In my first blog post on the CLOUD Act and US-UK Agreement, I noted that the wiretap provision of the CLOUD Act - as opposed to the stored content provisions resolving the Microsoft Ireland case - hardly had been discussed, but it was sure to raise concerns in those third countries where users were targeted by US or UK law enforcement. In my second post, I responded to some of the comments I received by pointing out that indeed, wiretapping in a third country, using Brazil as an example, could be a criminal matter for the provider; and, if a nonUS provider at the behest of foreign law enforcement wiretapped someone in the US, we would no doubt call it a crime under the Wiretap Act.
Jenn Daskal, over at Just Security, responded to my two blog posts, asserting that the Act and the US-UK Agreement “does not in any way expand or change U.S. wiretapping authorities.” Of course, I never said it did. But those authorities I cited, and she acknowledges, make my point -- under US law, an interception takes place at the location of the surveilled device as well as the location of the listening post. That means there is a colorable argument in those third countries where their laws prohibit “interception” that there is an illegal wiretap of the US provider’s user if “interception” is interpreted the same way as it is in the US.
Daskal acknowledges that UK CLOUD Act orders “could result in the UK intercepting the communications of persons located outside either the United States or the United Kingdom, if such communications were routed through US-based providers.” That’s the point. The fact that a communication is “routed” through a US provider and then rerouted to a UK listening post does not change the fact or eliminate the risk that if the third country defines interception to include the location of the target’s device, just as does the US, there may be serious consequences for providers. It’s that simple.
Daskal makes another point that I’m not so sure is correct, or at least the Snowden disclosures have taught me to read language in statutes and agreements very carefully with a skeptical eye. She points out that the UK can obtain orders to require US providers to wiretap in third countries because it has “in place authorities that explicitly authorize the issuance of extraterritorial orders.” True enough. She then says the following:
By contrast, the United States does not, at least currently, have an equivalent authority in U.S. law – in part perhaps because the United States has not had an equivalent need to access communications traveling between UK-based and other extraterritorially located providers. Thus, while, as Gidari points out, the Agreement provides for reciprocal access in theory, there is no reciprocal change in practice. No affirmative authorities exist to enable the United States to compel assistance by foreign-based providers that are not otherwise subject to U.S. jurisdiction.
If Daskal is correct, then the Agreement truly is one-sided because there are no authorities to issue search warrants or other legal process to entities outside the US either. Under this line of thinking, the US obtained nothing from the reciprocity provision in the Agreement even though it touted reciprocity as a reason Congress should approve the CLOUD Act. That is, of course, unless the US actually plans to serve subpoenas or court orders on UK providers to access the content of nonUS persons abroad under the CLOUD Act. How would the US do that?
First, Daskal is correct that the Wiretap Act cannot be used to order a wiretap outside of the United States. See United States v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987); United States v. Maturo, 982 F.2d 57, 60 (2d Cir. 1992). But that doesn’t mean that there can be no extraterritorial wiretaps. Said another way, if the wiretap is extraterritorial, there is no Wiretap Act constraint in doing it. As the Sixth Circuit explained in Huff v. Spaw, 794 F.3d 543 (6th Cir. 2015):
when determining whether an alleged interception is extraterritorial . . . we do not consider whether the plaintiffs are citizens of the United States, or whether the communications traveled through United States telecommunication infrastructure. Instead, we look to where the interception took place. Title III defines interception as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). The relevant location is not where the [plaintiffs’] conversations took place, but where [the defendant] used a device to acquire the contents of those conversations.
Id. (citations and internal quotations omitted).
Neither the CLOUD Act nor the Agreement requires that the US procure an order under Section 2518 of Title 18 to compel a UK provider to tap one of its users. The Agreement simply refers to “Orders subject to this Agreement,” which are those certified by the executive authority of the requesting country to comply with the Agreement. The Agreement defines an Order in Section 1(11) as: “a legal instrument issued under the domestic law of the Issuing Party requiring the disclosure or production of Covered Data (including any requirement to authenticate such Data) by a Covered Provider, whether for stored or live communications.”
So what “legal instrument” could the US provide to meet the CLOUD Act if neither Rule 41 for search warrants nor Section 2518 of Title 18 for interceptions apply? Probably any number of lesser forms of legal process. Here is a hypothetical to test the idea:
1. Assume there is a massive, global money laundering case in progress in US federal court;
2. Assume the key target of the investigation is known to be a British Telecom text message user residing in Italy (BT has operations in 180 countries!).
We know the AUSA could not ask the court for a wiretap order on BT under section 2518 of Title 18 because that statute has no extraterritorial reach, but could the AUSA ask the court for an order to intercept the texts of the target otherwise? The court plainly has subject matter jurisdiction over the case, but no doubt would be nonplussed and confused by such a request.
The AUSA could tell the court that (a) the CLOUD Act removed the blocking statute in the UK for wiretaps by the US, (b) neither the Wiretap Act nor the Fourth Amendment applies to non-US persons outside the US, (c) all steps for interception will be outside the US, and (d) upon delivery of the “CLOUD Act order” issued by the court, the UK will certify it to BT, which will implement it per the US-UK Agreement. Absent the CLOUD Act and Agreement, BT or any other provider outside the US likely would refuse the order, arguing that it lacked force, that the AUSA had no authority binding on BT to issue an extraterritorial order, and that personal jurisdiction was absent. But given the Agreement, perhaps BT, under UK pressure, wouldn’t question the order at all. We don't know.
The AUSA might style the order differently as well — something innocuous like An Order to Access Data, which simply would require BT to produce stored text messages and to do so continuously for 30 days after receipt of the order. It wouldn’t be the first time that gentle and generic wording comforted a magistrate into issuing an order (think Stingray and the Rigmaiden case) where the "technical" details are blurred.
One other point in Daskal's post made me think more about US provider practices. She said in the quote above that US authorities haven't had the need to resort to nonUS providers, presumably because the vast majority of data of interest to US law enforcement passes through US providers and facilities. So are US providers already implementing email or social media account wiretaps on users located outside the US? I personally never saw it in the years representing many online providers, but if they are, the risks of violating foreign law are every bit as applicable as they are for CLOUD Act interceptions.
Most providers don't say in their transparency reports (fourth blog coming) whether they have received or implemented wiretap orders at all, let alone on users targeted outside the US. Given that DoJ's position in the Microsoft Ireland case was that the search warrant was not extraterritorial because the access took place in the US, the argument sounds eerily similar to the "listening post" location definition of interception I've described in the previous blogs.
This being the third blog post on the CLOUD Act and Agreement, it would be easy to conclude that I’m against both. I’m just against bad drafting, uncertainty caused by clever wording, and a lack of transparency. The CLOUD Act and executive agreements are an important step forward in resolving law enforcement needs for timely access to data for legitimate investigations outside the US, reducing threats to providers where US law otherwise precludes compliance with nonUS data demands, blunting data localization trends, and raising the privacy protections afforded users. Daskal and her colleague Peter Swire make a strong case for the CLOUD Act and executive agreements generally, and everyone ought to read their excellent writing on the subject. But this being the first such Agreement, it is important to get it right and so there will be a couple more posts to come on the subject.