Modern field guide to security and privacy

Opinion: How the Justice Department data-sharing plan defends privacy

The proposal updates an antiquated law so that countries can exchange electronic data as part of investigations while safeguarding Americans' privacy and promoting security.

|
Hannibal Hanschke/Reuters
The Digital Age has created tough questions for international police who don't always have the jurisdiction to search the necessary data. Here, a German police officer carries a computer server from a mosque as part of an investigation into Islamic extremism.

Earlier this month, the Justice Department unveiled a legislative proposal to facilitate cross-border data sharing for law enforcement purposes. While critics called it a "threat to privacy," that characterization reflects a fundamental misunderstanding of the plan. To the contrary, it's an approach that would promote privacy, security, and innovation. It should be applauded, not decried.

The draft legislation responds to significant law enforcement problems that result from the rise of the global reach of the Internet, and the peculiarities of US law.

Until recently, law enforcement officials could find most of the evidence needed to investigate local crimes within their own countries. There were, of course, times when evidence was moved across borders or agents were tracking multinational criminals and gangs. In those situations, law enforcement officers either opened joint investigations with foreign counterparts or employed the mutual legal assistance process and made diplomatic requests for sought-after evidence.

Today, however, evidence is routinely located in other jurisdictions, often in the US. Much of the world's communications are digitized and held by American companies such as Google or Microsoft. A 30-year-old US law called the Electronic Communications Privacy Act prohibits these firms from turning over the contents of US-held communications to foreign governments, even if the requesting government is investigating its own citizens with respect to a local crime. 

Now, imagine if British police investigating a murder in London seek the suspect's emails. If the perpetrator used a British internet provider, investigators would have the emails in days. But if the email provider is an American company, police must initiate the Mutual Legal Assistance Treaty (MLAT) process, which requires a US judge to approve the request. And that takes an average of 10 months to complete. Meanwhile, the murder goes unsolved.

Frustrated by this situation, foreign governments are responding in a number of concerning ways. These include imposing mandatory data localization requirements, which force companies to store data (or copies thereof) locally. Such measures open the door to domestic surveillance – but without any of the human rights and privacy-protective safeguards included in the Justice Department's draft legislation.

They also impose added costs on US businesses, making it increasingly hard for startups to compete globally; undermine the internet’s efficiency and growth potential; and hinder US government access to data necessary for law enforcement investigations. Other concerning responses include the unilateral assertion of extraterritorial jurisdiction and resorting to other surreptitious means of accessing sought-after data.

Now, the Justice Department is seeking the authority to enter into bilateral agreements with Britain – and other yet-to-be-designated nations – that would permit the partner governments to bypass the laborious MLAT process and directly request sought-after emails and other communications from providers.

Importantly, the proposal would put limits on those agreements. First, the executive branch must certify that the partner government adheres to its human rights obligations, demonstrates a respect for the rule of law and principles of nondiscrimination, and has accountability mechanisms regarding the government’s collection and use of electronic data. Requests made under this expedited process also must be targeted, limited in duration, and reviewed by a judge or other independent authority.

The plan also prohibits partner governments from from relying on the expedited process to intentionally gather the data of anyone in the US – and of US citizens or permanent residents wherever located. Governments still need to employ the MLAT process to get that data.

In other words, even with an agreement in place, foreign governments need a US judge approval to target Americans' data. There will, of course, be times when partners targets a noncitizen and nonetheless acquires the communications of a US citizen (such as when the noncitizen is emailing with a citizen), but the proposed legislation anticipates that: It prohibits the foreign partner from sharing that information with US authorities unless it is of relevance to serious crime and relates to a significant harm against America or Americans. And it requires the destruction of all non-relevant information, whether involving a US person or not. 

The most controversial piece of the Justice Department's proposal is that it covers real-time communications in addition to stored communications. Real-time intercepts have long been subject to enhanced protections under US law – including strict time limits on their use, a determination that other investigative techniques are insufficient, and notice to the targets.

The existing MLAT process does not provide a mechanism for foreign governments to gain access to such real-time communications – so this would give foreign governments access to data not otherwise available. That said, real-time monitoring often is critical in the investigation of terrorist plots and other active crimes. Moreover, a time-limited interception arguably poses less of a privacy threat than a longer-term collection of the same stored data.

In sum, this is a much-needed piece of legislation. If adopted, it would allow the US government to set the rules governing cross-border access to data – rules that promote privacy, human rights, and the rule of law. Without it, countries increasingly can be expected to resort to data localization mandates or surreptitious means of accessing sought-after data in ways in which the US has no say, even if the target is an American citizen.

Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.

Jennifer Daskal is an assistant professor at American University Washington College of Law, where she teaches and writes in the fields of criminal, constitutional, and national security law. She was formerly counsel to the assistant attorney general for national security at the Department of Justice, and previously senior counterterrorism counsel at Human Rights Watch. Follow her on Twitter @jendaskal.

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Opinion: How the Justice Department data-sharing plan defends privacy
Read this article in
https://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0727/Opinion-How-the-Justice-Department-data-sharing-plan-defends-privacy
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe