Accessing online records and user data is an integral part of modern criminal investigations and prosecutions. However, accessing an individual’s communications, subscriber details or metadata can raise significant privacy concerns. These issues become even more complex when they involve users and governments from several different countries. Unfortunately, the legal framework that guides these decisions is out of date and unable to adequately cope with rapidly evolving technologies, cross-border interactions, and exponential growth in data collection. This means that internet providers are making important decisions about whether or not to hand over user data to law enforcement from all over the world without clear legal guidance.
This paper analyses the law controlling when U.S.-based providers can provide online user data to foreign governments. The focus is on U.S. law because current U.S. dominance of cloud-based services and internet providers means that U.S. laws and practices affect a large number of global users. The first half of this paper outlines the legal framework governing these requests. The second half of the paper highlights the gaps in the law and how individual companies’ policies fill these gaps.
2. Forms of international legal cooperation
There are three main forms of international legal cooperation that law enforcement and prosecutors can use to obtain online data in criminal matters:
- direct relationships with providers;
- law enforcement cooperation; and
- mutual legal assistance.
Letters rogatory are a fourth type of assistance, and consist of a formal request for assistance from the courts in one country to the courts in another country, usually by way of the diplomatic channel. In practice, letters rogatory are very slow and are not used frequently, and will therefore not be covered in this paper.
2.1. Direct relationships with providers
Depending on the domestic laws of the States where the provider and the law enforcement officer are based, a provider may be able to hand over user data without any formal legal process. This will depend on laws about the power of the law enforcement officer to request user information, and any data protection or privacy laws about when a provider can disclose user data.
2.2. Law enforcement cooperation
Law enforcement cooperation is when law enforcement officers in one State share information that they have obtained using their own domestic processes with law enforcement officers in another State. It can be based on bilateral relationships (often formalized in memoranda of understanding), or can be facilitated through regional or international organizations such as Interpol.
Numerous multilateral treaties on transnational crime, including the Council of Europe Convention on Cybercrime (the Budapest Convention), encourage States parties to provide law enforcement cooperation to one another. Some governments have law enforcement liaison officers or legal attachés stationed around the world to facilitate law enforcement cooperation. Whether or not an agency can share information with a foreign counterpart may be governed by laws on data privacy and police powers of the requested State.
2.3. Mutual Legal Assistance
Mutual legal assistance (MLA) is the formal government-to-government process for sharing information relating to criminal matters. It is conducted through designated “Central Authorities” (usually part of a State’s justice ministry). Central Authorities provide the contact point between the State requesting assistance and the State providing assistance.
Where domestic laws permit, MLA can occur without a treaty by relying on the principle of reciprocity. However, MLA relationships are often formalized through MLA treaties (MLATs). In addition to bilateral MLATs, there are numerous regional MLATs that facilitate MLA between States parties to those treaties. There are also MLA provisions in multilateral treaties on transnational crime. Where two States have multiple bases for an MLA relationship, they may be able to select which treaty they wish to use in a given matter.
3. Legal framework for online requests to the United States
3.1. A short note about jurisdiction
International requests for access to user data can involve several different countries; the user, law enforcement officer, data, and company headquarters can each be in a different location. The controversy about jurisdiction over data has recently come to a head in a case in which Microsoft Corporation is challenging a U.S. search warrant over user data that the company stores in Ireland. Microsoft argues that the search warrant seeks access to data that is stored outside of the United States and the warrant is therefore extraterritorial and invalid. The Government argues that Microsoft is a U.S. corporation governed by U.S. laws and that the data is under Microsoft’s control, regardless of its physical location. Many companies and advocacy groups have supported Microsoft’s approach. However, other companies (including Google, Facebook, and Twitter) have remained noticeably silent. Until this case is settled, the law remains in a state of flux.
In current practice, the question of which laws control access to a user’s data depends on a combination of company policy (as reflected in the terms of service), the corporate structure, and where the data is physically stored. Many large companies, including Google, Twitter, Facebook, and LinkedIn, will only accept jurisdiction in California, where their headquarters are located. This is reflected in their terms of service and guides for law enforcement. This paper will focus on the way in which U.S. law applies to international requests.
3.2. ECPA and the law on access by U.S. government entities
The Electronic Communications Privacy Act 1986 (ECPA) is the primary piece of legislation controlling access to online user data in the United States. The starting position is that an internet provider cannot voluntarily disclose customer records to any “governmental entity” unless a statutory exception applies. It establishes a tiered system for compelling access to different categories of online information. In practice, this can be summarized as follows:
- Basic subscriber and session information is available through a subpoena. There is a low legal threshold for issuing subpoenas and they may not require any judicial involvement.
- Other information pertaining to a subscriber or customer (including non-content transactional data) can be obtained through a court order. A so-called 2703(d) order requires a judge or magistrate to be satisfied that there are “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”
- Content of a communication can generally only be obtained through a valid search warrant based on the evidentiary standard of “probable cause”.
