In July 2016, the United States Department of Justice released a legislative proposal that could vastly increase surveillance by other governments with the direct assistance of Silicon Valley. The unprecedented proposal would allow certain governments to demand the contents of Internet communications such as e-mails and chats directly from US companies, rather than going through cross-border law enforcement treaties that have long been in place to protect rights. The US has already negotiated the outlines of such a deal with the United Kingdom and the Justice Department proposal would extend it to other governments.
This development should raise alarm bells for any user of US-based Internet companies such as Google or Facebook. If enacted, privacy safeguards will get much weaker, collection much broader, and private information potentially more widely shared since governments will have increased access to user communications. While the legislative proposal generally conditions this access on a government’s general respect for human rights, it falls short of ensuring that rights will be adequately protected.
The proposal was introduced on September 14 in the US Congress as an amendment to a defense spending bill, and may be introduced in stand-alone legislation later this year.
Under current US law, Internet companies are prohibited from turning over the contents of communications directly to foreign governments, even for investigating crime. Instead, law enforcement agencies outside the US must make requests through Mutual Legal Assistance Treaties (MLATs), with the Justice Department and US judges serving as intermediaries between the requesting government and the company that holds the information.
As a byproduct of this process, the US extends the same strong constitutional privacy protections enjoyed by US citizens to surveillance targets outside the US. These protections have long promoted respect for rights in criminal investigations, despite the US reputation for excessive surveillance in the intelligence context.
Under this system, the requesting authority must convince a judge that there is “probable cause” the search will elicit evidence of a crime. This is a high standard. The requesting government has to put forward specific facts—and not just a hunch or belief—that demonstrate the communications sought are likely to be evidence of criminal activity. The request must also specifically describe the evidence sought, preventing governments from speculative “fishing” for evidence of crime. An impartial and independent judge must authorize the warrant and the US government also strips out communications that aren’t relevant to the request, all prior to disclosure. Finally, some treaties limit how the information may be used. While the MLAT process isn’t as transparent as it should be, it is rigorous and protective of rights—often more so than the domestic law of requesting governments.
Law enforcement agencies in the UK and elsewhere have become increasingly frustrated with this process, which can be slow. One 2013 review found that it takes an average of 10 months to fulfill a government request. This tortoise-like pace is not intrinsic to the process, which can be very quick for US authorities seeking warrants. The US has devoted insufficient resources to the process, leading to a large backlog, with the number of requests only increasing. Also, with US standards more rigorous than those in many requesting countries, requesting authorities must often devote more resources to gather evidence to meet them.
In response, the UK has claimed that they can extend their surveillance orders “extraterritorially” to Internet companies outside their borders to bypass this process. This places companies in the awkward position of deciding whether to comply with UK warrants in violation of US law. Major US Internet companies have also said that foreign governments’ frustration with the process is leading to calls for data localization worldwide, which would force companies to store user data locally in territories where they offer services, or even arrest of employees.
US companies believe that the Justice Department proposal would prevent this parade of horribles and are actively supporting the government’s move. Whether it would do so is an open question. But the proposal also means eliminating rights protections for many users outside the US.
The proposal would allow qualifying countries to request the contents of communications directly from US companies, bypassing the MLAT process, for the investigation of undefined “serious crime.” The proposal actually goes beyond the existing system since it would allow governments to demand real-time wiretapping from US tech companies for the first time. But the requirements governments would have to meet fall well short of what international human rights law requires of the US and its partners—that an independent authority consider whether, in each individual case, the request is necessary and proportionate and subject to challenge and redress.
For a government to qualify, the US would have to negotiate a bilateral agreement with the country and certify that it has “robust substantive and procedural protections for privacy and civil liberties.” But the proposal only lists “factors to be considered,” not firm requirements. The factors include whether the country generally has respect for the rule of law and human rights and “sufficient mechanisms to provide accountability and appropriate transparency” for surveillance.
