By Shana-Tara O’Toole | Due Process Institute | President
Despite every good intention, I watch a lot of TV in the winter months. My dogs would rather curl up next to me on the couch than take a long walk in the cold. This February, during a second bout with DC’s plague-like cold virus, I discovered Black Mirror.
Black Mirror is a British science fiction anthology television series that is accessible via Netflix. It takes our current time—our social ills, our fears, our hubris, our dreams—and pitches it ever so slightly into a future where these characteristics of ours have been exaggerated, have grown into something that is recognizable but thankfully not reality (yet) thanks to a new technology that’s just on the other side of what’s possible now. The characters interact with that technology in a way that evokes pathos, or a dream-like freedom, or sometimes even horror. I consumed every episode available in a matter of days. Many of the episodes still take up space in my head when I’m sitting on a metro train and letting my mind idle a bit.
Call me crazy, but we’re living in a truly amazing time. We might not have the Jetsons space-packs I was promised as a child, but we have robotic vacuums that create maps of the inside of our houses; online ads that follow us from screen to screen; retinal scans; and we even have anatomically correct sex dolls with programmable personalities and artificial intelligence. But what we don’t have are legal protections in place that can keep up with the innovators who speed ahead with new ways for technology to interact with the deepest, most personal aspects of our lives.
Well, there’s the promise of the 4th Amendment to the Constitution right?
Not so much. Not because the Constitution can’t keep up with our modern social needs, but because our government is convinced that the constitutional promise to be free from its unreasonable searches and seizures is less important than its desire to have as much information about us as possible.
Needless to say, our protections have fallen short. In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), which did a number of things including regulating how American law enforcement officials access transmissions of electronic data by computer and also access stored data. Do you remember what life was like in 1986? IBM had just unveiled the first laptop computer. A band named Mr. Mister had two hits in the top 10. And commercial Internet service providers did not yet exist. But a lot has changed since Molly Ringwald was filming Pretty in Pink. The development of location-based tracking capabilities of the communication devices Americans use, as well as the physical location and methodology of data storage, have changed dramatically. As a result, law enforcement, the tech industry, and privacy advocates have all long recognized the need to revise these laws for some time. But there’s obviously a lot of disagreement about what those changes should entail.
Last year, the House of Representatives passed ECPA reform legislation, the Email Privacy Act, by a vote of 419-0. It wasn’t perfect, but it represented progress and it was strongly supported by a broad coalition. That bill was reintroduced in the current Congress and again passed the House. But unfortunately, it has stalled in the Senate. (For good sources on that legislation and why it needs your continued support, please read about the great work that groups like the Center for Democracy and Technology and the Electronic Frontier Foundation have been doing.)
Until the law changed last week, when the US government wanted access to electronic data that was stored in another country, the process was governed by something called an MLAT, a mutual legal assistance treaty. These are agreements between the US and other countries detailing how they will assist each other in investigations by government officials (like which data can be shared, the procedures detailing how it shall be shared, etc.) The specific terms of each nation-to-nation agreement were created to acknowledge the legal standards and protections of each signing country and ultimately needed to be approved by the Senate. Once an MLAT was in place, investigators in one country could send requests for information stored elsewhere. From my criminal defense days, I recall listening to US prosecutors and law enforcement officers complain the process was clumsy and time-consuming as the two countries engaged in a complex process designed to ensure the legality and appropriateness of the disclosure of information.
Take a collection of antiquated laws that don’t account for technological realities that grow increasingly complex every day. Add a layer of Congressional-approved treaties with individual nations engaging in a thoughtful, but lengthy process determining how non-emergency information relating to international law enforcement investigations could occur. And that brings us to Microsoft Corporation v. United States.
The Department of Justice (DOJ) served a search warrant on Microsoft, a US company, for both personal user data and e-mail content of a suspected drug dealer. Microsoft turned over the information it had from US servers, but otherwise challenged the warrant for the information it held on Irish servers, claiming it was not subject to US jurisdiction. If DOJ wanted the information, it could use other means to get it (like an MLAT). (Microsoft also challenged the warrant on other grounds.) DOJ argued it could access the e-mails regardless of where Microsoft stored them. In the summer of 2016, the Second Circuit Court of Appeals ruled that the US government could not compel Microsoft to turn over customer e-mails stored on servers outside the US. The decision deeply emphasized privacy rights implicated in the content of emails. DOJ appealed and a month ago, the US Supreme Court heard oral argument in the case. But companies and government investigators wanted clarity on how to resolve this issue and instead of waiting for a court decision (the outcome of which is hard to predict), they decided to work together on legislation that would govern how to handle these modern world dilemmas. Cue the CLOUD Act (S.2383/H.R. 4943).
