Time for an international convention on government access to data

The following post is from Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft. It was originally published on Microsoft on the Issues.


Last week, President Obama spoke about the role of the National Security Agency and announced some important changes to the surveillance practices of the U.S. government. We appreciate the steps the President announced, which represent positive progress on key issues including privacy protections for non-U.S. citizens. There is more work to do to define some of the details and additional steps that are needed, so we’ll continue to work with both the administration and Congress to advocate for reforms consistent with the principles our industry outlined in December.

This week, the World Economic Forum holds its annual meeting in Davos, Switzerland where these same issues of data privacy and reform of government surveillance will be on the agenda. We hope that these discussions will spur a focus on the international steps that governments can take together. While there is no substitute for American leadership and action on these issues, the time has come for a broader international discussion. We need an international legal framework – an international convention – to create surveillance and data-access rules across borders.

Historically, the tension between public safety and individual liberty often arises first in moments of national crisis. During the Napoleonic Wars, John Adams signed into law the Alien and Sedition Acts. During the Civil War, President Lincoln suspended the writ of habeas corpus. In World War II, the government interred Japanese-Americans. In the heat of a particular moment, the pendulum swings toward a greater focus on security. When the moment passes, people ask how they want the balance more permanently to be struck.

The issues this time are even more complicated today than in the past. The War against Terrorism is more permanent than these prior wars. Hence, a moment has passed, but an era of concern continues.

In addition, technology is more ubiquitous than ever, and the issues involved are more global. The issues of the last year have reminded the world that the strong protections afforded by the U.S. Constitution and in U.S. law seldom apply to other countries’ citizens. In addition, we’ve all been reminded that surveillance takes place by governments internationally. And as industry reports make clear, governments around the world demand access to customer data.

As a result, we need to broaden the topic and bring together governments to create a new international legal framework.

The cornerstone of such a convention should be respect for human rights and individual privacy. In particular, the convention should ensure that governments seek information about the private citizens of the other participating countries only pursuant to legal rules and due process.

This respect for individual privacy has been part of American values since the Fourth Amendment was added to the U.S. Constitution in 1791. The amendment protects the rights of U.S. citizens “to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.”

But this isn’t just an American value. It actually started on the other side of the Atlantic, as the English common law evolved in the 20 years before American independence. And over the past two centuries, it has been embraced by many other countries as well.

An international convention should embrace these common values and combine them with new common processes. There’s an opportunity politically to pursue such an approach in part because there’s a need among law enforcement agencies for better international rules to help fulfill their mission of investigating crimes and protecting public safety.

One problem today is that governments still rely on international legal processes that were created in the 1800’s. Under the so-called Mutual Legal Assistance Treaty – or MLAT – government authorities must go through bureaucratic hurdles that address 21st century problems at 19th century speed.

I still remember the day in 1994 when I was in my office at Microsoft in Paris, on the receiving end of a phone call from the police in a Nordic country pursuing a serial murderer they believed was about to strike again. They had recovered his PC hard disk, but he was on the loose and they were having a hard time making sense of his computer files. They were well aware of the MLAT processes, including the likelihood they would require as long as two months to get a U.S. legal order.

This made clear the deficiencies of an antiquated international system that unintentionally sometimes puts public safety as risk. The response from some governments, as we’ve learned over the past year, has been to take unilateral action outside this system to obtain information about private citizens, even in other democratic countries.

This is not the best path forward. Instead, we should create new processes that promote public safety by facilitating timely access to data while ensuring appropriate privacy protections for individuals. A new convention could achieve this by creating new processes that supplement the existing MLAT rules.

For example, if the authorities in one country believe there is a threat that needs to be investigated by accessing data about private citizens in another country, they could use this new, streamlined process to seek this information. They would need to respect the legal rules and safeguards in this second country, including measures that ensure that the requesting government adheres to established due process standards.

Critically, one could start small and open such a convention only to governments that have effective processes and that safeguard due process in ways that meet international standards. This would avoid the risk of governments using expedited procedures to violate human rights.

Over time, this approach would create incentives for additional governments to join. Only by participating would a government obtain access to these new processes to investigate public threats and the enhanced protections for their own citizens.

Finally, such an approach would enhance transparency and reduce the legal uncertainty that currently risks slowing new cloud-based technology services internationally. Clearer rules for access to data internationally would help open borders and enable companies to host services and data in one country for citizens in another.

Many complicated questions remain. But as we enter the New Year, it’s clear that the use of technology by consumers, businesses and governments alike has created the need for a new international approach that is both fair and effective, addressing both civil liberties and public safety.

The best way to launch such an effort is for the United States to take the lead.

Editor’s Note: Brad Smith is participating in a panel discussion at the World Economic Forum Annual Meeting on Wednesday entitled “The Big Brother Problem – What are the consequences of growing public alarm over personal privacy, data security and intelligence gathering?”