from the lots-of-'solutions,'-all-of-them-terrible-in-different-ways dept
Because citizens are localized but their data isn't, things aren't going to get any less weird as time progresses. Or any less legally troublesome. Ellen Nakashima and Andrea Peterson of the Washington Post have seen a copy of a draft negotiating document between UK and US representatives that would allow MI5 (and presumably other agencies) to access data and communications held on US servers.
The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.
UK agencies would still be locked out of obtaining information or data on US persons and it would take legislation to actually make this access a reality, but it's apparently being considered, as UK officials feel this issue is standing in the way of investigations/counterterrorism efforts.
As it stands now, UK agencies must make formal diplomatic requests which rely on a Mutual Legal Assistance Treaty -- a process that can take months. That's not good enough, apparently. Everyone wants instant access, including UK agencies, and a strong streak of entitlement (the same entitlement guiding FBI director James Comey's one-sided "debate" on encryption) runs through the arguments for this expansion of the UK's legal powers.
“Why should they have to do that?” said the administration official. “Why can’t they investigate crimes in the U.K., involving U.K. nationals under their own laws, regardless of the fact that the data happens to be on a server overseas?”
Why indeed? Why comply with existing laws or territorial restrictions? After all, the FBI is working toward the same end, pushing for the right to hack servers located anywhere in the world when pursuing criminals.
Several issues need to be addressed before UK agencies can be granted permission to demand communications and data from US companies. For one thing, a warrant issued in the UK is not exactly the same thing as a warrant issued in the US. The legal standards may be similar, but they're still a long ways from identical.
The negotiating text was silent on the legal standard the British government must meet to obtain a wiretap order or a search warrant for stored data. Its system does not require a judge to approve search and wiretap warrants for surveillance based on probable cause, as is done in the United States. Instead, the home secretary, who oversees police and internal affairs, approves the warrant if that cabinet member finds that it is “necessary” for national security or to prevent serious crime and that it is “proportionate” to the intrusion.
Note the "silence" on the differences between the legal standards. It appears no one involved in this discussion is interested in digging into these disparities.
A second administration official said that U.S. officials have concluded that Britain “already [has] strong substantive and procedural protections for privacy.” He added: “They may not be word for word exactly what ours are, but they are equivalent in the sense of being robust protections.”
That's great. Both countries won't examine each other's legal standards because they don't want to upset the reciprocity implicit in the draft agreement. The UK can ask for stuff from US companies and vice versa, with neither country playing by the other country's rules. In between all of this are citizens of each respective country, whose data and communications might be subjected to varying legal standards -- not based on where the data is held, but who's asking for it.
As a result, he said, Britain’s legal standards are not at issue in the talks. “We are not weighing into legal process standards in the U.K., no more than we would want the U.K. to weigh in on what our orders look like,” he said.
Of course, the alternatives are just as problematic. If an agreement like this fails to cohere, overseas governments will likely demand data and communications generated by their citizens be stored locally, where they would be subject only to local standards.
Then there's the question of what information these agencies already have access to, thanks to the surveillance partnership between the NSA and GCHQ. Although neither agency is supposed to be focused on domestic surveillance (although both participate in this to some extent), the NSA is allowed to "tip" domestic data to the FBI for law enforcement purposes. Presumably, GCHQ can do the same with MI5. The tipped info may not be as comprehensive as what could be obtained by approaching a provider directly, but it's certainly more than the black hole the current situation is being portrayed as. (Especially considering GCHQ already has permission to break into any computer system located anywhere in the world...)
No matter what conclusion the parties come to, legislation addressing it is likely still several months away, if it ever coheres at all. Congress -- despite its occasional lapses into terrorist-related idiocy -- is likely not interested in subjecting US companies to foreign laws, no matter the stated reason for doing so. But if it doesn't oblige the UK (and others who will jump on the all-access bandwagon), it's safe to assume the British government will move towards forcing US companies to set up local servers and segregating communications and data by country of origin.