Note: on 1 October I wrote a follow-up piece concerning the possibility of forced, clandestine, judicially-unauthorized decryption of Americans’ communications taking place as a result of the proposed data sharing accord.
Americans fought two wars – fought, bled, and died – to throw off the yoke of British rule (1775) and protect American liberty, including the Fourth Amendment, from British invaders (1812).
Despite this history, the United States and the United Kingdom are apparently about to enter into a new data sharing treaty or executive agreement (current reporting from the Times and Bloomberg says it’s a “treaty,” but US statutes in this area indicate that what we’re dealing with is an executive agreement – which is different from a treaty in that it does not require ratification by the Senate) which will
- effectively nullify the Fourth Amendment and the data privacy shield of the related federal Stored Communications Act when a British cop wants access to data stored in the US by American citizens, and
- according to reporting in the Times and Bloomberg, force American citizens to obey British court orders, despite the fact that British courts are not bound to obey and apply the Constitution.
Donald Trump has no business giving these rights away without a fight. Nobody has any business telling Americans that we must obey foreign courts.
According to Bloomberg:
Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter.
From the Times of London, which broke the story (my comments in [italics in brackets]):
WhatsApp, Facebook and other social media platforms will be forced to disclose encrypted messages from… serious criminals under a new treaty between the UK and the US.
At present [British] security services are only able to obtain data [from an American] if there is a need for an “emergency disclosure” due to an imminent threat to life. [Note: this is not true – the consensus view is that Americans have more or less absolute discretion to refuse data requests of any kind originating from the UK, whether emergency requests or not, if they are not approved by a US court under the Mutual Legal Assistance Treaty, or MLAT, procedure which is already in force between the two countries. In my experience, bona fide emergency requests are seldom refused.]
The police and prosecutors can also request data under the “mutual legal assistance” [or “MLAT”] treaty[, where after reviewing the foreign data request for compliance with all US due process and constitutional requirements such as the First, Fourth, and Fifth Amendments, a US judge serves a mandatory court order requiring a US citizen to provide the data] but the process is highly bureaucratic and can take up to two years.
Under the new treaty, the police, prosecutors and the security services [seeking American data from US citizens] can submit requests for information [that are binding on US citizens, under penalty of law] to a [British] judge, magistrate or “other independent authority” [in Britain, which is under zero obligation to follow or apply the provisions of the U.S. Constitution].
The process will be overseen by the investigatory powers commissioner [, an appointed, un-elected British political apparatchik who also is not required to follow US law or implement US constitutional due process protections].
The UK has agreed it will not target people in the US and the US has agreed not to target people in the UK [despite the fact that this is a promise the UK cannot keep, since if the British police knew who the targets of these investigations were, there would be no need to obtain US-based user data from US citizens in the first place, and the British could use their extensive domestic surveillance and interception capabilities to obtain the information they need].
…Richard Walton, a former head of counterterrorism at the Metropolitan Police, said: “US tech giants have been inadvertently putting a veil over serious criminality and terrorism. It has tilted the balance in favour of criminals and terrorists. This is very welcome, it will make a big difference [to be able to circumvent that pesky U.S. Constitution and the Stored Communications Act].”
[Only in a police state is a policeman’s job easy.]
I will preface the rest of this post by saying there is absolutely no way to guarantee that US citizens won’t be picked up in U.K. law enforcement data sweeps. U.K. law enforcement cannot know ahead of time where an Internet user is based. That’s one of the primary reasons why the police ask Internet companies for basic subscriber data and communications data – to identify the user. Even if there were such a guarantee, per the EFF, there is no statutory restriction that would prevent British police from sharing any data they collect on US citizens inadvertently with US law enforcement anyway.
Now: let me explain how all this works.
What the Fourth Amendment says
The Fourth Amendment to the US Constitution says that
- the right of the people to be free from unreasonable searches and seizures shall not be violated; and
- no warrants shall issue, except upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The federal Stored Communications Act has equivalent provisions which apply Fourth Amendment-style protection to user data of online services which require the federal government to obtain a subpoena or a search warrant before obtaining certain types of data from online service providers. This requirement exists even if the online service provider would have been willing to voluntarily hand the data over, subject to certain limited exceptions such as when there is an emergency threatening life and limb.
Without the statutory protections of the Stored Communications Act, online service providers would be free to either hand over the data straight to the government or assert their own Fourth Amendment rights, within their discretion.
