In a hearing before the US House Judiciary Committee, the Department of Justice (DoJ) came under scrutiny for its efforts to compel technology companies to turn over electronic communications data stored on foreign soil for law enforcement purposes.
The hearing focused prominently on two ongoing developments. The first is the US government's legal action against Microsoft Corporation to force the software giant to turn over the private emails of a suspect under criminal investigation, even though the data is on a server in Ireland. The second is a Washington Post report from this month revealing that the US and UK had entered negotiations to allow agencies in one country to directly serve warrants for electronic wiretaps and data collection to companies operating in the other country, without their home country's involvement or intervention.
The latter development drew rebukes from some committee members who felt that the White House, DoJ and State Department excluded Congress from this process. “It's unfortunate we learned about your discussions with the British from the Washington Post before we heard about them from you,” said ranking member Republican John Conyers, addressing David Bitkower, the DoJ's principal deputy assistant attorney general, who was called to testify.
Concerns that US law enforcement overreach may force US companies to violate foreign data privacy laws have prompted a bipartisan effort to pass the Law Enforcement Access to Data Stored Abroad (LEADS) Act. LEADS aims to create universal two-way rules for international data disclosure, and establish privacy protections commensurate with Constitutional law while still honouring the legal processes of other nations.
In his testimony, Bitkower expressed reluctance to see LEADS passed, favouring instead the pact currently in development with the UK, which could potentially be adapted to suit the needs of other ally nations with like-minded values. “We believe the framework I've described, rather than legislation that would unilaterally restrict US law enforcement authority, offers a path forward to efficient and privacy-protecting cross-border law enforcement access to data,” Bitkower said.
Bitkower acknowledged that legalising any such pact would ultimately require some form of legislation on Congress' part, especially because under current law, US companies cannot be compelled to share electronic communications with foreign nations.
One way or another, politicians on both sides of the aisle have been calling on Congress to reform or clarify the Electronic Communications Privacy Act (ECPA) of 1986, including the Secure Communications Act (SCA), which law scholars argue is outdated. Bitkower conceded that “The text of the statute does not particularly mention where the data is stored,” meaning there is no written text on how internationally hosted data should be treated. But he argued that the judiciary branch has favored DoJ's interpretation that the U.S. can pursue data wherever it rests. Such is the case so far with the Microsoft dispute—currently under appeal.
Brad Smith, president and chief legal officer at Microsoft, who also testified, expressed consternation over Bitkower's acknowledgement “that the Stored Communications Act passed in 1986 is silent on whether DoJ has the authority to apply these warrants worldwide.” The DoJ's broad interpretation of the law gives the executive branch too much power, Smith argued. “That's not the way the Constitution was written, that's not the way common sense works.”
Committee member Republican Poe asserted that it is Congress' responsibility to fill in this gap in the law. “We set the standards for the expectations of privacy, it should be up to us, not some judge, or a group of judges,” he said.
Committee chairman Bob Goodlatte agreed, noting that the LEADS Act is “not possible legislation in my opinion. It's going to be legislation, from my perspective.” Goodlatte opined that having one clear, concise law is a more elegant solution than a series of bilateral agreements with other countries—each one possibly requiring nuances in how disclosure is executed.
Bitkower remained resolute. “For upwards of three decades it's been the clear law of the United States that a lawful process served on an American company can require that company to bring data back from abroad,” insisted Bitkower, who said the DoJ remains willing to engage in dialogue with foreign nations whose own privacy laws are in conflict with a court-ordered warrant or subpoena.
One matter that Congress, the DoJ and other experts could all agree on is that the current system for requesting a voluntary exchange of electronic data between two countries, via a mutual legal assistance treaty (MLAT), is very inefficient. It generally takes up to 10 months for U.S. companies to turn over data requested by another nation, said Bitkower, and when the U.S. requests data from other countries, 10 months is a “best-case scenario.”
Such delays can impede timely investigations and endanger public safety, especially in a terrorism case. However, critics note that using the SCA as an end-around to eschew the MLAT process is bad for foreign relations, hurting US businesses with global assets in the process.
“The result of these conflicts is that US technology companies find themselves with a Hobson's choice,” said Goodlatte. “Either comply with US law, or comply with foreign law. But, it is increasingly impossible to comply with both. This is an untenable situation for US tech companies.”