Beatrice Neilson
Congressional inaction on data privacy is leaving courts, corporations, and consumers in the dark, stranded and sacked with the responsibility of resolving some of the most complex problems of the digital age all on their own. Amid the chaos, social media companies collect vast amounts of user metadata for their algorithms,[1] foreign nation-state adversaries prey on user data to meddle in federal elections,[2] and law enforcement agencies blithely issue subpoena after subpoena, accessing mountains of sensitive civilian data with little more than a reasonable suspicion to back up their requests.[3] On either side of any one of these conflicts lie a panoply of different competing interests, all looking to Congress for a solution, but to no avail.
The last major data privacy law passed by Congress was the Electronic Communications Privacy Act of 1986 (ECPA). Quite obviously, technology has come a long way in the near four-decades since the ECPA was signed into law, and — to their credit — Congress has amended the ECPA and its titles a handful of times since 1986. But in an age when a person’s cell phone may house their financial information, location data, emails, text messages, call logs, personal calendars, and even their sensitive health data, the need could not be greater for national data privacy standards that are current, workable, and clear. One area in which the lack of sound data privacy standards is particularly detrimental is the realm of Fourth and Fifth Amendment protections in criminal investigations and prosecutions.
For instance, 18 U.S.C. § 2703(d), part of the Stored Communications Act of 1986 (SCA), (Title II of the Electronic Communications Privacy Act of 1986 (ECPA)), empowers law enforcement entities to access virtually any electronic communications or customer data stored by internet service providers (ISPs) through a court order. They can obtain one of these so-called “2703(d) orders” if they are able to demonstrate “specific and articulable facts showing that there are reasonable grounds to believe that the…information sought, [is] relevant and material to an ongoing criminal investigation.”[4] Given the fact that the SCA was last amended nearly three decades ago in 1994, section 2703(d) presents serious due process and privacy concerns in an age in which ISPs have access to user data that is extensive in quantity and extremely private in quality.
The Supreme Court has been notably reticent to weigh in on due process questions related to the SCA. The last major case to handle one of these questions was Carpenter v. United States (2018), in which the Court considered the constitutionality of the warrantless search and seizure of historic cell site location information (CSLI). CSLI can pinpoint an individual’s location within 50 square meters (about 530 square feet), and is triangulated and logged by ISPs whenever a user’s cell phone connects to a cell signal.[5] This includes both passive connections — such as receiving a text message or phone call — and active connections — such as accessing the internet using cellular data or placing a call.[6] ISPs store and analyze CSLI for business purposes, meaning they are records subject to disclosure under a 2703(d) order. In Carpenter v. United States (2018), the Federal Bureau of Investigation (FBI) identified the phone numbers of several suspects in a slew of armed robberies at RadioShack and T-Mobile stores around southeastern Michigan and northern Ohio in 2011. Federal prosecutors obtained court orders under section 2703(d) compelling a number of ISPs to disclose the suspects’ CSLI from inbound and outbound phone calls over a four-month period.[7] Petitioner Timothy Carpenter was one such suspect; his ISPs — MetroPCS and Sprint — gave federal prosecutors nearly 13,000 data points of CSLI collected over the span of 127 days. After being charged with six counts of robbery and six counts of carrying a firearm during a federal crime of violence, Carpenter moved to suppress the CSLI in evidence, arguing the government violated the Fourth Amendment by seizing the CSLI without a warrant backed by probable cause. The District Court denied the motion and Carpenter was convicted on eleven of twelve counts and subsequently sentenced to nearly one hundred years in federal prison. The United States Court of Appeals for the Sixth Circuit affirmed his conviction,[8] relying largely on the Fourth Amendment “third party doctrine” as outlined in Smith v. Maryland (1979).[9]
The third party doctrine stipulates that information disclosed to a third party is not subject to Fourth Amendment protections, because individuals relinquish their expectation of privacy over information they voluntarily disclose to third parties. This reasoning arises from an earlier doctrine outlined in Katz v. United States (1967), which states that the Fourth Amendment is violated when a search encroaches on an individual’s “reasonable expectation of privacy.”[10] In Smith v. Maryland (1979), the Court considered whether police violated the Fourth Amendment by warrantlessly installing a pen register at a telephone company to record the numbers dialing in and out of Petitioner Michael Lee Smith’s home. Applying the reasonable expectation of privacy test, the court determined “that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland 442 U.S. 743, 744 (1979).[11]
Before Carpenter, federal courts had largely construed the third party doctrine as a bright-line test: if the information is voluntarily conveyed to a third-party, it is not subject to Fourth Amendment protections. Full stop. But as the age of smartphones dawned, the Court needed to address whether the third party doctrine — befit for cases concerning such analog tools as pen registers — still applied in the digital age. Recognizing that “cell phone location information is detailed, encyclopedic, and effortlessly compiled,”[12] the Court tweaked the third party doctrine, requiring that law enforcement obtain a warrant before seizing CSLI.
