Police data access requests to grow with US CLOUD Act treaty

A treaty with the United States to expedite the sharing of data for law enforcement purposes is predicted to lead to a jump in requests to US tech companies operating in Australia, according to the Attorney-General’s Department.

But the agreement negotiated under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act is still expected to be overwhelmingly in Australia’s favour, with local tech companies to be subject to “very few requests”.

A parliamentary inquiry is currently scrutinising the Australia-US CLOUD Act agreement, which will come into effect by the end of this year, after the two nations reached agreement in December 2021 following two years of negotiations.

Legislation in the form of the Telecommunications Legislation Amendment (International Production Orders) Act passed with bipartisan support in June 2021 to establish a framework that allows “reciprocal cross-border access to communications data”.

The treaty will allow Australian law enforcement agencies to request data directly from a US tech company operating in Australia when investigating a serious crime without having to go through the US government, and vice versa.

Serious crimes are considered those with a maximum penalty of three or more years' imprisonment, such as ransomware attacks, the sabotaging of critical infrastructure over the internet, and child sexual abuse.

Speaking at a hearing on Wednesday, first assistant secretary for the Electronic Surveillance and Law Enforcement Policy Division at the Attorney-General’s Department, Andrew Warnes, said the treaty would speed up the process of obtaining data from the US.

Most requests through the existing Mutual Legal Assistance (MLA) regime – to be circumvented by an International Production Order (IPO) – currently take at least 12 months to be approved, delaying investigations.

“The ability for an Australian law enforcement agency to issue an IPO via the designated authority to a US provider could actually reduce the response time… to hours. [Companies] don’t quite think that’s quite realistic, but we do think it will reduce it to days or weeks, rather than months or years.”

Mr Warnes said this “significant improvement” would likely lead to an increase in data requests to US providers from Australia, as law enforcement agencies are currently using the slow MLA mechanism for only the most serious crimes.

“The biggest thing that gets missed here sometimes, is it’s the investigations that aren’t happening. Because if you’re a state or territory police officer and you have a very big caseload on and you realise that one of your investigations is going to require MLA… you might move on,” he said.

“So, what happens is that only the most serious crimes, the absolute top end, end up going through MLA, and I think you can tell that by the numbers because…I still think the numbers are incredibly small for the amount of data that we know the US holds.

“And I think you’ll find that the numbers – when this agreement is up and running – are multitudes of times larger because mutual assistance is putting the finger in the dam. Because of the built-in inefficacy, you’re actually stopping a whole range of crimes from being investigated and solved.

“So, I think you will see more and more requests going across once agencies realise that this data is there, and it can help them solve serious crime.”

Mr Warnes also said that while there is nothing to “compel US companies under US law to comply with an Australian order”, US providers would be subject to civil penalties if they rejected a validly issued court order.

But he said that, as the tech companies had “backed in the US CLOUD Act agreement”, the government is “not expecting compliance problems”, bar perhaps “new providers that don’t want to comply”.

In February 2018, Apple, Facebook (Meta), Google, Microsoft and Oath sent a joint letter to two US Senators supporting the proposed CLOUD Act, which they said “provides a logical solution for governing cross-border access to data”.

Mr Warnes also noted that while the agreement is reciprocal, allowing the US government to request data from local tech companies, the Attorney-General’s Department is “expecting very few requests from the US”.

“This is based on historical experience in receiving mutual legal assistance requests from the US and the limitations on what Australian source data can be accessed under the agreement,” he told the committee.

Mr Warnes also rejected any suggestion that IPOs could be used as a “bulk data fishing exercise”, with safeguards built into the order to prevent law enforcement agencies from targeting individuals en masse.

“There has to be a target account, a target person, it can’t be some sort of bulk data fishing exercise. That is not at all what is contemplated in the agreement,” he said.

Do you know more? Contact James Riley via Email.