The day the Department of Justice lost its case before the U.S. Circuit Court for the Southern District of New York, in which it was seeking to force Microsoft to turn over email content stored on a server in Ireland, it presented a plan to sidestep those limits with new legislation.
The DOJ revealed its plans at a meeting of the Advisory Committee to the Congressional Internet Caucus. The presentation included a draft of proposed legislation attached to a letter to Vice President Joe Biden and a white paper explaining the need for it.
The draft legislation is part of a proposed bilateral agreement between the United States and the United Kingdom that would allow courts and other designated investigative agencies to directly order the release of private user information held by U.S. companies.
The proposed legislation specifies that the information being sought must be about foreign nationals located outside the United States and that the request must be in accordance with the laws of both the United States and the foreign government—in this case, the United Kingdom.
The proposed legislation would require passage by the U.S. House of Representatives and the U.S. Senate, and it would need to be signed by the president. If passed in its current form, the legislation would provide protection for U.S. companies that had to comply with the laws of the country demanding the information. The bulk of the legislation actually consists of amendments to existing laws that govern how private information located on the internet is protected and who can see it.
The proposed legislation is meant to streamline access to data being held across international borders during the investigation of a crime.
According to former White House Cybersecurity Director Ari Schwartz, foreign law enforcement agencies needing information about foreign nationals that was being held by U.S. companies were directed to use the mutual legal assistance treaty (MLAT). But when U.S. law enforcement agencies wanted information, they just expected it to be turned over, regardless of whether it was located outside the United States.
“A lot of countries felt it was hypocritical,” Schwartz said. Meanwhile, the companies that were being forced to turn over information found themselves in an impossible situation of either violating U.S. law or the laws of the foreign country.
Schwartz said that while the MLAT process was intended to provide the information required by law enforcement or the courts, it could be cumbersome for U.S. agencies seeking information from abroad as well as for foreign agencies seeking information stored in the United States. Schwartz noted he worked on incoming MLAT requests a number of times and they weren’t always prepared properly.
DOJ Seeks New Law to Require U.S. Firms to Deliver Overseas User Data
“When I was in the White House I worked on a lot of these questions,” Schwartz said, noting in many cases, such requests didn’t include information that was needed for the request to be approved, but “the Justice Department works closely with the other countries,” he said.
At this point, the proposal by the DOJ is just that. It’s basically a skeleton that needs to be fleshed out to become a bill, and then someone needs to introduce it for consideration in the House of Representatives and Senate.
However, considering it’s a presidential election year and that everyone in the House of Representatives and a large portion of the Senate is out campaigning for re-election, it doesn’t seem likely.
In addition, while the proposed legislation does mention certain steps that might require transparency, there’s little in the draft that would require it. “It needs to be transparent,” Schwartz said. “Companies will feel better if it’s more transparent.”
But it just doesn’t require approval in the United States to take effect. An agreement like the one being proposed also needs to be acceptable to every foreign country that might be willing to support it.
Considering the level of suspicion now complicating relations between the United States and Europe, for example, bilateral adoption is far from assured. While it appears that the agreement between the United States and the U.K. is making progress, it’s still in the discussion stage. Much depends on Britain’s exit of the European Union (EU), if and when that happens.
In the short term, the DOJ needs to decide whether it’s going to appeal the circuit court’s decision blocking access to private data stored overseas by Microsoft. But even if it does, a resolution won’t happen in the near future, if only because the appeal could take years.
Probably the speediest resolution for getting the agreement with the UK is to hope that nation’s secession from the EU moves ahead in the estimated two years that many observers think is likely. Then, unlike making an agreement with all of Europe, only two countries need to agree and given the history of close cooperation between the UK and the United States, such an agreement is at least feasible.
But the Microsoft case will remain the 800-pound gorilla in the room, lurking over any agreement that some might take as an infringement on privacy. Will it make it through Congress? Will the president sign it and would such an agreement make it through the courts? All of that remains a mystery.
Until then, the reach of the Justice Department to get access to email stored overseas is seriously limited. For some, that’s very good news.