Government Affairs Blog
May 12, 2020
HOW COULD A FOREIGN-OWNED COMMUNICATION SERVICE PROVIDER FAIL TO GAIN ACCESS TO THE US MARKET?
On April 4th President Trump issued an order titled “Executive Order Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Sector” (the “EO”). The EO will replace Team Telecom with a senior, formal governmental authority to review applications for foreign investment in the US telecommunications sector.
What are the implications of the EO for foreign-owned communication service providers (CSPs) that want to enter the US market?
Background on the EO
Until now, Team Telecom was the inter-agency body that reviewed potential threats to national security and law enforcement posed by foreign-owned CSPs seeking to expand into the US. The working group has been hosted by DOJ and managed by the FBI. It has contributed to the Federal Communications Commission’s (the FCC’s) “public interest” review of each foreign CSP application by ensuring that the entity adequately assists the investigations of US national security and law enforcement.
Over the past few years, the Trump Administration has grown increasingly concerned about potential threats to the security of America’s telecommunications infrastructure. One sensitive issue is whether to permit Chinese communication service providers to serve the US market. A related question is whether Chinese telecom equipment vendors like Huawei and ZTE pose a threat to our national security.
In response to these concerns, the administration strengthened the review powers of the Committee on Foreign Investment in the US (“CFIUS”). CFIUS performs functions like Team Telecom but spans all industries, not just the communications sector. In addition, last year the FCC opened a rulemaking to modify its rules governing subsidies for the buildout of broadband networks in rural areas. The proposed rules would condition the subsidies on the exclusion of Chinese-made network equipment. A few years ago, the FCC opened a proceeding to discuss how to streamline the Team Telecom process. That proceeding may now be moot.
Against this backdrop the President issued the recent EO. Soon, the FCC is expected to finalize its pending rural broadband rulemaking in a way that conforms to the EO.
Summary of the EO
The new “Committee” referenced in the title of the EO must be established by July 3rd. It will be chaired by the Attorney General. Other Committee members will include the Department of Defense, the Department of Homeland Security, and other agencies as the President may direct. A secondary governmental group called the “Advisors to the Committee” will play an advisory role in the process. The Advisors will be the State Department, Treasury Department, Commerce Department, the Office of Management and Budget, the Director of National Intelligence, the US Trade Representative, and others.
Upon referral by the FCC, the Committee will review applications filed by CSPs with foreign ownership, as well as the licenses of CSPs that involve foreign ownership, to identify risks to national security and law enforcement. The review process will require the CSP to answer a detailed questionnaire. Presumably, the document will resemble the “triage” questionnaire that Team Telecom routinely handed to foreign-owned CSPs. If the Committee discovers a risk to national security or law enforcement, it may recommend “mitigation” measures to the FCC. Based on those recommendations, the FCC may dismiss the given application, modify it, condition the grant of license on the performance of certain law enforcement assistance, or revoke an existing license.
For example, if the Committee audits a foreign CSP operating in the US and discovers an incident of noncompliance with a license condition, the Committee may recommend that the FCC further modify or revoke the license.
The review process must take place within 120 days of the date the Committee decides the given questionnaire is complete. An additional 90-day period may be used for cases that require deeper analysis. Adverse decisions must be based on a written record. Team Telecom was not required to produce such writings.
Implications for Foreign-Owned CSPs
Foreign-owned CSPs will soon face a more powerful and formal body when seeking FCC licenses to serve the US market. That does not necessarily make it more difficult to enter the US market. Foreign CSPs based in allied nations may jump through the national security hoops just as easily as they did in the Team Telecom days. The new regime will not require foreign CSPs to make any greater commitments to US national security or law enforcement than before. However, if someone as powerful as the Secretary of Defense or Homeland Security deems a CSP suspect for any reason – whether due to the owner’s home nation, its ties to suspicious entities, or the nature of the proposed communication service – the official could probably stop the CSP dead in its regulatory tracks.
The Committee’s powers appear to be limited. It can only make “recommendations” to the FCC. However, that may be because a more obligatory process would have required Congressional legislation. It is hard to imagine the FCC rejecting a Committee recommendation, especially one backed by the Attorney General. The FCC routinely took the advice of Team Telecom. Based on that record, the word “recommendation” probably means “command.”
