FISA and the USA PATRIOT Act: Reforms and Legal Implications

Lizzie Evanko

Congress passed the Foreign Intelligence Surveillance Act (FISA) in 1978, in an effort to establish a legal framework for the physical and electronic surveillance of foreign entities. FISA allowed the federal government to collect intelligence on any foreign power (or agent of a foreign power) suspected of terrorism or espionage. The act in turn created the Foreign Intelligence Surveillance Court (FISC, or FISA courts, colloquially) to supervise the requests and uses of federal surveillance warrants. The FISA court established judicial review of the covert surveillance activities being carried out, but due to the sensitive nature of intelligence collection methods and information, these courts maintain a high level of secrecy to protect national security.

Congress passed FISA in response to the uncovering of government surveillance abuses (many of which occurred under the Nixon administration). The act made many surveillance practices legal and created a system to oversee the process of surveillance. However, FISA has been repeatedly amended, most notably following the attacks on September 11, 2001. One of the major amendments to FISA was the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, or simply, the Patriot Act. While FISA limited the federal government’s surveillance capabilities to foreign actors, the Patriot Act vastly expanded surveillance permissions, establishing the ability to surveil US persons. Specifically, Section 215 of the Patriot Act, colloquially known as the “business records” provision, allows for investigative agencies to obtain secret court orders which require third parties (like telephone companies and other businesses) to hand over records and any other “tangible things” deemed relevant to a national security investigation. In most criminal cases, the burden of proof for a search warrant typically requires probable cause, which is based on an “officer’s reasonable belief, based on circumstances known to that officer, that a crime has occurred or is about to occur.” However, Section 215 remains particularly controversial, because some “thing” being relevant to a national security investigation is an extremely low burden of proof for the government to be able to secretly obtain records of virtually any kind. There does not need to be probable cause regarding a specific crime that has occurred or is about to occur for a warrant to be granted.

While many people would oppose government surveillance for the most part, there are arguments to be made in its favor. First, surveillance allows the federal government to develop intelligence and protect the American people from a large number of national security threats, like intellectual property theft, espionage, or terrorism. By using surveillance, the government is able to effectively target and incarcerate foreign agents that wish to do the United States harm, and the known possibility of surveillance may deter these agents from following through with their potential hostilities. Second, FISA and other surveillance acts create legal, transparent pathways for the government to eliminate investigatory barriers to gaining intelligence and building cases. Whereas other governments may keep their surveillance capabilities secret, FISA and the Patriot Act clearly outline what the federal government is allowed to do. Additionally, these acts allow the government to gain intelligence and build cases in legal ways. Lastly, one of the major arguments in favor of acts like FISA and the Patriot Act is that government surveillance will not directly affect most law-abiding citizens. In other words, “if you haven’t done anything wrong, you have nothing to fear,” so, unless one is a threat to national security (in which case we should hope such a threat is being surveilled), surveillance cannot pose a direct threat.

While these arguments stress the importance of FISA, there are similarly many arguments to be made against it. For one, even though FISA and the Patriot Act may make certain forms of surveillance legal, it is questionable whether or not the Patriot Act, in particular, violates some constitutional rights. For example, in Brandenburg v. Ohio, the Supreme Court of the United States determined that the First Amendment protects speech advocating for illegal activities, unless said language is intended and likely to incite “imminent lawless action.” This precedent established that even if one were to only speak about illegal activities, they may not necessarily be charged with illegal incitement. However, with the Patriot Act, free speech is significantly less protected, as the standard of probable cause for surveilling a subject is much more vague, and thus more easily met. For example, a surveillance order may be issued based on a person’s internet activity, book purchases, or published writings. These actions should fall under their First Amendment right to freedom of speech, but the Patriot Act allows for surveillance based on these actions, which is arguably violating their freedom of speech. Furthermore, recipients of search orders are prohibited from notifying others of the search, which further hinders their First Amendment rights.

The Patriot Act also violates aspects of the Fourth Amendment, which establishes that the government cannot “conduct a search without obtaining a warrant and showing probable cause to believe that the person has committed or will commit a crime.” However, under the Patriot Act, the government can conduct secret searches without showing probable cause that the subject has committed or will commit a crime. The Fourth Amendment also guarantees notice to a person whose privacy has been violated by a search or seizure, whereas the Patriot Act does not guarantee notice, even after a subject has been investigated. Such notice is also a part of the Fifth Amendment’s guarantee to due process, so the lack of required notice by the Patriot Act could also be interpreted as a violation of the Fifth Amendment. The Sixth Amendment states that “in all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury… and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor…” However, because almost all FISA information is classified, including its collection methods, many defendants are denied these important Sixth Amendment rights. Confidential informants’ identities are not revealed, refusing the defendants’ rights to confront their witnesses, and they are furthermore barred from accessing much of the information that led to their arrest in the first place. Moreover, the only people allowed to review FISA information are those with security clearances, so any details about collection methods are kept secret, making it impossible for a defendant to face a jury of their peers. Subjects of national security investigations or trials are thus left in the dark, which could be a violation of the Sixth Amendment.

