Mutual Legal Assistance Treaties (MLATs) are the primary legal method enabling law enforcement officials in one country to request data located or stored in another country. Though MLATs are notoriously slow and cumbersome, they provide a legal process through which to share data across borders for criminal investigations. The inefficiencies of the system have prompted government officials around the world to pursue alternative means of acquiring data in criminal investigations — including government hacking.
This has profound implications for human rights, especially for the most vulnerable among us, such as activists, dissidents, journalists, human rights defenders, and members of marginalized communities. If there is any authorization for extraordinary access to data across borders, it must increase — not decrease — vital and necessary protections for our fundamental rights.
The rise of government hacking
There is a nascent global trend toward revising and/or promulgating laws and policies in order to authorize government hacking, including by codifying extraterritorial reach of domestic laws. Proponents of these proposals cite as a justification a need for law enforcement to bypass encryption, which they argue has been thwarting investigations around the world. However, this argument muddles the issues of law enforcement’s cross-border access to data and digital security. Strong encryption is necessary to keep us safe, and any proposals for weakening it must be rejected outright.
In the U.K. last year, lawmakers passed the Investigatory Powers Act, which authorizes government officials to conduct “equipment interference” (read: hacking) of devices. This authority specifically includes devices located abroad and allows hacking in “bulk.” The German Parliament has also recently approved a law to allow authorities “to use spyware to infiltrate a suspect’s device and read such messages before they are encrypted,” according to Politico.
In addition, the European Commission is pursuing the creation of a common legal framework after surveying E.U. member states on how they are currently addressing access to data across borders. A report of the results indicates that member states already engage in government hacking activities, citing language such as “remote access” and “the interception of communications” as commonplace.
In India, the Information Technology Act already authorizes express territorial jurisdiction for offenses, though that is subject to judicial rulings which temper when it can be invoked. However, more broadly, Indian criminal law allows for extra-territorial jurisdiction.
There is also evidence that other countries are engaging in hacking activities in the absence of a legal framework. Italy, for instance, has reportedly engaged in hacking for several years, though only this year have lawmakers published a draft law that would regulate the practice.
If this trend grows, it threatens to chill free expression and deal a massive blow to human rights across the globe. Studies show that when people expect government entities to access their messages, they will self-censor. The United Nations resolution on “The Right to Privacy in the Digital Age” highlights the negative impact of surveillance on human rights, including surveillance through hacking. It underscores that protecting privacy is vital for free expression, which is a critical foundation for a democratic society.
Access Now has responded to this threat by publishing “A Human Rights Response to Government Hacking.” In the paper, we call for a presumptive global ban on hacking, but, recognizing that governments are already engaging in the practice, we set out the minimum human rights safeguards that must be in place for the rare instances that such hacking could be justified.
Global hacking as an “end-run” around MLATs
If the European Commission’s investigation of hacking authorities can be taken as an indicator, we may see governments continue to craft, implement, or expand extraterritorial authorities, including using them to bypass the MLAT system as well as other regional legal frameworks. In fact, the draft of the Italian hacking authority explicitly contemplates using the law to access information stored abroad.
The situation gets even more complicated when officials attempt to access data from an unknown location. In the U.S., for example, there was judicial pushback to requests to authorize hacking in criminal investigations, and this has led to an amendment of Rule 41 of the Federal Rules of Criminal Procedure. Rule 41 generally limits authorization for searches to the district where the search is to take place. The revision, implemented at the end of 2016, added an exception allowing magistrates to authorize the hacking of devices in unknown locations. The Stanford Law Review described the change as possibly “the largest expansion of extraterritorial enforcement jurisdiction in FBI history.” Experts warned that the change would allow U.S. government officials to bypass MLAT requirements and potentially undermine attempts at reform.
Extraterritorial hacking is incredibly dangerous and harmful to human rights. When authorities hack beyond their jurisdiction, they may bypass the legal requirements for respecting the principle of “dual criminality” — that the crime is a punishable offense in both countries. When we do not know the location of the data/device, we cannot guarantee dual criminality. In our paper on human rights and government hacking, we specify that “extraterritorial government hacking should not occur absent authorization under principles of dual criminality.” We also provided advice to the authors of the Italian government hacking proposal, asserting that, “[g]overnment hacking should not be allowed to act as an end-run around [the MLAT system].”
A better path forward: update MLATs and codify human rights protections for hacking
As we have explained, bypassing MLATs and using government hacking as “Plan B” for acquiring data in criminal investigations is a threat to human rights. It also threatens digital security. As the devastating WannaCry and Petya/NotPetya attacks show, we cannot predict how vulnerabilities will be exploited to cause harm to our vital systems and infrastructure around the world. Instead, we need a two-fold response: (1) update the MLAT system to make it more efficient, and (2) legislate human rights safeguards for any use of government hacking.
We have proposed comprehensive reform of the MLAT system to increase efficiency and efficacy while protecting human rights. Optimal steps for MLAT reform include incorporating more countries in the system through law enforcement/lawful investigation-related data sharing agreements. This would make it less tempting for authorities to use extraterritorial or indiscriminate hacking to obtain data.
Government hacking must be strictly limited to protect human rights and digital security. Under no circumstances should it serve as a substitute for the MLAT process. In some instances, this may be a difficult prohibition to enforce. Policy experts are attempting to answer difficult questions, such as what to do when authorities do not know where a device is located. More discussion is necessary to find a rights-respecting solution, but governments must first acknowledge the threats of hacking.
We must not abandon standards for cross-border access to data because the MLAT system needs work. Our goal should be to update the system or buttress it in a way that addresses the complexities of changing technology, and increases — not decreases — protections for our privacy and security. (For more information on how, see our series of blog posts on MLAT reform and the Access Now two-pager on MLATs providing an overview of guidance on the issue.) Hacking to bypass MLATs would create many more problems than solutions, including weakening our digital security globally.
Our hope is that lawmakers considering new solutions for access to data understand that we must maintain or increase the standards that protect human rights, not unleash unilateral options with potentially devastating unanticipated consequences for everyone.