A lot of privacy-conscious individuals believe that so long as they store or transmit data on servers outside the jurisdiction in which they reside, their data is somehow immune from seizure by their local authorities. The fact is that if your government wishes to acquire data stored on certain overseas servers, there are legal means in place that can potentially allow the long arm of the law to reach out and acquire your data. I am not talking about Snowden-like NSA government-backed “hacking” efforts, though I am sure such efforts always remain an option. No, I am talking about purely “legal” means, carried out with the direct help and knowledge of countries which may have access to the data being sought.

One of the main tools law enforcement has in their “tool-belts” to legally access overseas data is a request under a Mutual Legal Assistance Treaty. Mutual Legal Assistance Treaties (“MLATs”) are legally binding obligations to assist one or more countries with documents and evidence. A request under an MLAT is transmitted on an administrative level and does not involve nearly as many steps as the traditional Letters Rogatory.2

The United States Department explains that MLATs “…allow generally for the exchange of evidence and information in criminal and related matters. [For example, i]n money laundering cases, they can be extremely useful as a means of obtaining banking and other financial records from our treaty partners. MLATs, which are negotiated by the Department of State in cooperation with the Department of Justice to facilitate cooperation in criminal matters…”

The United States Government has MLAT agreements with the following countries: Antigua and Barbuda, Argentina, Australia, Austria, the Bahamas, Barbados, Belgium, Belize, Bermuda, Brazil, Canada, China, Cyprus, Czech Republic, Dominica, Egypt, Estonia, France, Germany, Greece, Grenada, Hong Kong, Hungary, India, Ireland, Israel, Italy, Jamaica, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malaysia, Mexico, Morocco, the Kingdom of the Netherlands (including Aruba, Bonaire, Curacao, Saba, St. Eustatius, and St. Maarten), Nigeria, Panama, Philippines, Poland, Romania, Russia, St. Lucia, St. Kitts and Nevis, St. Vincent and the Grenadines, South Africa, South Korea, Spain, Sweden, Switzerland, Thailand, Trinidad and Tobago, Turkey, Ukraine, United Kingdom (including Anguilla, British Virgin Islands, Cayman Islands, the Isle of Man, Montserrat, and Turks and Caicos), Uruguay, and Venezuela.

In addition, on February 1, 2010, 27 U.S.-EU Instruments/Agreements/Protocols entered into force that either supplemented existing MLATs or created new mutual legal assistance relationships between the United States and every member of the EU. (The emphasis added is mine, to highlight countries which host privacy solutions and/or are thought by some to be “out of reach”.)

ProtonMail, shown in popular media such as the American TV series Mr. Robot, uses end-to-end encryption to secure email traffic. ProtonMail claims they use client-side keys to encrypt emails which, in theory, would make it essentially impossible for them to decrypt any message. The ProtonMail Privacy Policy states: “We will only disclose the limited user data we possess if we receive notice from the Geneva Public Prosecutor’s office or the Swiss Federal Police regarding a court order that is coming from the two authorities we are legally obligated to recognize: the Cantonal Courts of Geneva or the Swiss Federal Supreme Court.”

ProtonMail is based in Switzerland, and the United States has an MLAT in place with that country. Though it is unlikely ProtonMail would be able to provide the text of emails, as they appear not to possess the client-side keys, it would be safe to assume they could provide the IP addresses of the user, the email addresses the user sends email to and receives email from, date and time stamps of email traffic, payment information the user provided (provided the user purchased an upgraded account), the password hash for the account (which, if the user uses the same password across other accounts, could be useful in linking the user to those accounts as well) and other metadata.

So what about Russia? After all, Russia has refused to comply with United States efforts to extradite Edward Snowden. Well, the US and Russia do have an MLAT agreement. Based on a review of various articles it would appear, extreme situations notwithstanding, that for the “everyday” legal matter the US and Russia have, historically, a fairly mutual track record of complying with requests. An excerpt from The Stanford Journal of International Law seems to accurately summarize the bilateral Russia-US working relationship: “In terms of actually taking the testimony in Russia, the Russian authorities were fairly cooperative. Russian procuracy officials secured the presence of most of the witnesses requested, although an additional trip was necessary to secure the remaining witnesses. The procuracy also provided facilities in which to take the depositions; however, the United States provided the interpreters and videotaping equipment.”3 So unless you stir up a global controversy that embarrasses the interests of the United States, I would not count on strained US-Russia relations to be a surefire stopgap against having your data surrendered to US law enforcement agents.

Of course, if a foreign country, such as Russia, does reject an MLAT request, the United States has other options. As documented in a 2012 North Carolina Journal of Law & Technology article, I suppose they could always conduct an operation to:

…use a “sting” to get him to the United States. [The FBI] lured both Ivanov and his partner in cybercrime, Vasiliy Gorshkov, to Seattle to interview with a phony company, “Invita.” The men arrived in Seattle in November 2000 and were met by an undercover agent, who took them to the “Invita” office. There, agents posing as “Invita” employees asked the Russians to demonstrate their hacking skills, using Invita computers. The hackers did not know the FBI had installed loggers - programs that record what is typed on a keyboard - on the computers. As Ivanov and Gorshkov demonstrated their skills, the loggers recorded what they typed, which included the usernames and passwords they used to access the tech.net.ru server - which was their kontora’s (i.e., their unofficial company’s) server in Russia. The server stored tools they needed for the hacking demonstration. After the demonstration was over, they were arrested. Without getting a search warrant, FBI agents retrieved the usernames and passwords the loggers recorded and used them to access the tech.net.ru server and download 250 gigabytes of data. The agents did not let Russian authorities know what they were doing. Gorshkov and Ivanov were subsequently indicted…1

1. Brenner, Susan W. “Law, Dissonance, and Remote Computer Searches,” North Carolina Journal of Law & Technology vol. 14, no. 1 (Fall 2012): p. 43-92.

2. Coggins, Paul; Roberts, William A. “Extraterritorial Jurisdiction: An Untamed Adolescent,” Commonwealth Law Bulletin vol. 17, no. 4 (October 1991): p. 1391-1412.

3. DeVille, Duncan. “Waiving a Red Flag in Court: Obtaining and Using Witness Testimony from the Former Soviet Union,” Stanford Journal of International Law vol. 39, no. 1 (Winter 2003): p. 99-116.