There are other objections to FISA and the Patriot Act as well. For instance, some argue that the secret nature of surveillance proceedings leaves the federal government with too much unchecked power. With the secret nature of FISA information, witnesses, and collection methods, there is little supervisory oversight, and there is even less judicial oversight. The only judges and attorneys that are able to review FISA information are those with security clearances, and none of that information can surface in front of a jury or open courtroom. This leaves the information to be reviewed by a select few who are responsible for the entire proceeding. Judges of the FISA Court are hand-appointed by the Chief Justice of the Supreme Court with no say from Congress, and hearings are entirely closed to the public. How judges make decisions in these backroom discussions is entirely unknown to defendants and juries. A telling statistic about the decision-making of the FISA Court is that from the Act’s passing in 1979 to 2012, the court signed off on 33,942 warrants and denied only 12. This rate is significantly higher than similar warrant passage rates seen in the federal court system. Furthermore, FISA allows (in some cases) for warrantless search and seizure, making the nature of prosecutions that use information gained without a warrant more suspect. It has also been proven that FISA and the Patriot Act have, in fact, been overused. In 2013, whistleblower Edward Snowden leaked information “about the NSA’s ‘PRISM’ and ‘Upstream’ programs, which involve the NSA working closely with companies like Google, Facebook, AT&T, and Verizon to conduct warrantless surveillance of Americans’ international communications on a massive scale.” This evidence proved that the surveillance capabilities granted by FISA and the Patriot Act were being abused.

The courts have addressed some of these issues. Antoine Jones was convicted of drug-trafficking conspiracy, based on information collected by a GPS device that was put on his car, 24 hours after the warrant to place the device had expired. The Supreme Court, in United States v. Jones, rejected the lower court’s claim “that there is no reasonable expectation of privacy in a person’s movement on public thoroughfares,” and it held that the surveillance on Jones’s vehicle was a violation of his Constitutional rights. The case demonstrated that, again, the federal government had infringed upon the Constitutional rights of investigation subjects, and the Court set the precedent that, even when a crime has been committed, the rights of the accused take priority over law enforcement concerns. Another major case regarding the Constitutional violations of FISA and the Patriot Act is ACLU v. United States, in which the ACLU filed a motion following the Snowden documents’ release in June 2013. The motion requested the FISA Court “publish its opinions on the meaning, scope, and constitutionality of Section 215,” but was subsequently denied. The ACLU filed several other motions for review, all of which were denied. The ACLU then “filed a petition for writ of certiorari in the Supreme Court, challenging these rulings and asking the court to recognize a First Amendment right of public access to the FISC’s opinions—ensuring that the opinions are released with only those redactions necessary to prevent genuine harm to national security.” The Supreme Court denied the petition for writ of certiorari, arguing that not only should the lower court’s rulings be upheld because they were correct, but that the Supreme Court is also powerless to review the lower court’s decisions, even if they were found to be incorrect. In Justices Sotomayor and Gorsuch’s dissent, they state, “On the government’s view, literally no court in this country has the power to decide whether citizens possess a First Amendment right of access to the work of our national security courts.”

These cases all demonstrate a connecting theme: there is extremely little oversight or public understanding of FISA and the Patriot Act, and yet, there continue to be dangerous implications and failures of these acts. Especially going forward, since we live in an increasingly online society, these acts must be reconsidered. It is clear that the practices of government surveillance have implications that threaten the Constitutional rights of the American people. Regardless of FISA and the Patriot Act’s successes, the presence of so many examples of misconduct prove that a tool as powerful (and useful) as these acts needs to have more safeguards in place, and more information needs to be made publicly available for people to know to what risks these acts expose them.

Electronic Surveillance, the Fourth Amendment, and the NYPD’s “Muslim Surveillance Program”

Annie Akbar

In a letter to James Madison after the French Revolution had begun, Thomas Jefferson wrote, “The earth belongs always to the living generation… Every constitution, then, and every law, naturally expires at the end of 19 years. If it be enforced longer, it is an act of force and not of right.” Here, Jefferson is advocating for a periodic revision of the Constitution, one in which the citizenry rethinks its guiding document in light of the circumstances of a new era. When comparing our age to that of our Founding Fathers, it is not difficult to understand Jefferson’s sentiment. The advancement of our society, especially in terms of technology, has significantly affected the ways in which civil rights (and their infringement) appear. This is especially true when examining electronic surveillance and its implications for Americans’ constitutional liberties. For example, in Hassan v. City of New York (2015), the United States Court of Appeals for the Third Circuit held that, under the First and Fourteenth Amendments, the New York City Police Department’s “Muslim Surveillance Program,” in which electronic surveillance was used to “infiltrate and monitor Muslim life in and around New York City,” was unlawful. While this decision undoubtedly finds legitimacy in the aforementioned amendments, I contend that applying a modern interpretation of the Fourth Amendment—one rooted in “living constitutionalism,” or the idea that “constitutional law can and should evolve in response to changing circumstances and values”—can also prove the program’s illegality.

In Hassan v. City of New York (2015), lead plaintiff Syed Faraj Hassan and others associated with Islam testified that, since January 2002, the New York City Police Department (NYPD) used what was informally known as the “Muslim Surveillance Program” (also called “the Program”) to monitor the lives of Muslims and their businesses, mosques, organizations, and schools in New York City and neighboring cities and states. The Court of Appeals found that the plaintiffs—“persons associated with Islam who claimed to be targets of police surveillance program”—had standing to sue in federal court to “vindicate their religious-liberty and equal-protection rights” and that their claims were justified under the First and Fourteenth Amendments. It is clear why the Program, which “targeted Muslim American communities in New York, New Jersey, and beyond,” would violate the First and Fourteenth Amendments. However, employing the Fourth Amendment to assess the Program’s “sprawling and secretive human mapping and suspicionless surveillance program” may provide an additional legal foundation for the decision.

