Criminal Justice & the Rule of Law Foreign Relations & International Law

Reforming Mutual Legal Assistance Needs Engagement Beyond the U.S.

Ian Brown, Vivek Krishnamurthy, Peter Swire
Tuesday, March 1, 2016, 7:38 AM

Last week, the House Judiciary Committee held a hearing on conflicts of law and mutual legal assistance (MLA)—how to fulfill law enforcement requests for stored data in an era when transnational Internet companies often hold data relevant to citizens of numerous countries.

Published by The Lawfare Institute
in Cooperation With

Last week, the House Judiciary Committee held a hearing on conflicts of law and mutual legal assistance (MLA)—how to fulfill law enforcement requests for stored data in an era when transnational Internet companies often hold data relevant to citizens of numerous countries.

Such questions seemed esoteric even a decade ago, when most people stored the majority of their data on local devices. Now, when much data of interest to law enforcement is held by US-based tech giants, the issue has become more pressing (including as a topic of discussion on this site). Tech companies increasingly face the difficult choice between following the law of the lands where they operate, or obeying the distant command of the US Stored Communications Act not to disclose content data unless authorized by a search warrant issued by an American court.

Non-US governments are no longer willing to obtain this data through mutual legal assistance treaties, for reasons ranging from the volume of requests, the time it takes the US to process MLAT requests (nine months on average), to frustration over being required to meet the exacting American probable cause standard. Furthermore, the US government’s position in the Microsoft Ireland case that data stored by a US-based firm anywhere in the world is subject to a US search warrant fuels only serves to fuel foreign resentments—the stance treats other nations’ laws as irrelevant while expanding the extraterritorial reach of US law.

There is a growing recognition—including from the US government—that the current situation is untenable. The mere fact of last week’s hearing, along with the revelation earlier this month that the US and UK are negotiating a bilateral data access deal, indicate that pressure is mounting to find a new and lasting solution.

Each of us has written about these issues and participated in efforts to find solutions. For instance, Swire has recently written here and here, Brown has here, and Krishnamurthy has here. We have convened meetings from Washington to Brussels, and worked to develop principled frameworks that balance the interests of competing stakeholders in this space. We believe that a consensus is emerging that any proposal aimed at easing the conflict of laws faced by big tech must respect the human rights of users and include strong transparency and accountability measures.

In view of this, we are concerned that a gap has opened between US and non-US stakeholders, despite the fact that both groups are—in our view—fundamentally working toward the same goals. This gap has arisen in part from the challenges of convening MLAT reform conversations on different continents. And it arises, as well, from the development of deep-seated mistrust, notably between the EU and the US.

Silicon Valley’s “ask forgiveness not permission” approach seriously concerns many Europeans, given the strict legal frameworks that have developed on the continent to protect human rights since the Second World War. Now, after Snowden, many Europeans have developed new levels of mistrust of the US government, despite the important (yet little recognized) surveillance reforms the US has undertaken in recent years. Applied to Mutual Legal Assistance issues, civil society and privacy officials in Europe have concerns that reform may result in data about European citizens not being safeguarded effectively when sent to the US.

And, in ways that are less well recognized, US civil society and legal experts have their own concerns about the protection of privacy and civil liberties when data leaves the United States. The US has a proud tradition of requiring probable cause, as decided by a neutral magistrate, before evidence is produced for a law enforcement request. This is an exacting, privacy-protective standard that most countries in Europe and elsewhere in the world do not follow. Those who cherish civil liberties in the US thus have understandable concerns that standards may be lowered if MLA rules are loosened.

To date, those most concerned about privacy on both sides of the Atlantic have had understandable reasons to fear that reform will weaken protections when “our” data gets sent to “their” jurisdiction. Meanwhile, those grappling with these issues in the rest of the world worry that their own nation’s needs will not be met if the US and a few European partners negotiate their own narrow arrangement.

Going forward, a better understanding of the strengths (and weaknesses) of other nations’ systems is needed to avoid a chasm of distrust that will otherwise undermine MLA reform efforts. In last week’s hearing, the discussion aimed to focus on efforts to uphold public safety and make the system manageable for technology companies, while also protecting users’ privacy and civil liberties.

Our point is simple: US efforts to reform MLATs must occur in tandem with reform efforts in Europe and globally. There must be genuine appreciation that other democratic nations differ in the details of their systems, while seeking essentially the same goals. When discussing global communications, the debate in the US should not be US-centric, just as the debate in the rest of the world must not be reflexively anti-American. We need much more robust engagement with civil society and experts from many nations. Only then can reform be achieved in ways that return the “mutual” to Mutual Legal Assistance.​

Professor Ian Brown is Professor of Information Security and Privacy at the Oxford Internet Institute. His research is focused on surveillance, privacy-enhancing technologies, and Internet regulation.
Vivek Krishnamurthy is a Clinical Instructor in Harvard Law School’s Cyberlaw Clinic, based at the Berkman Center for Internet & Society at Harvard University. He holds degrees from the University of Toronto, Yale Law School, and the University of Oxford, where he was a Rhodes Scholar.
Peter Swire is the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity and Privacy, and Professor of Law and Ethics in the Georgia Tech Scheller College of Business. He is Senior Counsel to Alston & Bird LLP, and Research Director of the Cross-Border Data Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.

Subscribe to Lawfare