When it comes to technology privacy cases, judges often focus on side issues instead of tackling the big questions.
Last week, the New York Court of Appeals issued a ruling that could have ensured that law enforcement requests for text, photos, videos, and other data in New York state are not dragnets. In the case in question, the Manhattan District Attorney’s Office had presented Facebook with 381 search warrants as part of a disability fraud investigation. Facebook counsel Thomas Dupree Jr. argued that the warrants were overbroad and lacked particularity, and if the judges had agreed with him, it would have created an important precedent.
But instead of addressing the privacy issues, the court chose to look at a much more narrow jurisdictional question of whether warrants for information under the Stored Communications Act are more akin to administrative subpoenas, which are appealable. The majority ruled that orders related to warrants in criminal proceedings cannot be appealed.
In a blistering dissent, Judge Rowan Wilson agreed with Dupree. Wilson called for searches and seizures of telecommunications to be subject to a higher standard of review, quoting Justice Louis Brandeis’ 1927 opinion in Olmstead v. United States: “The evil incident to invasion of the privacy of the telephone is far greater than that involved in tampering with the mails … as a means of espionage, writs of assistance and general warrants are puny instruments of tyranny when compared with wiretapping.”
The majority’s reluctance to wade into the privacy issues in the case is not unique to this opinion. In privacy cases, some courts have sidestepped sweeping pronouncements involving new technologies. In these instances, they tend to prefer narrowly tailored decisions. Sometimes, instead of a pivotal privacy decision, they rule on jurisdictional or other procedural issues. Some judges urge the legislature to address privacy issues that arise from changes in technology. Sometimes there isn’t enough technical information. But whatever the excuse, many courts are not effectively handling these privacy invasions.
Privacy isn’t mentioned in the Constitution, but a body of law has evolved since the adoption of the Bill of Rights. Perhaps most prominent are cases exploring the Fourth Amendment, especially ones that analyze the constitutionality of searches. The trickiest privacy areas lie where technology and criminal procedure meet. Illegal searches of homes and people tend to get more constitutional protections—and sympathy—than comprehensive searches of electronic footprints. In cases involving warrants, judges tend to defer to law enforcement. Some are reluctant to award digital privacy protections, especially when they involve suspicious or criminal behavior.
Some courts won’t delve into privacy at all. In United States v. Ganias, U.S. Army Criminal Investigation agents seized 11 hard drives that were copied and retained for a fraud investigation. For more than two years, the government failed to find on them any data relevant to the original investigation. But then another warrant for the data was issued as part of a tax evasion probe, which led to a conviction. The defendant moved to suppress the evidence because it stemmed from the seized hard drives. The U.S. Court of Appeals for the 2nd Circuit held in May that in this case, there was no Fourth Amendment violation. The court determined that the agents acted in good faith when they relied on a warrant that was properly issued and had no reason to believe the warrant was flawed, rather than explore “the complex and rapidly evolving technological issues, and the significant privacy concerns.” A petition for Supreme Court review was denied.
At times, courts have avoided making grand privacy declarations by saying that U.S. law doesn’t apply to the communications at hand. In July the 2nd Circuit ruled that the government could not force Microsoft to provide customer emails on a server in Dublin because the messages were outside of U.S. jurisdiction. According to the opinion, the Stored Communications Act “neither explicitly nor implicitly … envision[s] the application of its warrant provisions overseas.” Because privacy invasions occur when and where data is seized, the warrant was invalid. The confusing decision seemed to be an unwitting win for privacy.
The fact that many of these cases involve the cloud, which can scatter data across jurisdictions, confuses things further. In August, the FBI received a warrant for three Google accounts for a trade secrets investigation, but the company responded that it could not produce electronic records stored outside the United States. Like Facebook and Microsoft, Google asserted that the warrant was overbroad “because it does not describe with particularity which services there is probable cause to search.” The government responded that it wanted all of the data. The Eastern District of Pennsylvania determined in a February ruling that even though some of the data were stored overseas, “the fluid nature of Google’s cloud technology makes it uncertain which foreign country’s sovereignty would be implicated when Google accesses the content of communications.” The court went on to explain that Google’s architecture not only divides user data among centers but also “partitions user data into shards” and that “data automatically moves from one location … to another.” In other words, the information wasn’t protected because Google can’t (or won’t) say which sovereignty would be implicated when Google accesses the communications.