The Fourth Amendment affirms that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” In short, the Fourth Amendment outlaws unreasonable searches and seizures. The NYPD’s participation in the Program, though, constitutes an unreasonable search and seizure of data on Muslims in the greater New York area via electronic surveillance.

The plaintiffs in Hassan argued that the NYPD monitored Muslims in several ways, such as by taking pictures, shooting videos, and gathering license plate information of mosque attendees. Officers also pointed surveillance cameras at mosques, which they could then control remotely. Furthermore, the plaintiffs asserted that the NYPD would send undercover cops into mosques, student organizations, businesses, and neighborhoods that it characterized as “heavily Muslim” to listen in on sermons and conversations before reporting back to their department. These surveillance methods were not solely concentrated in New York City—they extended into New Jersey, Connecticut, Pennsylvania, and other areas of New York state. In addition, the NYPD collected information on the locations of religious schools, the religious affiliations of certain public establishments, the number of businesses operated or visited by Muslims, and the names of people involved with Muslim Student Associations (MSAs) in the area. The NYPD also “compile[d] databases of new Muslim converts who [took] Arabic names, as well as Muslims [who took] names that [were] perceived to be ‘Western.’”

The plaintiffs declared that the intelligence gathered by the NYPD through the Program was compiled into many reports. Such reports included information on Newark’s Muslim population, over 20 precinct maps of Newark showing the locations of mosques and Muslim businesses and the ethnic composition of the Muslim population, and “analytical report[s] on every mosque within 100 miles of New York City.”

From this, it is obvious that the NYPD’s program was meant to target Muslims and their daily activities, indicating religious discrimination that the Court of Appeals affirmed in its ruling. However, I assert that the Program’s electronic surveillance to collect an expansive collection of data by itself is sufficient to warrant a contravention of the Fourth Amendment.

Regarding the Fourth Amendment, the Court of Appeals utilizes Justice Scalia’s point in Whren v. United States (1996) about selective enforcement of the law: “[T]he Constitution prohibits selective enforcement of the law based on considerations such as race. But the constitutional basis for objecting to intentionally discriminatory application of laws is the Equal Protection Clause, not the Fourth Amendment.” While I agree with the appellate court’s reasoning, I believe that the Program’s methods of collecting people’s information, regardless of their religion, can be considered a Fourth Amendment infraction.

But first, does electronic surveillance even fall under the jurisdiction of the Fourth Amendment? In Katz v. U.S. (1967), a case involving electronic surveillance, the Supreme Court held that the Fourth Amendment protects “any place where an individual maintains a reasonable expectation of privacy.” In his concurring opinion, Justice Harlan stated that “a person has a legitimate expectation of privacy if he honestly and genuinely believes the location under surveillance is private.” Due to the separation of church and state found in the Constitution, places of worship are commonly regarded as private institutions—institutions in which a person “has a reasonable expectation of privacy.” Under this ruling, the Fourth Amendment prohibits unreasonable searches and seizures involving data collection through electronic surveillance—precisely the sort of search and seizure in which the NYPD engaged.

Now that this has been established, I will use the Fourth Amendment to provide further support for the decision in Hassan. According to the federal courts, the Fourth Amendment prohibits unreasonable searches and seizures by the government (and government agencies like police departments), but only those that are perceived as unreasonable from a legal standpoint. This is referred to as the reasonability requirement. Judges are to consider the main factors when determining whether or not a search was reasonable: the search’s infringement on a person’s Fourth Amendment rights and compelling interests that may allow for such an infringement. For an interest to be compelling, the government must use the “strict scrutiny test” to show that the interest is “important enough that it justifies infringing on a fundamental right, and [that its] infringement on rights is done in ‘the least restrictive’ or most careful way possible.” However, in Hassan, the Court of Appeals held that the “municipality’s assurance that police surveillance was justified by national-security and public-safety concerns did not satisfy its burden of producing evidence to overcome heightened scrutiny’s presumption of violation of equal protection.” Because the NYPD failed to prove that electronically surveilling Muslims was a compelling interest, the “Muslim Surveillance Program” fails to fulfill the reasonability requirement. Moreover, “least restrictive means” refers to a method that places “the least possible restriction on personal liberty and the exercise of rights.” While public safety and thus crime prevention are certainly compelling interests, the NYPD’s surveillance program is clearly not the least restrictive means possible to achieve its desired ends. This is due to its surveillance of basically all Muslims in the greater New York area, rather than just those on watchlists or things of that nature.

Though Fourth Amendment jurisprudence is beginning to incorporate electronic surveillance threats to privacy, an obstacle to this development may arise from originalists who disagree with applying the Fourth Amendment to this issue. These individuals proclaim that the “original meaning of search seems to be the ordinary meaning at the time [of the Fourth Amendment’s adoption] of ‘looking over or through’ or ‘examining by inspection’” and that an unreasonable search is only one that “violate[s] the common law rules for searches at the time of the Fourth Amendment.” However, taking into account the privacy and “search and seizures” problems that are related to electronic surveillance is crucial to upholding the protections of the Fourth Amendment. According to the Brennan Center for Justice, as cell phones, watches, cars, and other electronic devices become “smarter,” they “create detailed records about our private lives, potentially revealing not only where we have been but also our political viewpoints, consumer preferences, people with whom we have interacted, and more.” This information can be used by “law enforcement for use in investigations and prosecutions, and much of it is currently available without a warrant.” Thus, establishing legal limits to such electronic collection of data is a worthwhile endeavor to maintain the sanctity of our rights.