The actual text of ECPA provides a more complicated scheme that depends on whether content is less than 180 days old, has been retrieved by the user, or is held by an “electronic communication service” (ECS) or a “remote computing service” (RCS). However, in practice, these distinctions are of limited application since the Sixth Circuit decision of United States v. Warshak, which held that an internet company can only be compelled to disclose online content in response to a search warrant that meets the standard of “probable cause.” Most major internet companies and the U.S. Department of Justice have adopted the Warshak position.
3.3. Applying ECPA to the international context
ECPA was designed largely for domestic purposes, and is ill equipped to deal with the cross-border nature of data transfers. In particular, many of ECPA’s provisions only apply to “governmental entities.” The definition of “governmental entity” is “a department or agency of the United States or any State or political subdivision thereof.” This means that foreign governments are not “governmental entities” and are therefore not subject to the full range of ECPA’s restrictions and privileges.
Two of the main implications of foreign governments not being “governmental entities” are:
- Foreign governments may be able to access non-content information without any legal process (but cannot compel an internet provider to do so if they refuse). This is because foreign governments are not captured by the prohibition on disclosing non-content data to governmental entities.
- Foreign governments cannot obtain user content on their own behalf (either voluntarily or compulsorily). This is because the subpoena and court order processes in ECPA are only available to “governmental entities.”
If a foreign government wants to compel access to any type of user data, it must obtain it through either law enforcement cooperation or MLA. 18 U.S.C. § 3512 provides the mechanism for federal courts to issue an order such as a search warrant or to compel testimony in response to a request from a foreign authority under a MLAT or letter rogatory.
It has now become a familiar refrain that the MLAT system is slow and inadequate. For this reason, in time-sensitive matters, law enforcement officers and companies may be more inclined to access information through law enforcement cooperation or without legal process.
4. Areas where company policies plug gaps in the law
The outline above indicates that there are grey areas and gaps in the law on international law enforcement access to user data, which means that there is no clear guidance for companies as to when and how they should hand over user data. This section highlights some of the areas where gaps in the law mean that individual companies’ policies determine the outcome for users. The Electronic Frontier Foundation’s annual report, Who Has Your Back, rates technology companies (including telecommunications companies) on their public commitment “to standing with users when the government seeks access to user data.”
ECPA creates a civil cause of action against persons or entities (other than the United States) who violate the provisions of chapter 121 with a “knowing or intentional state of mind.” In any event, as discussed below, many of the disclosures made by providers relating to international governments are not covered by the provisions of ECPA and there is therefore no statutory liability for inappropriate disclosures.
4.1. Notice to user
Providers have significant discretion about whether or not to inform their users that their accounts have been accessed by law enforcement. For both domestic and international cases, the company may notify the user unless there is an order preventing a company from doing so. However, notice is purely voluntary; there is no statutory obligation on service providers to do so.
In some circumstances, law enforcement has a statutory obligation to notify users when their accounts are accessed. ECPA establishes clear obligations with respect to notice in matters of domestic access to non-content data. Section 2705 authorizes delaying notice for 90 days if there is reason to believe that prior notice “may have an adverse result” and allows for extensions of another 90 days. It also allows a court to issue an order prohibiting a provider from notifying the user. This means that, for domestic requests for non-content data, even if the provider does not provide notice, there are clear obligations for when law enforcement must provide notice.
However, when a provider grants access to an international government for non-content user data outside of the ECPA framework, there is no guidance about whether or not notice should be given. In these circumstances, there is no obligation on either law enforcement or the service provider to provide notice, which makes a company’s decision all the more important.
When law enforcement (either domestic or foreign) seeks access to content using a search warrant under Rule 41 of the Federal Rules of Civil Procedure, it is not clear whether law enforcement must notify the user. ECPA is silent on this issue. The Department of Justice Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations states that “the SCA makes quite clear that § 2703(d) and the notice requirements of § 2703 are implicated only when law enforcement does not obtain a search warrant.” Procedures under Rule 41 of the Federal Rules of Civil Procedure generally require notice before a search. However, at least one court has found that in cases involving access to user data through a provider, law enforcement only needs to provide a copy of the warrant to the service provider, not to the user. Again, this means that a company’s decision whether or not to notify a user is important because it may be the only form of notice that he or she will receive.
The major companies all state that their starting position is that they will notify users before granting access to their information. Yahoo! simply states that “Our policy is to explicitly notify our users about third-party requests for their information prior to disclosure.” LinkedIn acknowledges that they may be legally prohibited from notifying a user. Twitter, Apple, Microsoft, and Facebook all reserve the right not to notify users, for example, where there are exigent circumstances, situations of child endangerment, or where notice would be counterproductive. This indicates some degree of consensus in practice, but there is no legal underpinning on this important issue.
4.2. Undertaking to fight on user’s behalf
If a user does not know that a government officer is seeking to access his or her data, he or she cannot object. Internet providers therefore play an important role as gatekeepers of the information. Providers have discretion about whether or not to push back against a government request on a user’s behalf. They are also able to require greater legal process or to require minimization of the data being requested (for example to reduce the time period for which data is sought). This role can be critical in the context of international requests because of the inadequate legal framework in relation to non-content requests.
