Why Cross-Border Government Requests for Data Will Keep Becoming More Important

This post is part of a series written by participants of a conference at Georgia Tech in Surveillance, Privacy, and Data Across Borders: Trans-Atlantic Perspectives.

When I participated in the NSA Review Group in 2013, the topic of Mutual Legal Assistance (MLA) was largely viewed as a minor issue. That the issue is far more pressing today was readily apparent by the range of views offered at a recent symposium at Georgia Tech on “Surveillance, Privacy & Data Across Borders: Transatlantic Perspectives.” As explained in this post, technological developments are driving fundamental changes in the importance of cross-border government requests for data. There are multiple institutional mechanisms for possible reform, entirely apart from the traditional approach of Mutual Legal Assistance Treaties (MLATs). And the resolution of MLA issues will have broader implications, on whether multiple nations push for strict data localization laws, and for the ongoing debates about government laws to limit strong encryption and to authorize greater government hacking of computers for law enforcement purposes.

Changing Technology Drives MLA Challenges

From a technology perspective, law enforcement faces growing challenges in accessing both data at rest and data in transit. “Data at rest” includes the emails, social network information, and vast array of other content that increasingly is stored in the cloud. For law enforcement in Europe and most of the world, this evidence is often physically stored in a different country (often the U.S.) or held by a U.S. company that follows the relatively strict probable cause rules of the Electronic Communications Privacy Act (ECPA). In either instance, the court order or other legal process used in the country where the crime occurred (such as in Europe) is not sufficient to get this data at rest.

Police and prosecutors face similar difficulties in accessing data in transit. With the shift to the secure HTTPS protocol for many communications, encryption means that a wiretap in the country of the crime very often can’t provide access to the content. Where law enforcement cannot access either data at rest or data in transit in its own country, then it increasingly must seek access to stored records in the cloud. Under ECPA, for the content of communications, that typically means foreign law enforcement must use the MLA system and show probable cause of a crime to a U.S. magistrate. Originally, MLA requests usually were for cross-border crimes, such as drug smuggling or money laundering. Increasingly, MLA requests are for local crimes where emails or social networks contain key evidence but are held abroad.

As even these routine local crimes enter the MLA system, law enforcement is seeking streamlined ways to access evidence across borders, based on concerns that law enforcement is “going dark.” Nonetheless, as I have stated for years, we are also in a "golden age of surveillance." Police have access to unprecedented data on suspects, including location information (tracking our cellphones), comprehensive metadata (based on all of our texts, emails, and social network posts), and the numerous other databases of our Big Data world. As Tim Cook emphasized in his Time magazine cover interview, there are “cameras everywhere, and I mean not just security cameras, but we all have a camera in our pocket.”

Both law enforcement and privacy advocates thus correctly point to technological trends that make their respective tasks (law enforcement and privacy) much harder than before. Cross-border requests for data are increasingly the battleground—providers of email, social network, and other cloud services find themselves in the middle between legitimate law enforcement requests and privacy concerns that government will gain access to the unprecedented wealth of evidence.

Institutional Mechanisms for Reform

The current reform discussions have focused on mechanisms other than the traditional Mutual Legal Assistance Treaties, which are difficult to amend for the numerous countries seeking access to data across borders. Our Georgia Tech Cross-Border Requests for Data Project has explored ways that reform can occur by statute (rather than treaty) or even by agreements where a designated office in a non-U.S. country such as India could seek expedited responses. American legal scholars Jennifer Daskal and Andrew Woods have recently written prominent scholarship as well as practical reform proposals. Bertrand de la Chapelle of the Internet & Jurisdiction Policy Network is leading a process on “Data & Jurisdiction" seeking to develop shared frameworks and operational solutions in the near future. And civil society is engaged as well.

Policy debates in the U.S. have focused especially on an agreement reached in 2016 between the U.S. and the United Kingdom, which would allow the U.K. government to make certain categories of requests directly to U.S.-based service providers, without the need (and delay) of going through the MLA process. (The agreement requires legislation for it to become effective.) Meanwhile, the European Union has stepped up its attention to cross-border data requests. As senior E.U. Commission official Bruno Gencarelli has discussed, the Commission is scheduled to deliver reform recommendations to the E.U. Council in the coming weeks.

Reform efforts are complicated by at least three issues. First, large differences exist in the criminal procedure of different countries. For instance, as discussed by French legal scholar Suzanne Vergnolle, the French system has a tradition of relying on the acts performed at each stage of the investigation, as well as the investigative authority of a particular actor, such as a public prosecutor or a magistrate. In contrast, the US system relies more heavily on distinct rules for different categories of electronic evidence, such as metadata and content. Far more work will be needed to understand how these legal differences can fit within an emerging system for cross-border data sharing.

Second, reform is more difficult because privacy advocates can accurately point to important ways that their own country’s protection are stricter than the other country’s. For instance, France (and the other countries in the E.U.) lacks the “probable cause” standard for government searches. Conversely, the U.S. lacks the comprehensive data protection laws that exist in France and the rest of the E.U. U.S. privacy advocates understandably express concern at any reduction in the probable cause standard, while E.U. privacy advocates express concern at sending data to a jurisdiction that lacks the E.U.’s privacy laws.

Third, MLA applies to cross-border requests to share information for law enforcement purposes. At the same time, allies also share information for intelligence and military purposes. There has been little public discussion to date about how MLA reform efforts should fit together with these other information-sharing systems. This issue is likely to be important in practice, since the relationship between law enforcement and intelligence investigations varies substantially in different countries.

Broader Implications

MLA reform discussions will have broader implications in at least two ways. First, the frustrations facing local law enforcement can lend energy to proposals to localize data—to require that emails and other sources of evidence be stored within the jurisdiction, subject to local legal procedures. One reason to support MLA streamlining is precisely to reduce this risk of localization. Along with other bad policy effects of localization, there are technological reasons why such localization is undesirable.

Second, in addition to implications on localization laws, MLA reform discussion implicates two other hot-button surveillance issues: government limits on strong encryption and government remote hacking into computers pursuant to legal process. When investigation of even local crimes often involves evidence held abroad, law enforcement will have the incentive to consider three choices: (1) break encryption; (2) hack into the remote computer before data is encrypted; or (3) use the MLA process to gain the evidence through legal process. For multiple reasons, my own preference is to create a workable legal process.

In summary, technological change creates growing obstacles to law enforcement access to both data at rest and data in transit. The trend will continue toward the globalization of evidence. For purposes of law enforcement, civil liberties, and the ongoing structure of the Internet, we will need to devote greater attention to the legal and policy issues of government access to data across borders.