Four ways the new proposal for bypassing MLATs fails human rights

At Access Now we care deeply about your right to digital privacy. If you follow this blog, you’ll know that it leads us into some fairly nuanced areas of international law, such as the Mutual Legal Assistance Treaties (MLATs). These treaties are central to the international framework that allows law enforcement in one country to get access to information stored in another country.

Like agreements in many areas of law, these treaties were drafted for an analog world. Access Now has long called for improvements to the MLAT process to cure known failures. The process is too slow for urgent law enforcement investigations and is often under-resourced and confusing.

This week the U.S. government proposed a new piece of legislation that will allow other governments, starting with the U.K., to directly request users’ data from companies within the U.S., including from major tech companies. That would mean letting a court — or, in some cases, a law enforcement official — in one country issue a legally binding order on a company in another country. This could undermine legal protections and harm human rights. Law enforcement in the U.K. and elsewhere need to conduct valid investigations, and there should be appropriate tools to access data.  But we cannot allow privacy safeguards to deteriorate, and, unfortunately, the proposed legislation does not guarantee that a partner country will respect human rights standards. Nor does it offer much-needed improvements for the existing MLAT system.

Here are four problems with what is being proposed:

1.) The legislation enables agreements with countries with poor human rights records

The current proposal was drafted in coordination with the U.K. government, but other governments are reportedly interested in similar agreements. Under the proposal, the U.S. Department of Justice would have to certify that each country meets certain baseline human rights standards, but those standards aren’t adequately established. For example, under the proposal a partner country must “adhere to applicable international human rights standards.” However, countries that do not adhere to these standards would be required to have only a “demonstrat[ion of a] respect for international universal human rights.” It’s hard to see how this weak standard will properly protect users.

2.) The legislation enables direct requests for wiretaps without heightened protections

Under current U.S. law, it’s easier for law enforcement to get access to stored data than to wiretap a live conversation. Orders for live interception require a showing of a higher standard. The current proposal would allow agreements that cover orders for stored data and live wiretaps. That is a significant new authority, as wiretaps capture the entire fire hose of data that flows between users, whereas with stored data, you can apply filters to limit a search to only relevant information. The legislation provides no additional protections for the wiretap access. Neither the U.S. nor the U.K. governments have adequately justified this expansive access, and there is no indication at this point that there will be sufficient protections for wiretaps.

3.) The legislation is set to extend the reach of already-expansive U.K. surveillance

This agreement is drafted specifically with the U.K. in mind, however, U.K. law does not have the same legal protections as U.S. law, and this would undermine privacy standards. For example, U.K. law does not currently require judicial approval for warrant requests. The Investigatory Powers Bill, an expansive new surveillance law being debated in the British Parliament, adds only a very narrow new oversight mechanism. The mechanism lacks both the independence and authority for conducting adequate review of warrant requests. Yet once the U.S. approves the U.K. as a partner, the U.K. could directly request data from U.S. companies about people anywhere in the world — Germany, India, Brazil, China, and beyond.

4.) The proposed legislation doesn’t fix the flawed system for cross-border law enforcement data requests

The MLATs established the current process for law enforcement to request data from a foreign country, and in general, these treaties are drafted to respect human rights. However, the MLAT system as a whole doesn’t work very well. MLAT offices, and the U.S. MLAT offices in particular, are substantially overburdened and under-resourced. The draft legislation isn’t supposed to replace the MLAT system, as it covers requests for data only in certain circumstances. If we’re going to make changes to enable certain law enforcement cross-border data requests to bypass the MLAT system, we should couple that with additional improvements to correct the larger problems, such as increasing funding.

The bottom line: while it makes sense to address the MLAT system’s shortcomings, the new proposal doesn’t really do that. It also fails to implement a true human rights framework.

There are real problems with the current MLAT process. Bilateral agreements could help us address the inconsistency, inefficiency, and lack of support that law enforcement faces in current systems for data access. Better systems would reduce the incentive for data localization laws, encryption mandates, and overuse of national security authorities. However, if we don’t do it right, these agreements could also do irreparable damage to global human rights. They could end up lowering legal standards, decreasing transparency, and blocking avenues for access to remedy. A better process could be created, and if properly targeted and robustly implemented, could help law enforcement get expedited access to important data in the most urgent criminal cases. However, such a framework must guarantee human rights protections.

This is not that agreement.