Upon its introduction in early February, a number of organizations raised concerns about the CLOUD Act. Those concerns ranged from privacy rights to a wide array of other human rights and also included the broader point that something like the CLOUD Act, which mostly comprised of a wish list from US law enforcement investigators, should not pass into law without also including the much-needed reforms to ECPA that had long been on the table. But none of those concerns were heard.
The CLOUD Act was introduced on February 6, 2018 and a few weeks later, it would become law. Its new ideas were never the subject of a Congressional hearing. It was never reviewed or “marked up” by any committee in either the House or Senate whose members are experts in the area of technology, law enforcement, privacy, or international law. And advocates had very little time to communicate their concerns with the bill. Bills should be vetted by a wide variety of people who can make certain that the idea is a good one and that it is executed in a way that brings the most benefit, with the least harm. But in the case of the CLOUD Act, none of these safeguards had a chance to work.
Importantly, the ideas in the bill were also never subject to a vote on their own merits. Instead, with practically no notice, the bill’s provisions were tacked on to the final pages of the massive $1.3 trillion government spending bill. While there were a number of people on both sides of the aisle concerned with specific terms of the omnibus bill, a lawmaker could only vote yes or no on the entire package—so anyone wishing to avoid another government shutdown was automatically voting yes on the CLOUD Act, despite the fact that the CLOUD Act had nothing to do with the nation’s budget.
Even the normal requirement that members of Congress must have three days to read a bill before voting on it was waived. On the evening of Wednesday, March 21, members of the House of Representatives Committee on Rules were handed a 2,232-page bill to review and approve for vote by the next morning. The next day, the House approved the massive bill and so did the Senate. The President signed it into law on Friday. Most Americans would be appalled to learn that a law that fundamentally changes how law enforcement authorities from around the world can access data and communications inside the United States was not subject to a more thoughtful process than this.
What is different now that the CLOUD Act has become law? First, it compels tech companies to turn over user data to US law enforcement officials (anyone from a local cop to an FBI agent) regardless of where the data is stored. While the Due Process Institute recognizes that given our global economy, maybe it doesn’t make sense that the location of the storage of data be the controlling factor for who has access to that information, I, for one, had personally lauded the Second Circuit’s recognition of privacy rights in the Microsoft case and was eagerly awaiting the Supreme Court’s decision on the issue.
Second, foreign governments can now obtain personal data, which is held/stored in the US, without the foreign government needing to establish probable cause, get a warrant, or be subject to any other judicial review. Content from US companies, located in the US, and even containing content from US users, can be disclosed to foreign government investigators without any part of a legal process designed to ensure privacy or due process protections.
Third, foreign governments can obtain real-time communications (i.e. “wiretaps”) from US companies without meeting the same legal safeguards that exist for wiretapping if done by the US government, i.e. no warrant is required and neither must any notice be given to whoever’s communications have been collected and then disclosed to government investigators.
Despite the relative ease with which law enforcement officers will be able to access data and communications, there are no provisions regarding how a private citizen who is seeking access to this kind of information in order to defend themselves against charges can compel tech companies to give them any information.
This new mechanism replaces the MLAT process and it rests a lot broader authority in the Executive Branch (the President, the State Department, the Attorney General). The Executive Branch will have the power to enter into agreements with foreign nations to allow those nations to access user data stored in each other’s countries. These agreements do not require Congressional approval. Proponents appreciate that the new process provides law enforcement officials with much quicker access to information stored in other countries than they previously had.
But what’s good for the goose is good for the gander. While you may feel safer knowing that the US government can access data and communications of users outside the US, how do you feel knowing that foreign governments can now much more easily access your data and communications? (Lest I be accused of being misleading—there is language in the law that requires that foreign governments not specifically “target” the collection of data and communications of US persons, but certainly the data and communications of any American who emails, chats, snaps, messages, video calls, or engages in an internet voice call with a non US person can be subject to disclosure.)
And importantly, once a foreign police investigator has collected an American’s data, in violation of our 4th Amendment warrant requirements, or in violation of the existing wiretap laws, or any other Constitutional or privacy law designed to safeguard your rights, there isn’t adequate protection in the law to prevent them from sharing those communications with US law enforcement authorities. That data and those communications—which could not have been collected by US law enforcement directly without violating Constitutional and statutory law—can now be used to support criminal charges against an American brought in the United States. United States federal law enforcement agencies can now evade your Constitutionally guaranteed due process rights because of the passage of a bill that was not read or even noticed by most of the lawmakers who voted for it.
The Due Process Institute is deeply concerned that any framework necessary to address the security and accessibility of US persons’ data and communications be established through a law that did not receive adequate input from lawmakers and advocates. It should be no surprise to anyone that such a process has led to a law that fails to adequately address important due process principles. I recognize we might not yet live in a world where we have devices embedded into our brains that record everything we see and hear or the ability to recreate a deceased person’s presence in this world through an amalgamation of their social media profiles. But every day we get closer.