Published by The Lawfare Institute
This week, the Second Circuit heard arguments in the “Microsoft Ireland” case on whether the U.S. government has authority to compel Microsoft directly to turn over data from a server in Dublin. Microsoft, the Irish government, other companies, and civil society groups contend the U.S. government should instead follow the U.S.-Ireland Mutual Legal Assistance Treaty, which would require the U.S. government to work with the Irish government to obtain the data.
The Microsoft Ireland case touches on a broader, ongoing debate about reform of Mutual Legal Assistance Treaties. Mutual Legal Assistance Treaties establish how countries can share evidence for criminal investigations across borders. As global communication relies increasingly on U.S.-based services that generally store data in the U.S., MLATs have grown in importance. The Mutual Legal Assistance (MLA) process is now sometimes necessary to investigate a crime between, say, two British citizens communicating within London using a U.S. product.
The slow pace and opacity of MLA processes for cross-border data sharing have frustrated many countries. For requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months. This process contains checks and balances that protect rights but contribute to delays, pushing countries towards faster ways of accessing data that lack protections. MLAT reform must balance retaining adequate protections with the definite need to streamline this process.
Security Implications of MLATs
MLA processes most immediately have implications for law enforcement and companies (including the future of data localization) but also for national and cyber security. As encryption adoption increases, MLATs will become more important. When interception becomes less useful because of encryption adoption, two options usually remain: hacking or legal requests for data sharing. The spectre of local law enforcement hacking across borders encourages the development of a workable MLA process. Such hacking—and other workarounds, such as calling foreign companies before local courts or laws mandating data access—also raises concerns about comity. Workable MLATs may help ensure national sovereignty remains unruffled by normal criminal investigations.
New Thinking From Civil Society
Discussion about MLAT reform is accelerating. In the UK, a high-level report named U.S.-UK MLAT reform as a priority. Peter Swire & Justin Hemmings, Jennifer Daskal, and Gail Kent have developed thoughtful academic proposals. The Congressional Internet Caucus held a session on the topic. Civil society has increasingly discussed the topic; see, for instance, the Global Network Initiative report. The Center for Democracy and Technology recently released some thoughts on reform.
This post reflects discussions held in recent months among and within various U.S. and UK civil society groups in which I participated. These reflections have been reviewed but not endorsed by participants in this discussion and do not represent a consensus opinion. I have been encouraged to offer them at this point to contribute to ongoing conversations about these issues in a timely manner.
As stated above, reform needs to balance protections with usability. To be clear, a reformed MLAT should replace all other mechanisms for accessing data, serving as the single legal point of access.
The U.S. MLA Process: The Three-Pronged Problem
Regarding usability, three primary problems frustrate countries making requests to the U.S. The first set involves request submission. Content requests are made to the U.S. Department of Justice Office of International Affairs (OIA). Countries often struggle to comply with U.S. legal standards, which are often higher than most other standards and thus poorly understood or met by requesting countries; this causes delays.
Requests for metadata can be made directly to companies; if companies accept the request, responses are returned to requesters outside the MLAT framework. Given the range of information that can be gleaned from metadata, greater protections for metadata requests—perhaps within a revised/expedited MLAT framework—are worth considering.
The second set of problems surrounds transfer of requests from OIA to relevant companies, which first go through a U.S. attorney and district court in D.C. or with jurisdiction. Each of these parties serves as a check on the interests of the requesting country. OIA is understaffed and underfunded—a recent request for a $24.1 million funding increase to improve the MLAT process was not granted—so requests take time to clear OIA. Processing can also be delayed due to overloaded district court dockets and prioritization of local matters.
The third set of problems relates to the company’s response: it travels back through OIA, which reduces data to a minimum before sending to the requesting country. As mentioned above, this minimization ensures the least personal information is revealed to requesting countries but slows the process.
First Prong Solutions: An International Standard for Expedited Access
Offering expedited access (see the suggestions below) to certain countries could help address first-prong delay. But which countries get expedited access? Swire & Hemmings suggest expedited access for countries with a demonstrated history of meeting U.S. legal standards, akin to qualifying for the U.S. visa waiver program.
This suggestion is practical. However, many countries that would fit this category already enjoy the fastest processing times. Can we incentivize improvements for countries that may be more likely to circumvent MLATs? Setting up a new international legal standard might be one possibility. Any request to any country could be made according to one standard, simplifying compliance and allowing countries to develop expertise in only one request process. This standard should remain high, perhaps similar to the Necessary and Proportionate principles, which require independent judicial authorization and proportionality (somewhat akin to probable cause). Countries meeting this standard would gain expedited access to the U.S. MLA process, providing an incentive. Although less practical than the Swire & Hemmings suggestion, countries are beginning to show interest in such a standard; see the recent UK report. Establishing a new standard could also allow human rights issues to be considered centrally during construction. A primary risk, however, would be the development of a standard that greatly reduces legal standards for access.
