DOJ’s Data-Sharing Proposal Threatens Privacy of Americans and Citizens Around the World

On Friday, the Department of Justice introduced legislation that would make it easier for foreign governments to acquire electronic data stored by U.S. companies. This legislation represents a serious threat to privacy, and Congress should reject it.

Under the proposed legislation, the U.S. government would be able to enter into agreements with foreign countries that would allow those countries to obtain stored data and real-time communications directly from U.S. companies without satisfying a probable cause standard and without the authorization of an independent judge, tribunal, or other impartial body. Such agreements would make it easier for foreign governments to obtain the communications of U.S. persons without a warrant. In order to facilitate such agreements, the legislation weakens several U.S. privacy laws—in particular, the Electronic Communications Privacy Act (ECPA) and the Wiretap Act—which prohibit U.S. companies from disclosing their users’ communications directly to foreign governments. The U.S. government is already negotiating one such agreement with the United Kingdom, which is expected to serve as a template for similar agreements with other countries.

The DOJ’s legislative proposal, and the bilateral agreements that the Administration envisions, would roll back existing privacy protections for both Americans and individuals abroad. The proposal has at least four fatal flaws:

  1. The legislation would not adequately protect the rights of U.S. persons. The proposed legislation would allow foreign governments to access the communications between U.S. persons and the targets of foreign investigations, without a U.S. judicial warrant supported by probable cause and without meeting the standards in the Wiretap Act. Moreover, nothing in the agreement would prevent the foreign governments from voluntarily passing this information back to the U.S. government to be used in criminal proceedings in the United States. The deal thus weakens the protections currently in place for U.S. persons and creates a substantial end-run around them.
     
  2. The legislation would permit foreign governments to request that U.S. companies assist in real-time surveillance for the first time and without necessary protections. Currently, ECPA does not permit any government—including ours—to request that providers to disclose communications in real time. Instead, when the U.S. government wants to conduct real-time surveillance, it must comply with the federal wiretap statute, known as Title III, which imposes higher standards than ECPA. For example, Title III requires the government to demonstrate probable cause to believe that its target has committed a serious crime and that normal investigative procedures have failed. Title III also requires the U.S. government to eventually notify targets of their surveillance and to minimize the interception of irrelevant communications. But the proposed legislation would allow foreign governments to compel a U.S. provider to assist in real-time surveillance for the first time and to do so without satisfying the heightened requirements of Title III or anything like them.
     
  3. The legislation does not satisfy human rights law. Human rights law permits governments to conduct surveillance only if it is authorized by an independent and impartial tribunal, necessary and proportionate, and minimally intrusive on privacy rights. Under existing data-sharing arrangements, a “neutral and detached” U.S. magistrate serves as the impartial decisionmaker. While the proposed legislation requires a foreign government to conduct independent oversight over its data requests, an after-the-fact “review” is no substitute for prior authorization by an independent body. Importantly, the legislative proposal is silent about who may authorize such a search, which suggests that an entity like Britain’s Home Secretary—a law enforcement official who is neither independent nor impartial—could approve such searches (as is the current practice in Britain). Moreover, the proposed legislation ignores other key human-rights protections, including the requirements that individuals receive notice of the intrusion and access to meaningful remedies when violations occur.
     
  4. The legislation does not require individualized review of requests for data. Under the Administration’s proposal, the executive branch would certify periodically that a foreign country’s laws permit electronic searches only on a showing of “reasonable justification,” “particularity,” “legality,” and “severity,” and that the requesting country’s laws and practices meet certain baseline standards related to the rule of law and human rights. But a country-wide assessment of that sort would inevitably be toothless. Before our government permits tech companies to hand over sensitive and private data to foreign countries, it should ensure that each request is lawful and consistent with basic human-rights protections. It is not enough that a country, as a whole, generally complies with human-rights standards. The Attorney General and Secretary of State might conclude that India, for example, satisfies human-standards in some broad and nebulous sense; yet an investigation conducted while an Indian suspect is held in “preventive detention” might violate the suspect’s fair trial rights.

