ECPA reform is not just a U.S. issue

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/04/ecpa-reform-not-just-us-issue

If US law enforcement officers want to access your private emails, they need to follow the requirements in the Electronic Communications Privacy Act.  ECPA is an old and imperfect piece of legislation.  Industry and civil society have long been pushing to update ECPA so that it is “technology neutral”; just as government agencies require a warrant to compel disclosure of a person’s locally-stored documents, government should have to obtain a warrant to access private documents stored in the cloud.  While this argument may seem self-evident, reform has been frustratingly slow.  Today, blogs have fired up (such as herehere, and here) with arguments in favor of reform and criticising the Securities and Exchange Commission’s opposition to reform.  However, what is missing in the current debate is that ECPA has implications beyond US borders. Technology neutrality is an important principle that should underpin the reform of ECPA.  However, I believe that the ECPA discussion should also include the question of “location neutrality” ie. foreign law enforcement officers’ access to user data should be based on the same principles as access by US law enforcement.

How is foreign access to non-content regulated?

It doesn’t matter where in the world a police officer is, if he or she wants to access an individual’s Gmail or Facebook records (or many other US-based products), that access is governed by ECPA.  ECPA providessome limits on US law enforcement access to non-content information by requiring at least an administrative subpoena.  However, ECPA completely overlooks access by foreign governments because it defines “government entities” to mean only US government agencies.  This means that when foreign law enforcement officers ask for a user’s subscriber details or email contacts, it is up to the companies to decide whether or not they hand over that information.  Some companies refuse to provide any information voluntarily and insist on a request under a mutual legal assistance treaty (MLAT), supported by a court order.  Other companies will hand over information if they feel that it is appropriate in the circumstances.  In practice, there is no consistency, transparency, or oversight into when non-content information is handed over to foreign law enforcement.

What about content?

Foreign law enforcement must go through the MLAT process in order to access user content held in the US.  Before you get too excited in thinking that this provides good legal and procedural protections, you need to look a little more closely.  The current MLAT-based system for content access is basically due to a legislative oversight, not because of a well-reasoned policy decision.  ECPA doesn’t mention whether or not a foreign law enforcement officer should be able to obtain either a subpoena or court order directly from a US court.  In order to overcome this, a foreign government can make an MLAT request, which effectively asks the US Government to obtain a warrant on behalf of the foreign government.

When it comes to the content of users’ emails, the current system might seem good on first glance because it only allows foreign governments to access user data through the MLAT system, which involves a US warrant process.  However, the MLAT system is not designed to cope with the large volume of requests for online data that are now being made or the tight timeframes that cyber-investigations demand (the President’s Review Group found that MLAT requests for online records take an average of 10 months!).  This means that either (1) legitimate criminal investigations and prosecutions are compromised because the evidence cannot be obtained quickly enough or (2) police find “creative” work-arounds and “informal” means to obtain the data, which undermines transparency, accountability and user protections.  Neither of these is a good outcome.

Where to from here?

In the context of ECPA, technology neutrality means that a user should have the same protections for their personal data, regardless of whether it is stored in physical format, in a locally-based electronic format, or in the cloud.  I suggest that another principle for ECPA should be location neutrality – ie a user’s personal data should have the same protections from all law enforcement agencies, regardless of whether that agency is based in the US or abroad.

The reform of ECPA is certainly not just a US issue; it impacts millions of users outside of the US.  It would be a great step forward to protect users’ data from unwarranted US law enforcement snooping.  However, this is only half the picture; we need to start talking about foreign law enforcement access to electronic communications as part of the ECPA reforms.

Extraterritoriality and digital surveillance – time for the lawyers and the advocates to bring the dialogue together

This weekend, as an ex-bureaucrat, I felt for the folk at the State Department.  It must have been a ridiculously busy weekend for those preparing for this week’s Human Rights Committee Hearing in Geneva.  On Friday, the New York Times leaked Harold Koh’s legal advice acknowledging that the US obligations under the International Covenant on Civil and Political Rights do not stop at the border.  The NYT article would have meant that the briefing folders that had been merrily making their way up the clearance chain in time to be packed into the delegation’s suitcases would have been discarded (or at least the sections on extraterritoriality would have been yanked out) and all the talking points would have needed to be rewritten.

