Last month, Brad Smith, the General Counsel of Microsoft, called for an international convention on government access to consumer data (he was at Davos, so presumably he uploaded the blog post while sipping champagne in a ski chalet). Specifically, Mr. Smith criticized the existing legal process through which non-U.S. governments gain lawful access to information stored by American companies on servers in the U.S. This is not the first time that a large company has complained about government access to private data – in the wake of the Snowden/NSA scandal, many of the largest tech firms called for reform of government surveillance practices – but this is to date the boldest and most specific proposal to reform the Mutual Legal Assistance Treaty (MLAT) process. In this brief post, I’ll analyze why Microsoft might take such a step.
There is little doubt that MLAT reform is needed; as Mr. Smith rightfully points out, the current MLAT process is a hot mess. Just how bad is it? (Or rather: what is it?) Imagine that you’re a British police officer tracking a kidnapping suspect and you have good reason to think that critical information might be available on the suspect’s Gmail account. In order to compel Google to hand over the suspect’s emails, you must take the following steps: ask the Crown Prosecution Service to write a letter of request and to forward that letter to the Central Authority at the Home Office for review. If the Home Office approves, they must forward the letter to the U.S. Department of Justice’s Office of International Affairs. The DOJ will then review the request and if they approve, they will forward it to the U.S. Attorney’s Office in Northern California. The local U.S. Attorney will then produce either a subpoena or court order asking Google for the data.
This 5-hop inter-jurisdictional dance is made possible by the MLAT between the U.S. and the U.K, which was drafted in 1994, before Google even existed. (In fact, the MLAT is modeled on the letter rogatory, a legal process so ancient it not only predates Google the company, but also googol the concept). The MLAT process is needlessly lengthy – requests for information can take months if not years – and it is unpredictable. The police dislike it, privacy advocates dislike it, and so should you.
But it is not obvious why Brad Smith and Microsoft should dislike it. That is, why would an American company want to increase the speed and reliability with which foreign governments access user data? Consumers are increasingly worried about how internet companies handle government requests for user information – so much so that Microsoft has taken pains to reassure consumers who are worried about their data falling into government hands. Given this climate of concern, you might think that Microsoft would welcome the chance to drag its feet through a convoluted bureaucratic procedure like MLAT. Indeed, Mr. Smith’s team of lawyers at Microsoft might even conceivably try to out-compete Google or Facebook for privacy-hungry customers by appearing to navigate the MLAT morass slowly, turning MLAT into a source of competitive advantage rather than just a multi-jurisdictional headache.
But instead, Microsoft wants to reform MLAT – presumably making it easier to give the police access to the data they want. Why?
Perhaps the most charitable explanation is that Microsoft wants what’s best for the world, and reforming MLAT is what’s best for the world. But that’s not a very satisfying explanation. A much more likely explanation is that Microsoft operates largely at the pleasure of local governments around the world, and reforming MLAT promises to improve these relationships.
As this helpful analysis by the British parliament reveals, foreign governments have two main channels for accessing data stored on corporate servers held in the U.S.: (1) MLAT and (2) what the British call “goodwill.” That is, foreign governments can (1) pull their hair out while they wait for the MLAT process to work its slow, slow magic, or (2) ask for the information directly from the company and potentially get what they want immediately. As you can imagine, governments much prefer the latter approach. As a result, they put enormous pressure on companies to give them what they want outside of the MLAT process.
What does this pressure look like? At its mildest, it threatens to destabilize the sometimes-delicate relationship foreign technology companies have with their host countries. Microsoft and other companies want to get along with local government, so they comply as often as possible with requests that seem reasonable and lawful and do not violate their user policies. But pressure can also come in more extreme forms, like local police detaining the company’s employees. Needless to say, Microsoft and Google and Facebook want very badly to avoid this. Another, perhaps more insidious form of pressure is the demand for “data localization,” which requires that data be stored locally, where it would be subject to local government access rules. This is a bad idea for a number of reasons – so many reasons that it merits a separate blog post – but it is a bad idea whose origins lie partly in police frustration with the MLAT procedure. If MLAT becomes easier for the police to use – or if it is replaced by something they like better – the police will have one fewer reason to raid the local Microsoft office or to demand that data be stored locally. And that is why Silicon Valley companies want MLAT reform.
Precisely how much MLAT reform does Microsoft want? American technology companies must toe a very thin line between angry customers on the one side and a policeman knocking on the door of local offices in London, or Mumbai, or Sao Paolo on the other. Accordingly, Microsoft (and Google and Facebook) should want a procedure that would give the police just enough data to ease local pressures, but not so much data that privacy-sensitive users revolt. We can imagine at least two broad sorts of MLAT reform: changes in degree and changes in kind. Changes in degree would increase the speed and reliability with which foreign police get access to data stored on American servers. This would be relatively easy to implement; increased staffing for MLAT requests at DOJ would be a good place to start. Changes in kind would mean changing what sorts of data the police are authorized to access at all. By calling for a global convention, Microsoft appears to be seeking a change in kind, but the specific details of MLAT reform remain largely up in the air.
Regardless of the content of the reforms, a further question remains whether reform is best pursued by a global convention, as Mr. Smith suggests, or through a series of bilateral reforms to existing MLAT agreements. I’ll leave that analysis for another day, but it is worth noting that a global treaty seems particularly wishful. Perhaps when Mr. Smith calls for a global convention he is not actually calling for a global convention but instead using it as a call to arms – something to mobilize the troops and to frame bilateral MLAT reform as a second-best compromise. Fair enough. Just don’t hold your breath for a global treaty. It’s not that an international convention wouldn’t be desirable; it’s just not very likely. It’s kind of like drinking champagne in a ski chalet in Davos: it sounds lovely, but for most of us it’s not going to happen any time soon.