In defence of law enforcement cooperation

One of the aspects of Brown and Korff’s report on Digital Freedoms in International Law that warrants further discussion and analysis is their recommendations about mutual legal assistance.  The report recommends that companies and States should insist that MLA arrangements are the only appropriate means of cross-border data access.  While I understand the authors’ logic in recommending MLA as a structured system with comparatively well-defined legal boundaries and safeguards, this approach overlooks the valuable role that police-to-police cooperation plays in international crime cooperation.

The scope and role of law enforcement cooperation

Law enforcement cooperation is less formal than MLA, with information being shared directly between law enforcement agencies, rather than through ‘Central Authorities’ under cover of formal Government-to-Government requests.  Law enforcement cooperation is governed by informal arrangements or by instruments of less-than-treaty-status (such as memoranda of understanding).  It is less transparent than MLA, with the terms of international agreements often not being publicly available (this issue came up in the Australian case of Rush and others v Commissioner of Police (2006) 229 ALR 383, where the memorandum of understanding between Australian and Indonesia was not produced due to public interest privilege).  The scope of information that can be provided on an agency-to-agency basis is often described in these confidential MOUs, but is delimited by the domestic law of each individual country.

There is a further level of complexity in investigations that relate to criminal activity across international borders.  Information that may not be able to be obtained directly on behalf of a foreign country can sometimes be obtained by the police in the host country for a domestic investigation and then shared with the foreign country as part of a joint investigation.

It is not just police forces that share information on an agency-to-agency basis; customs or immigration authorities also have extensive international cooperation networks.  The value of law enforcement cooperation is recognised in multilateral treaties such as the UN Convention on Transnational Organized Crime (art 27), the UN Convention against Corruption (art 48) and the Convention on the Prevention of Terrorist Bombings (art 10).  International organisations such as Interpol and the World Customs Organization facilitate interagency cooperation on a range of areas.  These international networks can move quickly in situations where the time involved in making an MLAT request could thwart an operation.

As noted in a previous post, MLA can be slow.  It is heavy on the paperwork and, because it involves a large number of stakeholders and formal processes, is resource-intensive.  There has been a trend towards looking for more streamlined alternatives to MLA.  The most ambitious of these is the European Evidence Warrant (EEW), which represents a sort of half-way point between law enforcement cooperation and MLA.  A designated judicial authority in one member State can issue an EEW for certain objects, data and documents that are in another jurisdiction and are required for criminal proceedings.  The EEW is transmitted to the State in which the evidence is located and that State is obliged to recognise and execute the warrant, subject to limited grounds for refusal.  The EEW replaces much of the existing MLA system within the EU and coexists with the system of law enforcement cooperation through mechanisms such as Europol.

Where to from here?

It is not just the fact that law enforcement cooperation is an entrenched part of the system that leads me to advocate its retention (at least in some form).  The existing MLA system is not appropriate for the wide range of circumstances in which online information needs to be shared.  Requiring MLA for the sharing of all data evidence could be akin to the proverbial nut and a sledgehammer.  The existing system of international information sharing is complex and confusing.  However, there were valid reasons behind the decisions to create many of these different processes and they should not be dismissed out of hand.

Instinctively, there seems to be a difference between an ICT company divulging a user’s name and e-mail address to a foreign country compared with handing over the content of their personal e-mails.  And it is another step again to grant ongoing access to a user’s e-mails into the future.  The European Convention on Cybercrime recognises this by creating different obligations for each of these circumstances.  Many countries’ domestic laws take a similar approach.  For example, the US Electronic Communications Privacy Act requires different processes for content or traffic data and separately regulates surveillance.

It is also relevant to consider the destination of the information that is being shared.  The EEW is premised on the idea that a more streamlined approach is appropriate for cooperation between States with a shared standard of human rights protections and criminal justice.  Where the State requesting the information has a radically different justice system, a more comprehensive MLAT process is necessary.

I agree with Brown and Korff that there needs to be better controls on the way in which information is shared across borders.  However, requiring all information sharing about online records to go through the MLA process is not the answer.  Instead, there needs to be analysis of all the ways in which information is currently shared through MLA and law enforcement cooperation.  A new framework for international information sharing for criminal matters should take into account:

  • The nature of the information sought – is it basic subscriber information, e-mail content or ongoing access to an individual’s communications?
  • The purpose for which it is sought and any need for urgency – is it an emergency situation where an individual’s life is at immediate risk or is it a long-term criminal investigation?
  • The State to which the information is being provided – is it a trusted partner country with shared criminal justice and human rights standards or a State with more divergent legal practices?

