Note: This is part four of a series of posts on the MLAT system and human rights. See part one: We need to fix the broken system for cross-border access to data, part two: What’s wrong with the system for cross-border access to data, part three: A diagnosis: why current proposals to fix the MLAT system won’t work, and part five: How to make an MLAT “safe harbor” safe for users.
In previous posts we introduced the major problems with Mutual Legal Assistance Treaties (MLATs), the system for law enforcement access to data across borders. We also discussed how current proposals for fixing these problems miss the forest for the trees by neglecting to address the MLAT system itself, while also failing to protect human rights. Here, we’ll talk about what real, rights-respecting MLAT reform should look like, and suggest a path forward for determining jurisdiction when it comes to access to data.
Two years ago we published a set of recommendations to improve MLATs. Those recommendations dealt with shortcomings that still exist. We should also take further steps to modernize MLATs.
Ensure human rights protections
First, existing and new MLATs must contain adequate human rights safeguards. MLATs should include methods to ensure parties maintain human rights protections in the scope of implementation. MLATs should also provide clear process for emergency cases so that the process can be expedited when needed. Properly indicating which requests are truly emergency requests would alleviate pressure on the entire system.
MLATs should also all ensure appropriate accountability, remedy, authentication, and oversight in legal assistance. Each country participating in an MLAT should commit to public transparency reporting with clear, easily accessible information covering the way users’ data records are shared with foreign law enforcement and by notifying users when their data are accessed. Public oversight and accountability would inherently raise awareness that MLATs exist and must be implemented in a way that respects rights.
Cover the gaps in MLAT coverage
There are still gaps in MLAT coverage. The website MLAT.info that Access Now operates shows connections representing agreements, but there are regions with very little coverage. Africa, for example, has fewer agreements than other regions. Yet even those countries with fewer resources to address criminal activity online must still deal with it. Policymakers should close the gaps with a balanced approach that facilitates creating agreements, offers training on MLATs requests, and provides resources for participating in the exchange of information. One way to help encourage the creation of new and updated MLAT agreements is to develop a model MLAT. The U.N.’s model treaty is out of date, but a new version could better capture the demands of modern cross border data exchange.
MLAT requests are complicated because they involve a number of parties. Network and computer systems supporting MLATs must be up to date. The Obama administration requested funds to update the U.S. MLAT system, but it remains underfunded. Governments must do more, both in the U.S. and internationally. The system would work much better with more resources, electronic request forms, and a single agency designated as a point of contact in all countries.
Clarify jurisdictional questions
MLATs create a process to allow the transfer of data between jurisdictions, but they don’t resolve the underlying, fundamental questions about what information government officials can access without international assistance. In other words, even with MLAT reform as a helpful first step, it would be far from settled whether and when a country can exercise jurisdiction over data.
MLATs can help when they have more specificity in their terms. For instance, some agreements contain a dual criminality requirement, meaning that law enforcement can request data only when the criminal acts under investigation are a crime in both countries involved in the request. MLATs could also clarify the circumstances under which countries must use an MLAT request to access data and when they must operate outside MLATs. Moreover, they could specify the factors for determining which country’s laws apply.
However, problems remain because underneath MLATs, the way we traditionally determine whether a country has jurisdiction is not necessarily appropriate for access to data:
- Location of the data – as we have noted, data are often stored in arbitrary locations, or even multiple locations, for reasons such as efficiency or security that are unrelated to considerations regarding government access.
- Location of the entity holding the data – if jurisdiction is based on the location of the entity, or the terms of service set by the entity that controls the data, then companies can self-select the jurisdiction that satisfies their interests. Further, corporate entities may be located in several locations, making it difficult to determine what data are controlled by what entity.
- Location of the data subject – again, the data owner’s location may have only a tangential relationship with the crime or country investigating the crimes — say, for instance, a data subject moves in anticipation of an investigation. Also, this standard encourages the collection of unnecessary information, itself a human rights violation, in order to determine where the data subject is located. Even with the additional collection such a determination may be difficult due to the use of virtual private networks (VPNs) or other services like Tor.
- Location of the victim or harm – countries can broadly define this standard in order to enforce criminal laws against domestic persons or companies where the primary victim or harm is felt elsewhere.
Want data? What is your relationship to it?
In a world where data flows are complex and often counter-intuitive, unleashing government access based purely on the above factors would grant governments too much leeway over data with which they have a very tenuous connection. Though simple, a test based on all or one of these factors alone could create further incentives for bad behavior, like companies, governments, or people moving themselves or data or manipulating criminal circumstances to gain jurisdiction rather than based on justice, fairness, efficiency, human rights, and user protections. It would also grant countries with access to companies or data undue authority. Whether or not data justifies unique treatment — a source of debate for decades — the traditional jurisdictional rules are a poor match for determining whether access to data is appropriate.
Also a poor fit for rights-respecting access to data is a system of universal accessibility for any country. Such a system would likely be dependent on a centralized authority to resolve conflicting claims over data and, in practice, do little to prevent access to the information for unfettered human rights violations.
Instead, in the future international law will need to adapt or develop a standard that considers the above bases for jurisdiction, but in a way that is more equitable and respectful of the parties involved in a criminal investigation and the people about whom data is being requested. One factor by itself is likely not enough.
- Is the county’s relationship with the data based on an actual interest in the harm, victim, or data subject?
- What are there competing claims or jurisdiction? How specific or generalized is the harm?
- What is the basis for the country’s relationship with the data?
Only through an analysis of a combination of the factors should a country be recognized as having an intimate enough relationship with the data to demonstrate jurisdiction. If not, and the relationship is based on the location of data or location of company holding the data, the country should defer to international agreements like MLATs.
The MLAT system can reduce the tension created by questions of internet jurisdiction. However, moving forward, we need a more comprehensive and long-term approach. Changes in international law are never easy and certainly not so for longstanding law. However, countries should not be perpetually bound to rigid, outdated systems simply because it was the way things have always been done. All parties will benefit from a more effective but fair system, first by updating the MLAT system, but ultimately through creating more fair and just jurisdictional rules for access to data.
In our final post in the series, we will focus on the potential for rights-respecting MLAT “safe harbor” mechanisms. Stay tuned.