Surveillance & Privacy

Interview: The British Perspective on the Cross-Border Data Problem

Andrew K. Woods
Wednesday, February 7, 2018, 11:00 AM


Published by The Lawfare Institute

The issue of law enforcement access to data held abroad is in the news again with the Supreme Court set to hear oral argument in United States v. Microsoft on Feb. 27, and Congress considering the recently-announced CLOUD Act. The problem, put simply, is how to devise a regime that fairly and sensibly allows a state to access criminal evidence for local crimes, even when that evidence is digital and even when it is stored in the cloud, perhaps on foreign servers. Because much of the discussion has focused on U.S. government efforts to access data held abroad—the core concern in the Microsoft case—I thought it might make sense to get a foreign government perspective on the matter.

What follows is an interview with Paddy McGuinness, the U.K. deputy national security adviser. McGuinness testified before the Senate Judiciary Committee in May 2017, and before the House Judiciary Committee in June 2017.


Q. You testified before Congress — twice now — about the need for Congressional reform of the Electronic Communications Privacy Act, and yesterday, the Clarifying Laws on Overseas Use of Data (CLOUD) Act was introduced in the Senate toward those ends.

Why is this issue so important for the U.K. government?

Most of the British public are pleased to use communication services provided by U.S. companies–but unfortunately, terrorists and criminals are no exception. When British law enforcement move to counter crime in the U.K. and abroad, the companies that control communications data say that U.S. law prevents them from fully cooperating with lawful U.K. orders for targeted access. This profoundly limits the U.K.’s ability to access data that can be critical for disrupting or preventing threats to our citizens and residents living in the U.K., including 200,000 Americans.

Q. Do you have numbers you can share, either the total number of investigations or the percentage of your investigations that call for evidence held by American firms?

Well, our law enforcement and security agencies tell me that U.S. communications services are used by 90 percent of their suspects and that reflects the broader penetration of the British market by these services. So we can read across from that into the figures for serious and organized crime and terrorism.

Readers will recall that between March and September this year Britain suffered five terrorist attacks. Thirty-six people lost their lives, while hundreds more were injured. Today, our police and intelligence agencies—amongst the best in the world—are running well over 500 live operations involving around 3,000 individuals known to be involved in extremist activity. In addition to the list of current cases, we face risks from those who have travelled to Syria and Iraq to fight with the so-called Islamic State and the growing pool of over 20,000 individuals in the U.K. that have been investigated in the past but did not cross the threshold for prosecution. In almost every investigation we conduct, those we investigate use services provided by U.S. CSPs.

U.S. technology companies have done what they can to assist in cases where the immediate threat to life can be demonstrated. But this falls short of what is required to detect and prevent terrorist plots. It leaves the companies in the invidious position of having to withhold information that could protect public safety. They want this resolved.

For serious crimes, U.S. companies say they are able to respond to only a very small proportion of requests for content from U.K. law enforcement. It does not make sense that criminals plotting a major drug deal, a murder, a kidnap, trafficking people or sexually abusing a child in the U.K. can have their communications intercepted if they communicate via text message, but if they use a U.S. company’s services their data should be out of reach of U.K. law enforcement. This issue can mean that, for instance, a U.K.-led investigation into pedophiles, distributing images globally, cannot be progressed. The pedophiles remain at large, distributing images globally.

Q. Why not use the Mutual Legal Assistance Treaty between the U.S. and the U.K. to get access to evidence when you need it?

Mutual Legal Assistance Treaties are important, but they are not the answer to the cross-border data problem. These treaties are designed for obtaining evidence after a crime has been committed. Even in those cases, it can sometimes take too long to receive the necessary evidence–up to nine months–in order to progress an investigation and secure convictions. It is widely acknowledged that MLAT processes are too slow for rapidly developing counter terrorism and serious crime investigations.

Instead, we have been negotiating, first with the Obama Administration and now with the Trump Administration, a new Bilateral Agreement, for which the CLOUD Act would pave the way. The Agreement would recognize the high standards of authorization and oversight that the U.K. and U.S. have in place and allow companies based in one country to comply with lawful orders for electronic communications from the other. As you mentioned, I testified on this twice before Congress at the request of the Prime Minister, both in the Senate and the House; a first for a British official.

