In a little-noticed piece of news (at least in the US), the UK has been contemplating a new international treaty to enable British authorities to access user data held by US tech companies. While the details remain classified, the Special Envoy to the prime minister on intelligence and law enforcement data sharing has recommended such a treaty. And Prime Minister David Cameron has endorsed the idea.
The fact that this is even being considered is noteworthy for at least four reasons:
First, it highlights the pressing problem of jurisdictional conflicts regarding law enforcement access to data — an issue also at the heart of the pending Microsoft case (discussed here, here, and here). The UK, along with many other foreign countries, is — quite understandably — frustrated by the length of time it takes the US government to turn over sought-after data stored by US service providers on US soil. Whereas the UK would likely get sought-after emails within days if held by a UK provider, it takes an average of ten to twelve months to get the same data if held by a US-based service provider. This is because the Electronic Communications Privacy Act (ECPA) prohibits US-based companies from disclosing the contents of stored communications absent a warrant based on probable cause. (Notably, however, ECPA does not bar the US-based firm from handing over so-called metadata, such as basic subscriber information or location data.)
Because ECPA requires an American warrant for stored content, it forces the UK government to request US assistance via the time-consuming mutual legal assistance treaty (MLAT) process. And this is the source of much frustration. The requirement that a foreign government seek permission from, and abide by the requirements of, the US government simply because the relevant data happens to be controlled by a US-based service provider strikes many foreign law enforcement officials as absurd — particularly when they are requesting data regarding a crime between two of their own citizens that took place on their soil. Why, foreign governments ask, should we have to meet a foreign legal standard — and wait ten to twelve months for a response — when we’re investigating an entirely local matter?
Second, a bilateral US-UK treaty provides a welcome alternative to the UK’s unilateral attempt to apply its laws extraterritorially. In 2014, partly in response to frustrations over jurisdictional conflicts, the UK passed broad, emergency legislation that, among other things, authorizes the government to directly access data from US-based service providers if sought for specific purposes and the request is approved by the Secretary of State or other specified executive branch official — but not a neutral arbiter such as a magistrate or judge.
While we don’t know of any cases where the UK has actually engaged in the extraterritorial exercise of this authority (readers, please let us know if you do), the statute sets a concerning precedent that would, if actually implemented and enforced, operate as an end run around the US legal standards — including substantive limits and procedural protections — governing access to data stored in the US. ECPA may cause jurisdictional headaches for the UK, but that does not justify the UK’s unilateral exertion of extraterritorial authority. If implemented, it would put companies in an impossible bind, forcing them to choose between a UK mandate or US prohibition. It also moves us dangerously toward a system where governments ignore one another’s privacy protections and substantive limits on law enforcement access to data, even if seeking data of another sovereign’s citizen or for purposes that would violate basic human rights norms. (Imagine, for example, a similar claim to data from, say, Russia or China.)
A mutually agreed upon treaty that specifies when, in what circumstances, and based on what standards the UK could access that data through streamlined procedures would be a welcome alternative to the current UK law. (It may also have the added benefit of moving the needle on ECPA reform, which would likely be required as a means of implementing any agreed upon deal, as discussed below.)
There is one important caveat, however: If such a treaty is additive — leaving in place the current provisions and adding new treaty provisions on top of them — then it may in fact make things worse, not better.
Third, as a follow-on to the last point, the proposal raises all kinds of questions as to its actual design. We can think of two basic options, although there are multiple variations on each. The first would authorize direct requests to the companies, assuming certain agreed-upon procedural and substantive requirements were met. This is the most efficient from the UK perspective, but it would require an amendment to ECPA for data stored in the US. It also puts companies in the difficult position of being the arbiter of whether or not the specified criteria are met.
The second option would institute an expedited processing mechanism — much as is required under the Budapest Convention for Cybercrime. Depending on the design mechanism, this too could require an amendment to ECPA, particularly if there were a decision to bypass standards laid out in current law, such as the requirement that the request be signed off on by a US magistrate or judge. Expedited proceedings without legal reform are another option. But it is unclear how much of a dint would be made in the MLAT processing time given that the request would still have to clear multiple requirements laid out in US law — all steps that are potentially time-consuming.
Fourth, it is worth emphasizing that it is nearly impossible to evaluate the proposal in the abstract. Much of the treaty’s viability will turn on its procedural standards, substantive standards, notice requirements, and dispute mechanisms — all things we know nothing about. Consider just the question of jurisdictional scope: will the treaty only provide streamlined access for investigations involving UK suspects, UK victims, and UK-based crimes? Or will the treaty provide streamlined access if only one or two of these UK elements are present? Will the scheme offer increased privacy protections — for example, introducing some limits on accessing metadata directly from the companies where ECPA provides none — or will it water down existing protections?
Answers to these questions will likely determine the political viability of the treaty. Needless to say, this treaty comes at a time when there is a great sensitivity to government attempts to access data. Perhaps that explains why so little about the treaty is public. But without further details, the treaty will be impossible to assess.
* * *
All this points to the need for transparency as the discussions continue so as to enable the kind of public engagement and debate that is so essential in this area — and that will ultimately be required by any agreement that involves changes to US law. As we have both written in different contexts (here and here), these are difficult, complicated issues that require international cooperation, consensus building, and a great deal of care. The UK’s reported interest in talking with the United States is a positive step forward. What we ultimately think about any such deal, however, will depend on the actual details.