Cross-Border Data

Lessons from the Mutual Legal Assistance Reform Effort

By Andrew Keane Woods
Monday, May 22, 2017, 1:00 PM

This post is part of a series written by participants of a conference at Georgia Tech on Surveillance, Privacy, and Data Across Borders: Trans-Atlantic Perspectives.

Rather than merely rehash the many good reasons for reforming the mutual legal assistance regime for the digital era, it is useful to step back and ask if there are any lessons to be learned from current reform efforts. Here are three.

(1) The MLAT Debate is Tied to the Encryption Debate (and the Data Localization Debate and the Device Hacking Debate and So On…)

The MLA reform challenge, at its core, is about delimiting the scope of the government’s ability to access personal data—and that is, at some level, the same challenge we find in the “going dark” debate, the Privacy Shield context, PPD-28, debates over device hacking, and more. In each of these areas, the core policy questions overlap: when should governments have access to data? How should governments handle conflicts of laws over digital stuff?  Do old rules—regarding evidence, due process, and jurisdiction—work in a digital world?

Consider, for example, two of last year’s most prominent court battles: Microsoft’s dispute with the Department of Justice over data held in Ireland and Apple’s dispute with the FBI about access to an encrypted iPhone. These are different cases, of course, and the litigation turned on different legal doctrines. The first case was a dispute about cross-border law enforcement access to data, and focused mostly on the territoriality of the Stored Communications Act. The second case was a dispute about the All Writs Act, and the scope of the court’s power to compel a corporation to aid law enforcement in circumventing a phone’s security features. Different cases, different doctrines, different public debates.   

But both cases featured government attempts to get access to data, and in both cases the essential barrier to that access was a large American corporation. In both cases, there was little doubt that the government had a legitimate interest in the data in question—data a judge had concluded was critical for a consequential criminal investigation. Both cases garnered international news media. Both cases led to amicus briefs filed on behalf of technology companies and civil society groups arguing that the future of privacy was on the line.  

The connection between the cases runs even deeper. In fact, it is precisely due to the rise of encryption on both services and devices—the subject of Apple’s dispute with the FBI—that countries increasingly feel the need to seek data via mutual legal assistance, effectively overloading a diplomatic process that was never designed to handle the numbers of requests seen today. Because states can no longer get access to data by simply asking the local telecom provider for it, they must instead ask the internet service provider (such as Facebook, Google, or Microsoft) for the data, and that provider often cannot and will not comply without a warrant from a U.S. judge.  

The point is that because these issues are related, cutting off law enforcement access in one domain merely displaces that demand. Law enforcement agents seek evidence to solve crimes. They are generally agnostic about the means through which they get the data, so long as they can get it. That data might come by hacking a device, forcing a company to decrypt a phone, catching the data as it passes over public communications networks, or asking the company to hand the data over.

A loss for the government in one domain, therefore, places pressure on the others, which brings me to my second point.  

(2) Beware of Pyrrhic Privacy Victories

One of the reasons that states pursue today’s most controversial policies—mass hacking, attempts to defeat encryption, forced data localization—is that they cannot get the data through the mutual legal assistance regime. If you worry, as I do, about state over-reach in this area, then you ought to be working to make it easier for governments to get data in those cases when they have a legitimate interest in the data, not harder.

But this has not been the general attitude of civil society groups in the MLA context. As Greg Nojeim has argued on Lawfare, groups like the Center for Democracy and Technology reject MLA reforms that attempt to impose anything other than a 4th Amendment standard around the world. The failure of the privacy community to get behind a policy solution in this space strikes me as myopic. This is not a question of values. I do not think that I value privacy less than my friends in civil society. Rather, I am suggesting that over the medium to long run, Internet users will have more privacy if we reduce barriers to legitimate government access and increase barriers to illegitimate government access.  

(3) Jurisdictional Compromises May Be Preferable to Technological Compromises

My final point is that in crafting a set of limits around government access to data, we may have to decide whether technology or law is the best place to make appropriate compromises. Some domains call for more modification of the underlying technology than others. For example, the debate over encryption is largely about whether to make changes to existing security technology in order to satisfy law enforcement demands. Forced data localization laws are similar—they typically require companies to change the way they engineer their networks in order to facilitate law enforcement demands. Both of these efforts to change the technology underlying today’s Internet products and services are troubling because both introduce all sorts of new vulnerabilities along the way.

MLA reform, by contrast, is about states agreeing to a set of limits around the scope of each state’s authority. Rather than change the underlying technology, the reforms on the table require clarifying and making compromises about one state’s jurisdictional reach vis-à-vis another’s. This strikes me as a fruitful place to start making reforms, since it does less to destabilize the technology that is driving one of the more dynamic areas of entrepreneurship today.

It may not always be true that technological changes are the wrong place to look for compromises. For example, one could imagine geotagging and related location services being legitimately useful to determine when one government’s laws ought to apply over another’s. In the regulation of online speech, for example, we may welcome the use of mandated location tagging in order to limit the reach of a court’s takedown order. But in other areas, like law enforcement access to data, we may prefer negotiated agreements over state jurisdiction to calls to weaken encryption.

We should think carefully about whether the appropriate place to solve these policy problems is with laws, technology, or most likely some mix of the two.