the US or UK are interested in making these changes, which, unfortunately, is a doubtful proposition.