Investigative & Security Professionals for Legislative Action

How LE Should Access Data Across Borders

24 Jul 2017 7:47 PM | Anonymous member (Administrator)

"The methods that law enforcement use to access data outside their jurisdiction are outdated, and if left unaddressed, risk damaging international comity, U.S. competitiveness, and the global Internet economy."

How Law Enforcement Should Access Data Across Borders


In late 2013, U.S. federal law enforcement officials obtained a warrant as part of an anti-narcotics investigation to seize the contents of an email account belonging to a Microsoft customer whose data the company stored in Dublin, Ireland.

Microsoft refused to comply with the order, arguing that the U.S. government cannot force a private party to do what U.S. law enforcement has no authority to do itself: use a warrant to conduct a search and seizure operation on foreign soil.

This case exposed the cracks in the foundation of the current framework used by law enforcement agencies to access digital information and determine jurisdiction on the Internet. Moreover, attempts to resolve this dispute risk either hamstringing law enforcement efforts or distorting the global market place for digital services. This report explains the problems with the status quo, describes the limitations of existing proposals, and offers an alternative framework to resolve these issues along with a set of recommendations to operationalize this framework not just within the United States, but globally.

This report builds from a previous ITIF report offering a framework on how nations should engage in Internet policymaking given the global nature of the Internet.

It makes specific recommendations for how governments can use this framework to establish policies for law enforcement to access data. This report also assesses theoretical approaches to establish jurisdiction over that data, focusing on cross-border law enforcement requests, and not clandestine intelligence gathering for national security purposes. The framework herein is not intended for law enforcement requests for metadata (data that describes information about a communication).


To operationalize the proposed framework, policymakers should pursue the following actions:

  • Modernize the internal processes for responding to foreign requests for legal assistance;
  • Work with other governments to draft and adopt model MLAT 2.0 language;
  • Push back against foreign data-localization requirements;
  • Update the Electronic Communications Privacy Act (ECPA) to protect domestic digital communications;
  • Restrict companies from storing data in countries with conflicting laws that limit law enforcement;
  • Engage with other nations to develop a “Geneva Convention on the Status of Data.”


Law enforcement officials investigating crimes often want to gain access to an individual’s data, such as emails or files. But determining where data is stored can be complicated because it can be stored in a variety of different ways and locations. Sometimes companies store customer data in data centers that are located exclusively in a single country. Other times they store data on servers located in a foreign nation. Similarly, companies store customer data in data centers located in multiple countries, splitting data across multiple data centers to provide faster access to data, ensure data is always accessible, and prevent data loss.

In this latter case, law enforcement officials will have more difficulty gaining access to personal communications data because it is stored in multiple jurisdictions. And, to make matters more complicated, in addition to the location of data, the location of the company storing that data and the nationality and/or residency of the person or persons to whom the data belongs all can vary. And yet, law enforcement must untangle this complicated web for every case in which it wants to seek lawful access to data. Law enforcement officials have two paths that they can use to compel access to data during criminal investigations.

First, law enforcement officials can use domestic legal authorities to access data, such as search warrants and subpoenas. While U.S. law generally allows U.S. law enforcement to compel companies to turn over their own business records store d overseas, it is still an open question as to whether U.S. law enforcement can compel companies to provide their customers’ data through these processes.

Second, in some cases where the evidence is not located within their jurisdiction, law enforcement officials may work through international processes, such as treaties for mutual legal assistance or police-to-police cooperation agreements, to access that data.

U.S. policymakers should ensure law enforcement agencies can gain lawful access to information to protect their citizens and uphold U.S. laws, but without disadvantaging U.S. companies and workers facing global competition. Achieving this will require modernizing the process by which governments around the world obtain data stored outside their borders. Existing legal processes and treaties are woefully out of date and needlessly complex. Countries have mismatched legal assistance treaties, conflicting laws, and differing norms. Indeed, there is currently no comprehensive framework for how to successfully navigate cross-border jurisdictional disputes, especially those involving the digital economy. Such a patchwork of laws and rules may have been somewhat acceptable before the advent of the digitally-integrated global economy. Now they are not. No one nation can solve this problem alone. Settling questions of jurisdiction over data will require global reforms. However, the United States can and should lead the way on these reforms, and this report offers a path forward.

For the complete 38-page report go to:

Bruce Hulme, CFE, BAI

ISPLA Director of Government Affairs


Powered by Wild Apricot. Try our all-in-one platform for easy membership management