The national security review process may also become more politicized. For example, if the President needs more leverage in the US-China trade war, he might have his attorney general oppose an FCC application involving a Chinese interest. Alternatively, if the privacy lobby feels aggrieved by a foreign-owned CSP, the group could pressure the Administration – and by implication the Committee – to retaliate using its national security review and audit tools.
In another sense, the higher-profile structure may benefit foreign-owned CSP’s. The 120-day review deadline may expedite the license process. Similarly, the more formal rules may create more accountability. A written record of an adverse decision could give an applicant valuable guidance. In the Team Telecom days, a single review could last a year or more, and the basis for its decisions was never publicly disclosed.
On the other hand, the 120-day process does not start until the Committee chair says the questionnaire is complete. How hard could it be for the chair to find the questionnaire is not complete? That indicates the Committee has flexibility to slow down the train.
By making the national review process more accountable, the EO impliedly makes foreign-owned CSPs more accountable. Applicants must be more candid than ever, in my view, when completing the questionnaire. Beyond that, they must thoroughly implement any promises to assist LEAs. One Committee audit could result in the loss of a license.
The increased importance of CALEA Compliance
The increase in foreign-owned CSP accountability means those entities must, at a minimum, provide good-quality assistance for US lawful surveillance. Specifically, the foreign competitors must be prepared to demonstrate that they can deliver effective interception capabilities as required by the CALEA (lawful surveillance) statute. CALEA differs from the surveillance laws of other nations. For example, under CALEA a court may require a CSP to limit an interception to just the metadata of a suspect’s communications. Most of the foreign counterpart laws take an all-or-nothing approach, requiring the disclosure of both content and metadata or nothing at all.
If a foreign CSP lacks familiarity with US surveillance law, it should retain the needed expertise before entering the new Committee-based foreign review process. It may hire a qualified US law firm or a trusted third-party provider of CALEA compliance programs. Subsentio is a leader in CALEA compliance. Either way, the foreign-owned CSP will likely find that US authorities take lawful surveillance more seriously than ever before.
March 26, 2020
COULD A COMMUNICATION SERVICE PROVIDER BE HELD LIABLE FOR IMPLEMENTING AN INVALID FISA ORDER?
March 26, 2020
COULD A COMMUNICATION SERVICE PROVIDER BE HELD
LIABLE FOR IMPLEMENTING AN INVALID FISA ORDER?
Congress is debating whether to renew certain provisions of the Foreign Intelligence Surveillance Act (“FISA”) and whether the renewal authority should include reforms designed to limit FISA investigations. The controversy was sparked by a Department of Justice inspector general report, which revealed that the DOJ and FBI had abused the FISA process during their investigation of Russian involvement in the 2016 presidential election. Specifically, the report found the law enforcement agencies had made “significant errors and omissions” when applying for FISA orders to wiretap an advisor to President Trump’s election campaign. The malfeasance had wrongly induced the FISA court to issue orders for electronic surveillance that lacked the requisite probable cause.
In an investigation when law enforcement agents serve an invalid surveillance order on a communication service provider (CSP), what are the consequences? Can a CSP be penalized for conducting unauthorized surveillance?
When a CSP is served with a surveillance order, whether the order is served under the FISA statute (for foreign intelligence investigations) or the Wiretap Act (in criminal probes), the provider should have someone with appropriate expertise review the order for validity. If the order is invalid on its face, the network owner should notify the case agent and ask for the defect to be cured. The agent may need to have the order revised and reauthorized by the presiding judge. A good understanding of the surveillance statutes and related case law may be needed to persuade the agent that the legal re-write is needed. Otherwise the situation may become confrontational.
Validating the surveillance order is important for two reasons. If a CSP disregards this step and participates in unauthorized surveillance, it could suffer criminal penalties. In addition, the CSP could be sued by the aggrieved subscriber.
Now consider a tougher question. Say the CSP properly reviews a surveillance order and determines it is facially valid but later learns the order was defective. Maybe the law enforcement agency omitted key facts when applying for the surveillance approval. Or maybe the judge lacked jurisdiction to issue the order. A CSP is not required to investigate the entire judicial process. As long as the CSP finds the order is facially valid, it will be immune from prosecution by the government and lawsuits from subscribers. “Statutory immunity” protects CSPs from due process failures beyond their control. Consequently, if an order that appears facially valid turns out to be the product of a misrepresentation by a law enforcement agent, or a jurisdictional overreach by a judge, the CSP is off the hook.
