US cross-border data deal could open surveillance floodgates

Click:Mold manufacturing for automotive

Edward Snowden, a former CIA worker before turning whistleblower, speaks via satellite at the IT fair CeBIT in Hanover, Germany, 21 March 2017. Friso Gentsch/Press Association. All rights reserved.In July 2016, the United States Department
of Justice released a legislative proposal
that could vastly increase surveillance by other governments with the direct
assistance of Silicon Valley. The unprecedented proposal would allow certain
governments to demand the contents of Internet communications such as e-mails
and chats directly from US companies, rather than going through cross-border law
enforcement treaties that have long been in place to protect rights. The US has
already negotiated the outlines of such a deal with the United Kingdom and the Justice
Department proposal would extend it to other governments. The US has already negotiated the outlines of
such a deal with the United Kingdom.

This development should raise alarm bells
for any user of US-based Internet companies such as Google or Facebook. If
enacted, privacy safeguards will get much weaker, collection much broader, and
private information potentially more widely shared, since governments will have
increased access to user communications. While the legislative proposal generally
conditions this access on a government’s general respect for human rights, it
falls short of ensuring that rights will be adequately protected.

The proposal was introduced on September 14
in the US Congress as an amendment to a defense spending bill, and may be introduced
in stand-alone legislation later this year.

The rationale

Under current US law, Internet companies
are prohibited from turning over the contents of communications directly to
foreign governments, even for investigating crime. Instead, law enforcement
agencies outside the US must make requests through Mutual Legal Assistance
Treaties (MLATs), with the Justice Department and US judges serving as
intermediaries between the requesting government and the company that holds the
information.

As a byproduct of this process, the US
extends the same strong constitutional privacy protections enjoyed by US
citizens to surveillance targets outside the US. These protections have long
promoted respect for rights in criminal investigations, despite the US reputation
for excessive surveillance in the intelligence context.

Under this system, the requesting authority
must convince a judge that there is “probable cause”
the search will elicit evidence of a crime. This is a high standard. The requesting
government has to put forward specific facts – and not just a hunch or belief –
that demonstrate the communications sought are likely to be evidence of criminal
activity. The request must also specifically describe the evidence sought,
preventing governments from speculative ‘fishing’ for evidence of crime.

An impartial and independent judge must
authorize the warrant and the US government also strips out communications that
aren’t relevant to the request, all prior to disclosure. Finally, some treaties
limit how the information may be used. While the MLAT process isn’t as
transparent as it should be, it is rigorous and protective of rights – often
more so than the domestic law of requesting governments. The request must also specifically describe
the evidence sought, preventing governments from speculative ‘fishing’.

Law enforcement agencies in the UK and
elsewhere have become increasingly frustrated with this process, which can be
slow. One 2013 review
found that it takes an average of 10 months to fulfill a government request. This
tortoise-like pace is not intrinsic to the process, which can be very quick for
US authorities seeking warrants. The US has devoted insufficient resources to the
process, leading to a large backlog, with the number of requests only increasing.
Also, with US standards more rigorous than those in many requesting countries, requesting
authorities must often devote more resources to gather evidence to meet them.

In response, the UK has claimed that they
can extend their surveillance orders “extraterritorially”
to Internet companies outside their borders to bypass this process. This places
companies in the awkward position of deciding whether to comply with UK
warrants in violation of US law. Major US Internet companies have also said
that foreign governments’ frustration with the process is leading to calls for data
localization worldwide, which would force
companies to store user data locally in territories where they offer services,
or even arrest
of employees.

US companies believe that the Justice
Department proposal would prevent this parade of horribles and are actively
supporting
the government’s move. Whether it would do so is an open question. But the
proposal also means eliminating rights protections for many users outside the
US.

The
proposal

The proposal would allow qualifying
countries to request the contents of communications directly from US companies,
bypassing the MLAT process, for the investigation of undefined “serious crime.”
The proposal actually goes beyond the existing system since it would allow
governments to demand real-time wiretapping from US tech companies for the
first time. But the requirements governments would have to meet fall
well short of what international human
rights law requires of the US and its partners—that an independent
authority consider whether, in each individual case, the request is necessary
and proportionate and subject to challenge and redress. It would allow governments to demand real-time
wiretapping from US tech companies for the first time.

For a government to qualify, the US would
have to negotiate a bilateral agreement with the country and certify that it
has “robust substantive and procedural protections for privacy and civil
liberties.” But the proposal only lists “factors to be considered,” not firm
requirements. The factors include whether the country generally has respect for
the rule of law and human rights and “sufficient mechanisms to provide
accountability and appropriate transparency” for surveillance.

