Are some companies ‘yes men’ when foreign governments ask for user data?

Once you start looking at which countries are requesting data from US companies, the next obvious (and critical) question is: how do companies respond to those requests? This is largely a matter of company discretion because the Electronic Communications Privacy Act does not apply to requests for user data from foreign governments. Without laws governing this important issue, foreign users are reliant on due diligence and good will by individual companies. This ad hoc approach means that different companies can have quite different compliance rates for the same countries. Continue reading Are some companies ‘yes men’ when foreign governments ask for user data?

Advertisements

Which countries’ law enforcement are data hungry?

One of the trends from the industry-wide transparency report that’s worth looking at more closely is which countries are making requests for user data, to which companies, and on what scale.  This post will break down these statistics and suggest some of the trends behind the numbers. Continue reading Which countries’ law enforcement are data hungry?

International data privacy: what we need is an industry transparency report

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/05/international-data-privacy-what-we-need-industry-transparency-report 

GoogleYahoo!, MicrosoftTwitterAppleDropboxLinkedIn, and Pinterest all publish transparency reports.  WordPress is the latest company to join the party, recently publishing their first transparency report.   However, it’s difficult to see trends and anomalies when the information is scattered across multiple individual company reports.  In order to get a comprehensive view of what is happening, we need to pull all of these fragments into a comprehensive picture.  We need an internet industry-wide transparency report.

To create a kind of hacked industry transparency report, I have consolidated the July-December 2013 transparency data from the main internet companies.  There is such a wealth of information to pore over and slice and dice in different ways that I will separate the analysis into a series of blog entries.  My interest is the international aspect, so I will focus on requests from foreign law enforcement.  This post will outline some of the key themes emerging from my comparison. Continue reading International data privacy: what we need is an industry transparency report

ECPA reform is not just a U.S. issue

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/04/ecpa-reform-not-just-us-issue

If US law enforcement officers want to access your private emails, they need to follow the requirements in the Electronic Communications Privacy Act.  ECPA is an old and imperfect piece of legislation.  Industry and civil society have long been pushing to update ECPA so that it is “technology neutral”; just as government agencies require a warrant to compel disclosure of a person’s locally-stored documents, government should have to obtain a warrant to access private documents stored in the cloud.  While this argument may seem self-evident, reform has been frustratingly slow.  Today, blogs have fired up (such as herehere, and here) with arguments in favor of reform and criticising the Securities and Exchange Commission’s opposition to reform.  However, what is missing in the current debate is that ECPA has implications beyond US borders. Technology neutrality is an important principle that should underpin the reform of ECPA.  However, I believe that the ECPA discussion should also include the question of “location neutrality” ie. foreign law enforcement officers’ access to user data should be based on the same principles as access by US law enforcement.

How is foreign access to non-content regulated?

It doesn’t matter where in the world a police officer is, if he or she wants to access an individual’s Gmail or Facebook records (or many other US-based products), that access is governed by ECPA.  ECPA providessome limits on US law enforcement access to non-content information by requiring at least an administrative subpoena.  However, ECPA completely overlooks access by foreign governments because it defines “government entities” to mean only US government agencies.  This means that when foreign law enforcement officers ask for a user’s subscriber details or email contacts, it is up to the companies to decide whether or not they hand over that information.  Some companies refuse to provide any information voluntarily and insist on a request under a mutual legal assistance treaty (MLAT), supported by a court order.  Other companies will hand over information if they feel that it is appropriate in the circumstances.  In practice, there is no consistency, transparency, or oversight into when non-content information is handed over to foreign law enforcement.

What about content?

Foreign law enforcement must go through the MLAT process in order to access user content held in the US.  Before you get too excited in thinking that this provides good legal and procedural protections, you need to look a little more closely.  The current MLAT-based system for content access is basically due to a legislative oversight, not because of a well-reasoned policy decision.  ECPA doesn’t mention whether or not a foreign law enforcement officer should be able to obtain either a subpoena or court order directly from a US court.  In order to overcome this, a foreign government can make an MLAT request, which effectively asks the US Government to obtain a warrant on behalf of the foreign government.

