The Department of Justice announced last week that it will begin using a controversial 2018 law meant to give law enforcement agencies in the U.S. and U.K. easier access to data from technology and telecom companies as part of criminal investigations.
The little noticed announcement that Justice will use the “data access agreement” beginning in October with U.K. officials comes more than four years after Congress passed what is known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018. Justice has said the legislation will “speed access to electronic information held by U.S.-based global providers that is critical to our foreign partners’ investigations of serious crime.”
In an announcement posted to its website, Justice hailed the inaugural partnership with the U.K. as the “start a new era of cooperation.”
But digital rights advocates and tech policy experts are less bullish and note that the CLOUD Act passed with no debate as part of a $1.3 trillion government spending bill, a process the Electronic Frontier Foundation has said resulted in a “tacked-on piece of legislation [that] will erode privacy protections around the globe.”
The data access agreement will reduce protections for foreigners in troubling ways, according to Andrew Crocker, a senior staff attorney at EFF.
“Each of these agreements between the U.S. and other governments raises concerns that it will allow foreign governments to obtain information held by U.S. companies, without full review by U.S. courts and some of the protections for civil liberties that comes with that,” Crocker said. He noted that the U.K. has “very troubling encryption laws” that authorize the British government to force providers to compromise encrypted communications.
Greg Nojeim worked with the Department of Justice to craft the legislation with an eye on civil liberties protections. But he said his organization, the Center for Democracy and Technology, a nonprofit focused on internet policy, ultimately declined to support the bill because the final legislation did not do enough to protect individual civil liberties.
Nojeim, who serves as director of CDT’s Security and Surveillance Project, said the bill’s passage will reduce pressure on the U.S. government to deal with what can be a cumbersome process for complying with foreign government data requests in law enforcement matters. But he said that process protects civil rights: Until the CLOUD Act agreement with the U.K. takes effect in October, officials in Britain and Northern Ireland have to “meet a very high U.S. standard, the probable cause standard” to obtain such data, he said.
Because the CLOUD Act does not address a key gap in U.S. law regarding cross-border data demands, Nojeim said it will be possible for technology companies to share what’s known as non-content, or data about users captured during account management and customer support activities such as name, street address and IP address.
As it stands, when a foreign government is seeking non-content data from a U.S. provider, the provider has complete discretion on whether to provide it, he said.
“If we’re going to go down the road of allowing foreign governments’ laws to dictate whether a U.S. provider will make a disclosure of information about a foreigner believed to be abroad, we ought to at least ensure that those demands for non-content meet the foreign government’s surveillance law requirements,” Nojeim said.
Since the U.S. has not done that, the CLOUD Act effectively creates a “parallel system” where a foreign government can “appeal to the provider to voluntarily disclose the information without complying with its own local law,” Nojeim said. “That seems a significant defect in the legislation.”
Nojeim also worries there is “room for mischief” in terms of which individual countries the U.S. may choose to partner with beyond the U.K.
“If the Department of Justice, under pressure from an administration, wants to enter into a Cloud Act agreement with another country for various political reasons that might cause it to interpret flexibly the weak requirements of the CLOUD Act,” Nojeim said.
Nojeim said he specifically worries about the U.S. forging a CLOUD Act agreement with a country that has a poor human rights record and a less than independent judiciary.
“One wouldn’t want U.S. providers to honor surveillance demands made by that country because they could be used to persecute rather than prosecute,” he said. “Other countries will line up to get the same treatment that’s being offered to the U.K.”
He said that Canada, India, Turkey, Japan and most of the countries in the European Union are now seeking a data-sharing agreement akin to the one with the U.K. government.
The Justice Department sees it differently. In its announcement regarding the U.K. agreement, Justice said the development will help law enforcement prevent, detect, investigate and prosecute serious crime “more quickly than ever before.”
“This will help, for example, our law enforcement agencies gain more effective access to the evidence they need to bring offenders to justice, including terrorists and child abuse offenders, thereby preventing further victimization,” the Justice announcement said. “Our Agreement will maintain the strong oversight and protections that our citizens enjoy and does not compromise or erode the human rights and freedoms that our nations cherish and share.”
A spokesperson for the Department of Justice said via email that the U.K. agreement “does not alter the fundamental constitutional and statutory requirements U.S. law enforcement must meet to obtain legal process for that data – standards that are among the most privacy-protective in the world. The US-UK Data Access Agreement is only used to obtain information relating to the prevention, detection, investigation, or prosecution of serious crime and only in response to legal process.”
A former Justice prosecutor who helped draft the CLOUD Act said it is an important new tool for law enforcement worldwide. Aaron Cooper, now a partner at Jenner & Block and previously a prosecutor in the DOJ’s Computer Crimes and Intellectual Property Section, said that strict U.S. laws have to date challenged what U.S. data providers and law enforcement can share.
“For the DOJ to use its domestic investigative powers on behalf of a foreign law enforcement entity, and then return the data to the requesting entity, that could get really cumbersome at times,” Cooper said. “So, there’s a significant national security issue for the U.K. and some of our [the U.S.’s] other law enforcement partners.”
Cooper said CLOUD Act agreements also will likely keep countries from requiring providers to store data concerning people located in their jurisdiction inside the country. Cooper said that such “data balkanization” would be problematic and the CLOUD Act should address such pressures.
The CLOUD Act is “relieving the conflict of laws and that solves a lot of these policy problems,” Cooper said.
Historically U.S. technology providers have declined to provide substantive investigative data to foreign partners due to potential legal conflicts or out of concerns over legal predication, Cooper said. Adoption of the CLOUD Act also addresses investigative hurdles the U.K. faces due to the rise of end-to-end encryption platforms. This type of encryption makes it difficult for the U.K. to conduct wiretap investigations without help from U.S. providers, Cooper said.
But Cooper acknowledged there are questions about how the CLOUD Act will play out.
“If the U.S. finds out that the U.K. is not complying with or respecting the rules, and things aren’t working the way we wanted them to, what are the consequences?” Cooper said.