Extraterritorial Information Gathering: Overview

Excerpt from: Extraterritorial Ambit through Offence Definitions, Technology and Economic Power, in Micheál Ó Floinn & Lindsay Famer eds., Criminal Jurisdiction (Oxford: Hart Pub. 2022 forthcoming)

Darryl K. Brown

3 Extraterritorial Information Gathering

International law restricts enforcement jurisdiction much more than prescriptive jurisdiction. Where the law clearly bars extraterritorial actions such as police searches, states rely on multinational cooperation to facilitate information sharing, evidence gathering, and arrests through cooperative institutions and formal agreements. But international law in this domain is also permissive in a critical respect, because it is unclear how territorial limits on enforcement apply to remotely conducted digital searches. Remote searches challenge jurisdictional limits for the same reason that transnational crimes do: officials’ conduct in one state has effects in another. Without an international law of ‘investigative jurisdiction’, extraterritorial digital searches by various means are regulated largely by domestic law and ad hoc state interactions. And states have good reasons for seeking extraterritorial data. It is often stored in territory unrelated to data owners’ locations or the crimes to which it relates, in states with perhaps little reason, or jurisdiction, to prosecute.

Unsurprisingly, the same factors that permit domestic offences with extraterritorial reach are at play in state strategies to gather evidence beyond their national boundaries. For the United States (and the European Union), that includes the advantages which come with a large domestic economy and geopolitical leverage.^[1] The United States claims personal (or adjudicative) jurisdiction over most major internet service and data hosting providers, international banks, and large transnational firms, because all have some presence in US territory. Those firms are subject to US warrants, subpoenas, production orders, and reporting requirements, which provide access to the globally distributed information assets that those firms own, manage or control. Other advantages flow from geopolitical influence and capacity to fund extraterritorial enforcement operations, not unlike what we see in the Maritime Drug Law Enforcement Act’s infrastructure. US law enforcement agencies (LEAs) station hundreds of agents in dozens of countries pursuant to various agreements.^[2] Intelligence surveillance by US security agencies – which sometimes supplements traditional law enforcement investigations – has distinct (sometimes notorious)^[3] extraterritorial capacity that builds on digital technologies and information sharing with other states.

The most hotly debated practices involve digital searches and data retrieval, for much-noted reasons: countries regulate data within their territories, but data is often distributed in locations that bear little relation to its owners or the crimes to which it is linked. A pair of distinctions are useful to understand US policy in this domain. The first is between direct versus indirect government access to extraterritorial digital data – that is, whether LEAs access data themselves or compel a private third party to disclose the data. The second is whether investigators know the location where data is stored; when the location is unknown, officials obviously cannot seek permission or help from the hosting state. US law is more permissive for indirect than direct searches, and for direct searches of data when its location is unknown to LEAs.

3.1 Indirect Access to Extraterritorial Information

Two important devices – national security letters and database search warrants – authorise US investigators to compel private firms to search and retrieve information stored in other states. Both rely on US personal jurisdiction over transnational firms,^[4] which in practical effect operates as investigative jurisdiction over firms’ extraterritorial conduct and information. Such orders can conflict with laws in other states. Arguably, they violate no clearly established international law,^[5] although that view is sharply disputed by some commentators and states, which view the practice as an impermissible exercise of indirect enforcement jurisdiction.^[6]

Warrants are authorised by the Stored Communications Act (SCA), as amended by the 2018 US CLOUD Act, which has drawn much commentary. The latter Act [in provisions codified at 18 U.S.C. §§ 2510, 2703, 2711, 2713] clarified that SCA warrants require firms providing remote data storage and communication services to preserve and disclose data stored outside as well as within the United States.^[7] The much-noted problem is that compliance with SCA warrants might conflict with firms’ obligations under other states’ regulation of data stored in their territory. The CLOUD Act provides two ways to avoid those conflicts. First, [in 18 U.S.C. § 2523] it encourages bilateral agreements between the US and other states to resolve such conflicts, set common standards for privacy and human rights, and create a speedy alternative to MLAT requests for other states seeking data controlled by US firms. Second, [in 18 U.S.C. § 2703(h)(2)(B)] it empowers US courts to employ comity analysis to deny warrants if ‘the required disclosure would cause the provider to violate the laws of a qualifying foreign government’ – that is, a government that entered a bilateral agreement with the US. Hörnle correctly describes the coercive nature of this scheme. She suggests that, in negotiating compacts, the US likely will be able to ‘achieve concessions from other States’ given its greater ‘data power’ from the large share of the world’s data that is stored in the US or controlled by US ISPs.^[8]