Indeed, the Microsoft decision may not be a privacy victory after all, because of what appears to be an emerging split. This week, a magistrate judge in Florida ordered that the government could obtain Yahoo emails in a criminal investigation even though some of the communications or data associated with it may be stored outside the United States. Part of the rationale was that the warrant functioned more like a subpoena because it requires Yahoo to disclose information under its control. The order cited the 2nd Circuit’s conclusion that the focus of the Stored Communications Act’s “warrant provisions is on protecting users’ privacy interests in stored communications.” In other words, the requirement that a warrant show probable cause that a crime has been committed at the place to be searched or that evidence exists at that location addresses the privacy concerns. In February, a Milwaukee magistrate judge followed this reasoning in a case involving warrants for the disclosure of two Google accounts regardless of where the data might be stored. When Google requested the court to address “the complex and important issues” that the warrant application raised, the court said that because Google did not file a motion to quash the warrant, it could not review the order.
Even when courts actively advocate for privacy interests, they are limited by the fact that many existing privacy doctrines are in danger of becoming stale. One of the prime examples of this is the Katz standard, named for a Los Angeles gambler who used a public telephone to place bets. The FBI wiretapped a public telephone and charged him with transmitting wagering information across state lines. In 1967, the Supreme Court ruled that attaching a listening device to the outside of the phone booth was unconstitutional because it constituted an illegal search. The Fourth Amendment “protects people, not places,” wrote Justice Potter Stewart. The ruling established the “reasonable expectation of privacy” standard.
But applying the Katz standard can be complicated for new technologies, even though it is cited frequently. Privacy advocates celebrated Katz because the Fourth Amendment prohibition against illegal searches and seizures was expanded to protect telephone conversations in public phone booths. But data is now borderless. The Katz standard is based on a telecommunications infrastructure that no longer exists.
Another privacy standard that hasn’t stood the test of time is the third-party doctrine, established in the 1970s, which says that the government can access documents that people voluntarily disclosed to banks, schools, utilities, internet service providers, and others. For instance, the 381 warrants that the Manhattan District Attorney’s Office sought were for information that users had happily shared with Facebook. It has become increasingly controversial because new technologies afford law enforcement and others access to data that would not have been compromised in previous years. In the 2012 case U.S. v. Jones, Justice Sonia Sotomayor noted in a concurring opinion that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”
Perhaps the best example of this is cellphone location data. Law enforcement agencies are increasingly using devices, like the Stingray, that allow officers and other law enforcement officials to essentially track cellphones. They work by mimicking cell towers to deceive providers into sending location data. It’s powerful technology—but courts are not uniform on whether there is a “reasonable expectation of privacy” in cellphone location data. There is now a split among federal appeals courts over whether a warrant is required for cell site location information from these devices. In United States v. Graham, the U.S. Court of Appeals for the 4th Circuit decided that a warrant wasn’t required to use cell site location information from T-Mobile, an armed robber’s cellphone provider, because there was no search under the Fourth Amendment. The 6th Circuit similarly ruled last year that the government does not need a warrant to access cell site location data. But last summer, the U.S. District Court for the Southern District of New York held in United States v. Lambis that a simulator Drug Enforcement Agency agents used to pinpoint a user’s location violated the Fourth Amendment because there was no warrant. The opinion offers a good reminder of why the third-party doctrine, like many involving privacy, is outdated: “With the cell-site simulator, the Government cuts out the middleman and obtains the information directly. Without a third party, the third party doctrine is inapplicable.”
It was a good decision from the federal judge who, in 2013, upheld the National Security Agency’s bulk collection of data. (The decision was appealed to the 2nd Circuit, which declared the program unconstitutional.) Courts can’t keep sidestepping the fact that increasingly sophisticated data is subject to the whims of law enforcement and Silicon Valley. The inconsistencies and lack of uniformity are not only baffling but also too important to dodge.