The investigation of online crime has been challenging for law enforcement under the existing system of territorially-based Mutual Legal Assistance Treaties (MLATs) that help shuttle evidence of crime across borders.
Simply put, cloud-based services have introduced new physical, technological, and corporate structures that aren’t necessarily compatible with MLATs.
A new paper from Harvard Law School Cyberlaw Clinic instructor Vivek Krishnamurthy proposes an alternative approach centering on the US taking the lead in fixing the tedious and flawed MLAT system.
Part of the solution is to provide a framework through which US-based multinational cloud service providers can release customer data – given their enormous role in storing data relevant to law enforcement.
Reforming the Stored Communications Act to Facilitate Foreign Requests
Currently, the Stored Communications Act (SCA) of 1986, in effect, bars service providers from voluntarily disclosing content data to anyone other than an account’s owner and provides for civil liability if they do. Though there’s no case law to back it up, the presumption is that US cloud providers don’t have to fulfill a foreign government request for content data made under foreign law.
One reform many (including Krishnamurthy) are eager to see is changing the SCA to permit US-based cloud service providers to disclose stored data at the reasonable and legal request of a foreign government, as long as the government meets certain legal and human rights standards.
Krishnamurthy said this provision would help protect a free and open global Internet and the human rights benefits it brings through the open sharing of information.
The request would also have to comply with the following requirements:
- be authorized by a judge or other independent decision-maker in the requesting state;
- be accompanied by a certification from the requesting state that the target of the request is neither a citizen nor a resident of the cloud provider’s home country;
- articulate a strong factual basis that the information sought is relevant to the investigation of a serious crime;
- provide notice to the target of the search;
- limit the scope of the requests to particular accounts, devices, or persons, with additional restrictions on the total volume of data obtainable under a specific request.
Krishnamurthy notes that this mechanism, in which US-based cloud providers can respond directly to certain foreign government requests for data, is similar to what has been proposed by the Cross Border Data Requests (CBDR) working group.
He notes, however, that some foreign stakeholders may object to this framework because requests for data – while reciprocal in theory – might not be reciprocal in practice. This is because US-based cloud providers may hold all the cards. For instance, US-based cloud providers have more data about their Swedish customers than Sweden-based cloud providers have about Americans.
Also, since a wide-ranging change could take a considerable amount of time, Krishnamurthy proposed some ways to reform the current MLAT system. For instance, it could include conditions where one state must seek the consent of, or at least notify, another before obtaining certain types of data. Also, the outer limits of any one country’s enforcement jurisdiction over a transnational entity (like a cloud service provider) could be delimited in a treaty or through the development of customary norms.
Either way, the status quo doesn’t seem to be working.
An Example of How Broken the MLAT System Is
One of the most recent examples of the MLAT system’s inadequacy is the ongoing dispute between Microsoft and the US government.
A US search warrant directed Microsoft to disclose the contents of a web-based email account. However, Microsoft is arguing that the account’s contents are stored in its Irish data center, meaning the US government would have to obtain the data through the MLAT with Ireland.
The US government contends, however, that Microsoft could retrieve all the necessary records from a facility in California, and that the emails stored by Microsoft on behalf of its customers are its “business records” and are subject to US extraterritorial jurisdiction.
This case is still being argued with no clear outcome, but it stands as an example of the confusing, time-intensive and difficult nature of the current MLAT system, which experts say is in desperate need of replacing.