National Security Letters (NSLs) provide an alternate means to compel data disclosures from communication service providers, credit reporting agencies, and banks. Several statutes [such as 18 U.S.C. §§ 2709(d) and 3511] authorise the FBI to issue NSLs, which are effectively subpoenas issued directly by investigators rather than courts, although recipients can seek judicial review of certain requests. The most frequently used type of NSL is also part of the SCA and is directed at metadata on specific individuals’ phone and email accounts.^[9] Other NSL statutes address financial data.^[10]

To enforcement agencies, NSLs offer the advantage of not requiring a court preapproval. But they are limited in two important respects. They can be used to obtain only communications metadata (not email contents), and they can be issued only as part of an ‘investigation to protect against international terrorism or clandestine intelligence activities’.^[11] Information obtained through NSLs is often shared with criminal prosecutors, mostly for terrorism-related cases. How often is unknown. The FBI claims that NSL responses have played a critical role in specific counterterrorism convictions, and an independent review found that the FBI ‘routinely shared’ information from NSLs with prosecutors, who also sometimes ask the FBI to issue NSLs. But no records exist of which or how many criminal cases benefited from NSL-obtained evidence, although the number is likely substantial. In the years 2003–05 [according to an Inspector General report], the FBI issued at least 143,074 NSL requests, almost three-quarters of which were for counter-terrorism (rather than counter-intelligence) investigations. Nor is there data on how often NSL requests require disclosure of extraterritorial data; few if any court decisions resolving NSL challenges address data stored abroad. But here too the number is likely substantial given that requests must focus on international terrorism and counter-intelligence.

3.2 Direct Access of Extraterritorial Information

Not all remotely stored information can be obtained by compelling private entities to disclose it. The US Justice Department uses the term ‘network investigative techniques’ to describe ways that LEAs directly access websites and stored data, especially when the server location or user identities of those targets are concealed through ‘dark web’ technologies such as Tor networks. For example, to identify the location of a server hosting child pornography, officials may surreptitiously deploy computer code designed to identify users and administrators by causing computers to send the IP and MAC addresses and other information to a government computer – techniques fairly characterised as government hacking. Like the digital data and networks they target, these techniques can disregard territorial boundaries; the location of data, and of administrators or users, can be widespread. The FBI’s investigation of the ‘Playpen’ child porn and exploitation site identified 8,000 IP addresses that visited the site, many outside the United States.

As a matter of federal law, search warrants may be issued for electronic or digital searches only for devices located within the United States – or at least not known to be outside the United States, if the search is otherwise lawful. [Federal Rule of Criminal Procedure 41(a)–(b).] The distinction between these direct searches and the indirect searches via SCA warrants is subtle but important. No statute authorises law enforcement officials to knowingly and directly search a server in another state’s territory. Justice Department policy reinforces that constraint by directing prosecutors to limit warrants to searches within the United States unless conducted in cooperation with foreign counterparts. [See DOJ Justice Manual § 9-13.525.] These limits implicitly recognise direct searches by officials as extraterritorial exercises of enforcement jurisdiction even though conducted remotely. But because SCA warrants are understood as exercises of adjudicative jurisdiction over domestic firms, and the duty to preserve and disclose applies regardless of the location of data, US law makes extraterritorial reach explicit.

The line grows greyer when the location of servers is unknown. A partial answer is provided in Federal Rule of Criminal Procedure 41(b)(6). As amended in 2016, that rule authorises a judge:

[I]n any district where activities related to a crime may have occurred … to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if … the district where the media or information is located has been concealed through technological means’ (emphasis added).

