Long past time to fix evidence-sharing across borders

Everyone agrees that the current international order for sharing evidence in criminal prosecutions is broken. 

This is at the heart of the litigation Microsoft is pursuing against the Department of Justice (DOJ) over data stored in Ireland, after a New York judge ordered Microsoft to retrieve and give the government the contents of communications of a customer. Microsoft, and the many companies and organizations supporting its position, asked the court to prohibit the DOJ from getting communications content from overseas via a U.S. warrant. The government’s alternative would be to use the antiquated and slow mutual legal assistance treaty (MLAT) process. 

While this case awaits a decision by the U.S. 2nd Circuit Court of Appeals in New York, all sides agree that, whatever the outcome of the decision, it will not begin to solve the larger — and critical — international data-sharing issues.

There are steps, however, that could advance the much-needed process of modernizing international evidence gathering and, more importantly, better protect privacy and civil liberties and help save U.S. internet-based businesses from being trapped between inconsistent legal obligations in the U.S. and overseas. One such step would be legislation improving the U.S. laws governing international evidence exchange while, at the same time, encouraging our allies and other countries to do likewise. 

The International Communications Privacy Act (ICPA), introduced at the end of May by Sens. Orrin Hatch (R-Utah), Dean Heller (R-Nev.) and Chris Coons (D-Del.), takes steps in this direction, picking up where last year’s Law Enforcement Access to Data Stored Abroad (LEADS) Act left off but improving it. The LEADS Act, in addition to implementing various process and transparency improvements to the MLAT process, sought to effectively prevent U.S. judges from compelling cloud companies to bring content data stored overseas back to the United States unless that content is of a U.S. person. The ICPA maintains this legal limitation but, in a major improvement, also allows such a warrant if the content is of a foreign national located in a country without an MLAT agreement with the United States. This clever bit of legislative jiu jitsu not only empowers our law enforcement agencies to get required data from countries with which we don’t have an MLAT agreement, it gives such countries a powerful incentive to negotiate such an agreement — something that is equally important.

One might reasonably ask: What would the U.S. government, and particularly our law enforcement agencies, have to gain from such an agreement if they can currently use warrants to get the same data more quickly? First, there is no guarantee the government will win the Microsoft-Ireland case, either in New York or, potentially, at the Supreme Court. Whichever side wins, the warrant issue is part of a larger and more complex set of issues over international data transfer that simply cannot be solved by courts alone. The 2nd Circuit panel hearing the case all but begged Congress to step in and fix the problem so courts wouldn’t have to do so. 

More broadly, such legislation can be a key first step toward long-term stability, greater legal certainty and enhanced foreign cooperation with U.S. law enforcement investigations. 

The future prospects for law enforcement in light of globalizing information networks is uncertain at best. For now, U.S. law enforcement is still able to take advantage of uncertainty in American and international law regarding access to cloud-based evidence. This current, but almost certainly fleeting, “home field” advantage is grounded in the circumstance that U.S. companies dominate the cloud storage market and that, to date, courts have been willing to compel them to assist U.S. investigations regarding data stored abroad. 

But this form of mandated assistance cannot be sustained in the long run. 

U.S. companies are beginning to lose market share because of these demands and are increasingly faced with stringent countervailing foreign law demands. To restore perceived customer confidence in the wake of Edward Snowden, many U.S. companies are feeling increasingly compelled to challenge law enforcement demands for data in court and to create and deploy technologies such as device-based encryption that can frustrate investigations. U.S. law enforcement also risks a loss of access to data stored abroad if the United States pursues a unilateral approach, because other countries are likely to mandate both local data storage and increased extraterritorial assertion of jurisdiction in response. This would be to the detriment not only to Americans and their privacy but also to robust U.S. law enforcement investigations. 

Sensible reforms, starting with the ICPA, can help mitigate these negative consequences. 

Cunningham is an information security, privacy and data protection lawyer and a senior adviser of The Chertoff Group, a security and risk management advisory firm. Formerly, he was a U.S. civil servant, working for the CIA and Department of Justice and serving as deputy legal adviser to then-national security adviser Condoleezza Rice.