Take the first step toward good global data sharing rules
© Getty Images

Recent events remind us that terrorism and crime are now global phenomena.  Attacks in Paris, and here in the U.S. metastasize from rhetoric and calls for violence that begin overseas in the Middle East.  Criminal theft at the Bangladeshi national bank has its origins (probably) in North Korea.  When I first began my career as a prosecutor back in the 1980s most crime was local.  The greatest jurisdictional challenge we had was that physical evidence of a crime in New Jersey might be somewhere in New York City, or Philadelphia.  Today, that same crime (or terrorist attack) in New Jersey more often involves digital evidence that is overseas. 

And that’s a problem.  Cross-border law enforcement cooperation is hampered by inadequate laws and conflicting jurisdictional demands.  As a result, evidence overseas is often, in practice, unavailable to prosecutors.  Congress has an opportunity to take the first steps toward fixing the problem; it should seize that chance. 

ADVERTISEMENT
The fundamental problem is competing assertions of control. 

The United States, for example, has argued that its authority to demand electronic evidence extends globally wherever it may be and whomever might be under investigation – the government says this global reach is essential to its counterterrorism program.  But last year, the US Court of Appeals for the Second Circuit in New York City held that the US government did not have global authority.  It said that the US could not force Microsoft to produce data that it had stored in an Irish data center, even though Microsoft was an American corporation.  

That decision leaves American law enforcement at a significant disadvantage to the criminals – but it would be a mistake to think that the solution is to simply reverse the court, and give US officials worldwide authority.  For one thing, we would never give that authority to the Chinese over American citizens, so why should we expect others to accept our assertion of universal jurisdiction?  For another, global authority risks imposing conflicting requirements on American companies that are contrary to the laws of the countries where they operate.

How then to answer legitimate law enforcement needs while protecting American privacy and the competitiveness of American companies? There are two key ways in which Congress should act.

First, Congress should pursue a modified restoration of the government’s global authority – one that recognizes the legitimacy of the interests of other countries while preserving America’s ability to protect its own interests.  The Senate will hold a hearing on May 10, and they will, I hope, recognize that certain core principles should guide the legislative response.  

  • The US should be obliged, where reasonably possible, to determine the nationality of the person who is the subject of the investigation and, if we have an existing and efficient law enforcement cooperation agreement with the country of which the subject is a citizen, we should use the mechanisms of that agreement instead of acting unilaterally to secure digital data. 
  • These rules should be reciprocal.  The US should only follow them when other like-minded countries agree to treat American citizens in the same way.
  • Finally, we need to be sure of the bona fides of any reciprocal agreement.  So the Attorney General should have a way of exempting the requirements of this law when it involves a request to an authoritarian country whose adherence to the rule of law is not robust.

The second is a more practical proposal currently before Congress– legislation necessary to implement the first test of these principles.  The US has a pending reciprocal agreement with the United Kingdom of the sort that ought to be a model for the world.

Here the problem is that American privacy laws sometimes prevent the UK from investigating UK-based crimes; if, for example, they try to force Google to provide email from servers in the US, American law may impede that production, even if it is information about a suspected terrorist attack by a British citizen in Great Britain.  Congress should adopt legislation that would implement our reciprocal agreement for criminal investigation with the UK, and, where appropriate, other nations. 

These two proposals – a restoration of a limited, symmetrical world-wide evidentiary authority and the implementation of the US-UK agreement -- fit nicely together and should proceed.  These common-sense reforms have wide, bipartisan support.  Caution is required however; all too often in Congress when broad agreement is reached, others try to add more controversial proposals, in the hopes of seeing their enactment.  Today, privacy advocates and law enforcement advocates have many issues about which they disagree – any one of which might sidetrack these useful first steps toward reform.  We should not let those issues derail reforms on which most agree.

Michael Chertoff is a former homeland security secretary and is executive chairman of the Chertoff Group, a security and risk management advisory firm with clients in the technology sector including Microsoft.


The views expressed by this author are their own and are not the views of The Hill.