The proposed treaty/executive agreement reportedly disapplies the Fourth Amendment and the Stored Communications Act in relation to, and may force Americans to obey, the rulings of foreign courts
US companies and citizens are currently absolutely free to assert their Fourth Amendment rights, refuse a foreign or domestic government agency request for data that is not judicially authorized by a US judge, and require such foreign or US government agency to obtain a subpoena or search warrant signed by a U.S. judge before they will turn over so much as one bit of data to that agency.
The U.S. has, however, enacted a statute, known as the “Clarifying Lawful Overseas Use of Data Act” or, more commonly, the CLOUD Act, which
- permits the U.S. to enter into executive agreements with third countries for data sharing and
- eliminates any conflicting obligations between the existing federal Stored Communications Act and compliance with data disclosure under any of the aforementioned executive agreements (18 USC 2511(2)(j)). To wit, the U.S. federal law that a U.S. citizen could invoke to preserve its users’ rights in the face of an unreasonable foreign request is disapplied with respect to any lawful order handed down by a court in a country with which the U.S. has an executive agreement. So when the U.K. asks a U.S. company for information, the US company can no longer answer that “America says you can’t see these communications without a U.S. warrant,”
- while also permitting some sharing of data inadvertently obtained by the U.K. on U.S. persons with the U.S. despite the fact that the U.K. unquestionably, under the new arrangements, will have come into possession of that data under the authority of a British judge, and will not have first obtained a valid search warrant issued by an American judge.
The CLOUD Act also makes certain provisions for what requirements foreign orders must comply with if they are to qualify for preferential treatment under the executive agreement.
Based on U.K. and U.S. media reports, what I believe has happened is that the U.S. and the U.K. have quietly concluded the terms of an executive agreement under the CLOUD Act which will allow British courts to serve legally binding data requests on US companies directly, without requiring a U.S. judge to sign off. If such an executive agreement is signed by the President, certain US companies may be, for all intents and purposes, stripped of their hitherto-untouched 4th Amendment right to refuse search and seizure orders from foreign courts.
If the U.K. media reports are correct, this executive agreement will “force” certain U.S. citizens to follow the orders of British courts that are not themselves answerable to the Constitution or constitutional government. This may be either, as reported in the Times, through express terms in the executive agreement of which we are not yet aware, or by removing conflicting terms in existing statutory protections such as the Stored Communications Act which U.S. persons can currently invoke to withhold disclosure when faced with an overbroad foreign order.
U.S. company, no U.K. presence
DOJ guidance states that “[t]here is no requirement under U.S. law that a provider comply with a foreign order, and the CLOUD Act creates no such requirement[.]” If we’re working from the CLOUD Act alone, US companies with no U.K. presence will face significantly increased pressure to acquiesce to U.K. law enforcement demands, but no compulsion.
However, the reporting from the U.K. last week directly contradicts the DOJ guidance. It is presently unclear whether the executive agreement will introduce a standalone provision that purports to require US-based companies to obey foreign orders, as the U.K. reporting claims, or whether the U.K. is overstating the impact of the provisions that have been agreed. The language from both Bloomberg and the Times is pretty unambiguous: “Social media platforms based in the U.S. … will be forced.” In my opinion, any such requirement would be unconstitutional.
I am hoping the picture will become clearer in the coming days as the pending agreement comes under greater public scrutiny in the U.S.
U.S. company, U.K. presence
As put by the EFF:
…foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.
Taking the above analysis re: “will be forced” language as read, U.S. companies with significant operations in the U.K., but which keep their data in the U.S., such as virtually all major SaaS companies and all major consumer web companies including social media companies and e-mail providers, effectively lose any statutory or Fourth Amendment protection they had to withstand U.K. police requests which conflict with US constitutional norms and statute.
Unless these companies close up shop and leave the U.K., their global standard for data disclosure will immediately deteriorate to match those in the U.K.
U.S.-based users, past, present and future, even if they are not allowed to be intentionally targeted, will all suffer from the loss of privacy to which this gives rise. I consider it extremely unlikely that most U.S. companies with U.K. presences will routinely challenge the U.K. authorities’ requests on grounds that, e.g., First Amendment concerns are implicated.
I note that proponents of the executive agreement claim that “the U.K. and U.S. will not be able to target each other’s citizens” in order to sell the deal. This is a little misleading.
First, the CLOUD Act only requires that the countries do not intentionally target the other’s citizens; it does not prevent the foreign country from passing that data back to the U.S. where it is unintentionally obtained and pertains to serious crime. As I mentioned above, it is very difficult if not impossible to determine where an Internet user is from prior to serving a warrant, as a search warrant or subpoena under the Stored Communications Act or equivalent foreign instrument is often, if not usually, issued in part in order to ascertain or confirm a user’s identity and location.
