Procedural Options for Improving Cross-Border Requests for Data

Andrew K. Woods
Tuesday, October 13, 2015, 7:58 AM

Published by The Lawfare Institute

Reading through the news coverage of the Microsoft Ireland warrant case, one thing stands out: nearly everyone agrees that the existing system for managing cross-border law enforcement requests for data is deeply flawed. (Commentators as varied as David Kris, Jen Daskal, Mailyn Fidler, and me all reach the same conclusion.) Where people seem to disagree is how to fix the system. Some of this disagreement is substantive – for example, some reform advocates want to preserve the Fourth Amendment due process standard for foreign government requests for US data, while others (like me) think the standard should be based on international norms of due process. But much of the disagreement is procedural. For example, some are pushing for an international treaty while others (like me) think reforming ECPA would be a better strategy. Because this procedural aspect of the discussion has received comparatively little attention, I will briefly outline some of the tradeoffs associated with each option.

  1. New Multilateral Treaty

A number of people have argued that we need a new multilateral treaty delimiting government access to data. Microsoft’s President and General Counsel Brad Smith has repeatedly made the case for a global treaty. David Kris outlined an argument for one here just a few weeks ago. And this makes sense: A good treaty signed by all relevant parties would be ideal. But in practice, it has at least one of two problems: if it is good, it will not be signed by all relevant parties, and if it is signed by all relevant parties it will not be good.

Anyone with even passing familiarity with internet governance debates knows that the topic is highly politicized and achieving agreement between the major powers is extremely difficult. Even the relatively benign cybercrime treaty found non-universal adherence among like-minded western countries and no accessions by major non-western countries. Add to this the questions of sovereignty, due process, and privacy rights and you have a recipe for deep divisions between many of the most important countries. For example, it is simply unlikely that the US and China will agree to the same set of due process provisions regarding cross-border law enforcement access to cloud data. An international agreement that satisfies India, China, Brazil, Russia, and the US will likely be so watered down that it would have little utility; in fact, there is a serious risk that the resulting agreement would lead to an erosion of privacy rights, not an enhancement.

It is for precisely this reason that treaty advocates have suggested starting small with a handful of like-minded states. The US, the UK, and the French can relatively easily forge an international agreement with high due process standards and privacy protections – an agreement that produces a cross-border process that is much more streamlined than the existing mutual legal assistance process. But how much does this agreement accomplish? If you ask people at the Office of International Affairs which international partners they have the most problems with, they will likely not list the UK, France, or any other country with whom we might easily forge a new international agreement. Missing from such an agreement would be Brazil, India, China – all of whom rejected the cybercrime convention. These are the countries putting enormous pressure on American tech firms, and if they are not part of a new treaty regime for cross-border data requests this pressure will not ease up.

  2. Mutual Legal Assistance (MLA) Reform

Because the bulk of current cross-border requests for data from US providers are routed through the MLA regime, many reform proposals focus on the MLA process itself. These reform proposals – some of which I outlined in more detail here – range from improved funding and staffing to better technology for expediting requests, to renegotiating existing MLA treaties to focus explicitly on data. This line of reform has obvious and intuitive appeal: the MLAT system cannot handle the number of requests, so let’s fix the MLAT system. Moreover, this presents an opportunity to update existing MLAT agreements and even implement new ones where the MLA process is inadequate for cross-border law enforcement purposes.

MLAT reform is a necessary part of fixing the cross-border data request problem. Yet while these reforms are necessary, they are ultimately inadequate. The pressure on the MLAT system – thousands of MLA requests being routed through the DOJ – is the direct result of the Electronic Communications Privacy Act (ECPA). If ECPA did not require foreign law enforcement officers to get a US warrant in order to compel data, those officers would never need to request mutual legal assistance in the first place. The best way to resolve the MLA problem, then, is not to speed up the handling of MLA requests, but to end ECPA’s requirement that all requests go through the MLA process.