When it comes to the content of users’ emails, the current system might seem good on first glance because it only allows foreign governments to access user data through the MLAT system, which involves a US warrant process.  However, the MLAT system is not designed to cope with the large volume of requests for online data that are now being made or the tight timeframes that cyber-investigations demand (the President’s Review Group found that MLAT requests for online records take an average of 10 months!).  This means that either (1) legitimate criminal investigations and prosecutions are compromised because the evidence cannot be obtained quickly enough or (2) police find “creative” work-arounds and “informal” means to obtain the data, which undermines transparency, accountability and user protections.  Neither of these is a good outcome.

Where to from here?

In the context of ECPA, technology neutrality means that a user should have the same protections for their personal data, regardless of whether it is stored in physical format, in a locally-based electronic format, or in the cloud.  I suggest that another principle for ECPA should be location neutrality – ie a user’s personal data should have the same protections from all law enforcement agencies, regardless of whether that agency is based in the US or abroad.

The reform of ECPA is certainly not just a US issue; it impacts millions of users outside of the US.  It would be a great step forward to protect users’ data from unwarranted US law enforcement snooping.  However, this is only half the picture; we need to start talking about foreign law enforcement access to electronic communications as part of the ECPA reforms.

Trust us, we’re the Government – sharing evidence internationally

It’s the nature of academic articles that by the time they’re published you’ve almost forgotten that you wrote them, particularly if the journal is an annual.  It is therefore pleasantly surprising that as my article on ‘Sharing Evidence Across Borders:  the human rights challenge’ is published ((2012) 30 Aust YBIL 161), I find that the topic is still very much current and the questions raised are still relevant, possibly even more so than when I wrote it a couple of years ago.

Being able to transfer evidence between countries is essential for cross-border investigations and prosecutions.  Even aside from crime types that are obviously transnational in nature such as drug trafficking or international money laundering, everyday crimes are easily given a ‘transnational’ aspect if the criminals use international email providers, have a foreign bank account or if a key witness lives in another country.  Clearly, public policy dictates that investigations and prosecutions can’t be allowed to stop at the border.  To fill this gap Mutual Legal Assistance Treaties (MLATs), law enforcement cooperation and letters rogatory have developed.  However, transferring evidence into another jurisdiction can have significant human rights implications.

After authorities in one country hand evidence over to another country, they may lose control and visibility of how that evidence is used.  And yet, instinctively, it seems like a country should not be able to wash its hands of all responsibility after handing over evidence.  When legal cooperation is used to move people rather than evidence (ie extradition), there are very clear human rights protections.  An abolitionist country cannot extradite or deport a person to a country if there is a real risk that he or she may be subject to the death penalty.  Similar obligations arise if a country wishes to extradite a person to a country where there is a real risk of a person being subject to torture or to cruel, inhuman or degrading treatment or punishment.  However, there is no such obligation if one country provides evidence to another country and that country then uses the information to impose the death penalty, torture or other cruel, inhuman or degrading treatment or punishment on an individual.

Many see this as unjust and there is a temptation to extend the international law that applies to extradition to MLATs and law enforcement cooperation.  After all, the consequences for individuals can be just as dire when countries share evidence as when they cooperate for extradition.  However, if you carefully analyse the extradition jurisprudence and try to apply it to evidence-sharing, you encounter a number of significant logical and legal problems.

In order to be practical and politically-palatable, there must be limits on a country’s human rights obligations.  International human rights law obligations are therefore generally limited to persons within that country’s jurisdiction.  When evidence is provided to foreign countries, it usually affects individuals in the foreign country.  It is difficult to find a logical way to argue that those individuals are within the ‘jurisdiction’ of the country providing evidence.  There are a couple of unique situations in which international human rights law has been found to apply to individuals extraterritorially.  These include where an individual is under that country’s effective control (eg prisons operated in Iraq by allied forces) or for particular rights such as the issuing of a passport or the enforcement of a judgment in absentia.  When you analyse these extraterritorial situations, they seem to be fundamentally different from a person about whom a foreign country facilitates providing evidence.

I therefore argue that international human rights law does not create any obligations with respect to law enforcement cooperation or mutual legal assistance.  This is not to say that there should not be legal obligations, just that they do not currently exist under international human rights law.  Any attempt to create obligations needs to engage with the complexity of the issue, not just assume that the same rules that apply to extradition can be applied to evidence-sharing.