Does statutory immunity protect a CSP when responding to court orders and subpoenas for stored records? Yes. As long as the service provider reviews the due process for validity and confirms it is facially valid, it may disclose the requested subscriber records to the law enforcement agent without fear of liability. At the trial stage of the proceeding, if defense counsel shows that the court or law enforcement agent lacked authority to issue the legal instrument, the agency may be penalized but the service provider would not.
In sum, CSPs bear a responsibility to validate documents demanding assistance to law enforcement, and they should be prepared to serve that role. But the burden is a reasonable one. It keeps industry from getting blamed for improper government actions like the surveillance in the FISA/Russia scandal.
December 31, 2019
DOES CALEA PERMIT THE FCC TO BAN “UNTRUSTWORTHY” EQUIPMENT VENDORS SUCH AS HUAWEI AND ZTE?
The Federal Communications Commission rarely adopts rules directed at certain named communications companies. It is unprecedented for the Commission to use the CALEA lawful surveillance statute as a tool of cybersecurity. Yet the FCC just cited CALEA as one basis to restrict the use of communications equipment by China’s two leading communications equipment vendors: Huawei Technologies Company and ZTE Corporation. Can the FCC do that?
The USF ban on Huawei and ZTE
On November 26th the Commission released an order that significantly modified a subsidy program called the Universal Service Fund. The USF promotes the buildout of broadband networks for rural areas, as well as schools and libraries. According to the FCC order, USF funds may no longer be used to buy equipment or services from vendors that pose “a national security threat” to the U.S. The order explained that the FCC would make a list of such “untrustworthy” vendors. Then the order imposed an initial designation of untrustworthiness on Huawei and ZTE.
To justify its action against vendors such as Huawei and ZTE, the Commission cited multiple sources of authority. Among the named laws was CALEA. CALEA requires telecommunications carriers to equip their networks with certain technical capabilities needed to implement court orders for surveillance. The FCC asserted that under CALEA it may ban untrustworthy vendors to protect against unauthorized surveillance.
One issue raised in the USF order was how to compensate carriers that may be forced to “remove and replace” FCC-banned equipment with acceptable gear. The Rural Wireless Association estimated that the potential replacement of the infrastructure could cost its members about $1.2 billion.
On December 4th Huawei challenged the FCC order before the U.S. Court of Appeals for the Fifth Circuit, where the company’s U.S. headquarters is based. Huawei’s petition claimed the FCC lacked authority to impose the USF ban and failed to provide evidence supporting its determination that Huawei posed a cybersecurity threat. For over a decade Huawei had battled U.S. accusations that the Chinese government could exploit the vendor’s technology for spying. But that did not stop the U.S. Defense Department or Commerce Department from imposing their own blacklists of Huawei gear.
How the FCC interpreted CALEA to justify the USF ban on Huawei and ZTE
After stating that the FCC may condition the disbursement of USF funds on public interest factors such as national security, the order then presented a more specific justification for its USF ruling under CALEA. It cited CALEA Section 105, titled “System Security and Integrity.” Section 105 states that a CALEA-covered telecommunications carrier must ensure that any interception on its network is activated only with the authorization of a court and the approval of an appointed member of the carrier’s staff. The Commission theorized that an untrusted supplier could insert malicious code in a carrier’s network that would enable the supplier to activate surveillance without the awareness of a court or the carrier’s staff. According to the agency, Section 105 imposes a duty to avoid the risk of such unauthorized surveillance.
The above characterization of CALEA Section 105 as a defense against cybersecurity attacks marks a curious departure from the conventional interpretation of the 25-year-old statute. Because cybersecurity was a relatively new term at the time, and cyberattacks were rare, nothing in the text of Section 105 even mentioned cybersecurity. The language spoke only of the need for surveillance to be done with certain legal approvals.
The legal nature of Section 105 was also the focus of CALEA’s legislative history. The October 4, 1994 House Judiciary Committee Report 103-827, titled “Telecommunications Carrier Assistance to the Government,” established the official purpose of CALEA. Among other things, the Report explained the Congressional intent behind Section 105:
within the switching premises of a telecommunications carrier … All executions of
court orders or authorizations requiring access to the switching facilities will be made
through individuals authorized and designated by the telecommunications carrier.
