Computers, Privacy & the Constitution

Can the Law Save Us? The Search for Protection from Government Collection of Online Data

-- By RichardZemsky - 25 Apr 2012

We live in the digital age. It means technology promoting convenience in our lives, bringing us the information that we want when we want it, and connecting us with friends and others with similar interests. It also means troves of personal data, sampled often and stored indefinitely. Confronted with this realization, the question (hopefully) arises — what can we do to protect our digital privacy? Protection is required not just from would-be evildoers, like the hacker stealing credit card data, but from the purveyors of the very technology we use — purveyors who recognize that the data they can collect about us may just be worth billions.(1) Solutions can be found in the social, technological,(2) and legal contexts, where legal includes both redress to the courts as well as prospective legislation. This paper explores the viability of legal solutions for online data privacy.(3)

Legal steps to address online data privacy concerns are informed by measures already taken regarding electronic surveillance and tracking. This term the Supreme Court handed down its decision in United States v. Jones in which the Court held that a GPS tracker placed on a car to monitor its movements constituted a search within the meaning of the Fourth Amendment.(4) Finding protection in the Fourth Amendment involves two inquiries — first, whether a government action amounts to a search, and second, whether that search was proper. The Jones Court only addressed the first question. It recognized two applicable tests.(5) The Katz test asks whether there was a violation of a “reasonable expectation of privacy,”(6) while the traditional common-law trespassory test examines whether the government intruded on one’s property. Determining whether an online collection of data constitutes a search would fall within the Katz test. Where a user has not expressly shared the data with the government or where the user has taken measures to keep the data private or restricted from public access, there is a reasonable expectation of privacy. In the trial courts, such an analysis would likely involve a fact-based examination of a website’s terms of service, which should specify the website’s privacy policy regarding personal data collection. If a site promises to keep user data confidential or even sell such data on an anonymous-only basis, the user should be able to expect privacy. Any government access of the user data should thus constitute a search.

If government accessing of online user data is a search, the next inquiry is whether such a search is proper. Here, protection may be found in federal statutes. The Electronic Communications Privacy Act of 1986 should provide safeguards.(7) Specifically, 2518(3) identifies the basis on which a may authorize electronic surveillance. Applying a standard of probable cause, the judge must determine that the subject of the requested surveillance committed a crime, is in the process of doing so, or is about to do so, and the crime must fall within the enumerated list in 1216. Additionally, there must be a probable cause belief that the surveillance will intercept communications relating to the crime and the devices or places targeted are often used by the subject. There is also a requirement that normal investigative procedures either failed, are unlikely to succeed, or are dangerous. So the statute seems robust in its ability to limit electronic surveillance to investigations closely tied to a specific crime in which the surveillance is expected to produce useful results. However, it is not actually clear that the Act operates against online data collection by the government. While such data may fall under “electronic communication,” the government may argue that data already collected by a third party (typically, a website or Internet application) no longer constitutes a communication that can be intercepted. Therefore, the government may be able to bypass the Act and subpoena existing data caches. Critically, a court-ordered subpoena may issues without meeting the probable cause standard. Some courts issue subpoenas simply when they are sought in “good faith.”(8) Particularly in cases of criminal investigations, courts may be more likely to issue the subpoenas desired by law enforcement. Therefore, it is unclear that the existing surveillance laws provide any real help in protecting online data privacy.

Moreover, the government has sought to ensure access to online and wireless communications.(9) Blackberry is known for its encrypted message system, and Voice over Internet Protocol (VoIP? ) calling services like Skype were also (at the time) incompatible with wiretapping. The government wanted a backdoor to these technologies, like it already enjoyed with the traditional telephone and broadband networks.(10) In the past year, Skype prepared to implement a backdoor system called Lawful Interception to facilitate law enforcement wiretapping.(11) An ACLU study revealed, “Most law enforcement agencies do not obtain a warrant to track cell phones, but some do, and the legal standards used vary widely.” (12)

The new awareness about law enforcement tracking of cell phone location has led to calls for change. Utah Representative Jason Chaffetz introduced the Geolocation Privacy and Surveillance (“GPS”) Act in the House.(13) A counterpart bill was introduced in the Senate.(14) The bills would require a warrant to obtain any geolocation information, even from cell phone providers.