Thus, the rule permits direct, NIT searches of extraterritorial data, but only when (a) the data or server location is unknown, and (b) it is unknown because it was deliberately concealed. In these circumstances, seeking assistance from states in which the data resides is not possible. And ordinary warrant requirements are unchanged by the amendment. Warrants must identity the person or property to be searched with ‘reasonable particularity’.^[12] US courts give those requirements some teeth; a few have rejected NIT warrant requests that did not sufficiently specify the target computer, and when the prospect of searching innocent users was too great.^[13]

In sum, US law and Justice Department policy disapprove of officials knowingly and directly searching devices outside US territory. However, [pursuant to 50 USC § 1881a(h)(2)(A)(v)] when a ‘significant purpose’ of the search – but not the sole or even primary one – is ‘to obtain foreign intelligence information’ rather than to investigate crime, section 702 of the Foreign Intelligence Surveillance Act Amendments Act of 2008 (FISA) provides greater authority to monitor and gather electronic communications data of noncitizens outside the United States^[14] – via US infrastructure – than is permissible when noncitizens are within US territory. Instead of a search warrant, officials can get preapproval from the Foreign Intelligence Surveillance Court (FISC) of their surveillance tactics and plans for analysing data.^[15] The FISC ensures that surveillance targets are people outside the United States, and that techniques minimise data collection from (and analysis of) people within US borders.^[16]

Section 702 searches have gathered massive amounts of data, particularly during the PRISM program, through which the National Security Agency accessed vast amounts of users’ data – more than 250 million internet communications annually. And despite its constraints, section 702 collections can include data of US persons if gathered ‘incidentally’ whilst targeting noncitizens outside US territory.^[17] Such data have proven useful in several criminal prosecutions (usually for terrorism-related offences) to justify domestic intelligence surveillance under FISA, to obtain domestic search warrants, or as trial evidence.

The focus of section 702 operations is explicitly on extraterritorial actors and data (when accessible via US-based communications service providers). Its justification rests in part on a distinction between foreign intelligence and law enforcement activities. Espionage – especially by remote surveillance – is often said not to violate international law (although it usually violates domestic law). Section 702 surveillance is designed to serve national security interests, but is not classic espionage; it targets not state secrets but non-state actors – the kind of intelligence that states often share. But international law ambiguity, and the fact that all states seek foreign intelligence by various means, helps to explain section 702’s comparatively expansive surveillance authority. When surveillance is primarily for law enforcement purposes, US law is more restrictive of extraterritorial searches, whether conducted both directly via ordinary warrants or indirectly via CLOUD Act warrants. An additional political explanation would point in part to the US global footprint – notably but not solely via its military – as creating more targets for (and animosity from) international bad actors. And here as in other contexts, US financial resources provide the capacity for expansive infrastructure and operations.

Footnotes:

[1] See, eg: Andreas and Nadelmann, Policing (n 6) 220–21: ‘US strategy to secure greater law enforcement cooperation … could best be described as coercive co-optation involving a mix of sticks and carrots’; id. at 196-97, 241-43; Sinnar, ‘Separate and Unequal’ (n 50) 1372, describing US pressure on other states to adopt anti-terrorism policies.

[2] The US Drug Enforcement Agency has 90 offices abroad in 60 countries. See: US DEA, ‘Foreign Offices’ (DEA) www.dea.gov/foreign-office-locations. The Federal Bureau of Investigation (FBI) has international operations in 93 offices abroad. See: FBI, ‘International Operations’ (FBI) www.fbi.gov/about/leadership-and-structure/international-operations. More than 70 federal prosecutors are stationed outside the US, often under the Office of Overseas Prosecutorial Development, Assistance and Training (OPDAT). See: OPDAT, ‘Office of Overseas Prosecutorial Development, Assistance and Training’ (Justice) www.justice.gov/criminal-opdat.

