The day the Department of Justice lost its case before the U.S. Circuit Court for the Southern District of New York, in which it was seeking to force Microsoft to turn over email content stored on a server in Ireland, it presented a plan to sidestep those limits with new legislation.
The DOJ revealed its plans at a meeting of the Advisory Committee to the Congressional Internet Caucus. The presentation included a draft of proposed legislation attached to a letter to Vice President Joe Biden and a white paper explaining the need for it.
The draft legislation is part of a proposed bilateral agreement between the United States and the United Kingdom that would allow courts and other designated investigative agencies to directly order the release of private user information held by U.S. companies.
The proposed legislation specifies that the information being sought must be about foreign nationals located outside the United States and that the request must be in accordance with the laws of both the United States and the foreign government—in this case, the United Kingdom.
The proposed legislation would require passage by the U.S. House of Representatives and the U.S. Senate, and it would need to be signed by the president. If passed in its current form, the legislation would provide protection for U.S. companies that had to comply with the laws of the country demanding the information. The bulk of the legislation actually consists of amendments to existing laws that govern how private information located on the internet is protected and who can see it.
The proposed legislation is meant to streamline access to data being held across international borders during the investigation of a crime.
According to former White House Cybersecurity Director Ari Schwartz, foreign law enforcement agencies needing information about foreign nationals that was being held by U.S. companies were directed to use the mutual legal assistance treaty (MLAT). But when U.S. law enforcement agencies wanted information, they just expected it to be turned over, regardless of whether it was located outside the United States.
"A lot of countries felt it was hypocritical," Schwartz said. Meanwhile, the companies that were being forced to turn over information found themselves in an impossible situation of either violating U.S. law or the laws of the foreign country.
Schwartz said that while the MLAT process was intended to provide the information required by law enforcement or the courts, it could be cumbersome for U.S. agencies seeking information from abroad as well as for foreign agencies seeking information stored in the United States. Schwartz noted he worked on incoming MLAT requests a number of times and they weren't always prepared properly.