Today’s crimes are increasingly global and likely to perpetrated over or using the Internet. Thus, it is more likely than not that a law enforcement agent will need to serve legal process upon a global company for data regarding an email address, telephone number, or bank account. A major roadblock encountered by law enforcement agencies worldwide in doing this is the archaic and time consuming Mutual Legal Assistance process (MLA), used by many nations to collect authenticated evidence for law enforcement investigations. While the primary goals of MLA should be protected, the legal framework should be reworked in order to enable law enforcement agents to more effectively investigate and prosecute cyber crimes both at home and abroad.
The MLA process is structured upon a series of Mutual Legal Assistance Treaties (MLATs) between the U.S. and foreign nations. MLATs themselves are bilateral, multilateral, or regional agreements detailing how and what kinds of data foreign governments may request. This process is designed to facilitate international collaboration in law enforcement investigations by providing an efficient method for foreign nations access to U.S. companies through the U.S. Department of Justice Office of International Affairs (OIA). OIA reviews international legal process to ensure compliance with Fourth Amendment protections, the Electronic Communications and Privacy Act, and the relevant MLAT. Once verified, the legal process goes through the relevant District Court and FBI office before ultimately being served upon the targeted company. Conversely, American law enforcement agencies serve process to foreign entities through each nation’s or region’s MLA process.
While this process inserts barriers between U.S. companies and foreign law enforcement and ensures constitutional protections for user data, it also creates extensive delays. Requests to the U.S., regardless of type of legal process, can take any where from six weeks to ten months, or even longer. These delays are only exacerbated by the increased volume of requests. In 2015, the Office of International Affairs reported a 60% increase in foreign requests for user data. While the workload has dramatically expanded, the resources for MLAT have not. In 2015, the budget for MLAT was $44 million, which included $24.1 million of additional funding.
Another difficulty associated with MLAT is that the legal process served must be tailored to comply with local law. This leads to delays in two ways. First, if the process does not comply with local regulations, it is rejected and it must be resubmitted, causing the entire process to reset. Second, when attorneys send legal process to foreign entities, they must ensure that it meets local standards of protection. Therefore, attorneys must be adequately knowledgeable of the specifics of the relevant MLATs and local privacy laws or regulations. In other words, a German prosecutor serving legal process on Facebook must understand American requirements and American law enforcement would have to understand German requirements, in order to best limit delays. While this is less of an issue for countries with comparable legal systems and user protections, a lack of knowledge or understanding could significantly delay law enforcement from other countries.
To address the delays, multiple programs have been suggested to allow foreign nations expedited access to data to U.S. data. The first of these programs proposes to amend the Electronic Communications Privacy Act (ECPA) allowing U.S. companies to directly respond to foreign legal process from specified countries that meet certain criteria and have entered executive agreements with the United States. Select foreign entities would be able to serve process directly upon a U.S. company if the foreign company made an adequate showing: 1) that the government has a legitimate interest in the criminal activity being investigated; 2) the target is located outside of the U.S.; and 3) the target is not a U.S. person. The request would also have to satisfy a laundry list of procedural and substantive protections founded in human rights law. The second proposed program is comparable to that of a waiver program. This program would allow countries that have a demonstrated history of meeting U.S. evidence and privacy standards to participate in a “streamlined MLAT” program.
A potential consequence of a failure to reform MLAT is that countries will require companies to localize their data in individual countries. This practice, known as “data localization,” has been debated for many years now, would impose substantial financial burdens on companies, limit the global economy, and restrict Internet use to users world-wide. Therefore, while there may be short term solutions to alleviate the pain of MLAT, large scale reforms should be taken in order hasten responses to data requests, ensure user privacy, and reduce the likelihood of data localization.