Over at Stanford CIS blog, Albert Gidari takes aim at the wiretap-related provisions in the US-UK CLOUD Act Agreement – which Peter Swire and I wrote about separately here. He describes, accurately, the possibility that the U.S.-ordered wiretaps could be used to listen in on conversations of individuals located outside the territorial borders of the United States – subject of course to the many procedural and substantive requirements of the U.S. Wiretap Act and approved by an independent judge.
But that was true both before and after the CLOUD Act.
What Gidari is complaining about is U.S. courts’ longstanding interpretation and application of the Wiretap Act – not the CLOUD Act itself. Contrary to Gidari’s suggestion, the CLOUD Act does not give the U.S. new authorities that they didn’t have previously.
The following seeks to distinguish what existed before, what is new, and why the U.S.-U.K. CLOUD Act Agreement does not in any way expand or change U.S. wiretapping authorities.
U.S. Wiretap Authority
Under U.S. law, wiretaps require the approval of a U.S. judge, subject to a number of procedural and substantive requirements. Importantly, these only can be issued if law enforcement is investigating criminal activity over which the U.S. has jurisdiction. In other words, they cannot be used to spy on foreigners for intelligence gathering purposes. There has to be a legitimate criminal investigation as a predicate for obtaining such an order.
In order to get a wiretap, law enforcement must satisfy a number of robust requirements—what many call a “warrant plus” because they go beyond what is required to obtain a warrant to engage in other kinds of searches and seizures, including for stored communications content. An independent judge must approve the order – and only after concluding that there is probable cause to believe that the individual whose communications are being sought is committing, has committed, or is about to commit a specified offense. The judge must find probable cause to believe that normal investigative procedures have been tried and failed or reasonably appear unlikely to succeed. Wiretap orders can only be issued for 30 days at a time. They also are subject to a number of so-called “minimization” requirements to protect against the listening in on and dissemination of other communications not involving the target of the investigation. The U.S. government is also bound by notification mandates, ensuring that the target of the investigation receives notice of the fact of the interception within 90 days of its termination.
The issuance of warrants is also subject to a territorial requirement, as is the focus of Gidari’s blog post. Specifically, the Wiretap Act specifies that judges can only authorize interceptions “within the territorial jurisdiction of the court in which the judge is sitting (and outside that jurisdiction but within the United States in the case of a mobile interception device authorized by a Federal court within such jurisdiction).” As Gidari points out, courts have interpreted this limitation in ways that give judges more latitude than might appear on the face of the statute. Specifically, several courts have concluded that a wiretap is within the relevant territory if the target device is located or the communications are first heard within the court’s territorial jurisdiction.
In at least one case, cited by Gidari, a court has concluded that phone calls made over the border in Mexico, accessed by cellular towers in the United States and listened to in Houston, Texas, fell within the Texas judge’s territorial jurisdiction. The court explicitly rejected the defendant’s argument that the relevant territorial jurisdiction was limited to where the conversation took place. As the court warned, such a limitation would be largely unworkable in the age of cellular (meaning mobile) communications; it would effectively force government officials to go through the duplicative, inefficient, and perhaps unknowable task of obtaining an order in every district where a roaming target might make a call. In short, the court concluded it was authorizing a territorial action, rather than an extra-territorial one, given that the conversations were intercepted and listened to in the United States.
With the rise of online chats, it is increasingly possible that messaging of two foreigners located outside the United States is occurring via messaging services that are subject to U.S. jurisdiction and thus intercepted in and listened to in the territory of the authorizing judge.
This however was true both before and after the CLOUD Act. In other words, nothing about the CLOUD Act changes – or expands – this reality. And to reiterate, judges can only issue such orders if there is probable cause to believe that the target is, has, or will be engaged in criminal activity over which the United States has jurisdiction and other investigative means are not reasonably available. Any such orders are time-limited and subject to ongoing court supervision as well.
What Does the US-UK Agreement Change?
The US-UK Agreement does not expand US authority to issue wiretaps. It does however enable the UK, pursuant to its own laws and authorities and subject to the particular requirements of the CLOUD Act, to issue wiretap orders on U.S.-based providers—so long as the target of the order is a foreigner (non-U.S. person) located outside the United States. This is an authority that the UK could not exercise absent the Agreement.
