What’s wrong with the system for cross-border access to data

Note: This is part two of a series of posts on the MLAT system and human rights. See part one: We need to fix the broken system for cross-border access to data, part three: Diagnosis: Why current proposals to fix the MLATs system won’t work, part four: How to fix MLATs — and a path toward resolving jurisdictional issues, and part five: How to make an MLAT “safe harbor” safe for users.

In short, the system is too slow, creating incentives for governments to develop rights-harming workarounds that damage our privacy.

We first wrote two years ago about the significant shortcomings of the Mutual Legal Assistance Treaty (MLAT) system — the system by which law enforcement officials seek and receive information for domestic investigations from other jurisdictions. The MLAT system, a set of bilateral and multilateral agreements, comes with substantive benefits. MLATs can facilitate oversight and transparency by creating a system of checks between the countries coordinating action. In addition, states are empowered to protect human rights by rejecting requests, for example, if the activity under investigation is not a crime in the country that gets the request, or if the request would interfere with a local investigation. Importantly, the treaties also foster specificity and deter mass surveillance, at least in the context of law enforcement investigations.

However, MLATs are general-language agreements and do not have much specificity regarding how data are transferred, nor much detail on the protections for users, such as information about data protection standards or means of redress. Instead, they depend on the laws of the countries party to the treaty. That means they can also be used in ways that are harmful to users’ rights. The logistics of how they work are also outdated, and in many instances, it can be a painfully slow process for investigators seeking specific information in pursuit of indisputably legitimate aims.

As we’ve observed,

“The process for sharing criminal investigation information between countries is broken: official exchanges between nations are slow, underfunded, and lacking in user protections. Human rights are at risk . . . [T]he mutual legal assistance system is slow. Very slow. The problem compounds the lack of human rights protections, pushing law enforcement towards even less rights-protecting channels, such as letters rogatory.”

Government demands for user data stored elsewhere are increasing, making the strain on the MLAT system even worse. A look at Google’s transparency reporting, for example, shows that for the past two years, there has been an uptick in government requests for user data from U.S. companies (growing by about 5,000 requests a year). This highlights another problem: compared to the rest of the world, the U.S. gets a hugely disproportionate number of MLAT requests, due to the fact that it’s the geographic home to many of the world’s largest technology companies that process user data.

Moreover, determining the precise location of data or devices can be difficult. That’s because data are generally transferred to prioritize efficiency and stored in locations based on a number of factors. For example, some companies, namely Google and Microsoft, store data redundantly in multiple locations in case of regional failure. Data are commonly sharded, or split between multiple databases, to increase security and efficiency, replicated for load balance, or placed in a location where expensive computations occur.

Ultimately, whether and how law enforcement can get access to data comes down to jurisdiction, but jurisdiction rules vary by state, and this has created conflicts when there are competing jurisdictional requirements. This is the conflict that played out between France and the U.S. in a seminal early-2000s case regarding the sale of Nazi memorabilia — an activity that is constitutionally protected in the U.S. but prohibited in France.

Any proposal to reform the MLAT process must find a way to address these shortcomings for law enforcement and for our rights. Given the number of issues entangled in the MLAT imbroglio, it’s important to articulate what the priorities are for any reform effort. We believe it’s critical to:

  • Improve efficiency for lawful government requests
  • Reduce incentives for government interference with private sector platforms and networks
  • Provide clarity for users, governments, and companies, on the treatment of user data
  • Ensure the system for cross border data requests protects user rights

In the meantime, as these issues have gotten more difficult and there hasn’t been any significant reform of the MLAT system, countries have continued to respond in ways that undermine user rights. Russia is enforcing a recently enacted data localization requirement, China has approved encryption mandates, and the United Kingdom and Pakistan have passed new extraterritorial authorities to allow law enforcement agents to get access to data abroad. There are also countries requesting data from companies without adequate authority or the use of MLATs, such as Belgium’s request for Skype data, and this is also problematic. As we will show, you cannot blame these problems wholly on the MLAT impasse, but the way MLATs work now — very slowly — is a factor.

Stay tuned for the next post in the series, in which we analyze proposed solutions to the MLATs problem, and explain why we need a new path forward.