MLAT agreements cover much more than data – they are omnibus agreements between states regarding the cross-border requests for criminal evidence and other law enforcement matters. They have worked reasonably well, in some cases for decades, before the current problems arose. Revising each agreement simply because ECPA requires foreign law enforcement to seek US government assistance to compel the data would be onerous and ultimately counterproductive. It would require the US to renegotiate dozens of treaties, a costly and unpredictable process that could ultimately lead to weaker agreements than the ones currently in place; it could also take years to complete. A better approach would be to fix the Electronic Communications Privacy Act (ECPA).

  3. ECPA Reform

The reason foreign law enforcement must ask the US government for MLA in the first place is ECPA’s requirement that US data holders only release stored digital content in response to a warrant from a US judge. That is, ECPA acts as a blocking statute, preventing US data holders from complying with foreign law enforcement requests for data. If this blocking feature were removed, American tech firms could comply directly with foreign law enforcement requests for data and the “cross-border” nature of cross-border data requests would essentially go away. The upshot is that reforming one bill in Congress is likely easier than forging a new global treaty or revising dozens of bilateral agreements. This is also a serious drawback: the problem with this proposal is that it requires congressional action. Congress has not been terribly productive lately. And besides Congress, it is not clear that civil society, companies, and government agencies can agree on how to effectively reform ECPA. (The Senate’s hearings on this matter a few weeks ago suggest that different agencies within the government feel very differently about ECPA reform.) There are other substantive reasons that augur for and against ECPA reform, of course, but from a procedural standpoint ECPA reform is the simplest and most direct route to solving the bulk of cross-border data requests.

  4. Budapest Convention on Cybercrime Amendment

The Budapest Convention on Cybercrime essentially foreshadowed this cross-border data request problem, but it did not resolve it. Article 32b governs “Trans-border access to stored computer data” and weakly says that in most cases, countries should seek that data by requesting mutual legal assistance from the country with the authority to compel it. The drafters of the convention discussed the idea of allowing signatories the ability to directly request data from foreign data holders operating in their jurisdiction, but the provision was deemed too controversial. Rather than negotiate a new treaty on government access to data, then, countries could simply revise the agreement already in place.

While the Budapest Convention is primarily concerned with cybercrime, many commentators overlook the fact that the Convention’s provisions explicitly apply to all crimes for which there is digital evidence. This makes it a prime candidate for reforming the cross-border data request problem. The problem, however, is that the treaty has political baggage. The Convention has been signed by some fifty states, but implementation has been spotty and a number of key states – such as Russia and China – have expressed their opposition to the treaty on the grounds that they were not part of the original negotiations. Reforming the treaty therefore carries some of the same limitations as forging a new global treaty on cross-border data requests.

  5. Bilateral Agreement(s)

The US and the UK are rumored to be negotiating a treaty on cross-border requests for data. If such an agreement comes to fruition, and it is inconsistent with ECPA (and self-executing and properly worded), it could supersede the statute at least with regard to UK government requests for data. While such an agreement would presumably ease the cross-border data problem vis-à-vis the UK, it would do nothing for other countries and may in fact anger them by leaving them outside the agreement. While such an agreement would not resolve what to do about Brazilian or French government requests for data, companies might look to the US-UK agreement as a firm commitment of the US government position on cross-border data requests. This would not be unlike company policies in the wake of US v. Warshak, the Sixth Circuit’s ruling that emails are protected by the Fourth Amendment, contra ECPA, a view the companies treated as national law.

  6. Executive Agreements

Finally, rather than forge entirely new treaties, the President could also sign executive agreements with other countries outlining the details of a new data-sharing program across borders. This would have the advantage of being much simpler politically as it would not require consent by the Senate. However, assuming that it falls within the President’s authority to conclude such an executive agreement, it would have one significant drawback: without Senate consent (or Congress’s consent via congressional-executive agreement) such an agreement would almost certainly not supersede ECPA. This could put companies in a difficult position if, for example, the data sharing agreement encourages or requires them to comply with a foreign government’s request, while ECPA bars the very same thing. Indeed, this fact alone explains why the President would likely not enter into such agreements at all.

Andrew Keane Woods is a Professor of Law at the University of Arizona College of Law. Before that, he was a postdoctoral cybersecurity fellow at Stanford University. He holds a J.D. from Harvard Law School and a Ph.D. in Politics from the University of Cambridge, where he was a Gates Scholar.