This blanket determination is far weaker than the case-by-case judicial authorization that the current process requires, and it overlooks the fact that the authorities of any country—no matter how well intentioned—may make mistakes or overreach. It also makes the certification process vulnerable to politics, where the US might ignore serious abuses to certify key allies.
Once a country is certified and an agreement is in place, its law enforcement agencies could request stored communications or real-time wiretaps directly from US companies. Generally, those requests would be subject to the country’s own domestic procedures and standards, although the proposal would require them to ensure there is a “reasonable justification based on articulable and credible facts.” The meaning of that standard remains unclear, though it appears to be less than “probable cause.” The proposal doesn’t compel companies to comply, though the requesting government may try to do so. If a company denies a request, the government can resubmit its order through the usual MLAT process.
Under the proposal, requesting governments would have to subject requests to undefined “review or oversight” by an independent authority, but officials would not have to seek prior judicial authorization. Such review could also be generalized rather than specific to each request. This is a major weakness since the current system requires an independent examination by a US judge of the justification for the request (and the potential impact on rights) before disclosure.
Many of the proposal’s terms are undefined, and it is unclear how they will be interpreted and applied under vastly different legal systems. For example, the proposal requires requesting governments to specify a “person, account, address, or personal device” to target, which in theory might deter some sweeping data requests. In practice, however, a single request could involve disproportionate amounts of data, depending on how specific provisions are defined. For example, an “address” could be interpreted to include an “Internet Protocol address,” which could be shared by thousands of computers. The onus will be on the requesting government to “segregate” non-relevant information.
Finally, the proposal does not require governments to provide notice to surveillance targets. Yet notice is a critical human rights protection that enables individuals to seek redress for surveillance abuses. Participating countries are also allowed to share information collected under this regime with the US and other governments in some circumstances.
Impact on User Rights
Agreements negotiated under the proposed framework would undoubtedly lead to far more user information flowing from US Internet companies to the UK and other governments than under the current process. The proposal would protect US companies from liability for complying with requests made in “good faith.” This removes incentives for companies to scrutinize or deny such requests, given other legal or political pressures they may face from requesting governments.
For users outside the US, the proposal’s shift of human rights scrutiny from US courts back to the institutions of the requesting country means the impact on privacy and other rights depends first and foremost on whether their country’s laws are more protective than the current MLAT system. In the UK, the protections are weaker.
The US government contends that the new system would encourage other countries to reform their own surveillance laws to qualify for speedier access to data held by US firms. But whether that is likely depends on political interests of both the US and the participating government. What countries may qualify—or could qualify with some reforms—is uncertain. The draft agreement appears designed to require no changes to UK law, which Edward Snowden described as legalizing “the most extreme surveillance in the history of western democracy.” From conversations with companies and other stakeholders, Brazil and India may also be on a desired short list for data sharing under the proposal.
People in countries like Brazil or India should decide whether they are willing to trade privacy protections provided by the current MLAT system for some hazy incentive to improve domestic laws. The proposal’s criteria fall short of international human rights law, including the Necessary and Proportionate Principles, which would likely limit any reforms, even if a government were willing to change its laws.
Finally, there is a question of accountability. The MLAT system subjects users’ rights to standards their own governments did not enact, under a process they cannot contest. This is not ideal, yet it manages to provide strong protections for people outside the US. The new proposal would simply remove many of these protections and defer to the participating government’s domestic processes, which may be even more opaque and unaccountable.
Internet users should assess whether their domestic system would adequately prevent their government from abusing the arrangement, and whether local law enforcement can be held accountable, given how much more data would be available to them under the deal.
The US should adequately fund the current process so that government requests can be properly reviewed in a timely way. The US could also streamline the MLAT process, for example, creating a standardized online system for requests that would not require weakening rights protections. Both technology companies and the US should prioritize these solutions before pursuing a proposal that could allow a potentially vast expansion of surveillance, with lower safeguards.
To be truly viewed as an improvement, any cross-border data request proposal should strengthen privacy protections and improve human rights accountability, not merely shift the burden to systems that have fewer protections. The current proposal doesn’t come close to achieving this.