[3] See, eg: TB Lee, ‘Here’s Everything We Know About PRISM to Date’ (Washington Post, 12 June 2013) www.washingtonpost.com/news/wonk/wp/2013/06/12/heres-everything-we-know-about-prism-to-date/.

[4] Other states do much the same. See, eg: Public Prosecutor v Yahoo!, Inc, Hof van Cassatie [Cass] [Court of Cassation] [Supreme Court of Belgium] [1 December 2015], No P.13.2082.N, translated in: J Vandendreissche, ‘Case Translation: Belgium’ (2016) 13 Digital Evidence and Electronic Signature Law Review 156, paras 8–9. See also: Hörnle, Internet Jurisdiction (n 69) 199–200, criticizing this basis for jurisdiction alone as inadequate.

[5] eg: Daskal, ‘Transnational’ (n 69) 697: ‘cross-border accessing and copying of data for law enforcement purposes, without more, does not violate clearly established international law’.

[6] Ryngeart, Jurisdiction (n 4) 89–93.

[7] 18 USC § 2713 (duty to preserve data applies ‘regardless of whether such communication, record, or other information is located within or outside of the United States’); 18 USC § 2703 (warrants can require disclosure of contents of communications); 18 USC § 2711 (defining ‘remote computing service’); 18 USC § 2510 (defining ‘electronic communication service’ as one ‘which provides to users … the ability to send or receive wire or electronic communications’). Warrants must be time-limited relatively specific as to the targeted person, suspected crime, and the data sought. Federal Rule of Criminal Procedure 41(c)–(e).

[8] Hörnle, Internet Jurisdiction (n 69) 201, 214–15, 224–29.

[9] See: 18 USC § 2709 (requests limited to ‘subscriber information and toll billing records information, or electronic communication transactional records’ and similar metadata).

[10] Fair Credit Reporting Act, 15 USC § 1681u (authorising limited data disclosures from credit reporting agencies); Patriot Act § 358(g) (authorising greater data disclosure from credit agencies); Right to Financial Privacy Act, 12 USC § 3414 (financial data).

[11] ECPA, 18 USC § 2709(b)(2); 15 USC § 1681u(a)–(b); 12 USC § 3414(a)(5)(A).

[12] United States v Karo 468 US 705, 713–14 (1984); Maryland v Garrison 480 US 79, 84 (1987); Federal Rules of Criminal Procedure, r 41(e)(2)(A). Warrants for NITs can describe the thing to be searched without knowing its location.

[13] In re Warrant to Search a Target Computer at Premises Unknown 958 F Supp 2d 753, 756–759 (SD Tex 2013).

[14] See: 50 USC §§ 1881a(a) and (b)(1)–(3) (surveillance ‘may not intentionally target any person known … to be located in the United States’ nor ‘a United States person reasonably believed to be located outside the United States’); 50 USC § 1801(i) (‘United States persons’ includes citizens and lawful noncitizen residents).

[15] 50 USC § 1881a(d)(2), (e)(2), (f)(1)(C) and (j).

[16] 50 USC § 1881a(a), (d)–(f) and (j). See also: In re DNI/AG 702(h) Certifications 2018, 941 F3d 547, 552 (FISA Ct Rev 2019) (per curiam): ‘the Attorney General and the Director of National Intelligence can execute a Section 702 authorisation only after the FISC enters an order approving the proposed acquisition’.

[17] 50 USC § 1881a(a) and (b)(2); United States v Muhtorov 20 F4th 558, 604–05 (10th Cir 2021); United States v Hasbajrami 945 F3d 641, 654 (2d Cir 2019). It appears that the government maximises this domestic surveillance by asserting that minimal acts by domestic actors, such as posting YouTube videos, satisfy the international-nexus requirement. See: Sinnar, ‘Separate and Unequal’ (n 50) 1347. The constitutional warrant requirement does not apply to extraterritorial searches: United States v Verdugo-Urquidez 494 US 259 (1990). Federal courts have extended that holding to domestic communications obtained incidentally to extraterritorial surveillance, although such searches still must be ‘reasonable’.