Lawmakers Must Fix Cross Border Access to Data
The following is a special editorial from i2Coalition Co-Founder, Board and Policy Chair David Snead, and Board Chair Elect Michele Neylon.
Today, when governments or law enforcement officials need to process warrants or request information from another country, they often must rely on bilateral agreements. These agreements determine how they can access data stored in a country other than their own and are referred to as Mutual Legal Assistance Treaties (MLATs). An MLAT allows law enforcement officials in one country to fulfill legal criteria in another country necessary to gain access to data in the second country.
Yet, the MLAT process is cumbersome. As such, governments often attempt to gain access to data without going through the MLAT process. This activity generates situations with serious implications for privacy and the rule of law. For example, Microsoft is currently litigating a case where the federal government is leveraging a law—the Stored Communications Act (SCA)—to force the company to deliver emails housed in Ireland to the U.S. government. Microsoft claims the SCA has no jurisdictional authority over data stored in another nation. The Irish government is demanding respect for its sovereignty. But it also admits that its courts would allow for such cross-border data access under certain circumstances.
The Microsoft case is a microcosm of a larger problem that is cross-national and has special resonance in the United States. In the U.S., Internet infrastructure companies, ISPs, and telecom firms are under enormous (and increasing) pressure from foreign governments to deliver data to them. Meanwhile, other governments are creating more legal challenges for foreign governments to access data within their own borders.
Regardless of location, an Internet business is likely to find itself receiving a request to provide information to a law enforcement entity outside its country. In a reasonably large subset of these cases, the request may cause a conflict with the laws of the country in which the provider is located. The Microsoft case above is a great example of how this can occur: Microsoft is being compelled by the U.S. government to turn over information stored in Ireland, and in doing so might break Irish law.
Relying on this medley of MLATs has created significant friction in the marketplace. This friction creates serious legal, regulatory, and business challenges for many private companies that are vital to maintaining an open and free global Internet. To solve this growing problem, lawmakers, regulators, and international bodies must begin the long and arduous process of hammering out broader bilateral or multilateral agreements. These must bring procedural clarity and legal certainty to the cross-border data access and warrant process.
Under the current system, businesses face considerable challenges. Even the MLAT process at its very basic level can be confusing, and can require duplicate compliance reviews: businesses receive a request for data from the requesting country, then it is domesticated and they receive a valid request from their country of jurisdiction. This isn’t only a U.S. problem; it’s a global one. In the years ahead, as data stored in a variety of jurisdictions increases, these issues will intensify. Cross-border requests for data among nations will only increase.
Often, such requests impose a massive administrative burden, creating a significant drag on businesses. Currently, there are no clear, predictable, or implementable ways for companies to comply with routine requests for data. Automation is not possible because such requests are not in a standardized form. This is an especially challenging situation for small businesses that don’t have the resources to understand the nuances of laws outside their jurisdiction. This is deeply concerning given that most of the 60,000 Internet infrastructure companies across the globe are small- or mid-sized businesses.
U.S. firms face a unique set of challenges, particularly in the volume of data requests from around the world. Given the size of the Internet infrastructure community, recent focus has been placed on the difficulties presented by cross-border law enforcement requests for data. U.S. infrastructure providers are often in a difficult bind as the United States stores much of the world’s data. While they must comply with U.S. laws that have a different standard to grant access to data than that outside the U.S., these same providers may face conflicts of laws when their data stored outside the U.S. is subject to a law enforcement request that meets a different standard than that used in the United States.
Of course, law enforcement and national governments have a narrative—and legitimate frustrations—of their own. The current situation is just as cumbersome and inefficient for those seeking data as it is for those storing it. The current MLAT process makes it very difficult for law enforcement entities in all nations to conduct investigations. This is a factor which is exacerbated by the inability of many law enforcement bodies to internalize the global nature of the Internet, the implications of this reality for their work, and law enforcement in general.
When every aspect of an investigation can occur in one nation, but the data needed to secure a conviction is located in another, it creates significant roadblocks for law enforcement efforts, and can undermine public safety. More generally, law enforcement officials and agencies are forced to comply with significant numbers of unfamiliar laws, and the MLAT process is notoriously slow. If an agency is working on a fast-moving case, the only way to make the process move more quickly is to exercise political influence via the diplomatic system.
However, while many of the complaints of law enforcement are justified, their reaction to the current process in some cases is unacceptable. At times, law enforcement or governments will try to circumvent nation-based due process, creating potentially major legal, ethical, business, and diplomatic issues for companies that are caught in the middle. Such a situation is untenable. It’s time for governments across the globe to come together to fix this broken system through legislation and international treaties.
The current cross-border data request system consistently affects the ability of Internet infrastructure providers to attract global customers, and it creates massive administrative burdens that slow growth and undermine the viability of companies that make up the backbone of the Internet. When operating in a global marketplace, companies must be able to be honest to—and be trusted by—customers. This is becoming increasingly difficult as governments, law enforcement, and private companies struggle to manage complex cross-border data request issues via a deeply flawed system.
In the U.S., Congress has tried to address this issue from the American perspective, but has yet to successfully do so. Even if it had, it would only be a small piece of this particular puzzle. This is a multilateral problem that calls for a multilateral solution. It requires a critical mass of nations to work together. Whatever the method, nothing short of a broad-based international framework, agreement, convention, or treaty will succeed in replacing our current patchwork system.
No “side” is right on this one—the system is poorly constructed and is ill serving all stakeholders. Mutual trust—between law enforcement, private companies, and national governments—is needed to move toward a successful consensus.
i2Coalition member Google’s General Counsel recently spoke on these issues at the Heritage Foundation.
Digital security and due process: A new legal framework for the cloud era
Editor’s note: This is an abbreviated version of a speech Kent delivered today at The Heritage Foundation in Washington, D.C. For as long as we’ve had legal systems, prosecutors and police have needed to gather evidence. And for each new advance in communications, law enforcement has adapted.