The idea of electronic surveillance and its potential infringement of people’s Fourth Amendment rights is one that warrants attention because, as technology continues to progress in terms of its abilities, so will the means by which data is collected. Without implementing proper legal restrictions on the use of data collection, the privacy of American citizens under the Fourth Amendment may be in danger.

The Content-Specific Doctrine: The Right to be Secure in Digital Effects

Xander de los Reyes

Amendment IV, US Constitution

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

INTRODUCTION

The Fourth Amendment’s original intent was to protect Americans from unreasonable searches and seizures. At the time they were drafting the Constitution, the Founding Fathers remembered these violations of privacy as physical trespasses committed by British officials against colonists. This raises the question: Were the seizures of letters from a desk drawer or the broad searches of one’s coat pockets unreasonable searches and seizures because they were physical in nature? Or were they violations of privacy because of the content searched and seized?

I argue that unreasonable searches and seizures can occur without physical intrusion. As technology becomes increasingly prevalent, violations of privacy can occur in non-physical realms (i.e., “cyberspace”). Although these violations lack the physical dimension that characterized early-American conceptions of Fourth Amendment violations, they can nonetheless rise to a level of invasiveness that can be seen as functionally equivalent and can thus fall within the scope of the Fourth Amendment’s prohibitions.

This piece proceeds in the following manner. First, I briefly outline the history of the Fourth Amendment and its original intent, which was to protect Americans’ privacy from improper searches and seizures. Next, I outline twentieth-century case law that has shaped modern understandings of the Fourth Amendment. In this section, I also introduce the third-party doctrine, a legal doctrine that is troubling given society’s contemporary dependence on technology. Then, I discuss technological consent—or the lack thereof. Finally, I introduce a new legal framework, the content-specific doctrine. Instead of focusing on the physical nature of a search or third parties involved, this doctrine considers the content of effects (personal belongings) seized to be the highest-order consideration. The content-specific doctrine can protect privacy, digital civil liberties, and Fourth Amendment rights in this technological age. 

HISTORY

Under British rule, colonists were subject to documents known as writs of assistance or general warrants. Authorized by these documents, British authorities could enter colonists’ homes without probable cause. They could search homes indiscriminately for prohibited items and seize them. Even worse for the colonists, these writs lasted throughout the ruling king’s life and six months past their death. These documents flagrantly subjected the colonists to unreasonable searches and seizures.

When King George II died in 1760, an opportunity to protest the warrants arose. An advocate General from Boston, James Otis, rose to the occasion. Otis resigned his post and opposed the writs’ renewal in court in February of 1761. He could have merely objected to renewal, but went further. He argued that the writs were incompatible with the English constitution and went on to say that the only valid writs were “special writs.” (These were analogous to today’s specific and narrow search warrants.) Otis’s argument in court was one of the first formal colonial challenges to British authority. Scholars have also cited it as one of the earliest instances of colonial inclinations toward independence.

Otis lost the case, but his passionate argument left impressions on attendees and those who later learned of the event. One of the audience members would recall Otis’s speech fifty-six years later in a letter to a friend:

Every Man of an immense crowded Audience appeared to me to go away, as I did, ready to take Arms against Writs of Assistants. Then and there was the first scene of the first Act of opposition to the Arbitrary claims of Great Britain. Then and there the Child Independence was born.

These are the words of John Adams, America’s first vice president and second president. For him, the colonial conception of privacy was not just something of value—it was the very thing that set the pursuit of independence in motion.

This incident demonstrates the tremendous extent to which the colonists and Founding Fathers valued privacy. The writers of the Constitution—as survivors of British rule and its indiscriminate supervision—knew the importance of individual privacy and sought to protect people against unreasonable searches and seizures.

Since the ratification of the Constitution, determining violations of the Fourth Amendment has been complicated. As the nation aged, new circumstances and considerations arose. The invention of new technologies like telephones and computers, in addition to the Americans’ increasing dependency on business and service providers, has complicated Fourth Amendment jurisprudence. A synopsis of how courts have responded to these changes will prove useful.

TWENTIETH-CENTURY CASE LAW

Unreasonable searches and seizures were inherently physical in nature during British colonial rule and the early generations of the United States. This remained the case until the late nineteenth century when the invention of the telephone allowed for non-physical violations of privacy. Today, with the internet and interconnected world, physicality is not a requirement for a violation of privacy. This transition has created an entirely new subset of privacy rights: digital civil liberties. Next, I briefly outline case law of the twentieth century to show how courts responded to these technological changes.

Olmstead v United States (1928)

During Prohibition, federal law enforcement was investigating Roy Olmstead, a suspected bootlegger. Agents installed wiretaps on his telephone without a warrant. The agents installed the wires in the basement of the building Olmstead resided in and dug up phone wires underneath the nearby sidewalk. Because no physical intrusions occurred against Olmstead, the government felt it did not need a warrant. Olmstead countered that the warrantless searches violated his Fourth and Fifth Amendment rights.

