Criminal Justice & the Rule of Law Foreign Relations & International Law

A “Qualified SPOC” Approach for India and Mutual Legal Assistance

Peter Swire, Deven Desai
Thursday, March 2, 2017, 12:14 PM

There has been growing legal, policy, and academic attention to the topic of Mutual Legal Assistance (MLA), the mechanisms for evidence held in one country to be provided to a different country for law enforcement purposes. This post summarizes recent developments and proposes a new mechanism for MLA that could be used for the important country of India, and also more generally.

Published by The Lawfare Institute
in Cooperation With
Brookings

There has been growing legal, policy, and academic attention to the topic of Mutual Legal Assistance (MLA), the mechanisms for evidence held in one country to be provided to a different country for law enforcement purposes. This post summarizes recent developments and proposes a new mechanism for MLA that could be used for the important country of India, and also more generally. This new mechanism entails establishing an office in a country such as India that would that serve as a Single Point of Contact (“SPOC”) for high-quality MLA requests, what we call the “Qualified SPOC” approach.

We begin with an explanation about why MLA’s importance continues to grow. We next examine proposed solutions and the recent negotiations between the United States and the United Kingdom as an example of potential MLA reform. Drawing on the proposed solutions and the U.S.-U.K. approach, we look at what might work in India. India is important for two reasons. First, as a large country and market, the need for MLA to work well is high. Second, India provides a test case for whether the U.S.-U.K. approach scales or whether another option is needed. We conclude that another approach is needed to supplement the U.S.-U.K. approach, and the Qualified SPOC approach provides a way forward for India and other similarly situated countries.

Why MLA is Increasingly Important

Two technological trends pose severe challenges to law enforcement access to evidence in their home country. First, law enforcement often cannot get data at rest—webmail, social networks, and other electronic communications are pervasively stored in the cloud, often in a different country. Second, law enforcement often cannot get data in transit—the widespread use of encryption means that wiretaps in the local country often do not gain access to the contents of communications.

As an example of how these changes affect law enforcement, assume a murder has taken place in New Delhi. The victim is an Indian citizen, and the Indian Police Service is investigating. The investigation has identified an Indian citizen as the suspected murderer, and the investigation has produced evidence that the target likely sent emails discussing the planning of the crime. The target, however, used an email service based in the U.S. that only stores emails on servers in California.

This example illustrates three points. First, the interests of the jurisdiction in which the crime was committed (India) are greater than those of the jurisdiction in which the evidence resides (U.S.): there is an Indian crime, an Indian victim, and an Indian suspect. Nonetheless, the country holding the evidence has legal rules that govern the ability to provide the evidence, despite a lack of other connection to the crime, victim, or suspect. Second, electronic evidence overseas is increasingly relevant to crimes that were traditionally local, such as a murder, in addition to trans-border crimes, such as money laundering or drug smuggling. The growth in the importance of MLA is thus due, in this example, to the cross-border nature of communications, rather than the cross-border nature of the crime itself. Third, absent a good MLA process, the country in which the crime was committed (India in this example) may be frustrated and demand that companies store data locally and break their Internet operations into country subsets.

The example supports four goals that have guided our work on MLA reform:

  • Fulfill legitimate law enforcement requests, to investigate cybercrimes and other crimes where evidence is held in a different country;
  • Protect privacy and civil liberties in the United States and globally, by assuring due process before evidence is sent to a different country;
  • Provide a workable regime for the companies holding the communications records; and
  • Safeguard the Internet by resisting calls to localize data and splinter the Internet.

The Visa Waiver Program Analogy, Daskal-Woods, and U.S./U.K.

The path to meet these goals has emerged over the past few years. In 2013 President Obama’s Review Group on Intelligence and Communications Technology made a specific recommendation calling for reform of the MLA process. In 2015 Peter Swire and Justin Hemmings drew on the Visa Waiver Program (VWP) to offer a model for MLA reform. The VWP developed as travel globalized and the government moved from a series of bilateral treaties to a statute that permitted the U.S. government to streamline waivers for countries with high-quality visa procedures. Now, as international evidence has also globalized, a move from a series of MLA treaties to one statute with a vetting process similarly makes sense.

In 2015 and early 2016, we were part of a Working Group on Cross-Border Data Requests, containing stakeholders including civil society, technology companies, and academics, in consultation with the Department of Justice. The Working Group sought to create consensus standards for what MLA requests should receive streamlined treatment under U.S. law. The most detailed public record of the Working Group’s draft approach was written by Jennifer Daskal and Andrew Woods, with detailed commentary by Greg Nojeim.

Although the Working Group did not reach consensus, many elements of the approaches discussed there exist in a bilateral agreement between the U.S. and the U.K. that was announced in 2016. As David Kris summarizes:

[T]he new legislation removes U.S. legal barriers to direct access to U.S. communications providers by foreign governments that have entered into executive agreements with the U.S., where the agreements meet certain requirements that the U.S. Attorney General must certify to Congress. The law applies only to non-U.S. person targets reasonably believed to be located abroad; can be used only in support of criminal investigations (in other words, not for affirmative foreign intelligence, but including for the prevention of crime); reaches both contents and metadata; covers real-time interception as well as access to stored data; and forbids bulk collection.”

If enacted, this legislation would allow non-U.S. law enforcement to request covered communications from U.S. email providers and other companies. Authorized requests would no longer violate the Electronic Communications Privacy Act (ECPA).

In reaction to the U.S.-U.K. agreement, there has been substantial debate about whether the criteria for allowing exceptions to ECPA are strict enough. Civil society has noted multiple concerns about the exceptions possibly being too broad. Others have mostly defended the approach. Without taking a position on the numerous sub-issues raised by the agreement, we note that the overall structure is consistent with the Visa Waiver Program model,.

