If U.S. and British negotiators have their way, MI5, the British domestic security service, could one day go directly to American companies such as Facebook or Google with a wiretap order for the online chats of British suspects in a counterterrorism investigation.
The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.
The previously undisclosed talks are driven by what the two sides and tech firms say is an untenable situation in which foreign governments such as Britain cannot quickly obtain data for domestic probes because it happens to be held by companies in the United States. The issue highlights how digital data increasingly ignores national borders, creating vexing challenges for national security and public safety, and new concerns about privacy.
The two countries recently concluded a draft negotiating document, which will serve as the basis for the talks. The text has not been made public, but a copy was reviewed by The Washington Post.
The British government would not be able to directly obtain the records of Americans if a U.S. citizen or resident surfaced in an investigation. And it would still have to follow the country’s legal rules to obtain warrants.
Any final agreement will need congressional action, through amendments to surveillance laws such as the Wiretap Act and the Stored Communications Act.
Senior administration officials say that they have concluded that British rules for data requests have “robust protections” for privacy and that they will not seek to amend them. But British and U.S. privacy advocates argue that civil liberties safeguards in Britain are inadequate.
The negotiating text was silent on the legal standard the British government must meet to obtain a wiretap order or a search warrant for stored data. Its system does not require a judge to approve search and wiretap warrants for surveillance based on probable cause, as is done in the United States. Instead, the home secretary, who oversees police and internal affairs, approves the warrant if that cabinet member finds that it is “necessary” for national security or to prevent serious crime and that it is “proportionate” to the intrusion.
If U.S. officials or Congress do not seek changes in the British standards, “what it means is they’re going to allow a country that doesn’t require independent judicial authorization before getting a wiretap to continue that practice, which seems to be a pretty fundamental constitutional protection in the United States,” said Eric King, a privacy advocate and visiting lecturer in surveillance law at Queen Mary University of London. “That’s being traded away.”
Senior administration officials said that they are seeking to relieve the pressure on U.S. companies caught in a “conflict of laws.” The United States bars American firms from providing intercepts to anyone but the U.S. government after law enforcement has obtained a court order. Britain wants to directly compel the production of the data and has already passed legislation to make that happen.
To obtain stored emails, a foreign government must rely on a mutual legal assistance treaty (MLAT) by which the country makes a formal diplomatic request for the data and the Justice Department then seeks a court order on its behalf — a process that is said to take an average of 10 months.
“This has been an issue with the U.K. and other countries for a number of years,” said one senior administration official, who like several others spoke on the condition of anonymity to discuss the negotiations. “Because of technological changes, the U.K. can no longer access data in the U.K. like they used to be able to, and more and more, U.K. nationals — including criminals in their country — are using providers like Google, Facebook, Hotmail. The more they are having challenges getting access to the data, the more our U.S. providers are facing a conflict of laws.”
Administration officials and officials from several tech firms said the stakes are high if no agreement is reached.
They fear that if the trend continues, more foreign governments will force U.S. firms to host their data in those countries — a practice known as “data localization.” They also fear passage of laws, like the one in Britain that has not yet been enforced, requiring foreign firms doing business in their country to comply with their surveillance orders, even if the orders conflict with U.S. law.
“We’re reaching a moment where the status quo is no longer workable,” said an official at a major tech firm. “We’re concerned about the mounting frustration and the inability of foreign governments, including the U.K., to receive responsive data in law enforcement investigations in a timely manner.”
Up to now, he said, U.S. firms have “held their ground” when pressured to turn over data or conduct wiretaps in conflict with U.S. law. “Increasingly, that’s not something we’ll be able to do,” he said.
Just over a week ago, the White House gave the State and Justice departments the green light to begin the formal negotiations. Officials stressed that they were in the very early stages of the talks, which probably will go on for months. They said they will seek to ensure that any agreement protects civil liberties.
But Gregory Nojeim, senior counsel at the Center for Democracy & Technology, a Washington-based privacy group, said allowing Britain to go to U.S. firms directly with wiretap orders “would be a sea change in current law. I don’t see Congress going down that road.”
Senior administration officials said that the goal is to help a close ally investigate serious crimes — something that the United States has a shared interest in.
One potential example: London police are investigating a murder-for-hire plot, and the suspects are using Hotmail to communicate, and there’s no connection to the United States other than the fact that the suspects’ emails are on a Microsoft server in Redmond, Wash. Today, the police would have to use the MLAT process and wait months.
“Why should they have to do that?” said the administration official. “Why can’t they investigate crimes in the U.K., involving U.K. nationals under their own laws, regardless of the fact that the data happens to be on a server overseas?”
Jennifer Daskal, a national security law professor at American University and a former Justice Department official, said before U.S. firms are asked to turn over data, they should be assured that the legal standard for the request is sufficiently high. It need not mimic precise U.S. standards, she said, but should at least require that requests be targeted, and subject to independent review and privacy protections that weed out irrelevant information. If not in the agreement, Congress should mandate requirements, said Daskal, who is part of a coalition of privacy groups, companies and academics working on the issue.
A second administration official said that U.S. officials have concluded that Britain “already [has] strong substantive and procedural protections for privacy.” He added: “They may not be word for word exactly what ours are, but they are equivalent in the sense of being robust protections.”
As a result, he said, Britain’s legal standards are not at issue in the talks. “We are not weighing into legal process standards in the U.K., no more than we would want the U.K. to weigh in on what our orders look like,” he said.
The agreement is intended to be reciprocal, so that the U.S. government could directly request wiretaps or stored data of a British provider as long as the target is American and not a British citizen.
Karla Adam in London contributed to this report.