We need to fix the broken system for cross-border access to data

At Access Now, we fight for the right to privacy across the globe. That means opposing over-broad, unaccountable, and secret government surveillance programs. It also means recognizing that when lawful processes for access to users’ data fail, it can be bad for privacy, the integrity of the internet, and digital security. Unfortunately, that’s exactly what’s happening right now.

Globally, courts are struggling with a seemingly basic question: When law enforcement seeks digital evidence that’s stored in another country, do tech companies have to comply? Or should law enforcement have to depend on the useful (but flawed and outdated) Mutual Legal Assistance Treaty (MLAT) system?

Two U.S. courts arrived at starkly different answers to this question, with disparate repercussions for users. In the first case, U.S. agents requested from Microsoft user data stored in Ireland, and an appellate court in New York said Microsoft did not have to comply. The U.S. law enforcement officials should have used an MLAT instead. Nevertheless, all across the globe, direct requests for users’ data stored abroad have become more commonplace, as have laws limiting the flow of data. This has implications for human rights.

In the second case, agents requested data from Google, and the company handed over only the information that was stored in the U.S. A judge then ordered Google to grant access to the data stored abroad as well, even though law enforcement did not use an MLAT. MLATs provide an additional layer of protection because they grant oversight to the country where where the data are stored. Bypassing the process means losing that additional layer of oversight.

We’ve previously addressed the benefits, limitations, and flaws of the MLAT system. MLATs are international agreements, both bilateral and multilateral, that provide frameworks for government officials to obtain criminal evidence located in other jurisdictions. As we’ve observed, it’s difficult to enumerate all of the ways in which this system has become unworkable. These problems remain, and even with several experts attempting detailed legal and policy solutions for fixing them, these solutions have substantive shortcomings and introduce their own threats to users’ rights.

So what should we do? In a five-part blog series, we will address in greater detail the existing problems with the MLAT system. We will examine the way one current proposal — the MLAT “safe harbor” epitomized by the U.S.-U.K. agreement — would fail to adequately or properly address those problems. Finally, we will identify the factors governments should consider in any reform of the MLAT system to protect privacy and advance the rights of users. Stay tuned.

Note: This is part one of a series of posts on the MLAT system and human rights. See part two: What’s wrong with the system for cross-border access to data, part three: Diagnosis: Why current proposals to fix the MLATs system won’t work, part four: How to fix MLATs — and a path toward resolving jurisdictional issues, and part five: How to make an MLAT “safe harbor” safe for users.