In a 5-4 decision, the Supreme Court ruled against Olmstead. Chief Justice William Howard Taft authored the majority opinion. In it, he stated that “unless there has been an official search and seizure of his person, or such a seizure of his papers or his tangible material effects, or an actual physical invasion of his house” then no violation of the Fourth Amendment occurred. This ruling created a precedent that reemphasized the Fourth Amendment’s focus on physical intrusions. For nearly four more decades, as technology developed and spread, this precedent would stand.

Katz v United States (1967)

Federal law enforcement was investigating Charles Katz, a man suspected of illegal gambling. Knowing Katz used public phone booths, the government, acting without a warrant, utilized devices capable of eavesdropping and added them to the exterior of a phone booth. After they collected incriminating evidence, agents charged Katz with eight counts of illegal transmission of wagering information across state lines. After being convicted, he appealed his conviction and argued that the warrantless monitoring of his phone call violated the Fourth Amendment.

Reversing course from Olmstead, the Court ruled 7-1 in favor of Katz. Delivering the opinion of the Court, Justice Potter Stewart stated that the Fourth Amendment, “protects people, not places.” The ruling also created the reasonable expectation of privacy test, which has two requirements:

  1. The person whose Fourth Amendment rights have supposedly been violated must have had a subjective expectation of privacy.
  2. That expectation must be one that society can recognize as reasonable.

An individual’s Fourth Amendment rights are thought to have been violated if both conditions are affirmatively met. Failure to satisfy either condition would result in the determination that privacy rights were not violated.

The Katz ruling overturned the decision in Olmstead. It became the first landmark Supreme Court case that extended Fourth Amendment rights beyond physical intrusions, and its reasonable expectation of privacy test is still used today.

Third-Party Doctrine

Two cases in the 1970s, United States v. Miller and Smith v. Maryland, created a legal framework known as the third-party doctrine. In both of these cases, the petitioners claimed that their Fourth Amendment rights were violated. The searches and seizures of each case lacked a physical component and involved a third-party, such as a phone company or bank. These circumstances forced the Court to confront when individuals’ expectations of privacy were reasonable.

In United States v. Miller, the government accused Mitch Miller of not paying a liquor tax on distillation equipment. To investigate, federal law enforcement subpoenaed two of Miller’s banks. Without a warrant, they obtained records of his accounts. These documents were subsequently used against Miller in court, where he was convicted. Miller appealed and argued that his Fourth Amendment rights were violated when his bank records were obtained without a warrant.

In Smith v. Maryland, Michael Lee Smith was believed to have robbed a woman. Law enforcement also suspected that he was continuously calling the victim to harass her about the robbery. To investigate, the government asked Smith’s phone company to install a “pen register,” or a device that captures numbers dialed but none of the content of a phone call. When records indicated that Smith dialed the victim’s phone number, law enforcement was able to get a search warrant to find further evidence. Smith was later identified by the victim in a line-up and then convicted of robbery. He argued that the pen register violated his Fourth Amendment rights and appealed.

The Supreme Court ruled against the petitioners in both Miller and Smith. According to the Court, both men voluntarily gave their information to third parties (Miller and his bank; Smith and his phone company). Doing so, in the Court’s view, undermines the first requirement of the reasonable expectation of privacy test. When individuals provide information to third parties, they abandon any subjective expectation of privacy. 

Taken together, the decisions in Miller and Smith created the third-party doctrine. Under it, the government’s acquisition of information from third parties does not require a warrant. The soundness of this ruling was debatable in the 1970s. Today, however, society relies deeply on many more third-party services—many of them related to technology and the internet. Therefore, the third-party doctrine exposes Americans to significant intrusions of privacy.

TECHNOLOGY & CONSENT

With each passing day, technology becomes more interwoven into life. Many Americans use some form of instant messaging like iMessage, WhatsApp, or Facebook Messenger to communicate with family, friends, and coworkers. Some utilize navigation applications like Google Maps, Apple Maps, and Waze. When the COVID-19 pandemic began to shut down daily operations in 2020, workplaces, academic institutions, and other organizations moved to video-conferencing services like Zoom, Google Meet, and Microsoft Teams. All of these aforementioned services—whether they are used to video-call with grandparents or to navigate to a political rally—require the consent of users. Recalling the third-party doctrine, the proliferation of technology seems thorny at best and dire at worst.

A concerning fact is that most individuals do not attentively read the terms of service for these services. (User agreements such as “terms and services” go by other names: terms and conditions, terms of use, end-user license agreement, service terms, etc. While some lawyers may say there are slight variations between these definitions, they all functionally refer to a contract between a user and a provider of some service. Within this legal article, all of these terms are used synonymously.) Clicking or tapping the “I agree” box or button is, in the most literal sense, a check in the box for many people. This fact is tacitly, and sometimes explicitly, recognized by service providers. Amazon Web Services (AWS), for example, has included a clause referring to a zombie apocalypse in §42.20 of its service terms. They state that a previously mentioned restriction shall not apply in the situation of:

[A] widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.

AWS’s inclusion of zombies in a legally-binding contract implies that many people do not read these terms. It is an “Easter egg” for some vigilant users—or scholars examining contractual consent and relationships—to find.

