US and UK CLOUD Act Wiretapping in Third Countries: It Is a Real Problem

My blog post on the big interception flaw in the CLOUD Act and US-UK Agreement generated some interesting responses, mostly offline, arguing that it is legal for the US or UK to use providers in their countries to wiretap users in third countries without the consent or knowledge of the third country. Setting aside national security matters under the Foreign Intelligence Surveillance Act in US, I would have thought that in a post-Snowden world, this kind of surveillance would have been inconceivable for routine criminal cases, but let’s examine the argument.

It goes like this: There really isn’t an interception in a third country when the provider and infrastructure are in the US or UK, and if the shoe were on the other foot, the US would NOT claim such surveillance violated the Wiretap Act. I’ll take the second half of the argument first (and here I can only speak to US law, not UK). The argument is that the cases cited in my blog post are about a US court’s authority to issue a wiretap order in criminal cases, not whether a violation of the Act occurred. In other words, the cases and holdings may be limited to a court’s power to issue an order and would not define where or when a violation of the Act occurs. 

I don’t think that’s right at all. Let’s use a simple case to disprove the point. Employee A works in California. Employee B works in NY. The Company email server is located in Illinois. Employee A adds a rule to the Illinois server that duplicates and sends copies of all of Employee B’s email to California. Obviously, Employee A can be prosecuted by California. And, is there seriously any doubt that NY could prosecute Employee A for intercepting the communications of a NY resident? Is there any doubt that Illinois could do the same under its law? Or any doubt that the US Attorney in any of the three states could prosecute Employee A under the Wiretap Act. Each authority can do so because an interception takes place where the person aurally acquires the content (like the “listening post”), where the wiretapped device is located (here, NY), and where the interception equipment that reroutes or duplicates the message is located. See United States v. Szymuszkiewz, (7th Cir. 2010), for the fact pattern, decided on other grounds. Employee A cannot defend in NY that he only wiretapped in California or Illinois. As some of my DoJ friends have told me in the past, where an interception occurs under the Wiretap Act is a dealer's choice and the government is the dealer, not the defendant.

Now let’s change the fact pattern to see whether a provider can violate the Wiretap Act across state lines. Assume a provider has users in every state and abroad. Users connect through the service to merchants to buy products, but the provider duplicates the purchase messages and beats the price of the merchant for its own fraudulent purposes without the knowledge or consent of the user or merchant. Yes, there’s a clear fraud, but has the provider violated the Wiretap Act? Easy answer. That’s United States v. Councilman, 418 F.3d 67 (1st Cir.2005) (en banc). 

If California, for example, wanted to prosecute the Councilman-ISP for violating the State’s wiretap statute, could it do so even though the ISP was located in a different state, its server was located in a different state and the contents were diverted in a different state? Again, there should be no doubt that the prosecutor can vindicate the rights of a California resident whose communications were diverted. Venue aside, is there any doubt that a US Attorney in any jurisdiction in which a user resides whose communications were intercepted could bring the case under the state's wiretap law? Now move the ISP offshore. Same result.

The prohibition in section 2511(1)(a) of Title 18 says nothing about where the provider or person who orders the intercept is located or where the interception equipment is located. It simply makes it a crime for any person to “intentionally intercept[], endeavor[] to intercept, or procure[] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” Intercept simply “means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”

Now let’s put the shoe firmly on the US foot. If someone in Brazil orders someone at a provider in Brazil to intercept the communications of one of its users in the US, it seems pretty clear that the Wiretap Act is violated. It doesn’t matter if the person intercepted is a US citizen or a Brazilian. The prohibition is against the interception of “any . . . . communication.” Perhaps the matter would be resolved politically if the interception were at the behest of the Brazilian government (and they may not be a “person” by definition under the Act anyway), but it would more likely be resolved criminally if the provider itself were running a Councilman-like scam that impacted residents in the US, as noted earlier. 

It also is a spurious argument to say that interception occurs only where the provider and its infrastructure are located, suggesting that the user, merely, is a passive endpoint. That argument ignores some pertinent technical facts. The target is someone who is using a service accessible in the third country through his or her device in the third country, which can only connect to the provider’s service in the US or UK through an app or interface provided by the provider that allows access through a software interface that resides on the user’s device, not to mention access is through a communications facility in the third country that provides Internet access, probably hitting some infrastructure locally that is procured by the provider as well. 

More, the user no doubt has the provider’s tracking cookies and receives ads on his or device too and a much more involved relationship with the provider in the US or UK. In other words, it is too facile to posit the hypothetical as merely involving infrastructure of the provider in the US or UK. The person, the device, the application and the connection made through equipment located in the third country is a necessary component of the communication and enough for the law of that third country to be implicated. 

Now let’s put the shoe on the third country’s foot. We’ll take Brazil as an example because I reference them in the original post. Article 10 of Brazil’s Law No. 9, 296 makes it a crime, punishable with imprisonment from two to four years and a fine, to: intercept telephone, computer or telematic communications, or to break the secrecy of the courts, without judicial authorization or for purposes not authorized by law. We already know there is an interception because either the US or UK got an order to compel the provider to acquire the content of the Brazilian user's communication. But will Brazilian law view the action as an interception in Brazil?

One need only look at the ramifications of the Snowden revelations in Brazil to understand the likely negative reaction upon learning of such a wiretap. Privacy International summarizes the state of privacy in Brazil here and recounts the Brazilian reaction and changes made in Brazilian law as a result. True, we don’t know the answer to the legal question because Brazilian courts haven’t developed the body of law that the US has on the subject. However, those courts only need to look at how the US views interception to find a useful guide.

Not that the legal question is irrelevant, but someone ought to have asked the political one: do we really believe that Brazil will accept the US or UK wiretapping a Brazilian target who uses the services of a US or UK provider? Of course, we probably are talking about wiretapping more than just the Brazilian target. There also are the target’s Brazilian family, lawyer, accountant, doctor, priest or anyone else in Brazil with whom the target communicates. Yes, that might yield useful investigative material as well, but it just makes the matter worse politically in justifying the wiretapping of a person in Brazil.

Maybe more to the point, why would a US or UK company take the chance of violating the law in a third country in the first place, especially if that company has employees in the third country who may be at risk of arrest or prosecution. Again, Brazil has a history of doing just that so this is not mere speculation. 

The problem is even more acute because third countries like Brazil are the ones most frustrated by the inadequate responses they get when seeking evidence from US providers through the MLAT process or otherwise. Now Brazilian law enforcement will learn that US providers can be made to wiretap Brazilian users to investigate crimes in the US, but Brazilians can’t have the same provider wiretap Brazilians to investigate crimes in Brazil against other Brazilians. Worse, they can’t even access stored content, which the CLOUD Act makes accessible to US law enforcement even when it is stored in Brazil. At best, this is tone deaf on the part of US and UK authorities; at worst, it is putting US and UK providers at risk of criminal prosecution in third countries. In sum, it’s a real problem.