Second Prong Solutions: Direct Request to District Courts
How might the U.S. enable expedited access? Resource constraints may prevent OIA from facilitating expedited processing, and countries seem eager to deal directly with companies. One possibility is a compromise: allow countries qualifying for expedited access to submit requests directly to a dedicated MLAT district court (see Swire & Hemmings “rocket dockets”). Foreign parties already bring civil suits directly in U.S. courts. Such a system would skirt the OIA bottleneck but still provide greater protection than direct-to-company requests. Countries could only make such requests relating to their own nationals. The court could also refer problematic requests back to OIA; OIA would have received notice of the request and also could intervene and audit, perhaps through an electronic system (see Swire & Hemmings). The court would evaluate expedited requests by the same standard used for non-expedited requests - existing U.S. standards, unless an international standard were adopted. This approach risks losing OIA as a check on the requesting country’s interests; as a result, courts may not adequately be presented with a countervailing view. Hopefully, the restriction of this expedited option to a very select group of countries would mitigate this risk.
Third Prong Solutions: Direct Company Response to Requesting Countries
Both Swire & Hemmings and the President’s Review Group on Intelligence and Communications Technologies write briefly about allowing companies to send responses directly to requesting countries, notifying the OIA of submission or posting it on an online system that OIA can access.
The following ideas elaborate on the protections that could be built into a direct response system, important to ensure companies are not pressured into sending too much data to requesters. Companies could notify OIA ahead of responding, and OIA could have a set number of days to intervene. Both the requesting country and responding company could be trained in data minimization to set clearer expectations for what can be requested and what can be sent (currently, 55 percent of Interpol countries have no such guidelines). The company can refer the request to OIA if concerning. Last, if the requesting country disputes the amount or type of data it receives, it would take that dispute to OIA, not the company, relieving companies of that arbitration burden and associating a cost with requesting more data.
Expanding MLATs to Include Metadata
As mentioned above, metadata and content requests reveal similarly personal information. From a human rights standpoint, continuing to allow metadata requests without the checks and balances afforded content requests does not seem suitable. Expanding and revising MLATs to handle metadata requests would provide needed protections for metadata.
Further Expansion: Live Intercept Requests and Intelligence Sharing?
Although expanding MLATs to include metadata makes human rights sense, other MLAT expansion options may not be similarly endorsable. MLATs currently apply only to stored data. British law enforcement has few options for conducting live intercept of communications between the Londoners mentioned above, particularly when communications are encrypted in transit. Allowing countries to request live intercept through MLATs could encourage lawful live intercept and discourage hacking. However, adding live intercept requests to MLATs would be complicated. In the U.S., wiretap requests enjoy higher legal standards, and the Electronic Communications Privacy Act (ECPA) extends such protections to electronic communications. Could requests for live intercept happen quickly enough and still abide by higher levels of protection? Last, adding live intercept capabilities to MLATs would essentially endorse additional surveillance capabilities for governments, which civil society groups discourage.
MLATs apply to data sharing in the law enforcement context; intelligence data sharing is governed by less public mechanisms. Countries generally provide higher protections for law enforcement requests than for intelligence, likely because law enforcement can lead to physical penalties. This distinction may not always be valid, especially when intelligence agencies share data with law enforcement or when intelligence informs consequential decisions such as drone targeting.
Given this information, should intelligence sharing be brought into the MLAT framework? Doing so would bring intelligence sharing into the public eye and provide an opportunity for higher human rights standards to be incorporated. However, intelligence purposes do not always parallel law enforcement purposes. Intelligence often searches for new information, whereas law enforcement often looks for additional information: it is unlikely the U.S. had “probable cause” to tap foreign heads of state, other than that they probably say interesting things. (Such tapping may be problematic for other reasons.) Although the same high-level principles could be used to oversee law enforcement and intelligence activities, practical guidance may diverge. If MLATs did include intelligence sharing, MLATs would need to be the exclusive mechanism for intelligence sharing; otherwise, such expansion would also increase government options for surveillance.
Legal mechanisms that are not used are effectively broken. MLAT reform should provide a usable legal process that encourages states to stay within the rule of law while still incorporating adequate protection of rights. Reforming the MLA process to provide workable legal oversight of cross-border data requests thus deserves consideration.
If you have comments on the above that you would like circulated to the relevant organizations, please contact me at firstname.lastname@example.org.