Other services have left even more ridiculous statements in their terms of service. Purple, a wireless network company in Manchester, UK, embedded a clause within their terms of service that bound those who agreed to 10,000 hours of community service. 22,000 people consented. A European security firm, F-Secure, created a publicly available wireless hotspot for people and included in its terms of service that “the recipient agreed to assign their firstborn child to us for the duration of eternity.” GameStation, a UK video game retailer, included in their terms of service that users’ agreement gave the company ownership of each user’s “immortal soul.” In 2019, a high school teacher in Georgia won $10,000 when she read the terms of service for travel insurance from Squaremouth, which stated that the company would provide a reward to the first person who contacted the company in response to reading their terms of service. These are half-comical, half-frightening examples of the lack of awareness that most users have about the contents of terms of service.

There are strong implications when the third-party doctrine, legally-binding terms of service, and users’ failure to read those terms are considered together. Most users of a service are required to agree to terms of service—i.e., contracts—to use said service. Thus, they have consented to give information to a third party, thereby rendering that information subject to the third-party doctrine. With humanity’s increasing dependence on technology and its abundance of terms of service, there must be a new legal framework for determining privacy rights and digital civil liberties.

THE CONTENT-SPECIFIC DOCTRINE

A doctrine that best protects Americans’ privacy is one that I call the content-specific doctrine. This framework emphasizes consideration of the content being searched and seized by the government. How information is obtained—be it physically or digitally—and a third party’s role are both considerations secondary to the content of a search. The doctrine’s primary concern is the qualitative features of the effects to be searched—the pages in a journal, the audio of a phone call, or the metadata of one’s social media account.

Content as Primary Focus

First, an example may elucidate why content is more important than physical circumstances or whether information was given to a third party. Consider the example of a “peeping Tom.” John is sexually interested in his coworker, Jane. Motivated by voyeurism, he hopes to obtain nude photos of Jane by standing outside her residence and covertly taking photos. Because modern cell phones are capable of capturing high-quality images—some of which are now capable of 100x zoom—John knows that he can easily capture these photos from outside Jane’s curtilage; he need not physically intrude.

Although no physical trespass may occur, this act is clearly immoral. The reason rests solely on the content of the information acquired: Jane, in her home, nude, and with an incredibly reasonable expectation of privacy. Normative judgments are independent of whether the trespass was physical in nature. Although this example does not involve the government, it is a clear example of why the content of what is obtained is more important than the physical circumstances of the acquisition.

Doctrine Use

Consider an example of law enforcement using the third-party doctrine to surveil an individual suspected of aiding women in getting abortions in a state where they have been banned or heavily restricted.1 Sarah, a resident of Texas, has publicly posted on social media that she wholeheartedly believes in bodily autonomy and would offer to drive women in need of an abortion to a provider. County sheriff’s deputies suspect Sarah of following through on her statements and driving low-income women in Houston to and from illegal abortion providers. They are able to see through Texas Department of Transportation records that she drives a Toyota Camry. Deputies find out that Toyota’s end user license agreement and privacy notice inform users that the company’s “ConnectedServices” collects data on vehicle owners, including location and voice recordings. Whether or not Sarah knows what she gave the car manufacturer permission to collect, deputies obtain records of her location and any voice recordings without a warrant.

In ascertaining whether Sarah’s Fourth Amendment rights were violated, the content-specific doctrine first considers the qualitative nature of the effects obtained by police—driving location data and audio recordings. This information can be incredibly personal to an individual. In daily life, most people assume that their whereabouts are not being tracked by others. Similarly, the conversations had in cars are assumed to be private in nature. The primary focus of the doctrine considers these features. In this instance, both categories of information are intimate and personal.

To help understand the content searched and seized, physically analogous scenarios can be helpful. Without technology, deputies would need to do at least one of two things to track Sarah’s whereabouts to the extent that Toyota’s data is functionally capable of doing: affix a GPS device to her vehicle or physically follow her whereabouts. Likewise, to record the conversations inside her vehicle, law enforcement would need to install a microphone inside the cabin of her Camry. In the absence of a warrant, these actions violate the Fourth Amendment.

Bringing these two ideas together yields an answer. The contents of the effects that deputies seek to obtain from Toyota—location and audio—are deeply personal. In physical circumstances, the search would be unreasonable without a warrant. Because the doctrine considers content as its primary focus, an answer is revealed: the government’s warrantless acquisition of Sarah’s location and voice recordings violated her Fourth Amendment rights.

The content-specific doctrine would not, however, protect the searches of Sarah’s public social media posts. The content, publicly available speech, is not as personal of information as location or audio recordings. Just as Sarah cannot reasonably expect that the words she utters in a  grocery store aisle are private, she cannot expect posts on public social media to be free from government observation.

Carpenter v. United States (2018)

An excellent example of actual legal thinking akin to the content-specific doctrine is the majority ruling in Carpenter v. United States. Suspecting Timothy Carpenter of robbery, the government obtained information from Carpenter’s cell phone service provider. Federal agents obtained “cell site location information” (CSLI) data that spanned 127 days. Over this duration, they collected 2,898 location points on Carpenter. This is an average of 101 data points per day. It can also be thought of as, on average, having one’s location documented and retroactively collected every 14 minutes and 15 seconds from August 20 until Christmas. The matter of the case focused on whether the acquisition of CSLI, without a warrant, violated Carpenter’s Fourth Amendment rights.