The Administration’s proposed legislation would largely supplant the existing process for cross-border data requests and, in doing so, jettison the heightened human-rights protections they offer. Currently for example, when the U.K. government is investigating a domestic crime and wants the contents of a suspect’s Gmail, it generally follows a process laid out in an agreement between the United States and United Kingdom, called a “mutual legal assistance treaty” (MLAT). Under the MLAT, the U.K. government may submit its request to the U.S. Department of Justice, which—after reviewing the request and ensuring it complies with the MLAT’s requirements—would then seek an order from a U.S. court for the content. The United States has similar arrangements with other foreign governments.

There have been complaints that the DOJ office that handles MLAT requests is underfunded and inefficient. Foreign governments have expressed frustration at the time-consuming MLAT process and at having to meet U.S. legal standards when seeking evidence of domestic crimes. This bottleneck has stoked fears that countries will introduce data localization mandates to avoid the cumbersome MLAT process. American tech companies are also under pressure—sometimes forced to decide whether to abide by U.S. law or to comply with foreign data requests made in conformity with foreign domestic law.

In spite of the problems with their implementation, MLATs have played a critical role in safeguarding privacy rights across the world, particularly for those living under regimes that are less respectful of human-rights laws than ours. In many cases, in order to comply with its MLAT, a foreign government requesting data from a U.S. company must meet higher legal standards than would otherwise apply under its domestic law. MLATs thus help to raise the global bar for privacy. With this in mind, members of Congress have introduced various bills designed to streamline and provide more resources for MLAT processing.

In contrast to these bills, the Administration’s data-sharing proposal would weaken privacy protections for both Americans and individuals abroad. Fortunately, the executive branch can’t unilaterally supersede ECPA or Title III. Congress should reject the DOJ’s proposal, and any other legislation that would downgrade global privacy.

View comments (5)
Read the Terms of Use

Anonymous

Everyone well aware of creepy stuff trying to happen and the answer is no .

Anonymous

More publicly-financed election campaigns are a big part of the solution. Many in Congress and state legislatures are simply "employed" by the highest bidder.

If the money comes from American citizens, legislators will try to serve their employers - they only work for us if we pay them. Money talks!

Anonymous

Neither the Executive nor Legislative branches of government are willing or able to uphold their own oath of office to protect Americans' constitutional rights. Only the Judicial Branch can do that - which requires "legal standing" for ACLU plaintiffs.

Americans spied upon pay for the computers, cell-phones and last but not least electricity. When warrantless spying is perpetrated against Americans, the government or contractors are using our equipment and our electricity, at our expense. In a court of law - that unconstitutional exercise by government officials is "legal standing" to challenge that illegal practice.

For example: If police or government officials are remotely searching your cell-phone, without a judicial warrant, they can reduce your battery charge from 100% to 10%. In addition to using our electricity and equipment, that we pay for, it can disrupt a small business or make your phone useless in the event of an actual emergency - making your phone useless for making an income or dialing 911. This isn't theory it's happened to many of us weekly for the past 15 years.

That is legitimate "legal standing" in a Judicial Branch court of law to end these illegal spying programs.

EthicalHackers

Better read "the files". You'll find out that Google and others are already complicit with federal investigators that free roam their networked drives.
Sorry but all Google employees sell their souls for a special chicken curry meal on Fridays, look it up; all the while the federalis surf your data unrestricted.

Don't be fooled by the Google, Microsoft or Apple charm, they are the new triad of information brokers on all humans. The new age of data slavery has begun, the government just wants its part of the pie.

David Kennerly

This is precisely how the International Megan's Law (IML) started off, i.e. it began as an agreement with the U.K. and other "Five Eyes" (English-speaking countries) to trade information about each others "sex offenders", which effectively prevented travel of Registrants between those countries. That was then used as a "template" to disseminate information about "sex offenders" to all INTERPOL member states and with that organization's active collusion (and expansion of global powers). After that policy was implemented administratively by the U.S. government (and where it was not subjected to any external scrutiny by non-government agents) it became the model for Congressional bills which then codified these highly problematic policies into law (the International Megan's Law, signed by President Obama in February) and which greatly extended the scope and effects of those policies.

"First, they started with the sex offenders..."

Stay Informed