The treaties that create evidence-sharing relationships provide some protections by specifying situations in which the requested country may refuse to provide evidence.  Such situations include where the death penalty would be imposed or there is a real risk of torture.  However, this is permissive rather than mandatory.  Moreover, MLATs and agreements on law enforcement cooperation are negotiated on an ad hoc basis and there is no uniformity in approach.  In the end, it all comes down to the particular policies of the administration that negotiated the treaty and the policies in place at the time that it is asked to provide the evidence.

The government makes decisions about which countries it is appropriate to enter into evidence-sharing relationships with and on what terms.  There is also scope to make decisions about specific requests.  For example, the requested country may specify that evidence will only be provided if the other country gives certain assurances (eg not to impose the death penalty).  Enforcement of such undertakings is a diplomatic matter.  In this way, the responsibility to make the right decisions about who to do business with and on what terms is largely a matter for the executive.

The system is further complicated when third parties hold the requested evidence, and these parties have their own relationship with the owner of the information.  The most pressing current example is online records.  Companies such as Google and Facebook hold large amounts of user data and many of their users reside in foreign jurisdictions.  The relationship of trust between these companies and their users is a valuable part of their business.  Being a good corporate citizen and cooperating with law enforcement to combat crime may also be important, but the priorities are not necessarily always compatible.

This somewhat changes the assumption that evidence-sharing can be handled adequately on a purely diplomatic basis because you have an additional party with a different set of interests.  This is not a new problem; for many years, countries have been sharing bank and telephone records.  However, the scale of the issue has certainly grown, with users storing more and more personal data online and increasing numbers of these users being in different jurisdictions from the tech companies.

These companies can scrutinize the requests that flow through from the Department of Justice or law enforcement to ensure that the legal requirements have been met.  However, where the discretion is a matter for the executive, the companies have limited options.  It is for the government to decide whether the other country’s justice system is adequate or undertakings are sufficient.  Provided that the other legal requirements are met, the company is obliged to hand over their user’s information.  Essentially, the system is based on trust that governments will do the right thing.

The increasing role of third party holders of information brings another dimension to the question of civil liberties protections in international evidence sharing.  It means that there is a new voice in the debate.  While governments have tended to keep evidence sharing confidential, tech companies are increasingly going public about government requests for user data.  Companies may challenge government requests in the courts on behalf of their users and raise public awareness about any perceived deficiencies in the laws.  What has tended to be an obscure area of government practice where the lack of legal protections has gone largely unnoticed now has the potential to become an issue of public discussion and concern.

MLA – are there too many cooks?

When managing mutual legal assistance (MLA) requests on a day-to-day basis, the main complaints from prosecutors and police are incredulity at how long a request may take to process, and frustration at the complexity of the process involved.  Depending on the country from which information is being sought, it can also be the case that the country holding the information is not willing or able to obtain it on behalf of another country.

As noted previously, MLA involves many players in multiple steps: police and central authorities in both the requesting and the requested countries as well as sometimes judges, prosecutors and witnesses in the requested country.  The steps are generally governed by a combination of domestic laws and international treaties (either bilateral or multilateral).  Law enforcement officers are inclined to argue that MLA has too many processes and protections, while civil libertarians tend to argue that there are not enough safeguards in place.  There may be some agreement from both sides that there is not sufficient differentiation between the processes or safeguards that are necessary in some circumstances and what may be appropriate in circumstances where the information is less sensitive or the information is being shared with a trusted partner country.

In order to make the MLA system faster and less complicated, governments (and the public that they represent) need to be willing to either reduce the number of steps in the process and/or make each of the steps faster.  Many countries, including the US, have omitted the step of requiring an MLA request to be made and received through diplomatic channels.  To further reduce the number of players in a meaningful way requires a more fundamental shift in the MLA process.

Continue reading MLA – are there too many cooks?

In defence of law enforcement cooperation

One of the aspects of Brown and Korff’s report on Digital Freedoms in International Law that warrants further discussion and analysis is their recommendations about mutual legal assistance.  The report recommends that companies and States should insist that MLA arrangements are the only appropriate means of cross-border data access.  While I understand the authors’ logic in recommending MLA as a structured system with comparatively well-defined legal boundaries and safeguards, this approach overlooks the valuable role that police-to-police cooperation plays in international crime cooperation.