Clearly, the goal of Section 105 was to prevent law enforcement from activating a carrier’s embedded surveillance solution themselves or without obtaining the proper legal approvals. The Section was not intended to prevent equipment vendors or others from threatening the carrier’s cyber defenses.
Even the FCC’s own rules governing CALEA interpret Section 105 as a protocol to ensure the legality of surveillance. The rules do not mention cybersecurity. Rule Section 1.20003, titled “Policies and procedures for employee supervision and control,” requires the carrier to:
interception of communications or access to call-identifying information
within its switching premises can be activated only in accordance with a
court order or other lawful authorization and with the affirmative intervention
of an individual officer or employee of the carrier.
Based on the above, the Fifth Circuit Appeals Court review of Huawei’s petition may well overturn the USF restriction to the extent it relies on the FCC’s revisionist reading of CALEA.
How CALEA-covered carriers may respond to the USF ban on Huawei and ZTE
Not many large U.S. carriers have outfitted their networks with Huawei equipment. On the other hand, the core network elements of Huawei and ZTE are reportedly cheaper than those of other vendors that serve the U.S. market. Cost is an important factor among the small, rural competitors that receive USF funding. Now those entities face the dilemma of buying non-Huawei/ZTE products or foregoing USF subsidies.
The impact of the USF order reaches far beyond the realm of small and rural carriers to all CALEA-defined telecommunications carriers: telephone companies, wireless carriers, broadband providers, interconnected VoIP providers, cable providers, satellite operators, potentially other voice and data service providers and their resellers.
For this broader scope of industry players, the conservative approach to CALEA compliance would be to avoid Huawei, ZTE, and perhaps other Chinese equipment manufacturers. Any network design that unwittingly permits a foreign government to spy on U.S. citizens or monitor U.S. surveillance practices could be disastrous for national security.
However, it is far from certain that the Commission’s USF order will survive judicial scrutiny. As explained, the FCC’s reliance on CALEA to regulate communications network security is doubtful. The Commission may lack any jurisdiction over network security. Even if the Fifth Circuit finds grounds for the FCC to regulate network security, the question remains whether the agency has produced enough evidence to demonstrate that Huawei or ZTE pose a threat to network security. The evidence disclosed in the USF order is vague. The order emphasizes the fact that the Chinese government has strong powers of cyber espionage and ties to Huawei and ZTE. But it lacks examples of any Chinese telecom network elements found to contain spyware. Adding to the mystery, most of America’s allies have not treated Huawei or ZTE as a national security threat.
In this climate of regulatory uncertainty, carriers mapping their CALEA compliance strategies may decide to wait for the Fifth Circuit to address the USF order before they foreclose any opportunities to buy the infrastructure products of Huawei, ZTE, or other Chinese vendors.
Implications for CALEA safe harbor protection
Suppose the Fifth Circuit upholds the FCC’s newly conceived CALEA authority to blacklist untrustworthy telecom equipment vendors, but carriers have already installed industry-published “safe harbor” CALEA surveillance solutions in their networks using Huawei or ZTE switches. Could the FCC force the carriers to replace those switches despite the validity of the safe harbor set-ups? The answer is a qualified “yes.”
CALEA Section 107 treats safe harbor solutions as presumptively valid, but the presumption could be overcome. If the FCC considers a solution “deficient” because it does not adequately “protect the privacy and security of communications not authorized to be intercepted,” it could open a rule making proceeding to explore methods of closing the stated security gap. The resulting rule could exclude network elements deemed untrustworthy from inclusion in the safe harbor standard. Industry could then appeal the rule, just as Huawei appealed the USF order. And if the new safe harbor standard is upheld, the FCC would be required to provide “reasonable time and conditions” for industry to implement the new standard.
Notice the potentially sweeping implications of the USF order. If upheld, the ruling could cause significant disruption to the USF-dependent sector of the communications industry and even more widespread disruption to industry overall.
October 31, 2019
WHAT DOES THE U.S.-U.K. DATA ACCESS AGREEMENT MEAN FOR INTERNATIONAL COMMUNICATION SERVICE PROVIDERS?