Fortunately for digital civil liberties, the Court ruled in favor of Carpenter. The majority opinion, authored by Chief Justice John Roberts, focused on the character of CSLI data and its investigative potential for law enforcement. The Chief Justice noted: “Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.” He further states that cell phone tracking is even more invasive than GPS-tracking a vehicle because individuals often leave their vehicles but most keep their cell phones on them at all times.2 He emphasizes this habitual proximity by noting that 12% of surveyed Americans confess to using their phones in the shower. The Chief Justice also notes that previous attempts by the government to recreate suspects’ past physical movements were limited by the sheer quantity of records and its ability to collect them. With CSLI, however, the government can achieve near-perfect surveillance. The Chief Justice states that: “Only the few without cell phones could escape this tireless and absolute surveillance.”

In ruling in Carpenter’s favor, the majority opinion functionally used the content-specific doctrine. Rather than determining the warrantless acquisition of Carpenter’s CSLI to be legal based on the third-party doctrine, the majority examined the content of the government’s search and seizure. The content, Carpenter’s whereabouts over a period of 127 days, was extremely sensitive information. The Court recognized this sensitivity and duly considered it to fall under the protections of the Fourth Amendment. In Carpenter, legal thinking similar to the content-specific doctrine recognized that the essence of information collected by the government was more important than the manner in which it was obtained.

It should be noted that the Court’s ruling in Carpenter was split: it was a 5-4 decision. Authoring the dissent, Justice Anthony Kennedy argued that CSLI data is no different than other business records that a third party maintains, and as such, the third-party doctrine should apply in Carpenter. This dissent was joined by Justices Alito and Thomas. The latter Justice filed an additional dissent that emphasized focusing on the physical nature of searches. In it, Justice Thomas discusses other Fourth Amendment precedents. He references a pre-Katz case where a “spike mike” (a microphone that can be physically driven through walls and other barriers for the purpose of eavesdropping) was inserted by federal agents into an individual’s home, without a warrant, which was clearly a physical violation of privacy. Justice Thomas makes this reference to support his disagreement with the Court’s decreased emphasis on physical circumstances since Katz.

Both dissents are grounded in reasoning that the content-specific doctrine would address. It would focus on the content obtained by the government. In this case, nearly 13,000 pieces of location information spanning a period longer than four months and documenting an individual’s physical movements. The content-specific doctrine would acknowledge the intimacy of this information and recognize that its warrantless seizure functionally creates an Orwellian surveillance state. Regardless of whether Carpenter consented to give this information to a third party (Justice Kennedy’s dissent) or the physical circumstances of the search and seizure (Justice Thomas’s dissent), the content-specific doctrine would find such government actions to violate the Fourth Amendment.

Opponents of the content-specific doctrine may say that it weakens the government’s ability to investigate crime. I acknowledge the government’s need to do so in order to maintain order. However, order can be maintained, and crime investigated, through legally granted search warrants. The Fourth Amendment states that, although people are free from unreasonable searches and seizures, they are not absolutely free from reasonable searches and seizures. Presumably, what constitutes a reasonable search is described in the amendment: those conducted with a warrant based on probable cause that “particularly [describes] the place to be searched, and the persons or things to be seized.” This wording was an attempt to prevent broad searches like those conducted under general warrants and writs of assistance.

In the digital age, such a warrant could coexist with the content-specific doctrine. Investigators’ efforts to obtain very specific information—say, a suspect’s whereabouts in a two-hour window on a specific date—could be seen as narrow enough to constitute a reasonable search and seizure. Of course, some privacy rights advocates may disagree (and I myself have hesitations). However, I acknowledge that the law must always seek to prioritize individual liberties while also conceding that some circumstances exist where those liberties can be narrowly encroached upon. Therefore, the content-specific doctrine is not at odds with the government’s acquisition of narrow and specific search warrants. Rather, it seeks to prevent, minimize, and rectify broad and warrantless searches in cyberspace—in other terms: unreasonable digital searches and seizures.

CONCLUSION

This article began with a question about the Founding Fathers’ conceptions of privacy: “Were the seizures of letters from a desk drawer or the broad searches of one’s coat pockets unreasonable searches and seizures because they were physical in nature? Or were they violations of privacy because of the content searched and seized?” After examining the Founding Fathers’ proclivities for privacy, it should be clear the transgressive character of unreasonable searches and seizures rested not on their physicality but on the government’s capture of private belongings and information. Privacy, for colonists and the Founding Fathers, was revered.

Knowing that non-physical violations of privacy exist, this article then considered twentieth-century Fourth Amendment case law, the third-party doctrine, and the implications of new technology. Taken together, they showed exploitative potential. In response, I provided a new legal framework for Fourth Amendment rights in cyberspace: the content-specific doctrine. Above physical circumstances or the role of third parties, the doctrine considers the content of information obtained by the government.

This doctrine will not magically settle all debates on privacy. It does, however, provide jurists with a way to consider Fourth Amendment rights in cyberspace. As technology becomes unavoidably interwoven into society, the content-specific doctrine can help protect Americans’ digital civil liberties. The people have a right to be secure in their digital effects.

1 Given how recent the overturn of Roe v. Wade 410 US 113 (1973) is, whether abortion-restricting states will explicitly ban aiding and abetting abortions is a matter of debate. However, because states generally make aiding and abetting other crimes illegal, it is not unreasonable to think such policies will exist, be they de jure or de facto.