But as vital a case as Carpenter was in curbing undue encroachments on Fourth Amendment protections, it was not perfect. For one, Carpenter was not shy in defining its narrowness: “[o]ur decision today is a narrow one. We do not express a view on matters not before us…[and]…[w]e do not disturb the application of Smith and Miller.”[13] In all fairness, given the possible implications for the Court’s entrenched case law surrounding the third party doctrine, the majority’s caution was understandable. But it remains glaringly obvious throughout the opinion that the decades-old foundations of the third party doctrine have begun to crack amid the advent of the digital age. For one, if CSLI is subject to Fourth Amendment protections because, inter alia, it is “detailed, encyclopedic, and effortlessly compiled,” why is a user’s debit or credit card purchase history not? Certainly, the Court has been clear in its position that bank records are unequivocally subject to third party doctrine,[14] but in an age in which cash usage is at an all-time low,[15] and digital wallet usage is on the rise,[16] bank records are just one area among many where the digital age has made it virtually impossible not to disclose personal financial information to third parties. Surveys conducted at the Pew Research Center suggest an overwhelming majority of Americans believe that it is impossible to navigate daily life without having their data collected by private companies and/or the government.[17] The same survey suggests that nearly 80% of Americans are concerned about the use of their data by private companies, and roughly 64% are concerned about government usage of private data.[18] If Katz v. United States still means anything, and “the Fourth Amendment protects people, rather than places,”[19] surely the Supreme Court should recognize that consumers have an expectation of privacy over their digital data — an expectation they believe companies and government entities are violating.
Furthermore, CSLI represents just one type of highly-sensitive information for which law enforcement entities can seek orders for disclosure under the SCA. Section 2703(d) empowers law enforcement to obtain virtually any electronic communications or ISP-held records, including customer names, addresses, call logs, internet protocol (IP) addresses, phone numbers, credit card numbers, and bank account information. Today, users store large quantities of highly-sensitive data on their cell phones, and ISPs possess more user data than ever.[20] For example, Apple’s “Health” app, allows users to log their physical activity, medications, sleep data, and even menstrual cycles.[21] Later this year, Apple plans to roll out a new “journaling” app, which will analyze user behavior, daily activity, user location, and even track which people users spend time with.[22] At a certain point, either Congress or the courts must draw a line as to how readily accessible to law enforcement information of this sensitivity can reasonably be. And although the courts may be tasked with resolving these challenges in the interim, given the fact that the balancing of law enforcement and privacy interests is delicate, particular, and case-specific,[23] it is a balance best rectified through legislative remedies, as opposed to flexible, multi-factor judicial tests.