This is not just an important moment for bureaucrats or international human rights law junkies; it is potentially powerful for digital rights activists pushing for reform of global surveillance practices.  Digital rights advocates have been calling for the US government to end global mass suspicionless surveillance and to adhere to their international human rights law obligations.  There may be a strong moral case to support them, but when it comes to the NSA’s overseas activities, the discourse has often lacked a strong legal underpinning.  In order to push governmental policy on this issue, the dialogue needs to mature to the point where it is built on solid legal underpinnings.  The next couple of months bring an unprecedented opportunity to do just that. Continue reading

Whistleblowing about government surveillance: political offense or serious crime?

[cross-posted from http://cyberlaw.stanford.edu/blog]

It seems like the world has been turned upside down when a US citizen flees to China seeking political asylum.  And yet Edward Snowden is apparently hiding out in a secret location in Hong Kong after revealing that he is responsible for the leaked information on the US government’s PRISM program of surveillance.  He explains his choice of refuge as being based on Hong Kong’s reputation for defending freedom of speech.  He is also apparently considering Iceland as another potential refuge.  But if the US chooses to prosecute him, will he be able to avoid being sent home to face charges?  A key part of the answer lies in whether his leaking of official secrets qualifies as a ‘political offense’.

Continue reading

One heck of a timely UN report on government surveillance of communications

If it had happened on House of Cards, you’d have enjoyed the theater of it, but figured that the writers had taken some artistic license in the timing.  I mean, it just doesn’t happen in real life that the UN releases a report on the dangers of government surveillance on the internet immediately before the news breaks that the US Government has been conducting internet surveillance of previously unimagined proportions.  Critics could unkindly say this is because the UN is never ahead of the game, but in this case, you have to hand it to Frank La Rue – he has clearly authored an exceptionally timely report: Continue reading

Trust us, we’re the Government – sharing evidence internationally

It’s the nature of academic articles that by the time they’re published you’ve almost forgotten that you wrote them, particularly if the journal is an annual.  It is therefore pleasantly surprising that as my article on ‘Sharing Evidence Across Borders:  the human rights challenge’ is published ((2012) 30 Aust YBIL 161), I find that the topic is still very much current and the questions raised are still relevant, possibly even more so than when I wrote it a couple of years ago.

Being able to transfer evidence between countries is essential for cross-border investigations and prosecutions.  Even aside from crime types that are obviously transnational in nature such as drug trafficking or international money laundering, everyday crimes are easily given a ‘transnational’ aspect if the criminals use international email providers, have a foreign bank account or if a key witness lives in another country.  Clearly, public policy dictates that investigations and prosecutions can’t be allowed to stop at the border.  To fill this gap Mutual Legal Assistance Treaties (MLATs), law enforcement cooperation and letters rogatory have developed.  However, transferring evidence into another jurisdiction can have significant human rights implications.

After authorities in one country hand evidence over to another country, they may lose control and visibility of how that evidence is used.  And yet, instinctively, it seems like a country should not be able to wash its hands of all responsibility after handing over evidence.  When legal cooperation is used to move people rather than evidence (ie extradition), there are very clear human rights protections.  An abolitionist country cannot extradite or deport a person to a country if there is a real risk that he or she may be subject to the death penalty.  Similar obligations arise if a country wishes to extradite a person to a country where there is a real risk of a person being subject to torture or to cruel, inhuman or degrading treatment or punishment.  However, there is no such obligation if one country provides evidence to another country and that country then uses the information to impose the death penalty, torture or other cruel, inhuman or degrading treatment or punishment on an individual.

Many see this as unjust and there is a temptation to extend the international law that applies to extradition to MLATs and law enforcement cooperation.  After all, the consequences for individuals can be just as dire when countries share evidence as when they cooperate for extradition.  However, if you carefully analyse the extradition jurisprudence and try to apply it to evidence-sharing, you encounter a number of significant logical and legal problems.

In order to be practical and politically-palatable, there must be limits on a country’s human rights obligations.  International human rights law obligations are therefore generally limited to persons within that country’s jurisdiction.  When evidence is provided to foreign countries, it usually affects individuals in the foreign country.  It is difficult to find a logical way to argue that those individuals are within the ‘jurisdiction’ of the country providing evidence.  There are a couple of unique situations in which international human rights law has been found to apply to individuals extraterritorially.  These include where an individual is under that country’s effective control (eg prisons operated in Iraq by allied forces) or for particular rights such as the issuing of a passport or the enforcement of a judgment in absentia.  When you analyse these extraterritorial situations, they seem to be fundamentally different from a person about whom a foreign country facilitates providing evidence.

