
Data Access Agreement offers a new path for UK – US data requests

Requesting data for the purposes of law enforcement may be about to become a little easier for the British Government. The Data Access Agreement (DAA) went live on Monday this week. The DAA is authorised by something called the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which itself has come under fire in the past for a variety of privacy reasons.

The agreement is intended to speed up the process of data requests made by one nation to another with regard to telecommunications providers in the other region’s jurisdiction. The idea is for this to be the exclusive preserve of “preventing, detecting, investigating and prosecuting serious crimes such as terrorism and exploitation”.

Why wasn’t this possible previously?

A slower pace of law enforcement requests

Prior to the advent of DAA, things worked quite differently. US law prohibited organisations from sharing certain kinds of data in response to a foreign government making a direct request. What this meant in practice was the possibility that crucial evidence might never materialise throughout an investigation. An example of this is a delay in obtaining messages sent via Facebook in relation to a murder trial.

Considering how easily cybercrime can begin in one country and end in another, this wasn’t optimal from the point of view of law enforcement on both sides of the Atlantic. Though other means exist for these kinds of requests to be made, they’re viewed as being rather slow.

DAA aims to change all of that, to a mixed response from some of the folks looking on in certain privacy circles.

How does DAA work?

According to UKGOV, the process is as follows:

“The DAA works by requiring each party to ensure their laws permit a telecommunications operator to lawfully respond to direct requests for DAA data made by a relevant public authority in the other party’s jurisdiction. It does not create any new powers as it requires that all DAA requests are compliant with the relevant existing domestic obligations a public authority is bound by.

Our agreement will maintain the strong oversight and protections that our citizens enjoy and does not compromise or erode the human rights and freedoms that our nations cherish and share. It protects our citizens by improving both nations’ ability to fight serious crime while maintaining the democratic and civil liberties standards that we stand for and promote around the world.”

In terms of some of the safeguards against overreach, the US release has this to say:

“The Data Access Agreement sets out numerous requirements that must be met for US or UK authorities to invoke the Agreement. For example, orders submitted by US authorities must not target persons located in the UK and must relate to a serious crime. Similarly, orders submitted by UK authorities must not target US persons or persons located in the United States and must relate to a serious crime. US and UK authorities must also abide by agreed requirements, limitations and conditions when obtaining and using data obtained under the Data Access Agreement.”

Watching out for Big Brother

While this may all sound rather reassuring, there are some counterpoints to the above. One bone of contention raised in The Register article on this subject concerns consistency with privacy and legal commitments. According to the linked paper, there are so-called protection gaps in the agreement which could “potentially undermine the rights of third-country persons”.

Elsewhere, the CLOUD Act has been criticised by the Electronic Frontier Foundation in the past, and it’s not hard to see the potential for errors with regard to creeping overreach or mistakes in speedy data transfer on tight deadlines. According to legal analysis, it seems likely that this time limit could be as short as seven days. We’ll have to see how this one plays out, but it’s sure to be a fraught time for legal departments everywhere as businesses get to grips with the new request rules.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.