Nov 05, 2019, 17:12 pm
(This post was last modified: Nov 05, 2019, 18:35 pm by Resurgence. Edited 1 time in total.)
The recently signed CLOUD Act deal between the U.S. Department of Justice and the U.K. Home Office will allow U.K. police easy access to data held by American companies, regardless of where the data is stored. These U.K. data requests, including demands to collect real-time communications, do not need to meet the standards set by U.S. privacy laws or the 4th Amendment. Similarly, the deal will allow U.S. police to grab information held by British companies without following U.K. privacy laws.
This deal, negotiated by American and British law enforcement behind closed doors and without public input, will deal a hammer blow to the legal rights of citizens and residents of both countries. And the damage won’t stop there. The U.S.-U.K. Cloud Act Agreement may well become a model for further bilateral deals with other foreign governments and the United States. Earlier this month, Australian law enforcement agencies began negotiating their own deal to directly access private information held by U.S. Internet companies.
There’s still one possible path to put the brakes on this disastrous U.S.-UK deal: Congress can introduce a joint resolution of disapproval of the agreement within 180 days.
In the U.S., the standard for when law enforcement can collect stored communications content is clear: police need to get a warrant, based on probable cause. If police want to wiretap an active conversation, they have to satisfy an even higher standard, sometimes called a “super warrant,” that limits both the timing and use of a wiretap. Perhaps most importantly, stored communications warrants and wiretap warrants have to be signed by a U.S. judge, which adds an extra layer of review to whether privacy standards are met.
Judicial authorization is a critical step in the U.S. warrant process. When police search people’s private homes, offices, or devices, they must justify why the search for specific evidence outweighs the presumption that individuals remain free from government intrusion. Judicial authorization acts as a safeguard between citizens and law enforcement. Further, history has shown that police can and will abuse their powers for intimidation, or even personal gain. In colonial times, the British military used general warrants to search through colonists’ houses and seize property—actions that helped fuel a revolution, and formed the basis for the 4th Amendment to the U.S. Constitution.
Incredibly, the DOJ has just thrown those rights away. Instead of relying on probable cause, the new agreement uses an untested privacy standard that says that orders must be based on a “reasonable justification based on articulable and credible facts, particularity, legality, and severity.” No judge in any country has decided what this means.
The current deal just says that the U.K. must have “review or oversight” by an independent authority. Oversight is much different than prior judicial authorization. That means when a U.S. tech software company is asked to hand over communications and other sensitive data to UK police, the police don’t have to go to an impartial third-party to first review and see if the request complies with the U.S.-UK agreement. This takes away an important check before data is turned over to make sure that privacy rights are not harmed. Importantly, this hurts the rights of non-U.S. people as well because it takes away protections and recourse under U.S. domestic privacy laws.
The U.S.-UK agreement also doesn’t create safeguards the provide notice to the target of a law enforcement order, or any other affected people.
Without notice, a person won’t be aware that they are under foreign surveillance, won’t be able to hire a lawyer, and won’t be able to examine the evidence against them. Further, the agreement allows U.K. police to request U.S.-based data under U.K. law. People subject to unlawful surveillance won’t be able to exercise legal or constitutional rights they have under U.S. law.
National police agencies are trying to soft-pedal their demand for this new power by pointing out that it won’t be applied to U.S. persons. But foreign police will be getting Americans’ data. First of all, U.K. police will inevitably scoop up the information of Americans who have been in contact with foreigners who are the official subjects of U.K. police requests. That’s why there are mandatory “minimization” procedures to make sure U.K. police don’t get too much data about U.S. persons, or distribute it too widely.
As for U.K. citizens and residents, what happens to their data under this agreement isn’t clear. When U.S. police go to British information providers, there are no clear requirements for how the U.S. should even perform minimization. The only requirement on the U.S. is that the agreement be reciprocal, including limitations on targeting people within British territory. But that doesn’t mean that the U.S. won’t still get information about U.K. persons, as long as they’re in communication with a non-U.K. target—just as U.K. police will get from the U.S.
U.S. Attorney General William Barr has claimed that offering extraordinary access to foreign police is the right thing to do because of the awful crimes they’re pursuing, citing terrorism and crimes against children.
However, the deal will allow U.K. police to comb through the data of U.S. companies for relatively low-level crimes, including fraud, assault, and simple theft. The only justification U.K. police will have to come up with is that they’re investigating a crime that holds at least a three-year prison sentence in their own country. They could even be investigating acts that aren’t crimes in the U.S. Again, the same holds true for U.S. law enforcement gathering information held in the U.K.—there’s no requirement that a similar crime exists in both countries.
It’s worth noting that under U.K. law, a 10-year sentence can also be handed down for criminal copyright infringement.
Under the current system, if a foreign law enforcement agent wants access to protected information in the U.S., both the DOJ and a judge will review the request to make sure it doesn’t violate human rights, or U.S. laws like the First Amendment. This review is a part of the long-standing mutual legal assistance process that lets governments access data stored in other territories, but with procedural safeguards. Under this agreement, there won’t even be a cursory review. In some situations, U.S. authorities won’t even be notified about the foreign agent’s request.
The CLOUD Act and U.S.-U.K. agreement specifically say that foreign governments shouldn’t be allowed to file requests that “impinge freedom of speech.” But “freedom of speech” has a different meaning in U.S. and in UK law. The U.K. has several laws that potentially violate article 19 of the International Covenant on Civil and Political Rights.
Under this agreement, it will be up to U.S. tech companies to challenge requests that aren’t compatible with human rights or free speech. As we have seen time and time again, tech companies are not in the best position to understand the nuance of free speech law.