I therefore argue that international human rights law does not create any obligations with respect to law enforcement cooperation or mutual legal assistance.  This is not to say that there should not be legal obligations, just that they do not currently exist under international human rights law.  Any attempt to create obligations needs to engage with the complexity of the issue, not just assume that the same rules that apply to extradition can be applied to evidence-sharing.

The treaties that create evidence-sharing relationships provide some protections by specifying situations in which the requested country may refuse to provide evidence.  Such situations include where the death penalty would be imposed or there is a real risk of torture.  However, this is permissive rather than mandatory.  Moreover, MLATs and agreements on law enforcement cooperation are negotiated on an ad hoc basis and there is no uniformity in approach.  In the end, it all comes down to the particular policies of the administration that negotiated the treaty and the policies in place at the time that it is asked to provide the evidence.

The government makes decisions about which countries it is appropriate to enter into evidence-sharing relationships with and on what terms.  There is also scope to make decisions about specific requests.  For example, the requested country may specify that evidence will only be provided if the other country gives certain assurances (eg not to impose the death penalty).  Enforcement of such undertakings is a diplomatic matter.  In this way, the responsibility to make the right decisions about who to do business with and on what terms is largely a matter for the executive.

The system is further complicated when third parties hold the requested evidence, and these parties have their own relationship with the owner of the information.  The most pressing current example is online records.  Companies such as Google and Facebook hold large amounts of user data and many of their users reside in foreign jurisdictions.  The relationship of trust between these companies and their users is a valuable part of their business.  Being a good corporate citizen and cooperating with law enforcement to combat crime may also be important, but the priorities are not necessarily always compatible.

This somewhat changes the assumption that evidence-sharing can be handled adequately on a purely diplomatic basis because you have an additional party with a different set of interests.  This is not a new problem; for many years, countries have been sharing bank and telephone records.  However, the scale of the issue has certainly grown, with users storing more and more personal data online and increasing numbers of these users being in different jurisdictions from the tech companies.

These companies can scrutinize the requests that flow through from the Department of Justice or law enforcement to ensure that the legal requirements have been met.  However, where the discretion is a matter for the executive, the companies have limited options.  It is for the government to decide whether the other country’s justice system is adequate or undertakings are sufficient.  Provided that the other legal requirements are met, the company is obliged to hand over their user’s information.  Essentially, the system is based on trust that governments will do the right thing.

The increasing role of third party holders of information brings another dimension to the question of civil liberties protections in international evidence sharing.  It means that there is a new voice in the debate.  While governments have tended to keep evidence sharing confidential, tech companies are increasingly going public about government requests for user data.  Companies may challenge government requests in the courts on behalf of their users and raise public awareness about any perceived deficiencies in the laws.  What has tended to be an obscure area of government practice where the lack of legal protections has gone largely unnoticed now has the potential to become an issue of public discussion and concern.

Transparency – but what are we seeing?

Now that Microsoft has come to the party and is publishing a regular transparency report, there is a meaningful amount of publicly-available data about government requests for online records.  Looking at the data from Google, Twitter, Dropbox and Microsoft side-by-side raises some interesting questions.

The trend towards publishing transparency reports is a welcome one.  It raises awareness and encourages users to think about what protections they’re entitled to and how private their online activities really are.  There are still some very noticeable gaps in the information available.  Facebook and Yahoo! store large amounts of personal data but are noticeably silent on the issue of transparency reports.  Perhaps they will follow in Microsoft’s footsteps and finally succumb to the pressure for transparency.

Consumer and privacy advocacy groups are alarmed at the increased volume of government data requests.  Back in January, EFF reported on the ‘troubling trend’ of the rise in government surveillance because there had been a 70% increase in requests for data since Google started releasing numbers in 2010.  Forums are awash with comments about government snooping and conspiracy theories.  Meanwhile, at last week’s Committee on the Judiciary Hearing, Richard Littlehale from the Tennessee Bureau of Investigation argued for calm in considering the increase in government requests.  He analysed the statistics as demonstrating that ‘just a tiny fraction of one percent of Google’s accounts were affected by government demands’.