Earlier this month the governments of the United Kingdom and United States signed an agreement to help law enforcement agencies (LEAs) in each country gather digital evidence in the other country for purposes of criminal investigations. The pact is known as the “Data Access Agreement.” Why is the Data Access Agreement needed, how does it work, and what is the impact on communication service providers (CSPs)?
The problem of gathering evidence in cross-border criminal investigations
An order from a judge in Country A to disclose evidence stored in Country B may violate the data protection laws of Country B. This dilemma spawned a legal controversy in 2016, when Microsoft refused to honor a U.S. court order to produce emails that the company had stored in a data center in Ireland. In the litigation, the Second Circuit Court of Appeals ruled in Microsoft’s favor.
The Microsoft ruling delivered an important victory for end user privacy. But it frustrated a law enforcement investigation. Beyond that, criminals likely realized they could help conceal their criminal activity in the U.S. by contriving email user accounts designated for email storage outside the U.S.
The problem with mutual legal assistance treaties (MLATs)
Governments worldwide tried to solve the problem of cross-border digital evidence gathering by entering into agreements called mutual legal assistance treaties, or “MLATs.” Under an MLAT, a law enforcement agency in Country A that needs copies of emails stored in Country B could submit a formal request to the government of Country B, and if Country B approved the request it would dispatch its own law enforcement agents to collect the evidence under its own laws.
MLATs worked well in theory because they paved an investigatory path for LEAs while protecting privacy. Unfortunately, they proved unsatisfactory in practice. Sometimes a country in receipt of an MLAT filing would deny the request. Other times the approval process would take months or years to complete. Countries with good political relations enjoyed more MLAT cooperation than others.
The benefits of the Data Access Agreement
To improve the international sharing of digital evidence, the U.S. Congress enacted a statute called the Clarifying Lawful Overseas Use of Data Act of 2018 (the “CLOUD Act”), and the U.K. passed a similar bill called the Crime (Overseas Production Orders) Act of 2019. The implications of these actions were explored in a prior blog. The dual legislation enabled the two democracies to negotiate the Data Access Agreement. The Agreement facilitates criminal investigations while preserving meaningful privacy protection.
Under the Data Access Agreement, an LEA in the U.K. that must investigate electronic information stored in the U.S. no longer needs to invoke the government-to-government MLAT channel to obtain the evidence. Instead, it may serve an order directly on the U.S. CSP. The order would be issued by a “designated entity,” meaning an agency appointed by the U.K. Home Office or Secretary of State. In the U.S., the designation would come from the attorney general. The service provider could be an email host, a wireless service provider, social network, or cloud storage company. Likewise, a U.S. designated entity could approve the same type of order for delivery to a British CSP. The terms of the Agreement ensure that both sides would observe a common baseline of strong due process and privacy protection. By skipping the governmental middleman, the process should work more quickly and reliably than the MLAT scheme.
The Data Access Agreement is not a cure-all. The arrangement cannot be used for evidence-gathering in civil proceedings. It is available only for “serious crimes,” such as terrorism, transnational organized crime, murder, cybercrime, and child sexual abuse. Even within that narrow scope of wrongdoing, each country may investigate only suspects who are not residents of the other country. The idea is to let Country A investigate its own citizens without exploiting the opportunity to investigate citizens of Country B. Moreover, the range of assistance is limited to the disclosure of stored records. It does not permit orders for real time electronic surveillance (wiretapping). Finally, the plan does not solve the problem of deciphering encrypted communications. Services like Facebook’s WhatsApp could still be encrypted end-to-end.
The bilateral Agreement will take effect following a six-month period of review by Congress and the U.K. Parliament.
The impact on communication service providers
Thanks to the Data Access Agreement, CSPs on both sides of the Atlantic may receive more requests for stored electronic data. A provider that serves both markets may see an even greater upsurge in evidentiary demands. Look for a relatively larger number of orders to flow from the U.K. to the U.S. After all, American competitors like Microsoft, Facebook, and Google hold dominant market shares worldwide.
On the other hand, the U.K.-U.S. deal affects only two jurisdictions. Other governments undoubtedly want similar terms of reciprocity. But if they lack high standards of due process and privacy they probably won’t get far. The EU and Australia have begun data access negotiations with the U.S. Any progress between Australia and the U.S. must overcome at least one significant policy difference. Australia’s decryption mandate is stricter than that of the U.S. Beyond the collection of traditional U.S. allies, it is difficult to predict when any other data access agreements may emerge.
