from the please-please-please-let-us-get-what-we-want dept
No sooner had the ink dried on the Second Circuit Appeals Court decision regarding Microsoft and its overseas servers than new legislation designed to undercut the court's finding has been printed up by the DOJ and presented to the administration.
Microsoft successfully argued that the US government couldn't force it to unlock a server in Dublin, Ireland, so it could rummage around for evidence. Nor could the DOJ force the company to act on its behalf, performing a search of its overseas servers for documents the US government couldn't access otherwise.
Since that decision obviously just won't do, the DOJ has presented proposed legislation [PDF] that would alter existing Mutual Legal Assistance Treaties (MLATs) so the agency can do the very thing a court just said it couldn't do.
The details are discussed in, um, detail over at the Lawfare blog by none other than a former DOJ lawyer (David Kris). Needless to say, the post skews towards "supportive," but the analysis is thorough and offers some excellent insight on what the DOJ hopes to open up -- and what it's willing to concede in return for this new power.
The law would limit searches to communications from non-US citizens located abroad and only for criminal investigations. This would prevent the altered MLATs from being used by US agencies to gather intelligence, restricting them only to gathering evidence of criminal activity. That being said, for every concession made, there's a DOJ land grab.
The heart of the proposed legislation is section 4, which allows for executive agreements between the U.S. and foreign governments. Where a satisfactory agreement is in place, the barriers to access in the Wiretap Act, Stored Communications Act, and criminal Pen Register statute are removed (by section 3).
Of all the places to remove existing limits, the DOJ has chosen three of its most-abused laws/statutes. The Wiretap Act has been rendered toothless by the DEA's collusion with a judicial rubber stamp in California and used by the DOJ to push American telcos into doing its spying for it. The Stored Communications Act was just another (failed) angle of attack for the DOJ in its fight against Microsoft. And the Pen Register Act has been used as a cover for Stingray deployments by multiple law enforcement agencies, all with the tacit approval of the FBI, which still acts as a middleman in every IMSI catcher purchase by local PDs.
From there, the DOJ offers a melange of legal authorities to govern its searches of foreign servers.
The foreign orders authorized by the agreement must meet several specific requirements. First, they must pertain to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism.” This means that affirmative foreign intelligence gathering is out of bounds. Conceptually, the idea here seems similar to the split in FISA’s two definitions of “foreign intelligence information,” 50 U.S.C. 1801(e)(1)-(2).
Second, the foreign orders must use a “specific” identifier such as a name or account as the “object of the order.” This comes from the USA Freedom Act’s amendments to FISA, designed to prevent bulk collection, 50 U.S.C. 1841, 1861.
Third, the orders must be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and must be subject to “review or oversight” by a judge or other “independent authority.” These elements seem to be derived in part from several U.S. constitutional requirements—e.g., those governing a stop and frisk (Terry v. Ohio, 392 U.S. 1 (1967)), the definition of probable cause (Illinois v. Gates, 462 U.S. 213 (1983)), the requirements for a search warrant (including particularity and a neutral and detached magistrate, see Maryland v. Garrison, 480 U.S. 79 (1987)), and a proportionality requirement.
At first blush, these would seem to subject DOJ requests to multiple forms of oversight. But it most likely won't. The self-written loopholes allow for plenty of "search first, ask permission later" action.
Of course, the requirements are not exactly the same as those the Fourth Amendment would compel—for example, the reference to “review or oversight” by a judge or other “independent authority” would seem to permit after-the-fact review by a Parliamentary body rather than advance review of orders by a judge.
On top of that, the folding in of FISA language allows the FBI, et al to interpret "criminal investigation" very loosely.
Note, however, that counter-intelligence, expressly including counter-terrorism but also probably including counter-espionage, is included, because the language refers not only to “investigation” and “prosecution,” but also to “prevention” and “detection” of crime.
So, despite saying the MLAT alterations would be limited to investigatory work, rather than intelligence gathering, the new agreements could be read as permitting both. And, despite restricting agencies from using foreign government to obtain data or communications they otherwise wouldn't be able to access, the proposal does allow these entities to provide US agencies with data and communications involving US persons. Sure, there are minimization procedures, but they're apparently tied to restrictions built into foreign governments' laws rather than our own, and auditing for abuses of this access is limited to a review every half-decade -- hardly the sort of thing that stops abuse in its tracks.
And the minimization procedures deployed by foreign governments when handing over info on US persons are tied to a bunch of exceptions -- the usual parade of horrors agencies use to justify intrusive surveillance.
[A] foreign government “may not disseminate the content of a communication of a U.S. person to U.S. authorities unless it is relevant to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person,” and also “relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.”
So, it can't be used for anything not included on the "serious crimes" list, which doesn't leave much. There's not a whole lot of criminal activity that can't be squeezed into this laundry list. Moving violations? Jaywalking? Lord knows anything drug-related will still be considered "dangerous," even if most of the threat is composed of overreacting drug warriors lobbing flash bangs into cribs at 5 am.
Obviously, the DOJ wasn't just going to stand by and let the Second Circuit determine how it's going to operate. This bill may have been a long time in the works, but its public debut is impeccably timed.