Commonsense prevails

Speaking yesterday at the RSA conference in San Francisco the USA’s Attorney General, Loretta Lynch, announced what I can only describe as being a breakthrough for commonsense. The UK will be the first beneficiary of this development. Here are the golden words

Today, I am pleased to report that we have begun negotiations with the United Kingdom to establish a new framework that would permit UK authorities to access electronic communications directly from American companies where the investigation targets accounts not used by Americans or people in the United States.  To qualify, the UK government would have to agree to a number of provisions designed to protect privacy and fundamental rights, and a UK order would have to comply with UK law.  This agreement would release American companies from conflicting legal obligations in clearly and carefully defined circumstances.  It would help one of our oldest and closest allies perform high-priority criminal investigations that keep its citizens safe – and many of which, in our age of transnational crime and terrorism, also further American interests.  It would provide reciprocal benefits for U.S. government requests to UK companies, which could help U.S. investigations in the years ahead.  And, if it proves successful, it could be replicated with other countries, if – and only if – their laws adequately protect privacy and civil liberties, potentially encouraging other nations to improve their laws and enhance privacy protections in order to obtain the benefits of this arrangement.

This new framework would require action from Congress in order to take effect, and we will continue to engage with communications companies, civil society groups, and academics as we move forward.  But based on our conversations and collaboration so far, I am hopeful that we can take an important step forward that benefits security, commerce, international cooperation, and privacy. 

So if you are not an American citizen and you are not living in the USA you will not be sheltered by US law or its associated procedural complexities. This means  UK law enforcement, presumably, will no longer be required to go through the complex and time-consuming processes which have existed hitherto in relation to obtaining evidence. This is an interesting development from several points of view, but let’s not over-interpret it (at least not yet).

However, I wonder if this might eventually lead to a situation where, for example, it will no longer be necessary for every single report of child abuse images being found on a US-owned service having to be reported to NCMEC for onward transmission to the relevant jurisdiction?  I am not saying the current arrangements are causing any particular problems, and at least it means someone (NCMEC) is able to construct and maintain an overview of a big part of the overall picture, but it has always seemed to me to be a bit odd that cases that manifestly have nothing whatsoever to do with anything happening in the USA or being carried out by US citizens should nonetheless have to be reported there just because the network being used is owned by someone in California.

Not sure how anyone will immediately know or be able to find out whether or not someone is a US citizen or living in America, but there you go. Watch his space.