Comparing the transparency reports of the different companies shows that Microsoft/Skype and Google are inundated with requests for data.  As you would expect, relative newcomers Dropbox and Twitter receive far fewer requests.  In 2012, there were 122,015 requests relating to Microsoft accounts, 15,409 requests relating to Skype accounts, 68,249 Google accounts, 2,614 Twitter accounts and 164 Dropbox accounts. Each of these statistics relates to the number of accounts affected.  As each user could have multiple accounts, this does not directly equate to the number of individuals affected but nonetheless gives a sense of the scale of the issue.

These are some pretty impressive numbers and they’re on the rise.  The volume of requests to Google has grown significantly even during the short 3 years that they have been publishing their transparency report.  Although the data is not available, it seems reasonable to assume that the other companies are also experiencing significant increases.  Just what do these statistics mean?  Is it time to sound the Orwellian alarm bells?

Of course, more users have been sending, posting and storing information online.  This comes not only from more users engaging with online products, but also through the expanded type of products being offered.  The growth in cloud computing and cloud product offerings such as Google Drive mean that there is more information being held by third parties.  Higher penetration of online products not only means more cute cats and emails home to Mom, but also more use by criminal elements.  This naturally piques the interest of law enforcement officers.

As law enforcement becomes more familiar with the use of online records as evidence, more officers appreciate its value and employ it as one of their investigative tools.  The process has also been simplified and demystified.  Only a few years ago, it was an impenetrable maze to try to work out how to request online records for most of the providers.  Now, many of the companies have publicly accessible guides for law enforcement.  This means that it’s not just the high-tech crime units that are aware of the ability and value in accessing online records, but also the local county sheriffs.

Upward trends in law enforcement requests for records from particular online products can also reveal that some applications are particularly attractive to criminal elements.  For example, in the past, certain messaging applications became havens for child pornography rings to the extent that the product was discontinued.  Criminals will always look for weaknesses in the system and loopholes where they feel that they can communicate with impunity.  Police will naturally want to follow these trends and pursue criminals by accessing these records.  At the same time, innocent users have a valid expectation of privacy over their communications.

This all means that more users are putting more information online and it’s being accessed by a wider range of law enforcement officers.  I don’t think this is necessarily alarming in itself – we are no longer in a society where people (innocent or criminal) handwrite their private documents and store them under lock and key in their filing cabinet and investigative techniques have to adjust accordingly.  However, it does mean that it is increasingly important to ensure that there are adequate systems in place for the way in which this information is stored, accessed and used.

The discussion of this issue is hardly in its infancy; reform of ECPA has been on and off the cards for years (culminating in the last-minute failure to pursue the legislative amendments at the end of last year).  At last week’s committee hearing, there was a new level of consensus that access to users’ content should only be through showing of probable cause.  However, underneath this veneer of agreement, each of the witnesses revealed important differences of opinion.  The Department of Justice advocated substantial carve-outs from the probable cause standard should be afforded for civil litigation.  The law enforcement representative had a wish list including access to SMS messages and mandatory time limits on compliance with government requests.  Questioning by committee members revealed that there was confusion about the difference between traffic data and content and a troubling lack of understanding about how services such as targeted advertising on Gmail accounts affects privacy.  As with most legislative reform, the devil is in the detail and there is a lot of work ahead before there can be agreement on a Bill.

Access to online records needs to be addressed now.  The uncertainties between different jurisdictions and the growing agreement that aspects of ECPA infringe the fourth amendment of the Constitution are unacceptable both from a user’s perspective and also from the commercial perspective of companies that have to navigate this legal minefield on a daily basis.  The law is certainly in need of reform and the problem is only going to get worse.  However, the statistics do not necessarily mean that we are in the grip of a government conspiracy.  While we are no longer in the 1986 world of the original ECPA, we are also a long way from George Orwell’s 1984.

Julian Assange – epic failure of the international human rights system?

Over the coming weeks and months, international lawyers and commentators will no doubt be falling over themselves to write about the issues raised by Julian Assange’s stalled extradition process and dramatic receipt of diplomatic asylum.  Who could blame us when this case raises so many unusual and complex issues of international law and politics? What interests me most is the fact that the Government of Ecuador has effectively declared its distrust of the human rights protections offered by the extradition and criminal justice processes of three countries.  Not just any countries, mind you; Sweden, the United Kingdom and the United States.  While no country’s justice system is perfect, these three countries arguably have some of the world’s most advanced legal systems for extradition and human rights protection and yet we have seen Ecuador invoke the laws of diplomatic asylum to protect Assange where these systems have allegedly fallen short. Continue reading