by Kate Westmoreland, Non-Residential Fellow, The Center for Internet & Society at Stanford Law School
*This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).
As internet companies and cloud providers hold more and more communications and user data, access to this information has become a key part of criminal investigations and prosecutions. The current system for managing international access to this data is struggling under the increased demand. Microsoft’s Brad Smith has been vocal in his calls for a new international convention on access to user data for criminal matters. But is a whole new convention really necessary?
The answer depends on (1) whether the system is actually broken and, if so, (2) whether a new international convention is the right solution. Perhaps I should give a spoiler alert on this, but I think the answer is “yes, but don’t put all your eggs in the one basket.” Ultimately, we should be working towards a new international system for managing government requests for user data, but this is a very long-term, ambitious project. In the meantime, we need to pursue a range of shorter-term improvements at the domestic and international levels.
There is a growing consensus that the current system for international government access to user data in criminal matters is broken. It is governed by a creaky old system of bilateral and multilateral treaties (mutual legal assistance treaties or “MLATs”), relationships between law enforcement officers and companies, and a mishmash of domestic legislation. A government report last year stated that MLAT requests to the United States take an average of at least 10 months to process. The White House then called for increased funding to process the requests more quickly, but the appropriation has stalled. When law enforcement agencies feel that they cannot access the information through mutual legal assistance, they turn to alternative, informal methods, including directly asking companies to hand over the data.
Not wanting to be the meat in the sandwich for a failed government-to-government process, many U.S.-based companies have joined Microsoft in calling for reform of the MLAT system. A new, comprehensive international convention could be one way to achieve reform, but it would undoubtedly be a slow process. Back in 2010, countries discussed this possibility at the UN Congress on Crime Prevention and Criminal Justice, but it was ultimately rejected. Even if the renewed pressure sparks negotiation processes, there is a risk that, in order to build consensus between all UN countries, a new convention might end up being even less favorable to companies and users.
This is not to say that we shouldn’t be aiming for a new, comprehensive treaty. Rather, we should keep this as the ultimate goal, but in the meantime also pursue a suite of short- and medium-term initiatives, including:
- Making the current system work as well as possible by ensuring that there is adequate funding for the responsible government agencies, and streamlining, centralizing and automating the request handling processes as much as possible.
- Improving the domestic legal framework to create clarity about when an MLAT is required and clearly defining circumstances in which other forms of legal cooperation are appropriate.
- Creating streamlined processes for requests between likeminded countries with similar legal systems, or countries that have a strong level of confidence in each other’s justice systems.