There is an initiative to reform the MLAT regime so that U.S. intermediaries will be permitted to provide the contents of communications to foreign investigatory authorities DIRECTLY, as long as the requesting governments meet a certain human rights standard. Currently, U.S. intermediaries are allowed to provide only metadata and user-identifying data to foreign authorities directly. The initiative stems from the enormous backlog of MLAT requests that have not been processed by the U.S. DOJ, which has caused much discontent among foreign authorities, who in turn began putting pressure on the U.S. intermediaries serving their people, including requiring the intermediaries to locate servers in-country, thereby making the data available for their domestic surveillance requests. For the following reasons, I oppose the proposed MLAT reform.
- Human Rights: How legitimate are those back-logged MLAT requests? How urgent is it to process them? How many of the back-logged data requests are legitimate ones from a human rights perspective? Even if they are procedurally legit, i.e., meet some surrogate of ‘probable cause’ in their domestic surveillance scheme, what if they are substantively illegitimate, i.e., issued for crimes that do not meet international human rights standards such as ‘false news’ crime, insult, blasphemy, demonstration law violation, national security law violation, etc.? Before jumping to a conclusion, we need to at least study (if possible) a random sample of back-logged data requests to find out whether it is at all important to reduce the backlog. Yes, it is always better to at least process the requests (even if it means denying them) than to keep the backlog, but we need to figure out how urgent it is to reduce the backlog in light of the nature of the data requests. I am sure that some of them are extremely urgent requests for extremely legitimate crimes, but we can always keep MLAT as it is and have DOJ process just those requests on a priority basis instead of trying to bypass the entire MLAT system.
- Borderless Internet: Is it a good bargain, i.e., giving up people’s choice of which surveillance governance they want to communicate under? The Internet, being an extremely and globally distributed communication network, has been relied upon by people under authoritarian regimes to communicate with one another free from domestic surveillance and censorship. Actually, it is not just about people under authoritarian regimes. Governments around the world have varying standards and procedures for surveillance and censorship, and so far people could forum-shop in communicating with one another, depending on the surveillance/censorship governance applicable to the servers they will be communicating through. In particular, the U.S. servers were the preferred forum because of the high ‘probable cause’ standard. If foreign governments can easily search and seize data hosted on the U.S. servers, we will be forgoing that single most important gift for the powerless individuals around the world who chose the U.S. server as their communication conduit. Also, global companies should understand that one of the reasons for their overseas success is exactly this diversity of communication governance that people of various countries seek. Again, at one end of the spectrum are the people under authoritarian or conflict regimes where Twitter/Facebook/Gmail provide the only secure forms of communication and therefore became popular communication forums. See here for the Korean example.
- Due Process: Is it legitimate from constitutional principles concerning surveillance governance? “The power of a warrant stops at borders.” Why? Number one, the essence of a warrant is to authorize law enforcement, not order around private citizens. Otherwise, it will violate the Fifth Amendment privilege against self-incrimination or will become an equally unconstitutional affirmative order to rat on fellow citizens, the same way an order to make “iOS 10” will do. Number two, the general rule of thumb is that state intrusions into a person’s privacy or communication must be reviewed by officials held politically accountable to that person, namely judges. Judges will have legitimate authority to decide on the privacy of only those people who have directly or indirectly certain mutual responsibilities with them and whose privacy they have institutional concern over. So, surveillance/censorship requests on American people must be supervised by American judges and requests on French people by French judges. Now, what if the locus of data and the locus of the data subject/content author diverge, as in the case of surveillance/censorship on user-created data residing on an overseas company server? Well, such surveillance/censorship involves intrusion into the privacy of both the server operator and the users; therefore it is constitutionally kosher (and mandated from a human rights standpoint) to go through the filtering of both judicial systems. That is exactly what MLAT does in the privacy area: it is consistent with the essence of a warrant and yet achieves the general rule of thumb by requiring a warrant on a person to earn a status as a warrant on the data before it is enforceable. Now, if MLAT is bypassed, for instance, Korean judges will decide whether user data residing in the Bay Area should be disclosed to the Korean prosecutors, just because the relevant user looks like a Korean resident/citizen.
(There is a whole new pot of thorny questions concerning whether global intermediaries should be allowed to discriminate among their users by nationality.) To stretch the analogy, a Korean judge can order Apple to crack open the iPhone of a Korean citizen who happened to drop it on the street during his trip through the U.S.
- Impact: Even if it is urgent, a good bargain, and legitimate, will it achieve what it is supposed to, i.e., ease pressure for data localization? The main reason cited for MLAT reform is to stop foreign governments from putting pressure for data localization. The regimes that want to do data localization have very strong desires that dwarf their concern about the unfilled MLAT requests to the U.S. In other words, receiving returns on those MLAT requests quickly will not be a sufficient incentive for those governments to turn around on their data localization initiatives. Just last week, China instituted a data localization rule on all publishers of contents of ‘informational or thoughtful nature’ – video, cartoon, maps, etc. – obviously to strengthen its censorship and surveillance on the contents viewed by Chinese people. Sitting here in East Asia, I just don’t think that China would not have done it if MLAT requests were processed any quicker. We really should evaluate the feasibility of MLAT reform as a method to stop these practices from happening. Think about it. Human rights infringing governments by definition do not care about human rights. Then, it is natural to think that they do not care about collecting evidence the legitimate way, either. If they have jailed people without trial or without lawfully collected evidence, why would they care so much about collecting the evidence lawfully, so much so that they will pay the price of withdrawing data localization initiatives or otherwise transforming their human rights practices? Again, sitting here in Asia, I think that the expectations of MLAT reform proponents are simply too naïve.
- One carrot thrown in the MLAT reform for privacy advocates is a proposal changing the U.S. law ECPA 2702 so that the U.S. intermediaries are no longer freely allowed to turn over METADATA to foreign governments (i.e., they will be allowed to do so only to those governments meeting certain international human rights standards or those requests meeting certain foreign procedure. Currently, the statutory restrictions as to metadata apply only to U.S. governments but not to foreign governments). My two cents from a Korean perspective is that it is something that should have been done domestically by the U.S., not as part of any deal with foreign governments. Korean law already forbids Korean intermediaries from offering content OR METADATA to anyone including foreign governments unless the requests are accompanied by a Korean warrant.
To sum up, we should think of the human rights value of the current MLAT regime, such as offering diverse surveillance/censorship governance environments for the users to choose from, including the vulnerable people living under authoritarian regimes, and blocking sub-standard requests or the requests for sub-standard crimes, and weigh that against the possibility of actually incentivizing foreign governments to upgrade their substantive or procedural criminal laws. My gut feeling is that we will lose more than we gain.