This blanket determination is far weaker
than the case-by-case judicial authorization that the current process requires,
and it overlooks the fact that the authorities of any country – no matter how
well intentioned – may make mistakes or overreach. It also makes the
certification process vulnerable to politics, where the US might ignore serious
abuses to certify key allies. The
US might ignore serious abuses to certify key allies.

Once a country is certified and an
agreement is in place, its law enforcement agencies could request stored communications
or real-time wiretaps directly from US companies. Generally, those requests
would be subject to the country’s own domestic procedures and standards, although
the proposal would require them to ensure there is a “reasonable justification
based on articulable and credible facts.” The meaning of that standard remains
unclear, though it appears to be less than “probable cause.” The proposal
doesn’t compel companies to comply, though the requesting government may try to
do so. If a company denies a request, the government can resubmit its order
through the usual MLAT process.

Under the proposal, requesting governments
would have to subject requests to undefined “review or oversight” by an
independent authority, but officials would not have to seek prior judicial authorization. Such
review could also be generalized rather than specific to each request. This is
a major weakness since the current system requires an independent examination
by a US judge of the justification for the request (and the potential impact on
rights) before disclosure.

Many of the proposal’s terms are undefined,
and it is unclear how they will be interpreted and applied under vastly
different legal systems. For example, the proposal requires requesting
governments to specify a “person, account, address, or personal device” to
target, which in theory might deter some sweeping data requests. In practice,
however, a single request could involve disproportionate amounts of data,
depending on how specific provisions are defined. For example, an “address”
could be interpreted to include an “Internet Protocol address,” which could be
shared by thousands of computers. The onus will be on the requesting government
to “segregate” non-relevant information. Finally, the proposal does not require governments to
provide notice to surveillance targets.

Finally, the proposal does not require governments
to provide notice to surveillance targets. Yet notice is a critical human
rights protection that enables individuals to seek redress for surveillance
abuses. Participating countries are also allowed to share information collected
under this regime with the US and other governments in some circumstances.

Impact
on user rights

Agreements negotiated under the proposed
framework would undoubtedly lead to far more user information flowing from US
Internet companies to the UK and other governments than under the current process.

The proposal would protect US companies
from liability for complying with requests made in “good faith.” This removes
incentives for companies to scrutinize or deny such requests, given other legal
or political pressures they may face from requesting governments.

For users outside the US, the proposal’s
shift of human rights scrutiny from US courts back to the institutions of the
requesting country means the impact on privacy and other rights depends first
and foremost on whether their country’s laws are more protective than the
current MLAT system. In the UK, the protections are weaker. In the UK, the protections are weaker.

The US government contends that the new
system would encourage other countries to reform their own surveillance laws to
qualify for speedier access to data held by US firms. But whether that is
likely depends on political interests of both the US and the participating
government. What countries may qualify – or could qualify with some reforms – is
uncertain. The draft agreement appears designed to require no changes to UK law,
which Edward Snowden described
as legalizing “the most extreme surveillance in the history of western
democracy.” From conversations with companies and other stakeholders, Brazil
and India may also be on a desired short list for data sharing under the
proposal. The draft agreement
appears designed to require no changes to UK law, which Edward Snowden described as legalizing “the most extreme
surveillance in the history of western democracy.”

People in countries like Brazil or India should
decide whether they are willing to trade privacy protections provided by the current
MLAT system for some hazy incentive to improve domestic laws. The proposal’s
criteria fall short of international human rights law, including the Necessary and
Proportionate Principles, which would likely limit any reforms, even if a
government were willing to change its laws.

Finally, there is a question of
accountability. The MLAT system subjects users’ rights to standards their own
governments did not enact, under a process they cannot contest. This is not
ideal, yet it manages to provide strong protections for people outside the US. The
new proposal would simply remove many of these protections and defer to the
participating government’s domestic processes, which may be even more opaque
and unaccountable.

Internet users should assess whether their
domestic system would adequately prevent their government from abusing the
arrangement, and whether local law enforcement can be held accountable, given
how much more data would be available to them under the deal.

What
alternative?

The US should adequately fund the current
process so that government requests can be properly reviewed in a timely way. The
US could also streamline
the MLAT process, for example, creating a standardized online system for
requests that would not require weakening rights protections. Both technology companies
and the US should prioritize these solutions before pursuing a proposal that
could allow a potentially vast expansion of surveillance, with lower safeguards.
Any cross-border data request
proposal should strengthen privacy protections and improve human rights accountability,
not merely shift the burden to systems that have fewer protections.  

To be truly viewed as an improvement, any cross-border
data request proposal should strengthen privacy protections and improve human
rights accountability, not merely shift the burden to systems that have fewer
protections. The current proposal doesn’t come close to achieving this.