Digital Freedoms in International Law – at last a great conversation-starter in the field of law enforcement, human rights and technology

The Global Network Initiative launched their report on Digital Freedoms in International Law: Practical Steps to Protect Human Rights Online in Washington DC yesterday.  The report makes for interesting reading and can be found on the GNI website with webstreaming of the event also available.  The report is of greater interest to me than the title might suggest.  The report certainly delivers on its promise of ‘practical measures to protect human rights in networked technologies’, but there is quite an emphasis on recognising and accommodating law enforcement imperatives.  It was exciting to see how many of the themes in the report echo topics that I have been discussing in previous blog posts.

The report gives a good primer on relevant principles of international human rights law and on international efforts at controlling export of ‘dual use’ technologies.  It gives extensive examples where ICT companies may find themselves involved (unwittingly or otherwise) in situations where the supply of their products in a particular market could contribute to human rights abuses.  It focuses on technologies used for blocking or censoring internet access and those used for surveillance.  The report also addresses the situation where companies hold users’ information that countries may seek to access.

One of the strengths of the report is that it takes a realistic approach to the need for governments to be able to access information for legitimate purposes.  It acknowledges that it is acceptable and, in many cases even desirable, for governments to be able to access users’ information for law enforcement or to use blocking or surveillance tools.  The key challenge is in making sure that these purposes are legitimate and that there is appropriate control and scrutiny.  The report explains the international human rights law jurisprudence on the ways in which certain rights can legitimately be limited, giving particular attention to the context of security and anti-terrorism measures.  It then explores ways in which these issues apply to sale and use of web and mobile technologies.

The report makes practical recommendations companies, governments, NGOs, IGOs and investors.  The report includes a significant number of references to mutual legal assistance treaties, including several recommendations relating to MLATs:

  • 4.1.7 – companies should insist that, if the company holds data on a server in another jurisdiction, they will only provide that information to the country through MLAT processes.
  • 4.2.13 – States should insist that demands for access to data held on their territory should be made only through MLA arrangements
  • 4.3.18 – global and regional IGOs should review the international system of MLATs to address legal uncertainties and to confirm that MLAT processes are the only appropriate way in which to demand access to information in another country’s jurisdiction.

It is great to see MLA being given attention in this field; too often it is overlooked as a little-understood and obscure governmental process.  The authors acknowledge that the report is not the end of the story, but rather an invitation for further discussion and development of the law and policy in this area.  It certainly has raised some interesting questions in my mind:

  • What is the role of cooperation outside of the MLAT process?  The report does not consider agency-to-agency sharing of information that occurs between foreign police forces or other law enforcement agencies either formally (through memoranda of understanding) or through less formal channels.  This is such an important and frequently-used tool from an operational perspective that it would be good to give consideration to issues such as when is agency-to-agency cooperation appropriate, are there adequate safeguards in place and are there improvements that should be made to existing practices?
  • How can MLAT processes be improved?  The report notes that MLATs are time-consuming and inefficient and invites further consideration on how to improve this system.  The formality of MLA is both its strength and its downfall, which the authors implicitly acknowledge by praising the protections provided under MLATs but lamenting MLATs’ inefficiencies.  This is certainly an area that is ripe for exploration.
  • What is the best way to assist small companies and start-ups to navigate this difficult area? While companies such as Yahoo!, Google and Microsoft may have sufficient depth of experience in their legal and policy teams to be comfortable engaging on these issues, many other ICT companies operate with much smaller teams who are more accustomed to dealing with issues of commercial contracts and intellectual property than international human rights law and mutual legal assistance.  The report encourages sharing of information and expertise through networks such as GNI and highlights the supporting role that governments and NGOs can play.  Clearly further work is needed to build a culture of human rights protection and information sharing.
  • How should companies handle the ‘borderline’ cases? Examples such as Syria and Egypt provide excellent starting points for discussion and formulation of suggestions on the approach that ICTs should take.  But as the audience discussed in Thursday’s Q&A session, how should we handle circumstances where ‘good’ countries do bad things?

Human rights risks and strategies in new markets – herding cute cats?

While much of the material on the internet and social media may seem trivial, its power as a tool for political mobilisation was evident during the Arab Spring.  Ethan Zuckerman’s ‘cute cats’ theory posits that while Web 2.0 may have been designed for people to share pictures of cute cats, it can still have a powerful role in political movements.  People who would ordinarily distance themselves from political issues can become politically mobilised when a government restricts their access to their ‘cute cats’.  The habit of sharing everyday thoughts and photos with the world can also become powerful when individuals are in an environment where access to information and sharing of opinions is being restricted.

While commentators love to dispute the importance of the role of social networks and the internet in revolutions (Sarah Joseph offers an interesting summary), there seems to be a strong case that these products can have a beneficial role in developing countries and societies in transition.  However, the principle of ‘first do no harm’ is also relevant here.  Are there times when a company’s presence in a country is doing more harm than good?  And are there steps that a company can take to ensure that the benefits outweigh the detriments? Continue reading Human rights risks and strategies in new markets – herding cute cats?