But even assuming that neither Congress nor the Supreme Court intends to abrogate the applicability of the third party doctrine to any digital data or sensitive user information information, pressing questions related to the interpretation of the SCA remain wide open. For instance, the SCA sets only two substantive limits on the issuance of 2703(d) orders, allowing courts to “quash or modify” orders that “are unusually voluminous in nature” or pose “an undue burden on…provider[s].” Congress offers no indication to courts as to the intended application of these vague guidelines. To date, the Supreme Court has not construed the language of the unusually voluminous or undue burden clauses of section 2703(d), leaving open the possibility for numerous hypothetical legal dilemmas to arise.
One such dilemma relates to the question of encrypted data. Between 2008 and 2019, the Department of Justice has submitted over sixty applications before federal judges and magistrates seeking to compel ISPs to write software in the aid of decrypting sensitive user data.[24] Because many ISPs encrypt user data for privacy purposes, law enforcement is occasionally unable to decrypt data in their possession using the tools at their disposal. In other words, the question of decryption is as much a Fifth Amendment question as it is a Fourth Amendment question. Government entities may lawfully possess a cell phone seized during a warranted search, but lack the resources to unlock it. And as the Supreme Court ruled in Riley v. California, “The police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.”[25] The federal government has thus made it a practice to seek court orders compelling ISPs to write special software that bypasses security features or decrypts user data so that investigators can access it. This practice gave way to a public controversy in 2016, when Apple publicly fought a DOJ-sanctioned All Writs Act order compelling Apple to write software that would allow federal investigators to access the iPhone of San Bernardino terrorist attacker Syed Rizwan Farook.[26] The heated legal battle was short lived, however, as the FBI secured a private contract to unlock the phone before litigation began. And whereas in the past, federal prosecutors typically sought to compel ISPs to aid in criminal investigations via the All Writs Act due to its broad allowances, the DOJ has since reassessed its strategy for compelling ISP compliance after a number of high-profile defeats in All Writs Act litigation.[27] But regardless of whether federal prosecutors seek to compel user data decryption under the All Writs Act or the SCA, courts have yet to rule in any meaningful way on the limits of government power in compelling such action at all. Federal judges and magistrates still regularly greenlight applications by the Justice Department for decryption orders under the All Writs Act,[28] and the courts have yet to determine whether the undue burden clause of section 2703(d) of the SCA precludes the issuance of decryption orders thereunder.
Basic principles of justiciability dictate that an ISP cannot assert the Fourth and Fifth Amendment rights of their customers in court, and few tools are at ISPs’ disposal to fight decryption orders — assuming, that is, that an ISP so chooses. Large-scale ISPs like Google and Apple work with federal investigators on a daily basis to aid in criminal investigations.[29] They cannot then, for practical reasons, reasonably fight every warrant, 2703(d) order, subpoena, or decryption request. The Supreme Court continues to deny certiorari in data privacy cases,[30] leaving lower courts to decide these convoluted cases with few nationwide guidelines or directives from the High Court. So, for the time being, customers’ hands are tied in securing the privacy of their own digital data. Until Congress or the Supreme Court acts, courts will continue to navigate the minefield of balancing the age-old competing interests of personal privacy and law enforcement. What is indisputable, however, is that no one interest in this balance is limitless;it is for this reason, firstly and foremostly, that clear and current national data privacy standards must be developed.
[1]Dylan Curran, Are you ready? This is all the data Facebook and Google have on you, THE GUARDIAN (2018), https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy (last visited Apr 2023).
[2] Young Mie Kim, New Evidence Shows How Russia’s Election Interference Has Gotten More Brazen, BRENNAN CENTER FOR JUSTICE (2020), https://www.brennancenter.org/our-work/analysis-opinion/new-evidence-shows-how-russias-election-interference-has-gotten-more (last visited Apr 2023).
[3] Jay Greene, Tech giants have to hand over your data when federal investigators ask. Here’s why., THE WASHINGTON POST (2021), https://www.washingtonpost.com/technology/2021/06/15/faq-data-subpoena-investigation/ (last visited Apr 2023).
