Note: This is part three of a series of posts on the MLAT system and human rights. See part one: We need to fix the broken system for cross-border access to data , part two: What’s wrong with the system for cross-border access to data, part four: How to fix MLATs — and a path toward resolving jurisdictional issues, and part five: How to make an MLAT “safe harbor” safe for users.
As we explained in our previous post, there are significant shortcomings in the current system for cross-border access to data. In the absence of reform, some countries are pursuing harmful unilateral laws and policies that undermine human rights. We’re also seeing governments look to non-MLAT bilateral or multilateral options to bypass the MLAT process. The European Union, for example, is reviewing digital evidence rules that would apply to all E.U. countries, and the Council of Europe is in the early stages of negotiations to grant greater direct access to the countries party to the Convention of Cybercrime (Budapest Convention).
The U.K.-U.S. MLAT “bypass” proposal is a cure that fails the patient (and our rights)
You can see the dangers of bypassing the MLAT system in the agreement the U.K. and the U.S. have been discussing (largely in 2016). This agreement would allow law enforcement officials in the U.K. to wiretap or directly order companies to hand over user data stored in the U.S. — and vice versa — without going through formal processes. Such a “safe harbor” around the U.S.-U.K. MLAT and U.S.-E.U. MLAT, would, as crafted, fail to protect the rights of people in either of the participating countries — leaving aside the rights of people in other countries.
For the agreement to move forward, the U.S. Congress would have to pass a law to modify the protections people in the U.S. now have against foreign government access to their data. Lawmakers in the U.S. advanced draft legislation to do this last year, but it hasn’t yet been seriously considered in the Congress, although it has been identified it as a priority for 2017. What makes the draft law especially worrisome is it would not only let the U.S. government make this new agreement with the U.K., but also grant it authority to make similar agreements with other countries. This “cure” for the MLAT problem would likely prove popular, since many of the world’s largest tech firms are located in the U.S., and much of the data itself is also stored there. Indeed, countries such as India and Brazil have already evinced interest in it.
There are deep flaws with this type of agreement, some of which we have previously addressed, including problems with how the legislation would be implemented and what it would mean for the system of sharing criminal evidence. Notably, this bypass would also would fail to accomplish the critical goals for MLAT reform that we identified in part two of this blog post series. Here’s how it falls short.
- MLAT bypass agreements will bring only limited efficiency gains for lawful government requests
While a “safe harbor” agreement could alleviate some of the strain on the MLAT system, it would have limited impact. First, only some countries would be invited to an agreement with the U.S., while others would be left to depend on MLATs. Importantly, no part of the proposal would reform the regular MLAT process.
The proposed agreement would create a process for the U.S. Departments of Justice and State to approve countries for participation. Given U.S. government aversion to international influence and the desire to protect domestic companies from resource-intensive data requests, the U.S. government would likely enter into only a limited number of agreements. Because these agreements are intended to be reciprocal, preference would likely be given to nations where the U.S. has an interest in conducting its own law enforcement activities. The most obvious partners would be the usual players: the U.K., Canada, New Zealand, Australia, Germany, France, and India.
Some of the countries most affected by cybercrime include China and Russia, both of which have an MLAT with the U.S. yet are not close allies for the purpose of intelligence sharing. These countries likely under-utilize the MLAT system and both have moved to mandate the localization of more data within their geographic boundaries.
As part of its post-Snowden reforms, the Obama administration promised to increase trainings for foreign officials so that trans-border requests for user data would be more likely to meet the U.S. search standard — reducing the MLAT backlog. But bypassing the process for certain countries would do nothing to help other countries satisfy the U.S. standard (by establishing “probable cause” when seeking communications content, as is required by U.S. law, or providing the appropriate amount of detail).
- MLAT bypass agreements don’t adequately reduce incentives for governments to interfere with private-sector platforms and networks
Governments have gained and continue to pursue means of getting access to user data that do not depend on cross-border cooperation. They have purchased or developed hacking tools, arrested uncooperative corporate executives, required that companies store data locally or maintain local infrastructure, or simply taken steps to statutorily extend law enforcement’s jurisdictional reach beyond national borders. These policies threaten human rights, undermine cybersecurity, and put at risk the free flow of information, as Access Now and many others have pointed out. People may assume that MLAT bypass agreements will fix the problems that are causing these issues. But no part of any current agreement actually requires partner countries to do so.