Congress didn’t give proper thought to the CLOUD Act when it passed last year, and it let fundamental U.S. privacy and speech protections fall to the wayside.
https://www.eff.org/deeplinks/2019/11/co...-agreement
This deal, negotiated by American and British law enforcement behind closed doors and without public input, will deal a hammer blow to the legal rights of citizens and residents of both countries. And the damage won’t stop there. The U.S.-U.K. Cloud Act Agreement may well become a model for further bilateral deals with other foreign governments and the United States. Earlier this month, Australian law enforcement agencies began negotiating their own deal to directly access private information held by U.S. Internet companies.
There’s still one possible path to put the brakes on this disastrous U.S.-UK deal: Congress can introduce a joint resolution of disapproval of the agreement within 180 days.
In the U.S., the standard for when law enforcement can collect stored communications content is clear: police need to get a warrant, based on probable cause. If police want to wiretap an active conversation, they have to satisfy an even higher standard, sometimes called a “super warrant,” that limits both the timing and use of a wiretap. Perhaps most importantly, stored communications warrants and wiretap warrants have to be signed by a U.S. judge, which adds an extra layer of review to whether privacy standards are met.
Judicial authorization is a critical step in the U.S. warrant process. When police search people’s private homes, offices, or devices, they must justify why the search for specific evidence outweighs the presumption that individuals remain free from government intrusion. Judicial authorization acts as a safeguard between citizens and law enforcement. Further, history has shown that police can and will abuse their powers for intimidation, or even personal gain. In colonial times, the British military used general warrants to search through colonists’ houses and seize property—actions that helped fuel a revolution, and formed the basis for the 4th Amendment to the U.S. Constitution.
Incredibly, the DOJ has just thrown those rights away. Instead of relying on probable cause, the new agreement uses an untested privacy standard that says that orders must be based on a “reasonable justification based on articulable and credible facts, particularity, legality, and severity.” No judge in any country has decided what this means.
The current deal just says that the U.K. must have “review or oversight” by an independent authority. Oversight is much different than prior judicial authorization. That means when a U.S. tech software company is asked to hand over communications and other sensitive data to UK police, the police don’t have to go to an impartial third-party to first review and see if the request complies with the U.S.-UK agreement. This takes away an important check before data is turned over to make sure that privacy rights are not harmed. Importantly, this hurts the rights of non-U.S. people as well because it takes away protections and recourse under U.S. domestic privacy laws.
The U.S.-UK agreement also doesn’t create safeguards the provide notice to the target of a law enforcement order, or any other affected people.
Without notice, a person won’t be aware that they are under foreign surveillance, won’t be able to hire a lawyer, and won’t be able to examine the evidence against them. Further, the agreement allows U.K. police to request U.S.-based data under U.K. law. People subject to unlawful surveillance won’t be able to exercise legal or constitutional rights they have under U.S. law.
National police agencies are trying to soft-pedal their demand for this new power by pointing out that it won’t be applied to U.S. persons. But foreign police will be getting Americans’ data. First of all, U.K. police will inevitably scoop up the information of Americans who have been in contact with foreigners who are the official subjects of U.K. police requests. That’s why there are mandatory “minimization” procedures to make sure U.K. police don’t get too much data about U.S. persons, or distribute it too widely.
As for U.K. citizens and residents, what happens to their data under this agreement isn’t clear. When U.S. police go to British information providers, there are no clear requirements for how the U.S. should even perform minimization. The only requirement on the U.S. is that the agreement be reciprocal, including limitations on targeting people within British territory. But that doesn’t mean that the U.S. won’t still get information about U.K. persons, as long as they’re in communication with a non-U.K. target—just as U.K. police will get from the U.S.
U.S. Attorney General William Barr has claimed that offering extraordinary access to foreign police is the right thing to do because of the awful crimes they’re pursuing, citing terrorism and crimes against children.
However, the deal will allow U.K. police to comb through the data of U.S. companies for relatively low-level crimes, including fraud, assault, and simple theft. The only justification U.K. police will have to come up with is that they’re investigating a crime that holds at least a three-year prison sentence in their own country. They could even be investigating acts that aren’t crimes in the U.S. Again, the same holds true for U.S. law enforcement gathering information held in the U.K.—there’s no requirement that a similar crime exists in both countries.
It’s worth noting that under U.K. law, a 10-year sentence can also be handed down for criminal copyright infringement.
Under the current system, if a foreign law enforcement agent wants access to protected information in the U.S., both the DOJ and a judge will review the request to make sure it doesn’t violate human rights, or U.S. laws like the First Amendment. This review is a part of the long-standing mutual legal assistance process that lets governments access data stored in other territories, but with procedural safeguards. Under this agreement, there won’t even be a cursory review. In some situations, U.S. authorities won’t even be notified about the foreign agent’s request.
The CLOUD Act and U.S.-U.K. agreement specifically say that foreign governments shouldn’t be allowed to file requests that “impinge freedom of speech.” But “freedom of speech” has a different meaning in U.S. and in UK law. The U.K. has several laws that potentially violate article 19 of the International Covenant on Civil and Political Rights.
Under this agreement, it will be up to U.S. tech companies to challenge requests that aren’t compatible with human rights or free speech. As we have seen time and time again, tech companies are not in the best position to understand the nuance of free speech law.
Congress didn’t give proper thought to the CLOUD Act when it passed last year, and it let fundamental U.S. privacy and speech protections fall to the wayside.
https://www.eff.org/deeplinks/2019/11/co...-agreement