Published by The Lawfare Institute
in Cooperation With
Jennifer Daskal and Andrew Woods recently put forth a reform proposal for law enforcement demands for communications content across national borders. Their proposal is the product of extensive consultation and it merits extensive consideration. It is similar, in some ways, to the “straw man” MLAT reform proposal that we at the Center for Democracy and Technology (CDT) released some months ago. The purpose of this and subsequent posts is to examine a few aspects of the Daskal-Woods proposal to promote understanding of its implications, drawbacks and benefits. This post will consider how the proposal relates to the U.S. probable cause requirement for cross-border requests for content.
A key feature of the Daskal-Woods proposal is to eliminate, in some circumstances, the requirement that a U.S. court find probable cause prior to the disclosure of stored communications content by U.S. communications service providers. Under this proposal, the probable cause finding would not be required where the requesting entity is a foreign government that meets certain human rights standards, makes a request for content that meets the same standards, and requests the content of a “target” who is not a U.S. citizen or resident. The CDT proposal likewise eliminates the probable cause findings requirement, but in a more restrictive class of cases: where the perpetrator, victim, and location of the crime are all in the country that was making the demand for stored content. We worry that the elimination of probable cause for a broader class of content demands by foreign governments may be a step too far, absent additional civil liberties and human rights protections that should be built in.
The Daskal-Woods proposal replaces the requirement that a U.S. judge find probable cause with a lower standard of proof, a standard similar to that governing orders issued under 18 U.S.C. 2703(d): “a strong factual basis to believe that a crime has been, is being or will be committed and that the information [sought] is relevant and material to the investigation of the crime.” The requesting country’s law would have require a level of proof that meets or exceeds this standard. Under the proposal, a judicial or non-judicial entity – presumably an entity in the requesting country – would determine whether the request meets the standard, and the entity must be independent from the prosecutorial function.
The Electronic Communications Privacy Act, as interpreted by the courts, the Department of Justice, and U.S. providers, bars providers from disclosing communication content without a warrant. For a foreign government to secure such disclosure—even in a wholly domestic case, where crime, victim and perpetrator are all in the same country—that country must file a request for mutual legal assistance under an MLAT treaty or other process. The Department of Justice, Office of International Affairs works with the foreign government to amass the information necessary to make the probable cause showing in court. A primary reason why the MLAT process moves so slowly is that foreign governments’ MLAT requests often fail to include sufficient facts to establish probable cause. When those facts do not exist, the U.S. probable cause requirement provides a level of privacy protection that is not available under the law of the requesting country.
While requirements for demonstrating probable cause vary among U.S. courts, probable cause standard is widely-regarded in the U.S. as an exacting requirement. It provides a high level of privacy protection both because of the level of proof required to meet the standard and because a neutral and detached magistrate decides whether the proof meets the standard.
Non-U.S. persons now enjoy the protection of probable cause and a U.S. judicial finding whenever their own governments demand content held by a U.S. provider, such as that contained in a Facebook or Gmail account. Furthermore, they are given this protection when governments other than their own demand their content from U.S. providers. This is a significant protection, and it is the best protection available under US law at the investigative stage. Foreign civil society organizations did not request this protection, nor did the U.S. Congress specifically vote to extend it. Rather, these probable cause protections grew out of interpretations of ECPA, MLAT processes, and the fact that a large proportion of global data flows through the U.S.
Is it wise to eliminate for non-U.S. persons this significant protection of the U.S. system, and replace it with the standard of the requesting country, implemented by an independent entity in the requesting country, even if that standard is lower than probable cause, but meets a baseline human rights standard? On one hand, where countries have rule of law, their citizens have effectively chosen—through their democratically-elected representatives—the level of privacy protection their law should afford. And if a person commits a crime in such country, that person should expect the country’s laws to govern the country’s investigation of that crime, regardless of the citizenship of the alleged perpetrator. On the other hand, many countries likely to seek the favorable treatment of their stored content demands under this proposal are widely-criticized by human rights campaigners for offering insufficient privacy protections. Therefore, the U.S. requirement that an impartial judiciary determine probable cause may operate as an important supplement.
Consequently, we are reluctant to withdraw this protection for the content of non-U.S. persons. In fact, CDT has fought for years to expand the warrant requirement in U.S. law to cover more content. The entire Digital Due Process Coalition has made expansion of warrant-for-content a top priority. Yet, as Daskal and Woods argue, the strong U.S. protection may simply encourage countries to resort to means of acquiring content that evade U.S. probable cause protections and damage privacy and the Internet itself through forced data localization, extraterritorial warrants and government hacking. Strong protections under U.S. law for content demands by foreign countries may ultimately incent privacy-invasive conduct by those countries.
There are both benefits and drawbacks to this aspect of the Daskal-Woods proposal. In our view, if U.S probable cause and judicial review is eliminated for non-U.S. persons when foreign countries demand their communications content from U.S. providers, then there must be new protections for non-content. Up next: a discussion of those new protections.
Gregory T. Nojeim is the Director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. He is the author of "Cybersecurity and Freedom on the Internet,” which appeared in the Journal of National Security Law and Policy.