US contemplates framework for aid to UK police that could be extended to other countries

10 July 2017. By Robert Thomason.

A proposed framework that would permit US data service providers to fulfill requests from foreign law enforcement agencies could standardize baseline privacy safeguards throughout the world, proponents said. But a critic said that would come at the expense of US Constitutional protections.

The balance between solving or preventing crimes, on the one hand, and protecting legal rights of people, on the other, has become move vexing, speakers at a Capitol Hill panel* said. Changes in globalized information technology have spawned new criminal activity, heightened privacy concerns and generated courts cases grappling with the issue.

US companies that control dominant international communications platforms such as Microsoft's Skype and Facebook's WhatsApp have increasingly found themselves in a troublesome position when they receive an information request from a foreign law enforcement agency because they are blocked under US law from providing data stored on US-based servers outside the very slow process defined by treaty.

The US last year began negotiating a framework with the United Kingdom to allow law enforcement to serve requests for stored information directly on US companies for use in British criminal and national security investigations, and many experts in the field believe that the US-UK template could be extended to other democratic governments that meet human rights criteria.

Currently, a foreign government investigating a crime committed in its territory must ask for relevant data stored in the US through a diplomatic process called the Mutual Legal Assistance Treaty. Further, the US Electronic Communications Privacy Act of 1986 forbids US data service providers from disclosing some types of information to foreign governments.

The ECPA was described as "woefully inadequate for the world that we live in today" and the MLAT process as being "universally reviled as being too slow."

"Technology has clearly left the law behind and it is time for Congress to bring the law into the present to address 21st Century problems," said Judd Smith, legislative director and counsel to Pennsylvania Republican Representative Tom Marino, echoing comments made by a number of legislators.

The US and UK have been negotiating a bilateral treaty that the US Justice Department says would lift the ECPA restrictions under certain conditions. Last year, Marino sponsored legislation that would have allowed the US to extend the framework to other foreign governments that meet a set of rule-of-law standards. "In the 115th Congress we are excited to be working with Representative [Hakeem] Jeffries [Democrat of New York] to improve and build upon this proposal," Smith said.

Richard Downing, US deputy assistant attorney general, said that only countries that have signed a bilateral agreement with the US would be allowed to make the requests for the data from US data providers. He said those requests would have to comply with about five pages of conditions.

A major condition, he said, is that the foreign police may only seek information about non-US individuals, and may not target a US person or anyone located in the US. Other conditions include a requirement that the request be "based on articulable and credible facts," and that there be a periodic review of the data exchange program.

Downing said that this would have the effect of raising privacy standards across the world, because any country seeking a bilateral arrangement with the US for investigative access to data would have to correct shortcomings in its legal system before the US would agree to cooperate.

However, the principle that the program would only target foreign persons is a "fig leaf," said Neema Singh Guliani, legislative counsel for the American Civil Liberties Union. People from other countries communicate with those in the US, she said, and a program that captures the data of the foreign person would include data about the US person.

At present, if the UK police want a UK person's data, they must comply with MLAT obligations, which Guliani described as a warrant standard. "My conversation with someone in the UK is protected under US Constitutional standards," she said.

"Now if that standard is dropped and the requirements are lessened and weakened, that effects my privacy," she said. "So we are now essentially creating a system where incidentally, as I think the government sometimes refers to it, you can collect information about people in the US, citizens and green card holders, under a standard that is potentially lower than a warrant standard and under standards that are lower than would apply to the US government if it were doing that collection."

She also said that the framework would eliminate a number of traditional US protections in wiretaps if a foreign government wants to perform its own wiretap through data sources on US territory.

She said that the framework does not keep information collected by a foreign government out of the hands of US officials.

Further, under the MLAT system, a US State Department official would review a request for information in light of human rights and other criteria, she said. Under the US-UK proposal, the review would be left to the private US data provider, Guliani said, and she questioned whether the companies would have the resources or experience to perform sufficiently robust reviews.

Guliani pointed to India, where she said human rights activists have chosen US data services with the expectation that their communications would be subject to privacy standards — "not just out of the idea that privacy is important but because their life was on the line."

Downing told MLex there are provisions in the framework that offer, in many cases, protection for US persons who have data collected incidentally. But he also said there is not a "single silver bullet way" of addressing all situations.

"It would be one of those things that would have to be worked out in the details," he said. However, he said if foreign investigators came across irrelevant information connected to a US person in the data collection process, they would have to minimize, set aside or seal that information "except under specialized circumstances."

* "Data Warrants from the Across the Pond: Fighting Crime While Preserving Privacy." Congressional Internet Caucus, Washington, DC, July 10, 2017.

Countdown to the GDPR