Some providers publicly commit to defending a request on the user’s behalf. For example, Google states that “If we believe a request is overly broad, we'll seek to narrow it” and “[i]n some cases we receive a request for all information associated with a Google account, and we may ask the requesting agency to limit it to a specific product or service.” Yahoo! also states that they will object to processes that are “overbroad or inconsistent with applicable law.” Microsoft states that “[i]n a number of cases, we seek to narrow the scope of government demands.” Many companies have also been involved in lawsuits on behalf of their users. Where such efforts are public, EFF recognizes these companies in Who Has Your Back with gold stars in the category of “fighting for users’ privacy rights in courts.”
4.3. Whether to require MLA
Without a MLA request, companies have discretion as to how to respond to international requests for user data and whether to provide non-content information. This is because the gap in the definition of “governmental entity” means that there is no prohibition on companies providing non-content information to foreign governments.
Google acknowledges that they may provide non-content to non-U.S. agencies without requiring an MLAT request if “consistent with international norms, U.S. law, Google’s policies and the law of the requesting country.” Facebook provides a less forthright statement, which, read between the lines, suggests that they do not always demand a MLAT request. In contrast, LinkedIn has a simple policy that “a Mutual Legal Assistance Treaty (MLAT) request or letter rogatory is required for disclosure of information regarding a non-U.S. request.” Dropbox changed its policy in 2013. Whereas they previously always required a MLA request, Dropbox will now grant some requests without MLA.
For those companies that will provide information in the absence of a MLA request, there is no formal guidance as to when, and on what terms, the information should be provided.
4.4. Emergency disclosures
Under ECPA, a provider is permitted, but not required, to voluntarily disclose information, including communications and customer records, to a “governmental entity” if the provider, “in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.” This “good faith” test affords the provider a significant amount of discretion.
However, by making the emergency disclosure provisions apply to “governmental entities”, ECPA once again overlooks disclosures to foreign governments. This means that even in an emergency situation, content can only be obtained through law enforcement cooperation, MLA or letters rogatory. Requests for non-content fall into the same murky situation as any other non-content foreign request. This is a legitimate reason why companies may not wish to impose a blanket rule requiring a MLA request before responding to any request from foreign law enforcement. Twitter specifically notes that international law enforcement authorities may submit requests for emergency disclosure. Microsoft addresses this issue in more depth and states that “Microsoft considers emergency requests from law enforcement agencies around the world. Those requests must be in writing on official letterhead, and signed by a law enforcement authority.” As with any non-content request, it is up to the company to determine what requirements and procedures they want to impose on foreign government requests.
4.5. Preservation requests
In contrast to some other jurisdictions, such as the European Union and Australia, there is no mandatory data retention regime in the United States. This means that different companies adopt different data retention policies. For example, LinkedIn states that “LinkedIn does not retain a copy of information from a Member’s profile page once the information is revised by the Member. Additionally, if a Member closes his or her account, we delete or de-personalize all information from that account within 30 days.” Given how quickly users may delete their data, an important part of any investigation or prosecution involving online records is to make a preservation request. This ensures that the data still exists at the time when the law enforcement officer makes a formal request for access.
The Electronic Communications Privacy Act establishes a procedure for “governmental entities” to require providers to “take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.” Yet again, the reference to “governmental entity” means that there is no obligation with respect to international requests. In practice, many providers may be willing voluntarily to preserve data for foreign governments. However, if a provider refuses, a foreign government will either need to seek assistance through law enforcement cooperation or MLA.
4.6. Where to store data and accept jurisdiction
As noted above, companies take different approaches about where they will accept jurisdiction, where to establish legal entities, and where to store data. Previously, decisions about where to store data may have been made on technical rather than legal considerations. However, the Microsoft Ireland case suggests that data location could now have significant legal implications.
Companies such as Amazon Web Services offer users the option to specify in which country they would like their data to be stored. Microsoft determines data location by the self-declared region of a user’s residency. Google and many other providers are silent on the issue. If data location is found to be legally significant for determining jurisdiction, it will be important for companies to provide information and options for users that enable them to make informed decisions about their online activities.
Which laws control access to user data internationally is a complex issue for which there are not yet any clear answers. Moreover, even if it were settled that it is U.S. law that applies when a foreign government seeks access to a user’s data held by a U.S. company, the U.S. legal regime provides little certainty. There are numerous gaps and grey areas, which mean that internet companies are making decisions about how to respond to international requests for user data in a legal vacuum.
At the moment, companies must fill this vacuum with internal policies. An increasing number of companies are creating transparency reports, and those reports are becoming more detailed and user-accessible. As part of this, Dropbox and Yahoo! publish principles for how they handle government data requests. This is an admirable start, but lacks the detail and accountability of a binding legal regime. There is also no consistency between companies or any realistic way in which users can compare the policies of different providers. It is important to be clear about the limits of the law and the areas of uncertainty in order to have an informed discussion about how these gaps should be filled and by whom.