HOW CAN AN INTERNATIONAL COMMUNICATION SERVICE PROVIDER AVOID INTERNATIONAL CONFLICTS OF SURVEILLANCE LAWS?
As US communication service providers (CSPs) increasingly enter foreign markets, they become subject to foreign mandates for lawful electronic surveillance, otherwise known as lawful interception or “LI.” The US LI mandate was not designed in coordination with foreign LI mandates. As a result, an LI validly authorized in the US may be deemed illegally implemented on another country’s soil. How can an international CSP avoid these conflicts of law?
The US Lawful Intercept Process
In the US, the LI process is heavily regulated. First, the US law enforcement agency (LEA) must be vested with the authority to conduct LI. Next, the LEA must apply to a court for authority to conduct LI in a particular criminal investigation.
The judge’s authority is also strictly bound. He or she cannot grant the LI application without first finding a basis for asserting jurisdiction over the case. Jurisdiction over the CSP is usually found if the CSP operates network facilities in the US or at least does business in the US.
In addition, at least one element of the LI must be located within the judge’s geographic scope. Here is where US law is somewhat unsettled. The few courts that have addressed this issue of “territorial jurisdiction” have agreed that a judge may grant an LI order if the judge’s district includes the LEA listening post or “monitoring point,” where the intercepted communications are heard by the monitoring agents. A signifier of jurisdiction accepted by other courts is the location of the intercept access point, or “IAP,” the place in the CSP network where the interception device is installed. Still other courts have asserted jurisdiction based on the location of the suspect’s communication device, such as a laptop or smart phone.
US LI law, like the laws of many other nations, has no “extraterritorial jurisdiction.” That means a US judge cannot order an LI in a foreign country. Conversely, if a foreign country judge orders an LI in the US, and there is no US court approval, the LI would be illegal under US law. But the US has not confidently established exactly which jurisdictional signifier – the monitoring point, the IAP, and/or the suspect device – would make an LI extraterritorial.
Assuming the judge issues an order for LI, the LEA then serves the order on the CSP. The CSP’s role is to review the order for validity. If the order is valid, the CSP activates the ordered LI and then deactivates it by the expiration date indicated in the order.
LI Territorial Jurisdiction Conflicts
Most of the US LI process poses no conflicts with the LI laws of other nations. But the lack of an internationally recognized signifier for territorial jurisdiction can wreak havoc. Let’s say a US court in New York signs an LI order, basing its territorial jurisdiction on the fact that the LEA monitoring point is in New York. The order is served on a US-based CSP we’ll call Compliant Wireless. Compliant Wireless implements the order using an IAP located in Canada, and the suspect is talking on a Compliant Wireless phone in Canada. The LI order and its implementation may well be valid in the US, but it would violate Canadian law. If the IAP or suspect is in Canada, a Canadian court LI order is required. In the US and elsewhere, unauthorized LI is a serious crime. The failure to implement a valid LI order is also a crime. Should Compliant Wireless implement the LI order and risk a Canadian prosecution, or refuse to implement the order and risk jail time in the US? That’s a daunting conflict of law.
Efforts to Avoid LI Territorial Jurisdiction Conflicts
The European Union avoids LI territorial jurisdiction conflicts among its own member states. Imagine that the Police Nationale (French National Police) asks its investigators located at a monitoring point in France to monitor a suspect talking on a smart phone in that country. The investigators discover the CSP network spans France and Germany, and the technically appropriate IAP is in Germany. An EU-wide treaty permits the cross-border aspect of the LI, so the LI would not violate German law. Unfortunately, no similar treaty bridges the LI jurisdictional gaps between the EU and the rest of the world.
The US and Great Britain are currently negotiating a “data-sharing agreement” in which the two nations would permit reciprocal LI implementations under common standards of due process and privacy. Territorial jurisdiction would be based on the location and nationality of the suspect. If the suspect is a British citizen located in Great Britain, the British LEA could compel a US CSP to facilitate the LI, and conversely, if the suspect is a US citizen on US soil, a US LEA could ask a British CSP to implement the LI. That way the citizens of each nation remain subject to their own national laws of due process and privacy. Promising as the arrangement seems, it requires the approval of Congress, and no one knows when that consent might be granted.
Establishing the Best Signifier of LI Territorial Jurisdiction
Notice that the jurisdictional signifiers chosen by the US and Great Britain are the suspect’s location and nationality. This certainly helps avoid conflicts of law. For a given investigation, the location/nationality signifiers would confer LI jurisdiction on just one nation without violating the other nation’s laws.
The question remains, should all nations rely on suspect-based signifiers? Sometimes the suspect’s location and/or nationality are unknown. Even when a suspect’s IP address is known, the suspect could use anonymization tools to hide that information. And an IP address says little about a person’s nationality.
The other possible signifiers also involve trade-offs. For example, any LEA could theoretically install a monitoring point anywhere in its own country. Such ad hoc creations of jurisdiction would permit LEAs to “forum shop” among courts for the most LEA-friendly judges, and those judges could authorize LI on suspects located literally half a world away.
Anointing the IAP as the universal signifier offers some benefits. The IAP is literally where the interception takes place. Plus, it is a fixed point that is easy to locate, so the legal implications are clear to all interested parties: LEAs, judges, CSPs, and end users. On the other hand, why should an IAP in one country determine the due process rights of a suspect located in another country?
An Imperfect Signifier Would Be Better Than No Signifier
Despite the above-described difficulties of choosing a uniform LI territorial signifier, it would be better to settle on an imperfect signifier than no signifier at all. If no diplomatic solution is found, nations may increasingly take matters into their own hands. Some countries have already circumvented conflicts of law by imposing “data localization” mandates. A data localization law forces all CSPs that serve the given country to install network facilities in the country for purposes of creating territorial jurisdiction. Such extreme measures can be prohibitively inefficient for CSPs.
The issue of international LI jurisdiction is fraught with tension. Standardization of the process could efficiently serve the needs of law enforcement, free CSPs to pursue their business goals, and protect the rights of suspects.