The government push to obtain GPS and location data and the murky standards surrounding law enforcement’s ability to obtain cell phone location data in particular, reveal the perilous state of privacy in the United States today. United States v. Jones showed that the Fourth Amendment can still provide privacy protection in the digital age, but redress in the courts is backward looking only. It does not protect privacy prospectively, except for any deterrent role that may be provided by the threat of exclusion of evidence in court. Legislation can better serve the role of active privacy protection, and it should be employed to this end. The proposed GPS Act moves in the right direction, but it should be extended to online data collection, with safeguards that mirror the requirements for authorization of surveillance found in the Electronic Communications Privacy Act.


Notes

1 : See SEC Form S-1 Registration Statement for Facebook, Inc., http://www.sec.gov/Archives/edgar/data/1326801/000119312512034517/d287954ds1.htm (last visited Apr. 25, 2012) (announcing Facebook’s $5 billion IPO and reporting its 2011 net income as $1 billion).

2 : Technological measures to address privacy concerns, if they are to make any meaningful difference, will have to develop to the point that the perceived benefits of adoption outweigh the inconvenience imposed. The success of technological responses to privacy concerns is thus linked to the social perception of the gravity of the problem and the corresponding willingness to address the problem.

3 : Digital data privacy concerns extend far beyond online data collection and retention, implicating cell phone tracking and even automatic highway toll payment systems. This brief paper, however, will focus on Internet-based data, which extends to smart phone activity. United States v. Jones, 132 S. Ct. 945, 949 (2012).

4 : United States v. Jones, 132 S. Ct. 945, 949 (2012).

5 : The Court stated that the Katz test “added to, not substituted for, the common-law trespassory test,” which itself examines whether government intrusion upon “persons, houses, papers, and effects” amounts to a search. United States v. Jones at 952.

6 : Katz v. United States, 389 U. S. 347, 360 (1967) (Harlan, J. concurring).

7 : 18 U.S.C. 2510-2520 (1988).

8 : See John Doe No. 1 v. Cahill, 884 A.2d 451 (Del. 2005) (rejecting a mere “good faith” standard, instead requiring actual proof of a violation of law for a subpoena to reveal the identity of an anonymous Internet poster in a civil lawsuit).

9 : See Charlie Savage, “U.S. Tries to Make It Easier to Wiretap the Internet,” (Sept. 27, 2010), available at http://www.nytimes.com/2010/09/27/us/27wiretap.html?pagewanted=all (last visited Apr. 25, 2012).

10 : See Communications Assistance to Law Enforcement Act, 47 U.S.C. 1001-1021 (1994).

11 : See Steven Norris, “Microsoft and Skype set to allow backdoor eavesdropping,” (Jul. 1, 2011) available at http://memeburn.com/2011/07/microsoft-and-skype-set-to-allow-backdoor-eavesdropping/ (last visited Apr. 25, 2012).} The existence of government concern in this area and the industry’s willingness to cooperate is a disheartening indicator of the privacy landscape among data-gathering websites, like Facebook and Google.

In addition to GPS tracking, law enforcement now uses cell phones to obtain geolocation information. Sprint revealed that it allowed law enforcement to ping GPS data 8 million times over the course of a year between 2008 and 2009.{{“Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year” (Dec. 1, 2009), available at http://www.wired.com/threatlevel/2009/12/gps-data (last visited Apr. 25, 2012).

12 : “Cell Phone Location Tracking Public Records Request,” (Apr. 6, 2012), available at http://www.aclu.org/protecting-civil-liberties-digital-age/cell-phone-location-tracking-public-records-request (last visited Apr. 25, 2012).

13 : H.R. 2168 (introduced Jun. 14, 2011).

14 : S.1212 (introduced Jun. 15, 2011).


Navigation

Webs Webs

r3 - 11 Jan 2013 - 21:48:53 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM