In an article published on Lawfare earlier this week, Susan Hennessey and Christopher Mirasola analyze a set of Chinese government rules regarding the collection and use of electronic data during criminal investigations by China’s law enforcement authorities. Released in September 2016, the regulations authorize the Ministry of Public Security, which oversees law enforcement, public safety, and domestic counterintelligence, to, “through the Internet, extract electronic data originating from storage media located overseas or remote computer information systems” in the course of criminal investigations.
In their article, Hennessey and Mirasola call this part of the rules “a potentially rather alarming development [that seems] to authorize the unilateral extraction of data concerning anyone (or any company) being investigated under Chinese criminal law from servers and hard drives located outside of China.” According to Hennessey and Mirasola, this represents “a dramatic departure from the U.S. view that the ordinary prohibitions on law enforcement operating in a foreign territory without permission apply to the remote search of electronic evidence.” They note, however, that “these regulations do not depart from China’s understanding of cyber sovereignty.”
This assessment of these Chinese regulations both overstates their significance and obscures the similarity between the Chinese government’s approach to law enforcement authorities’ access to data located beyond their jurisdiction and the practice of the U.S. government on this issue.
Chinese law often has as much to do with codifying existing government practice as it does with authorizing and prescribing new government action. In this case, it is hard to believe that the Ministry of Public Security (MPS) has spent the last twenty years completely avoiding accessing electronic data because there were not clear regulations from the Supreme People’s Court and the Supreme People’s Procuratorate about how that data should be accessed and handled. Instead, these regulations were likely drawn up in accordance with standard MPS practice, formalizing an existing approach to accessing electronic data in criminal investigations.
Nor does the authority outlined in the September 2016 regulations differ in spirit from the approach that U.S. law enforcement agencies have adopted in recent years. When U.S. criminal investigators discover that there may be evidence related to a crime stored on a computer system physically located outside the United States, they have two options for accessing it.
Their first option is to request that the relevant law enforcement authority in the country where the electronic data is physically located access the data and share it with them. This is a convoluted and time-consuming process; as a result, it is unpopular among many law enforcement officers, and some have argued that it is insufficient for criminal investigations that are time sensitive.
The second option available to investigators depends on who has control and ownership of the data in the foreign country. If the data is stored on a computer system owned and operated by a subsidiary of a U.S. corporation, law enforcement officers can request that a judge issue a warrant requiring that the corporation hand over the data. This is the subject of an ongoing dispute between the Department of Justice (DoJ) and Microsoft, regarding a court order demanding that Microsoft turn over data related to one of its customers that is physically stored on a server located in Ireland. The Second Circuit Court of Appeals found that the government does not have the authority to compel the disclosure of electronic data stored overseas to the government. Nevertheless, just last month, the DoJ sought and obtained an order to compel Google hand over data held overseas, which Google is contesting.
This view of the importance and justice of government access to overseas electronic data for criminal investigations is the same as that espoused in the September 2016 Chinese regulations. Both governments believe it is their right to access this data. Fortunately for the U.S. government, it has jurisdiction over the vast majority of the world’s largest online service providers, and so it sees compelling them to hand over data as the most expedient route for solving crimes.
The Chinese government, on the other hand, does not have this option, and so it must take recourse to the next best thing: accessing computer systems directly. Whether the U.S. government compels a company to hand over data or the Chinese authorities simply take it, the intent and effect are the same.
This is not to say that the U.S. legal process—law enforcement seeking a warrant from a judge appointed by an elected official, the company targeted by the warrant having the opportunity to contest it in court, and so on—is equivalent to the Chinese legal process. The U.S. legal system is orders of magnitude more transparent, open, and accountable than the Chinese system. However, despite a legitimate legal process, the U.S. government compels companies to hand over data because it can, and in cases where it can’t, the U.S. government is happy to resort to hacking into a remote computer system to access data, albeit with a court order.
Both governments seem to hold that they have sovereignty over data stored beyond their borders when it comes to criminal investigations. And that’s a position all of us—citizens of China and citizens of the United States—should find alarming.