Privacy Matters
Earlier today, Apple released its first major ad focused exclusively on privacy. It may not seem like a big deal, but Apple’s (and Facebook’s) recent privacy campaign could be the necessary catalyst that transforms public opinion and inspires Congress to consider more serious federal regulations. While I won’t hold my breath, what would such a process entail?
The Fourth Amendment protects the public’s right to be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” As the Supreme Court began to hear cases concerning privacy issues, it focused its rulings on protecting against a physical trespass. However, the Court realized half a century ago that Fourth Amendment protections apply to persons, not to objects or places. Under the precedent set by the landmark case Katz v. United States, a subject’s expectation of privacy must satisfy a two-prong test. First, anyone asserting their Fourth Amendment privileges must “have exhibited an actual expectation of privacy” and, second, that expectation must “be one that society is prepared to recognize as reasonable.” When a plaintiff has sufficiently met both factors and their privacy has been breached by law enforcement, the government’s actions are then considered a search. However, one can unwittingly give up their Fourth Amendment rights if they convey information to a third party.
This third-party doctrine is based on the theory of consent: a person opting to give their information away assumes the risk that a third party could share that information with the government. Yet, the doctrine has its limits. Content, for instance, is still protected; a service provider cannot grant law enforcement access to listen to a phone call without the proper warrant. Under the current interpretation of the law, a smartphone user placing a call is granted an expectation of privacy with regards to the contents of their conversation, but not regarding their location throughout that call. Do laymen really think that way? While the third-party doctrine should not be summarily dismissed, its application must be updated in line with how society understands privacy in the digital age. Requiring that a person exhibit an explicit expectation of privacy is not realistic.
Last year, the Supreme Court issued a 5-to-4 decision in Carpenter v. United States. Authoring the majority opinion, Chief Justice Roberts indicated that the third-party doctrine should not extent to cell-site location information (CSLI). Citing the precedent set by United States v. Jones in 2012, Roberts asserts society’s reasonable expectation that law enforcement should not track or record individuals’ every movement. He maintains that “historical cell-site records present even greater privacy concerns than the GPS monitoring considered in Jones,” since “[t]hey give the Government near perfect surveillance and allow it to travel back in time to retrace a person’s whereabouts, subject only to the five-year retention policies of most wireless carriers,” adding that, today, a cellphone is “almost a feature of human anatomy.” Claiming that CSLI is approaching precision levels akin to GPS, Roberts concluded that since it is nearly impossible for cellphone users to avoid leaving behind any trail of location data, they are not voluntarily assuming the risk of sharing that data, so the third-party doctrine does not apply.
In his dissent, Justice Thomas focuses on the ownership of the data that was collected rather than whether a proper search was executed. Citing the late Justice Scalia’s opinion in Minnesota v. Carter, Thomas argues that “[t]he most glaring problem with [the reasonable expectation of privacy] test is that it has no plausible foundation in the text of the Fourth Amendment.” Thomas further rejects Carpenter’s claims on the basis that his CSLI belongs to the carriers, Sprint and MetroPCS, concurring with Justice Kennedy that “[c]ell-site records […] are no different from the many other kinds of business records the Government has a lawful right to obtain by compulsory process.” In layman’s terms, the minority held that CSLI records fall under the third-party doctrine because the data is owned by a third party. While in this case data ownership applied to cellphone carriers, the same argument can be just as easily employed against personal information obtained by internet service providers (ISP) or content providers. Given the Court’s narrow decision, in addition to differing opinions from lower courts, Congress finds itself — as usual — in a privileged position from which to address the citizenry’s growing privacy concerns.
It is imperative to consider the evolution of technology and any implications that may derive from proposed legislation. While congressional intervention would primarily apply to smartphones presently, it should undoubtedly account for future advancements. Newer devices like smartwatches already feature cellular connections and built-in GPS capable of tracking a user’s location independent from a paired smartphone. Assuming the pace of innovation remains steady, it is reasonable to conclude that the number of internet-connected devices — and the data generated from them — will be orders of magnitude greater within the next decade.
The emergence of wearables and the internet of things (IoT) in recent years has already introduced complex privacy challenges. As more and more products become connected, smartphones — being the center of control — will gain access to even more data. For the most part, users will consent to data collection without the intent to share the data publicly. With the California Consumer Privacy Act (CCPA) set to go into effect on the first day of 2020, the Golden State legislature has brought digital privacy to the forefront of the national debate over data protection. As more states begin to address the complex nature of compliance with the European Union’s General Data Protection Regulation (GDPR) implemented last May, the time has come for America’s own omnibus bill to apply federal privacy regulations.