A “Qualified SPOC” Approach for India

The Working Group discussions revealed concerns on the part of some that the U.K. legal system did not provide enough safeguards to justify streamlined MLA, including lack of a probable cause standard for law enforcement access to the content of communications. Even if a U.S.-U.K. agreement were finalized, the discussions showed substantially greater skepticism about the rigor applied to many MLA requests made by other nations. This was sometimes discussed as the problem of creating a “club” of relatively wealthy nations that might permit streamlined MLA, while excluding other nations from the club, with the resulting slower access to information requested for criminal investigations.

While the U.S.-U.K. agreement has been on the table, there has also been a process in motion on how India and the U.S. might streamline and improve MLA between the two countries. Deven Desai was one participant in a Track 1.5 dialogue held last September in New Delhi, hosted by the Observer Research Foundation and the Council on Foreign Relations, in conjunction with the India Conference on Cyber Security and Internet Governance.

Based on our discussions with stakeholders, we believe U.S.-India MLA reform, to be successful, will likely need to start with something other than all law enforcement agencies on either side being able make a direct request to a company. We thus propose a version of the Single Point of Contact (SPOC) approach as the best way to begin. SPOCs are already familiar concept in MLA. They have been used previously for administrative purposes, such as to speed cooperation between countries by having a clearly-identified point of contact for government-government requests. We draw on these practices to provide a novel legal way to streamline MLA requests.

Under the Qualified SPOC approach, one defined office in the Indian national government would process MLA requests and adhere to and verify that India’s rules for requesting information are in place and being followed. For example, the Indian Ministry for Home Affairs (IMHA), which currently handles MLA requests, might house such an office. (See Article 2 of the Treaty on Mutual Legal Assistance in Criminal Matters between the United States of America and India.) Regardless of which office or agency is designated as the Qualified SPOC, a request from that office would receive different legal treatment than requests coming from another office or agency. For instance, waiver of the ECPA’s requirement of a probable cause order for the types of requests that qualify under the VWP statute for data are possible if they come from a Qualified SPOC. Once established, the SPOC thus can gain the advantage of streamlined MLA process just as requests from a country such as UK if and when the entire country’s legal system qualifies under a VWP approach.

The Qualified SPOC approach offers some other distinct advantages. First, an important advantage is that India (or another country such as Brazil) can take the initiative in creating the office. It is very difficult for a country such as India to amend its criminal legal procedures for a population of more than 1 billion people. By contrast, India can realistically create and staff an office in the government that provides effective scrutiny of MLA requests, and that can then communicate those requests to other governments and to the companies holding the data. Second, for the companies, other governments, and civil society that have to process requests or are concerned about whether the request is proper, a Qualified SPOC offers the important advantage of making the decision about whether the office qualifies manageable—the decision is based on evaluation of a well-defined and small office. Third, it would be far easier to authenticate requests from and monitor compliance by a SPOC than for a large country’s criminal law system. Fourth, when periodic review occurs for whether a particular office qualifies for streamlined treatment (a feature in all the current reform proposals), a change in whether the office qualifies would have a confined effect, rather than disrupting practices of an entire national legal system.

India’s size and its federated system raise an additional issue to consider. In initial discussions of this approach, some have noted that most criminal prosecutions, in India as in the United States, occur at the state level rather than by a national prosecutor. In theory, one could imagine a system of Qualified SPOCs at the state level, where a particular office in each Indian state could gain advantage of streamlined MLA procedures. In practice, we believe that assessing and monitoring this larger number of Qualified SPOCs would be difficult, at least initially. One solution could be to use a system deployed in the U.S. government, namely having detailees from one agency serve in the national office. In that way, a request for a state prosecution would go to their detailee in the India Qualified SPOC office, who could then make the streamlined MLA request from the national SPOC. Starting in this way may offer an additional advantage. As detailees work in the national office and gain experience, they may become precisely the sort of experts needed to expand to a state-level system. Thus a detailee approach could develop the expertise and the trust that the state offices understand and accept the procedures established at the national level.

Conclusion

The Qualified SPOC approach appears to offer a practical path forward for MLA cooperation between India and the U.S., and more generally between countries whose legal systems for whatever reason are not similar enough in law and practice to provide streamlined MLA procedures for their entire legal system.

This approach has some key advantages. India can take the initiative to create an office and procedures that fit its laws. For the U.S. and other countries, assessment of such a single office designed to process requests in a standardized way is far easier than assessing an entire national legal system. Thus both sides can more easily negotiate and establish conditions for high-quality MLA requests. Once established, monitoring one office is manageable; authentication is far easier; and avoiding fraudulent requests is more likely. If well implemented, requests from the Qualified SPOC will meet strong standards for privacy and civil liberties enforcement, and provide companies with far greater certainty about which requests are lawful for all of the countries concerned.

The proposal here is specifically for India, where discussions have been extensive to date. Nonetheless, we believe core features of the proposal would apply more generally for other countries seeking streamlined MLA requests in our era where evidence for law enforcement investigations so often resides in a different country.


Peter Swire is the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity and Privacy, and Professor of Law and Ethics in the Georgia Tech Scheller College of Business. He is Senior Counsel to Alston & Bird LLP, and Research Director of the Cross-Border Data Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.
Deven Desai is a professor at the Georgia Institute of Technology, Scheller College of Business. He joined the faculty in fall of 2014 in the Law and Ethics Program. Prior to joining Scheller, Professor Desai was an associate professor of law at the Thomas Jefferson School of Law. He was also the first, and to date, only Academic Research Counsel at Google, Inc., and a Visiting Fellow at Princeton University’s Center for Information Technology Policy.

Subscribe to Lawfare