Second, the “target” of a court order is not the same thing as the person upon whom the warrant is served. The “target” is the person or account being investigated; the warrant is not served on the target, but on a US person who holds data about the target. While the CLOUD Act provides that US persons may not be intentionally targeted by U.K. court orders, it is beyond doubt that US persons will be on the receiving end of these orders, in relation to which the British courts will consider them bound to obey.
What terms, exactly, the draft executive agreement contains are not presently known. The U.K. reporting has described it as a treaty, but the US CLOUD Act makes reference specifically to executive agreements (i.e. an agreement which does not require ratification by the Senate) – but whatever the final form, it seems clear from existing reporting that the U.K. believes that companies will be forced to disclose this information under whatever arrangements have been agreed.
The U.S. has made no mention of it – yet.
As described, these transatlantic data sharing arrangements constitute an end-run around U.S. citizens’ Fourth Amendment right to refuse to comply with foreign government-initiated, unconstitutional searches and seizures
In my experience, US tech companies are not as obstinate as the U.K. politicians who favor this “treaty” portray them. They usually voluntarily provide data to foreign law enforcement agencies where an emergency – i.e., an immediate danger to life or threat of serious bodily injury – clearly exists, such as where someone is posting a threat.
Otherwise, in non-emergency scenarios where the online activity poses no immediate danger to anyone, US tech companies generally require overseas law enforcement to get a warrant from a US federal judge that ensures the overseas request, called a Mutual Legal Assistance Treaty or MLAT request, comports with all U.S. due process, free speech, or other constitutional requirements.
So if U.K. police aren’t getting data quickly from US companies, it’s because – generally speaking –
- for metadata or basic subscriber information, the situation isn’t an emergency; or
- for metadata or basic subscriber information, where an emergency request is made, the police are unable to convince the U.S. company that the situation is an emergency; or
- for metadata or basic subscriber information, in either an emergency or non-emergency setting, the U.S. company is simply exercising its constitutional rights, enshrined in the Bill of Rights appended to the Constitution of the United States of America, which the United Kingdom of Great Britain and Northern Ireland has no business whatsoever interfering with, because America won the war, and when you win the war you get to make the rules.
And if they’re not getting requested data at all from U.S. companies in non-emergency situations, it’s because
- for metadata or basic subscriber information, the U.S. company is simply exercising its constitutional rights, and the British decide filing an MLAT is not worth their time or the MLAT they do submit does not pass constitutional muster; or
- for the content of communications, disclosure of which will generally require a U.S. warrant, the British decide filing an MLAT is not worth their time or the MLAT they do submit does not pass constitutional muster.
Long story short: the British can already get data on a non-emergency basis if they want to, but this requires extensive bureaucratic vetting to ensure the requests comport with US constitutional requirements. What the new executive agreement is likely to aim to do is make it considerably easier for British police to pry open American servers on short notice and with limited, if any, American judicial supervision.
What this will look like in practice is anybody’s guess. Lawfare blog wrote at the time of the CLOUD Act’s passage that
The U.S. has perhaps the strongest free-expression rules in the world. In the context of mutual legal assistance treaties, the U.S. turns down many data demands from foreign governments because they seek information in connection with speech that would not be criminal in the U.S. because of the First Amendment. The Justice Department must decide whether to ensure similar protections under Cloud Act arrangements, and it will have to determine how to prevent foreign orders from infringing on freedom of speech no matter whose version of free speech is being protected.
It seems observers are not clear as to the extent to which foreign orders can bind and what the extent of protections will be under CLOUD Act data sharing agreements. (This makes sense, as no CLOUD Act agreements have ever been made before.) Much will therefore depend on the exact terms of the U.K.-U.S. arrangements.
As a final note, if the data which a foreign government obtains happens to implicate a U.S. citizen in a crime, well, too bad: per our friends at the EFF, even where foreign police haven’t complied with U.S. constitutional requirements
the CLOUD Act fails to provide any limits on foreign police sharing Americans’ metadata with U.S. police.
and content of communications data may be shared with US authorities where it pertains to serious crime per 18 USC 2523(b)(4)(H).
The U.K. does not have substantially equivalent procedural protections to the United States’
The CLOUD Act which authorizes the entry into this executive agreement with the U.K. specifies that
an executive agreement governing access by a foreign government to data subject to this chapter… shall be considered to satisfy the requirements of this section if the Attorney General, with the concurrence of the Secretary of State, determines, and submits a written certification of such determination to Congress, that… (1) the domestic law of the foreign government, including the implementation of that law, affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement[.]