Data access agreements will impose a bigger impact on CSPs subject to data retention mandates. For example, if the U.S. signs a data access agreement with Australia, and a U.S. designated entity requests data from an Australian email provider, the company may need to disclose as much as two years of data because two years is the Australian-mandated period of retention. A U.S. VoIP provider, by contrast, is not subject to any data retention law and therefore need not retain user data at all. No provision of the Data Access Agreement requires a service provider to disclose data it does not have.
The need for appropriate legal expertise
To the extent CSPs receive more requests for stored data they may need more legal experts to review the requests for validity and process them pursuant to the applicable privacy laws. Some service providers could expand their in-house staffs. Others may prefer to outsource the function to a contractor with the appropriate expertise. Another option is to hire outside counsel, though that can be expensive.
A CSP that objects to a digital evidence order may appeal to the foreign designated entity. But that would naturally require foreign legal expertise. At this early stage of the Data Access Agreement, the chances of success would be hard to predict.
The Data Access Agreement intends to expedite LEA investigations while protecting end user privacy. But the legal breakthrough may produce an unintended consequence: a bigger workload for the communications industry.
September 27, 2019
MAY A U.S. COURT REQUIRE A COMMUNICATION SERVICE PROVIDER TO INTERCEPT COMMUNICATIONS IN A FOREIGN COUNTRY?
Most Americans probably assume the U.S. Wiretap Act applies only in the U.S. It is difficult to imagine how a judge in any one country could find authority to order electronic surveillance in another country. Nevertheless, as a practical matter the Act does permit a U.S. judge to order such surveillance, even though the suspect, the suspect’s communications device, other parties to the call, and the communications themselves, are all located outside the U.S. That was the outcome of United States v. Rodriguez-Serna, a federal court ruling issued in southern California earlier this month. How can that be?
The U.S. Legal Standard to Assert Jurisdiction over Lawful Surveillance
It is well-settled law that the U.S. Wiretap Act has no extraterritorial jurisdiction. That is, U.S. wiretap law ends at our nation’s borders. A U.S. judge cannot cite it as a basis to order electronic surveillance in a foreign country. But that’s not the end of the surveillance story.
In the U.S., a judge may assert jurisdiction over a criminal case for purposes of authorizing electronic surveillance if any of three things related to the crime is found in the judge’s territory. The three are:
- the suspect’s communications device, such as a cell phone;
- the intercept access point, which is the point in the communication service provider’s (CSP’s) network where the suspect’s communications are duplicated and re-routed to the law enforcement agency (LEA) monitoring point; and
- the LEA monitoring point, where the intercepted communications are first heard and/or viewed.
In United States v. Rodriguez-Serna, the LEA investigated an illegal drug ring that spanned the U.S. and Mexico. The LEA monitoring point was in the southern California. Hence, the southern California court asserted jurisdiction over the case and decided, based on a showing of probable cause, to order surveillance of the gang members.
The targeted surveillance suspects were Mexican citizens. At the time of the surveillance, they were traveling in Mexico. Their CSP was an American wireless carrier with network infrastructure on both sides of the border. Yet despite the many Mexican features of the situation, the U.S. Federal District Court for the Southern District of California upheld the validity of the intercept due to the presence of the LEA monitoring point on U.S. soil.
If any of the three above-listed elements of the surveillance are in the U.S., the Department of Justice has advised that the intercept must be ordered by a U.S. judge. Otherwise the intercepting party could be prosecuted for the crime of unauthorized surveillance.
The Potential for Jurisdictional Conflicts over Lawful Surveillance
Liberal democracies outside the US have their own wiretap statutes. As in the U.S., most or all those laws have no extraterritorial effect. Also like the U.S., each foreign state considers it a crime to conduct surveillance within its boundaries without approval from a domestic court. The result is a system where each state reserves the sovereign right to conduct surveillance on its own soil.
Notice how international surveillance may create conflicts of law. Let’s say a court in one state, which we’ll call Olympia, orders surveillance on a suspect based on the presence of an LEA monitoring point in Olympia. Now suppose the suspect is talking on his cell phone in another state, which we’ll call Atlantis, and the CSP’s intercept access point is also in Atlantis. The surveillance may be validly authorized by Olympia but still unauthorized by Atlantis because no Atlantis court has approved it.
