Unless Congress stops it, foreign police will soon be able to collect and search data on the servers of U.S. Internet companies. Theyll be able to do it without a probable
This is all happening because, for the first time, the U.S. executive branch is flexing its power to enter into law enforcement agreements under the CLOUD Act. Weve been strongly opposed to this law since it was introduced last year. The recently signed deal between the U.S. Department of Justice and the U.K. Home Office will allow U.K. police easy access to data held by American companies, regardless of where the data is stored. These U.K. data requests, including demands to collect real-time communications, do not need to meet the standards set by U.S. privacy laws or the 4th Amendment. Similarly, the deal will allow U.S. police to grab information held by British companies without following U.K. privacy laws.
This deal, negotiated by American and British law enforcement behind closed doors and without public input, will deal a hammer blow to the legal rights of citizens and residents of both countries. And the damage wont stop there. The U.S.-U.K. Cloud Act Agreement may well become a model for further bilateral deals with other foreign governments and the United States. Earlier this month, Australian law enforcement agencies
Theres still one possible path to put the brakes on this disastrous U.S.-UK deal: Congress can introduce a joint resolution of disapproval of the agreement within 180 days. This week, EFF has joined 19 other privacy, civil liberties, and human rights organizations to publish a joint letter [PDF] explaining why Congress must take action to resist this deal.
No Prior Judicial Authorization
In the U.S., the standard for when law enforcement can collect stored communications content is clear: police need to get a warrant, based on probable cause. If police want to wiretap an active conversation, they have to satisfy an even higher standard, sometimes called a super warrant, that limits both the timing and use of a wiretap. Perhaps most importantly, stored communications warrants andwiretap warrants have to be signed by a U.S. judge, which adds an extra layer of review to whether privacy standards are met. At EFF, a core part of our work is insisting on the importance of a warrant in manydifferentscenarios.
Judicial authorization is a critical step in the U.S. warrant process. When police search peoples private homes, offices, or devices, they must justify why the search for specific evidence outweighs the presumption that individuals remain free from government intrusion. Judicial authorization acts as a safeguard between citizens and law enforcement. Further, History has shown that police can and will abuse their powers for intimidation, or even personal gain. In colonial times, the British military used general warrants to search through colonists houses and seize propertyactions that helped fuel a revolution, and formed the basis for the 4th Amendment to the U.S. Constitution.
Incredibly, Congress is about to throw those rights away. Instead of relying on probable cause, the new agreement uses an untested privacy standard that says that orders must be based on a reasonable justification based on articulable and credible facts, particularity, legality, and severity. No judge in any country has decided what this means.
Furthermore, its debatable whether UK law even satisfies that standard. As our coalition letter states, U.K. law on the production of stored content data and live wiretaps do not raise to the standards in the U.S.-U.K. Agreement and indeed at points may be weaker, emphasizing the need for strong safeguards to be written into CLOUD Act Agreements.
Thats why we believe any agreement should include prior judicial authorization. The current deal just says that the U.K. must have review or oversight by an independent authority. Oversight is much different than prior judicial authorization. That means when a U.S. tech software company is asked to hand over communications and other sensitive data to UK police, the police dont have to go to an impartial third-party to first review and see if the request complies with the U.S.-UK agreement. This takes away an important check before data is turned over to make sure that privacy rights are not harmed. Importantly, this hurts the rights of non-U.S. people as well because it takes away protections and recourse under U.S. domestic privacy laws.
No Required Notice to People Under Surveillance
The U.S.-UK agreement also doesnt create safeguards the provide notice to the target of a law enforcement order, or any other affected people.
Without notice, a person wont be aware that they are under foreign surveillance, wont be able to hire a lawyer, and wont be able to examine the evidence against them. Further, the agreement allows U.K. police to request U.S.-based data under UK law. People subject to unlawful surveillance wont be able to exercise legal or constitutional rights they have under U.S. law.
Unfair and Unequal Minimization Procedures
National police agencies are trying to soft-peddle their demand for this new power by pointing out that it wont be applied to U.S. persons. But foreign police will be getting Americans data. First of all, U.K. police will inevitably scoop up the information of Americans who have been in contact with foreigners who are the official subjects of U.K. police requests. Thats why there are mandatory minimization procedures to make sure U.K. police dont get too much data about U.S. persons, or distribute it too widely.
As for U.K. citizens and residents, what happens to their data under this agreement isnt clear. When U.S. police go to British information providers, there are no clear requirements for how the U.S. should even perform minimization. The only requirement on the U.S. is that the agreement be reciprocal, including limitations on targeting people within British territory. But that doesnt mean that the U.S. wont still get information about U.K. persons, as long as theyre in communication with a non-U.K. targetjust as U.K. police will get from the U.S.
U.K. Police Can Secretly Gather Evidence to Pursue Low-Level Crimes
U.S. Attorney General William Barr has claimed that offering extraordinary access to foreign police is the right thing to do because of the awful crimes theyre pursuing, citing terrorism and crimes against children.
However, the deal will allow U.K. police to comb through the data of U.S. companies for relatively low-level crimes, including fraud, assault, and simple theft. The only justification U.K. police will have to come up with is that theyre investigating a crime that holds at least a three-year prison sentence in their own country. They could even be investigating acts that arent crimes in the U.S. Again, the same holds true for U.S. law enforcement gathering information held in the U.K.theres no requirement that a similar crime exists in both countries. Its worth noting that under U.K. law, a 10-year sentence can also be handed down for criminal copyright infringement.
No Safeguards for Free Expression
Under the current system, if a foreign law enforcement agent wants access to protected information in the U.S., both the DOJ and a judge will review the request to make sure it doesnt violate human rights, or U.S. laws like the First Amendment. This review is a part of the long-standing mutual legal assistance process that lets governments access data stored in other territories, but with procedural safeguards. Under this agreement, there wont even be a cursory review. In some situations, U.S. authorities wont even be notified about the foreign agents request.
The CLOUD Act and U.S.-U.K. agreement specifically say that foreign governments shouldnt be allowed to file requests that impinge freedom of speech. But freedom of speech has a different meaning in U.S. and in UK law. The U.K. has several laws that potentially violate article 19 of the International Covenant on Civil and Political Rights, as we pointed out last year in a letter signed by EFF and other free expression organizations.
Under this agreement, it will be up to U.S. tech companies to challenge requests that arent compatible with human rights or free speech. As we have seen time and time again, tech companies are not in the best position to understand the nuance of free speech law.
Congress didnt give proper thought to the CLOUD Act when it passed last year, and it let fundamental U.S. privacy and speech protections fall to the wayside. Now, Congress shouldnt double down on its mistake by letting an executive agreement negotiated behind closed doors pass through its halls without review. The 180-day clock is already ticking to protect our privacy. Congress should initiate a joint resolution of disapproval of the U.S.-U.K. agreement, as soon as possible.