Data centres in the UK could soon find themselves served with warrants by US law enforcement authorities.The US Department of Justice is looking to free itself from the burdens of national jurisdiction, so it can effectively pursue international crime.
The DoJ is asking the US Congress whether it can start making reciprocal international agreements to enable it to serve warrants on data held in other countries – a move that could upset tech companies.
The DoJ presented the idea at a recent Senate Judiciary Subcommittee on Crime and Terrorism. It already has a draft agreement in place with the UK, which would allow both countries to circumvent cumbersome diplomatic and bureaucratic processes to pursue investigations. That agreement can only come into action, however, if Congress approves the executive branch's ability to make such agreements.
The essentially international nature of not just cyber-crime, but crime in general, has caused countless headaches for law enforcement officials and politicians around the world. While Mutual Legal Assistance Treaties (MLAT) are common, they often take months of meticulous work to complete, during which time an investigation may go cold.
Sheldon Whitehouse, a democratic senator for Illinois, called MLATs a “legendarily slow and antiquated process. I think it was developed when lawyers used quills.”
“MLATs are complicated,” Joyce Hakme, a legal fellow at Chatham House and cyber-crime expert told SC Media UK. “They can take a really long time.” Drafting a treaty can require months of investigation and review as to whether the laws of the two countries are in harmony, she added.
While international cooperation in criminal investigations is common, there are still many roadblocks which slow investigators to a snail's pace.
One battle between the US and Irish government is emblematic of exactly this problem. In December 2013, a US investigation into narcotics decided it wanted to look into the emails of one individual who held a Microsoft account. However, the data was held on a server in Ireland.
Microsoft refused to hand over the data, arguing the US had no power to ask for it, a position the company maintained despite a US federal court order issued in April 2014.
John Frank, deputy general counsel and VP of legal and corporate affairs at Microsoft, told trade press in January 2016, “These are the private communications of our customers. They're not ours. We don't have access to them. We don't want access to them.”
A US Second Circuit appeals court eventually found in favour of Microsoft in July 2016, ruling that US jurisdiction only extends to data that is held on US territory. While the courts are powerless to do much about what is already law, Congress, as per the DoJ's request, can change that law.
The stakeholders at the Senate subcommittee, which included Brad Smith, president and chief legal officer at Microsoft, agreed that relying on existing processes was an unworkable solution and a legislative option was required.
Jennifer Daskal, an associate professor at American University Washington College of Law, gave evidence to the committee. In a recent blogpost on her testimony, she wrote that all witnesses “agree that the status quo is unworkable. All of us agree that relying on the mutual legal assistance process as the exclusive means of managing access to data across borders is an unacceptable solution. And all of us agree that Congress needs to engage.”
The move may well provide some clarity for large tech companies who often reside in one country and hold data in another. The US Electronic Communications Privacy Act forbids them from handing over private information to a foreign government.
However, the Microsoft Ireland case was considered a landmark ruling in the tech industry, and reciprocal agreements would effectively reverse that decision.