The Big Interception Flaw in the US-UK Cloud Act Agreement

On October 3, 2019, the United States and the United Kingdom entered into a first-of-its-kind executive agreement under the CLOUD Act. The text of the agreement was released on October 7, 2019. For a fine overview of the provisions of the agreement, Jennifer Daskal and Peter Swire posted a summary on Lawfare, identifying some surprising provisions and others that fall a little flat. But there is a big flaw in the agreement that hasn’t been discussed -- it allows either the US or UK to require a covered provider to wiretap a user located not in the US or UK, but in any third country, without the approval of that sovereign nation and perhaps even without its knowledge. 

Yes, read that again. The agreement permits either the US or UK to require a covered provider to intercept the communications of its users in third countries, say like France or Germany or really any other country. So much of the discussion around the CLOUD Act has dealt with access to stored data that almost no attention has been paid to this expansive wiretap provision. It is one thing to leave it to a provider as to where to store your content but it is wholly another matter to realize that your entirely local communications through a platform in the US or UK may be subject to extended monitoring in the future. 

The CLOUD Act provides that a foreign government that has entered into an executive agreement with the US may issue an order for interception to a US provider. See 18 U.S.C § 2523(b)(4)(D). Article 5, section 3, of the US-UK agreement parrots section 2523 and states: 

Orders subject to this Agreement for the interception of wire or electronic communications, and any extensions thereof, shall be for a fixed, limited duration; may not last longer than is reasonably necessary to accomplish the approved purposes of the Order; and shall be issued only if the same information could not reasonably be obtained by another less intrusive method.   

The CLOUD Act and the agreement have reciprocal rights so the US would be able to order a UK provider to intercept the communications of its users in a third country as well. See 18 U.S.C. § 2523(b)(1)(I)(“the foreign government shall afford reciprocal rights of data access [author's note: which includes interception], to include, where applicable, removing restrictions on communications service providers, including providers subject to United States jurisdiction, and thereby allow them to respond to valid legal process sought by a governmental entity (as defined in section 2711) if foreign law would otherwise prohibit communications-service providers from disclosing the data”)

But wait, the Wiretap Act has no extraterritorial effect, right? That is, by definition under section 2518(3) of Title 18, a judge may only issue an order for interception of communications “within the territorial jurisdiction of the court in which the judge is sitting (and outside that jurisdiction but within the United States in the case of a mobile interception device authorized by a Federal court within such jurisdiction).” 

Many commentators have said exactly as much. For example, Jennifer Daskal in an article last year, titled Setting the Record Straight: the CLOUD Act and the Reach of Wiretapping Authority Under US Law, said: “there is no authority for a judge to issue a wiretap warrant for the interception of data in Europe, or any other place outside the territorial boundaries of the United States. The CLOUD Act did not change this.”

But that’s not exactly how wiretaps work under US law. Interception is defined in section 2510(4) of Title 18 as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Where acquisition of content occurs then defines the territorial jurisdiction of the court issuing the order.    

In the US, an interception may take place where the communications are heard (i.e., the “listening post” of the agent), where the target device is located, and/or where the equipment used to divert the communications is enabled. See United States v. Denman, 100 F.3d 399 (5th Cir.), cert. denied, 520 U.S. 1121 (1996)(for jurisdictional purposes for ordering a wiretap, interception of a wiretap includes both the location of tapped telephone and the original listening post, and judges in either jurisdiction have authority to issue wiretap orders.) So while literally true that the CLOUD Act didn’t authorize interceptions in Europe, for example, the truth is that it didn’t have to because as long as the aural acquisition of contents occurs in the US, the interception takes place in the US. 

If you think the logic is limited to cases where the devices, the network and the listening post are in the US, that would be incorrect. For example, a wiretap order has been held to be proper when targeting a drug defendant's cellular telephone calls made on devices located in Mexico because, under the “listening post” analysis, the “interceptions” took place in the Drug Enforcement Administration “wire room,” which was located in the US in an area within the district court's jurisdiction. United States v. Cano-Flores, 796 F.3d 83 (D.C. Cir.), cert. denied 136 S.Ct. 1688 (2015). 

The Cano-Flores court also noted that the communications traversed and were accessed by cellular towers located in the US, but that was not the dispositive point. See United States v. Rodriguez, 968 F.2d 130 (2d Cir.1992)(besides occurring at the site of the telephone, an interception “must also be considered to occur at the place where the redirected contents are first heard.”). The basic reasoning has been accepted in all US courts of appeals to address the issue. See United States v. Henley, 766 F.3d 893, 911–12 (8th Cir.2014); United States v. Luong, 471 F.3d 1107, 1109–10 (9th Cir. 2006); United States v. Jackson, 207 F.3d 910, 914–15 (7th Cir.), vacated on other grounds, 531 U.S. 953 (2000); United States v. Tavarez, 40 F.3d 1136, 1138 (10th Cir. 1994).