The scope and role of law enforcement cooperation

Law enforcement cooperation is less formal than MLA, with information being shared directly between law enforcement agencies, rather than through ‘Central Authorities’ under cover of formal Government-to-Government requests.  Law enforcement cooperation is governed by informal arrangements or by instruments of less-than-treaty-status (such as memoranda of understanding).  It is less transparent than MLA, with the terms of international agreements often not being publicly available (this issue came up in the Australian case of Rush and others v Commissioner of Police (2006) 229 ALR 383, where the memorandum of understanding between Australian and Indonesia was not produced due to public interest privilege).  The scope of information that can be provided on an agency-to-agency basis is often described in these confidential MOUs, but is delimited by the domestic law of each individual country.

There is a further level of complexity in investigations that relate to criminal activity across international borders.  Information that may not be able to be obtained directly on behalf of a foreign country can sometimes be obtained by the police in the host country for a domestic investigation and then shared with the foreign country as part of a joint investigation.

It is not just police forces that share information on an agency-to-agency basis; customs or immigration authorities also have extensive international cooperation networks.  The value of law enforcement cooperation is recognised in multilateral treaties such as the UN Convention on Transnational Organized Crime (art 27), the UN Convention against Corruption (art 48) and the Convention on the Prevention of Terrorist Bombings (art 10).  International organisations such as Interpol and the World Customs Organization facilitate interagency cooperation on a range of areas.  These international networks can move quickly in situations where the time involved in making an MLAT request could thwart an operation.

As noted in a previous post, MLA can be slow.  It is heavy on the paperwork and, because it involves a large number of stakeholders and formal processes, is resource-intensive.  There has been a trend towards looking for more streamlined alternatives to MLA.  The most ambitious of these is the European Evidence Warrant (EEW), which represents a sort of half-way point between law enforcement cooperation and MLA.  A designated judicial authority in one member State can issue an EEW for certain objects, data and documents that are in another jurisdiction and are required for criminal proceedings.  The EEW is transmitted to the State in which the evidence is located and that State is obliged to recognise and execute the warrant, subject to limited grounds for refusal.  The EEW replaces much of the existing MLA system within the EU and coexists with the system of law enforcement cooperation through mechanisms such as Europol.

Where to from here?

It is not just the fact that law enforcement cooperation is an entrenched part of the system that leads me to advocate its retention (at least in some form).  The existing MLA system is not appropriate for the wide range of circumstances in which online information needs to be shared.  Requiring MLA for the sharing of all data evidence could be akin to the proverbial nut and a sledgehammer.  The existing system of international information sharing is complex and confusing.  However, there were valid reasons behind the decisions to create many of these different processes and they should not be dismissed out of hand.

Instinctively, there seems to be a difference between an ICT company divulging a user’s name and e-mail address to a foreign country compared with handing over the content of their personal e-mails.  And it is another step again to grant ongoing access to a user’s e-mails into the future.  The European Convention on Cybercrime recognises this by creating different obligations for each of these circumstances.  Many countries’ domestic laws take a similar approach.  For example, the US Electronic Communications Privacy Act requires different processes for content or traffic data and separately regulates surveillance.

It is also relevant to consider the destination of the information that is being shared.  The EEW is premised on the idea that a more streamlined approach is appropriate for cooperation between States with a shared standard of human rights protections and criminal justice.  Where the State requesting the information has a radically different justice system, a more comprehensive MLAT process is necessary.

I agree with Brown and Korff that there needs to be better controls on the way in which information is shared across borders.  However, requiring all information sharing about online records to go through the MLA process is not the answer.  Instead, there needs to be analysis of all the ways in which information is currently shared through MLA and law enforcement cooperation.  A new framework for international information sharing for criminal matters should take into account:

  • The nature of the information sought – is it basic subscriber information, e-mail content or ongoing access to an individual’s communications?
  • The purpose for which it is sought and any need for urgency – is it an emergency situation where an individual’s life is at immediate risk or is it a long-term criminal investigation?
  • The State to which the information is being provided – is it a trusted partner country with shared criminal justice and human rights standards or a State with more divergent legal practices?