The Agreement would include strong safeguards and maintain rigorous privacy protections for citizens. The U.K. could only use the agreement to request data on non-U.S. persons located outside the U.S. It is deliberately encryption neutral and would permit only targeted access to data–far from Snowden fears about “mass surveillance.” But before we can sign such an Agreement, hopefully the first of many the U.S. will make with other countries that can meet the same standards, we need Congress to pass enabling legislation. That is why I visited Washington last week to speak to Senators and Representatives.

Q. What do you say to skeptics who argue that this is the “golden age of surveillance”—that even if you can’t get content, you have access to unprecedented amounts of communications data (what we call metadata)?

They are mistaken. For all forms of serious crime, including terrorism, we are finding that we are having to put in more effort to achieve the same outcomes and this is largely because of the technologies available to the perpetrators. Clearly this is unacceptable at a time of heightened threat. There is the possibility of turning that use of technology to our advantage–but only if we have access to the data. To prevent harms such as terrorist attacks we depend on dynamic investigations that can spot and disrupt violent harmful crimes before they are fully carried out. Although metadata is an important investigative and prosecutorial tool, it can never replace the value of knowing what someone is saying, and therefore what they will actually do. Metadata can provide the “who, where, when and how” of a communication, but not the “what.” Access to the content of communications in limited and proportionate circumstances is essential to ascertaining the intent, location and imminence of a threat.

Q. Privacy groups have opposed implementing legislation that would allow the U.S.-U.K. agreement on the grounds that it weakens protections for users. In particular, they have criticized the U.K.’s legal and the substantive standard (a non-probable cause standard). How do you respond?

Privacy is at the heart of the U.K.’s investigatory powers framework–not surprisingly given the emphasis British culture places on privacy in law and the conventions of life. U.K. Agencies and Law Enforcement are governed and overseen by one of the world’s most robust and transparent legal frameworks. The Investigatory Powers Act, which passed through Parliament last year, overhauls the way that the use of investigatory powers is authorised. Warrants must be subject to a new “double-lock,” so that they cannot be issued until a Minister’s decision to do so has been approved by a senior judge, and with adherence to strict principles of “necessity and proportionality.” It is also worth highlighting that the right to freedom of expression in the U.K. is entrenched in Article 10 of the European Convention on Human Rights, and that the U.K. is implementing the European General Data Protection Regulation, with its strict safeguards.

The U.K.’s requests for data under the Agreement would also have another kind of “double protection.” They would satisfy the strong privacy protection under U.K. law, but they would also have to meet and be subject to the more detailed provisions of a U.K.-U.S. Agreement.

Note too that this is not about accessing U.S. nationals’ or residents’ data. This is about tackling a quirk of the internet whereby the U.K. cannot access the data of U.K. citizens, communicating in the U.K., to cause harm. While standards must be high, we do not believe these types of agreements should mean that countries need to have identical systems.

Q. What will happen if ECPA is not amended?

The current legal situation is bad for public safety, bad for companies and bad for privacy. To put it bluntly, we will all be less safe, and crimes will continue. Pressure will grow, in the U.K. and Europe, to find another solution, especially if the terrorist attacks of recent years continue. We must all work to break the momentum of so-called Islamic State’s campaign and Al-Qaeda’s persistence.

In addition to the public safety implications, the current situation incentivises governments to require companies to store data within their territories to ensure access by their law enforcement agencies (“data localization”), which risks the “balkanisation” of the internet. Data localisation measures create barriers to trade, can make data less secure, impair data sharing and innovation, and undermine the uptake of cloud services. Other countries may also not require the same amount of data protections as the U.K. or U.S., thereby reducing overall privacy protections.

This is one of the reasons why both companies and our Governments are supportive. Brad Smith, Microsoft President, said in his testimony at the Senate Judiciary Sub-Committee Hearing on this issue on May 24 that it was “a matter of national and international importance to move forward with” the Bilateral Agreement. In his written testimony for the same hearing he wrote: “Microsoft and other technology companies support Congress enacting a modern legal framework for international data requests.”

The tech companies have worked with us to do all they can within current U.S. legislation. They want us to succeed in public protection and to play their part. But they are constrained by this conflict of laws. That is why they are supporting this legislation.

Andrew Keane Woods is a Professor of Law at the University of Arizona College of Law. Before that, he was a postdoctoral cybersecurity fellow at Stanford University. He holds a J.D. from Harvard Law School and a Ph.D. in Politics from the University of Cambridge, where he was a Gates Scholar.