So it seems clear that a US law enforcement agency, in NY for example, could apply for and obtain an order to compel a UK provider to intercept the communications of one of its users located in a third country so long as the listening post for communications was located in NY. What previously had been thought of largely as a domestic law, quibbling over whether a judge in NY could order a wiretap on a mobster in Jersey, now has serious global reach. And it has been enabled by the US-UK agreement, which should give providers serious pause before implementing such an order. And in letting the agreement go into force by failing to disapprove it within 180 days of certification, Congress will acquiesce in the broader reach of wiretaps into third countries. 

Why should providers pause? Because the US-UK agreement requires notice to the third country when either the US or the UK seek data on a person located outside either country. The agreement states as follows:

In cases where an Order subject to this Agreement is issued for data [author's note: which again includes interceptions] in respect of an individual who is reasonably believed to be located outside the territory of the Issuing Party and is not a national of·the Issuing Party, the Issuing Party's Designated Authority shall notify the appropriate authorities in the third country where the person is located, except in cases where the Issuing Party considers that notification would be detrimental to operational or national security, impede the conduct of an investigation, or imperil human rights.  

On the face of it, kudos are in order because the provision appears to respect the sovereignty of the third country whenever data on someone within its borders is being sought. However, how the notification process will work is unclear but it is sure to cause no end of political concern and perhaps worse for providers.

Notice to third countries actually doesn’t ameliorate the problem, it exacerbates it by cluing the third country in to electronic surveillance on a person within its borders. The agreement makes it worse because nothing in it specifies whether notification needs to be made, for example, before the interception order is issued or executed. If notification is made before the collection, presumably, that country could raise objections to US or UK authorities to the conduct of electronic surveillance on someone within its borders. Although, how and where objections could be lodged is not clear, only that such objections are likely to be for naught because there is no judicial review.  

Indeed, it is the US or UK Designated Authority, not a court, who decides whether notice should be withheld because it “would be detrimental to operational or national security, impede the conduct of an investigation, or imperil human rights.” The discretion seems absolute. Of course, the third country may never know that electronic surveillance was conducted on someone within its borders. If it finds out or gets notice, the third country still has no remedy under the agreement other than political outrage perhaps.   

Nothing in the agreement even appears to require the issuing party to inform the issuing court that the intercept target is located outside the country. A court likely will only be told that the target is a user of the subject provider, which is a covered provider under the agreement.  

Lastly, the agreement does not require that a provider be told that the issuing country has given notice to a third country. Why is it important? In most countries, including the US, it is unlawful to intercept the contents of a communication unless authorized by a court or specified authority. Is there any doubt that the US, for example, would consider the acquisition of the content of communication by a third country of someone located in the US as a violation of its sovereignty and the Wiretap Act? It's why US-based providers offering services accessible in places like Brazil, for example, don't conduct wiretaps for their law enforcement agencies. Indeed, US-based providers don't even flip the switch so to speak in the US to facilitate a tap on a device located in Brazil or any other country because of the broad definition of interception under US law. So is there any doubt that a third country will consider such electronic surveillance to be an unlawful interception? 

The surveillance network made possible under the CLOUD Act is about to be extended yet again as the US and Australia jointly announced that they are negotiating an agreement as well. While the CLOUD Act may have made sense in regard to the disclosure of stored communications under the custody or control of a provider who built its network in a way to distribute data globally for its own business purposes, it is another thing entirely to target users outside the US or UK for the prospective acquisition of their communications. And in the case of the UK, such acquisition is not limited in the agreement to 30 days as under US law.  It would have been more reasonable to limit interceptions to targets within the borders of the requesting country (e.g., interception conducted by US provider on its user located within the UK). 

Providers should not assume the risk that the third country has no objection to or law against such surveillance. Where notice has been withheld, it is imprudent for a provider to take the risk that the third country will be forgiving. The third country’s remedies against the US and UK largely are political, but remedies against the provider who cooperated in the surveillance are criminal. The immunity provisions in the CLOUD Act are for actions brought in the US and UK, not in third countries.  While providers may ask for certifications that third countries have been notified, the better course is to reject interceptions on targets known to the provider to be outside the US or UK. For those that decide to accept such orders, it will be interesting to see whether CLOUD Act orders become part of their transparency reporting, including details on whether the orders were for stored or prospective acquisition of content, and whether the targets were outside the US or UK.