[4] 18 U.S.C. § 2703(d) (2018).
[5] Washington Journal of Law, Technology & Arts, Cellular Privacy: Supreme Court Rules to Protect Historical Cellphone Location Data, WASHINGTON JOURNAL OF LAW, TECHNOLOGY & ARTS (2019), https://wjlta.com/2019/02/18/cellular-privacy-supreme-court-rules-to-protect-historical-cellphone-location-data/ (last visited Mar 23, 2023).
[6] Id.
[7] Carpenter v. United States 138 S. Ct. 2206-2208 (2018).
[8] Id at 2209.
[9] See: Smith v. Maryland 442 U.S. 735, 741 (1979).
[10] Katz v. United States 389 U.S. 360, 361 (HARLAN, J., concurring).
[11] See also: United States v. Miller 425 U.S. 435 (1976).
[12] Carpenter v. United States 138 S. Ct. 2216 (2018).
[13] Id at 2223, 2224.
[14] See, e.g.: United States v. Miller, supra
[15] Michelle Faverio, More Americans are joining the “cashless” economy, PEW RESEARCH CENTER (2022), https://www.pewresearch.org/short-reads/2022/10/05/more-americans-are-joining-the-cashless-economy/ (last visited Apr 2023).
[16] David Chang, More Americans Are Using Digital Wallets Than Ever. Which One Should You Choose Right Now?, THE MOTLEY FOOL (2022), https://www.fool.com/the-ascent/personal-finance/articles/more-americans-are-using-digital-wallets-than-ever-which-one-should-you-choose-right-now/#:~:text=Since%20the%20start%20of%20COVID (last visited Apr 2023).
[17] Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, PEW RESEARCH CENTER (2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/ (last visited Apr 2023).
[18] Greene, supra.
[19] Katz v. United States 389 U.S. 347 (1967).
[20] Ben Brody, Internet service providers have so much data on you, PROTOCOL, Oct. 25, 2021, https://www.protocol.com/policy/isp-ftc-data (last visited Apr 2023).
[21] In the post-Dobbs landscape, menstrual cycle data may be a valuable tool for state and local prosecutors enforcing anti-abortion laws.
[22] Aaron Tilley, WSJ News Exclusive | Apple Plans iPhone Journaling App in Expansion of Health Initiatives, THE WALL STREET JOURNAL, (2023), https://www.wsj.com/articles/apple-plans-iphone-journaling-app-in-expansion-of-health-initiatives-690b2c8b (last visited Apr 23, 2023).
[23] In other words, the balance of interests may vary depending on the case. For example, a multinational corporation’s investment banking records may carry different privacy interests from an everyday user’s online banking account. In terms of a law enforcement interest, investigators may have more compelling grounds to seek a records disclosure order if the investigation relates to more serious criminal activity such as terrorism.
[24] Jennifer Luo, Decoding Pandora’s Box: All Writs Act and Separation of Powers, HARVARD JOURNAL ON LEGISLATION 258-260 (2019), https://harvardjol.com/wp-content/uploads/sites/17/2019/05/HLL105_crop.pdf (last visited Apr 30, 2023).
[25] Riley v. California 573 U.S. 373 (2014).
[26]Arjun Kharpal, Apple vs FBI: All you need to know, CNBC (2016), https://www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html (last visited Apr 2023).
[27] Kate Conger, Have we seen the last of the All Writs Act in the encryption fight?, TECHCRUNCH (2016), https://techcrunch.com/2016/04/25/have-we-seen-the-last-of-the-all-writs-act-in-the-encryption-fight/.
[28] Lou, supra.
[29] Greene, supra.
[30] Sara Merken, U.S. Supreme Court nixes appeal over forced password disclosure, REUTERS, May 17, 2021, https://www.reuters.com/business/legal/us-supreme-court-nixes-appeal-over-forced-password-disclosure-2021-05-17/ (last visited Apr 2023).