For instance, these agreements do little to stop governments from imposing mandatory data localization laws or policies, even though that has been cited as a primary rationale for pursuing them in the first place. As we noted above, the U.S. will grant special access only to certain countries. At the same time, a Russian data localization law has ostensibly gone into effect, requiring companies to store Russian citizens’ data in Russia. China similarly bolstered its own data localization rules via a new cybersecurity law. These requirements put companies in the difficult position of deciding either to pull out of the market or comply with the law and store data locally, thereby putting their users at greater risk of surveillance. Late last year, Russia banned LinkedIn when it refused to comply with a localization requirement.
Further, governments have many different motivations for passing these laws: to gain advantage for local infrastructure or disadvantage foreign tech companies, to enable access to data for non-criminal purposes, to prevent surveillance by foreign governments, etc. Even a perfect MLAT system would not likely put an end to localization laws (although it might help).
Another problem that this type of bypass agreement won’t fix: governments seeking access to data on end-to-end encrypted communications services like WhatsApp. When the data are encrypted this way, the companies themselves do not have access to the plain text of the communications. Governments could still seek access to metadata from these companies under a bypass agreement, but generally speaking, companies can already hand it over outside of the MLAT system.
- MLAT bypass agreements won’t give users, governments, or companies clarity on how user data will or should be treated
The U.S. draft legislation to implement MLAT bypass agreements provides criteria for evaluating whether a country is eligible. The language provides only factors, not requirements, for approval and is written so broadly as to be open to interpretation. For example, one factor is that a country “adheres to human rights obligations” or simply “demonstrates respect for international universal human rights….” Under such a vague standard, whether a country qualifies or not could be at the sole discretion of the U.S. government, and because the bill prohibits any judicial review of the determination, there is unlikely to be transparency or accountability for the process.
Also, the system would be built around U.S. protections for privacy, and while these may provide a heightened standard, the protections remain in flux, so there are no guarantees for longevity. For example, the U.S. Supreme Court has never addressed whether constitutional privacy protections apply to data stored at rest. Additionally, it remains in question what level of protection is available for data at third-party providers, like phone companies. Even more troubling is that the U.S. has narrowly interpreted its human rights obligations for people living outside the U.S. Without tackling any of these more challenging questions, the proposal makes the U.S. government a gatekeeper in determining whether a country can have access to user data, and even with an agreement in place, grants U.S. authorities a veto over that access (which could be used selectively).
- MLAT bypass agreements won’t provide adequate protections for our rights
Because MLAT bypass agreements between countries would greatly increase law enforcement’s access to data, they must come with increased commitments to protect people and safeguard human rights. Setting the bar low to allow countries to qualify only ensures that human rights protections continue to erode. If we move ahead with these kind of agreements, we must at minimum establish high standards for governments around the world to strive for.
We previously discussed four human rights problems with the U.S.-U.K. agreement. They were, broadly:
- The legislation enables agreements with countries with poor human rights records
- The legislation enables direct requests for wiretaps without heightened protections
- The legislation would extend the reach of already-expansive U.K. surveillance
- The legislation won’t fix the flawed system for cross-border access to data (MLAT)
There are a number of other problems to raise. The legislation is missing several elements to make it a rights-respecting instrument that would adequately protects the rights of users around the world. In all these instances, people would be dependent on protections that exist under the law of the country that makes the request.
- The legislation would also give the U.S. reciprocal access under every agreement, which may deepen the concern globally that the U.S. has disproportionate access to users’ data.
- The safeguards for the requests themselves are inadequate. Under the proposal, agreements must contain some (albeit inadequate) safeguards to protect the data of U.S. persons and institutions, with more narrow requirements for non-U.S. persons. It does not include proper due process protections or requirements for user notification, transparency, or public oversight, nor does it provide protections for the integrity of communications systems.
- The legislation does not provide any mechanism for challenging the requests for failing to satisfy any of the requirements.
- The legislation prohibits mass surveillance, but it does not limit targeted orders that would require significant technical modifications.
So the question remains: If this isn’t how we should fix the way law enforcement gets access to data overseas — what is? Our next two posts will explore how to fix MLATs and examine the potential for rights-respecting “safe harbor” mechanisms.