The United Kingdom utterly lacks such protections.
As I have written before, the state of civil liberties in the U.K. is abysmal. Before any mandatory co-operation between the two countries should be enacted, the U.K. should improve its standards substantially (several-orders-of-magnitude improvements).
US internet companies are currently able, if they choose, to assert their Fourth Amendment rights for the benefit of all their users wherever those users may be based. This includes the basic requirement that before a government agency may compel a private company to hand over records, that government agency must have in hand a search warrant or subpoena. If evidence is obtained unlawfully, e.g. without first obtaining a search warrant, it cannot be used against a defendant. This is known as the exclusionary rule.
England lacks what in the U.S. would be considered the bare minimum due process requirements to effect a search. No oath or affirmation is required, for example, before a warrant may issue. There is no requirement for probable cause before a warrant may issue; English search warrants utilize the lower common law standard of “reasonable suspicion,” and in many circumstances a warrant is not needed at all. For example, if someone is arrested, per Section 18 of the Police and Criminal Evidence Act 1984 (PACE), their house may be searched on the orders of a police officer without any judicial authorization (in a manner that would not be permitted in the US under our search incident to lawful arrest doctrines).
Worse, where the US expressly bans so-called “general warrants,” England permits them in the form of “all premises warrants” (see PACE s. 8(1A)) which authorize the search of all premises controlled by a person named in a warrant, whether there is probable cause for those premises to be searched or not. The US, by contrast, requires suspicion to be particularized (“particularly describing the place to be searched”) and based upon probable cause; the mere fact that someone owns property and has been arrested on an indictable offense does not, in America, permit the police to then rummage through literally everything the arrestee owns.
Nor does England and Wales have an exclusionary rule; section 78 of PACE 1984 says that a court may exclude illegally obtained evidence, not that it must. Inevitably this means that more illegally obtained evidence is introduced against defendants in British trials – including any Americans who might get inadvertently caught in one of the British dragnets envisioned by this new executive agreement – than would be the case in the United States.
In England, the “right to remain silent” does not exist for criminal defendants. Your silence can and will be used against you, as Sections 34 to 39 of the Criminal Justice and Public Order Act 1994 allow the government to draw adverse inferences if you do not answer their questions. This practice is unconstitutional in the United States, where defendants have the right to remain silent; and Carter v. Kentucky, 450 U.S. 288 (1981), says your silence cannot be used against you.
Furthermore, many “serious crimes” in England are explicitly constitutionally protected in the United States. This is especially the case where speech and expression of extreme ideas are concerned: much of what the English term “terrorism” or “inciting hatred” the U.S. would call “free speech.”
Finally, with regard to data specifically, the English do not have anything approaching “robust substantive and procedural protections for privacy.” The entirety of English legislation surrounding extrajudicial authorization for surveillance and mandatory RIPA data requests without notice, mandatory retention of internet connection records, and more under the Investigatory Powers Act 2016 would be, without a doubt, illegal if done by the US government to US citizens.
England does not know what it means to have a provision like the Fourth Amendment or the Stored Communications Act. Virtually every aspect of English rules of evidence and criminal procedure relating to search and seizure of data, as ordinarily practiced by UK police forces, would be struck down as unconstitutional if enacted in the United States. I struggle to understand how the Attorney General could certify to Congress that the United Kingdom is capable of satisfying the due process requirements of an executive data sharing agreement.
If this becomes law, it will be challenged in court
Britain has no experience with US-style civil liberties and cannot be trusted to issue orders to U.S. persons that comport with and respect our freedoms.
The United States should not enter into this reported executive agreement and the CLOUD Act – which was not debated in Congress and was passed in an omnibus bill – should be repealed.
British police have a tough job to do, as do all police forces. But the British police should be on an equal footing with American police and every other police force on Earth.
What that looks like is a requirement to obtain an American warrant, signed by an American judge, in accordance with American standards, and accountable to an American constitutional challenge, in America, before the British police can say they have a right of any kind to search American citizens’ servers, which are also in America, and seize their content. The current MLAT procedure provides for this. The new U.S.-UK executive agreement/treaty procedure, reportedly, will not.
If the U.K.-U.S. data sharing agreement is about to enter into force, this means the CLOUD Act is about to start causing injury, meaning it is likely to start facing legal challenges. Hopefully enough people will notice what is going on, there will be some backlash, and the U.K.-U.S. data sharing agreement will never become law.
In any case, men fought and died to protect the Fourth Amendment. The U.K. and the President should keep their hands off of it.