These provisions were among the key things sought and pushed for by the UK in the run-up to the passage of the CLOUD Act. As communications – even of two UK citizens or residents – were increasingly routed via US-based companies, UK law enforcement lost their ability to track such communications, even if they were investigating local crime. It was thus critical, from the UK perspective, to be able to access live communications of their own residents and citizens and others subject to their jurisdiction in order to prevent and ultimately prosecute a range of dangerous crime.
In order for wiretap orders to issue under the Agreement, specific requirements must be met. They must be “for a fixed, limited duration;” “may not last longer than is reasonably necessary;” and “shall be issued only if the same information could not reasonably be obtained by another less intrusive method.” These provisions incorporate some, but not all, of the same requirements of the U.S. Wiretap Act. Key provisions are more open-ended than what exists under the U.S. Wiretap Act – requiring time limits, for example, but without specifying what they are (versus 30-day limits in U.S. law).
As Gidari notes, UK-issued orders could result in the UK intercepting the communications of persons located outside either the United States or the United Kingdom, if such communications were routed through US-based providers subject to CLOUD Act orders. In response to this reality, the Agreement also includes new third party notice requirements – requiring that if the UK is targeting the data of someone located outside of the UK that the UK notify the government of the place where the person is located.
Importantly, the UK can take advantage of these provisions because they have in place authorities that explicitly authorize the issuance of extraterritorial orders, consistent with the requirements of the CLOUD Act. By contrast, the United States does not, at least currently, have an equivalent authority in U.S. law – in part perhaps because the United States has not had an equivalent need to access communications traveling between UK-based and other extraterritorially located providers. Thus, while, as Gidari points out, the Agreement provides for reciprocal access in theory, there is no reciprocal change in practice. No affirmative authorities exist to enable the United States to compel assistance by foreign-based providers that are not otherwise subject to U.S. jurisdiction.
What is Needed?
The CLOUD Act standards for issuance of wiretaps are not particularly detailed. They talk about time limits, but without specificity. They don’t require notice to the target of the investigation—something that is important for reasons of both transparency and accountability. And, while they include the new third party notice requirements for those cases in which the UK is targeting the communications of a foreigner outside the United States, those provisions are not, as Gidari points out, particularly detailed. Additional clarity and specificity on each of these would strengthen the UK-US and future agreements; this is something that a range of human rights and privacy groups are pushing for as well.
Ideally, additional guidance would set out clear time limits for intercepts and add in requirements about notice to the targets of the surveillance. It also would be helpful to both specify the timing of third party notice and provide a mechanism for third party countries to raise objections upon receiving notice that their citizens’ or residents’ data is being targeted pursuant to an order issued under the CLOUD Act agreement—e.g., pursuant to a UK wiretap order issued to a U.S.-based provider. Alternatively, future agreements—or modifications of the current one—could avoid this problem altogether by limiting the foreign government authority to wiretap third party nationals. The Agreement could specify, for example, that the partner government (in this case the UK) could target their own nationals or residents only. The communications of third party nationals might still be subject to so-called “incidental” collection – meaning their conversations could be picked up if they were in communication with the target of the interception – but direct targeting of third party foreign nationals would be avoided. These changes could be added as modifications authorized under the Agreement, via supplemental agreements and/or in further agreements that may follow this one.
Finally, one might think, consistent with Gidari’s concerns, that US judges should not be in the position of authorizing wiretaps that result in the interception of the communications of persons located outside the United States. Or that there should be robust third-party notification requirements if they do. But we should be clear about what the concern is. To the extent the concern is about US (as opposed to UK) authorities, it is a concern about pre-existing U.S. law. The CLOUD Act, despite all that has been attributed to it, left the affirmative authorities associated with the Wiretap Act in the United States unchanged.
The issue of US legal authority – to the extent one thinks it is an issue – is one that exists and has existed totally independent of the CLOUD Act and the US-UK Agreement that followed. We should not be blaming the CLOUD Act for things that it does not do.