In this scenario, how should the CSP respond? It does not want to be prosecuted for engaging in unauthorized surveillance in Atlantis. But it may risk an enforcement action in Olympia if it refuses to implement the valid Olympian order.
In American criminal procedure, the “exclusionary rule” ensures that unlawfully gathered evidence may not be used against a defendant in a criminal trial. If a judge orders an intercept but lacks jurisdiction to do so, a higher court may apply the exclusionary rule to decide that any evidence gathered from the surveillance must be thrown out. Therefore, it is not only the CSP that may suffer from a defective jurisdictional analysis. The general public may also lose out because the legal mix-up may let a criminal go free.
How Service Providers Avoid Jurisdictional Conflicts over Lawful Surveillance
The U.S. and all but a few countries have signed treaties that shield CSPs from getting sandbagged in jurisdictional conflicts over lawful surveillance. Under these mutual legal assistance treaties, or “MLATs,” if a court in Olympia serves an order on a CSP in Atlantis to conduct surveillance in Atlantis, the CSP may validly say no. The Olympia LEA would then invoke a legal process through which the ministry of justice in Olympia would ask the ministry of justice in Atlantis for help. Upon approval from the ministry in Atlantis, an LEA in Atlantis would serve a surveillance order on the CSP, and the CSP could implement it without fear of violating Olympia’s laws.
MLAT treaties honor the principle of state sovereignty, where each state controls surveillance within its own contours. Therefore, the treaties avoid the most common type of jurisdictional conflict that a surveillance order may cause. Nevertheless, MLATs do not address all surveillance scenarios. Imagine a case where a court in Olympia validly orders a CSP in Olympia to conduct surveillance, even though elements of the investigation lie across the border. That is the dilemma posed in United States v. Rodriguez-Serna. The international community has not yet solved this type of conflict. A solution would require them to reconcile many conflicting jurisdictional laws.
A CSP caught in the above legal vice should consult counsel, ideally someone with expertise in the laws of both governments. Often, a conversation with the applicable LEA can lead to a work-around, such as where investigators modify their plan of attack to avoid CSP friction with foreign laws. If the LEA can gather the communications evidence it needs, it will not need to initiate an enforcement action against the CSP.
European CSPs are better protected from surveillance conflicts. Most E.U. states have signed a special European treaty that permits surveillance agents to follow a suspect across a border without violating the laws of the neighboring jurisdiction. Let’s say a German court orders a German CSP to activate surveillance on a suspect with a cell phone. If the suspect drives from Germany to Italy, the CSP would notify the German LEA, and the LEA would alert its counterpart in Italy. At that point, the Italian authority could halt the surveillance, continue the surveillance through its own laws and technology, or simply consent to the continuation of the German monitoring. The CSP would simply follow the option chosen by the Italian official.
One other initiative may rescue CSPs from the surveillance jurisdiction trap. The U.S. and Great Britain are negotiating an agreement that would permit an LEA in either country to order surveillance by a CSP in the other country. The arrangement would avoid the MLAT process, which is widely considered slow and unreliable. At the same time, it would guarantee a common baseline of due process and privacy protection. Success in this legal experiment could persuade other democracies to follow suit.
Different impacts on different networks
Any analysis of a CSP’s international surveillance law obligations must examine not only the surveillance laws in the governing jurisdictions but the composition of the CSP’s network. Different network architectures require different types of surveillance solutions, and some solutions offer more flexibility than others for purposes of choosing the country or countries where they are deployed. In United States v. Rodriguez-Serna, the CSP operated a traditional wireless network, where communications were captured at a mobile switching center in Mexico. A hosted VoIP provider might house its surveillance solution in the data center where its subscriber communications are processed, even though the CSP serves subscribers in other jurisdictions. A satellite operator might deploy its intercept access point in any of numerous countries covered by its service footprint.
In light of the above complexities, an international CSP should design its surveillance law compliance strategy in close coordination with a surveillance law expert and a communications engineer, with all conversations protected by a nondisclosure agreement. Otherwise the CSP could end up spending a lot of money on a compliance plan that does more legal harm than good.
Maybe one day lawyers will reconcile all the surveillance law conflicts in the world. Of course, that could take a while.