2 A relevant and recent case involving the warrantless GPS tracking of a vehicle is Jones v. United States, 565 US _ (2012)

BIBLIOGRAPHY

“1870s – 1940s: Telephone.” Elon University. https://www.elon.edu/u/imagining/time-capsule/150-years/back-1870-1940/

“A case for reading the small print.” Magazine Monitor.  British Broadcasting Corporation. November 18, 2013. https://www.bbc.com/news/blogs-magazine-monitor-24992518

Allen, William B., and Jonathan Gienapp. “Against Writs of Assistance (1761).” National Constitution Center. https://constitutioncenter.org/the-constitution/historic-document-library/detail/james-otis-against-writs-of-assistance-february-24-1761

“AWS Service Terms.” Amazon Web Services. https://aws.amazon.com/service-terms/

Carpenter v. United States, 585 US _ (2018).

“Constitution of the United States of America: Analysis and Interpretation.” U.S. Government Publishing Office, 112th Congress, 2nd Session. June 27 2016. https://www.govinfo.gov/content/pkg/GPO-CONAN-REV-2016/pdf/GPO-CONAN-REV-2016.pdf

Farrell, James M. “The Writs of Assistance and Public Memory: John Adams and the Legacy of James Otis.” The New England Quarterly 79, no. 4 (December 2006): 535–536, https://www.jstor.org/stable/20474493

Fox-Brewster, Tom. “Londoners give up eldest children in public Wi-Fi security horror show.” The Guardian. September 29, 2014. https://www.theguardian.com/technology/2014/sep/29/londoners-wi-fi-security-herod-clause

“From John Adams to William Tudor, Sr., 29 March 1817.” National Archives. https://founders.archives.gov/documents/Adams/99-02-02-6735

Hern, Alex. “Thousands sign up to clean sewage because they didn’t read the small print.” The Guardian (July 14, 2017). https://www.theguardian.com/technology/2017/jul/14/wifi-terms-and-conditions-thousands-sign-up-clean-sewage-did-not-read-small-print

Katz v. United States, 389 US 347 (1967).

Miller v. United States, 425 U.S. 435 (1976).

Olmstead v. United States, 277 US 438 (1928).

“Privacy and protection,” Toyota, April 11, 2022. https://www.toyota.com/privacyvts

Schwartz, Matthew S. “When Not Reading The Fine Print Can Cost Your Soul.” National Public Radio. March 18, 2019. https://www.npr.org/2019/03/08/701417140/when-not-reading-the-fine-print-can-cost-your-soul

Silverman v. United States, 365 U. S. 505 (1961).

Smith v. Maryland, 442 U.S. 735 (1979).

“Toyota Vehicle End User License Agreement.” Toyota. https://www.toyota.com/privacyvts/assets/images/doc/Vehicle%20Software%20End%20User%20License%20Agreement%20Toyota.pdfUlanoff, Lance. “We need to talk about the Samsung Galaxy S22 Ultra’s zoom photography.” TechRadar. February 17, 2022. https://www.techradar.com/news/we-need-to-talk-about-samsung-galaxy-s22- ultra-zoom

When Two Worlds Collide: Evaluating Free Speech and National Security Claims around Trump’s WeChat Ban

by Nalin Ranjan

Introduction

Immigrants have come a long way from hopelessly striving toward the 20th-century ideal of full assimilation into American society. Descendants of Jewish immigrants, whom many believed could not be trusted, can now proudly take credit for developments in the sciences, politics, medicine, and the arts; blossoming Chinatowns have replaced enclaves that once shied away from any expression of their heritage for fear of persecution; Mexicans whose ancestors worked under poor conditions and compensation in the fields founded the United Farm Workers to ensure their voices were heard. The stories of immigrants who refused to merely conform to the expectations placed upon them are endless. They have long known that the immigrant experience entails keeping close to — and not abandoning — their unique cultures and communities.

It was thus that President Trump’s August 2020 ban on Chinese messaging service WeChat was met with large-scale trepidation amongst the Chinese-American community. For the unfamiliar, WeChat is the world’s third-largest messaging service and by far the most popular means of communication amongst first-generation Chinese immigrants, with nearly three million active daily users in the US. For many, it is the primary — if not only — means of keeping in touch with fellow Chinese immigrants and families back home. However, given its Chinese ownership, the app has been subject to intense scrutiny amid escalating tensions between the two countries. 

Legal action against the ban was swiftly taken, resulting in a preliminary injunction of the original order. And before further arguments were made, the Biden administration walked back the Trump-era restrictions. However, they also made it clear that they would continue probing the issue and that a further ban was not entirely out of the question just yet. In this article, I examine relevant constitutional arguments that may have been made in favor of the ban had further litigation continued. Whether or not the ban stands to constitutional muster will ultimately determine whether it is a legal restriction with unfortunate consequences or a fundamental violation of certain Americans’ right to communicate freely.

Background

President Trump initially issued Executive Order 13943 in August 2020, prohibiting “any transaction that is related to WeChat by any person, or with respect to any property… with Tencent Holdings Ltd [the parent company of WeChat]… or any subsidiary of that entity.” The order outlined seven restrictions — each prohibiting a certain type of transaction with WeChat or its parent company —that together would have immediately rendered WeChat services both useless and illegal to use. In particular, restrictions 1-4 would have crippled WeChat’s technological infrastructure and content-distribution backbone, while restriction 6, which bars “any utilization of the WeChat mobile application’s constituent code, functions, or services,” would have been nothing short of an explicit ban on using WeChat’s services for then-users in the United States. 

Make no mistake: most of the restrictions of the order could only be reasonably challenged in court by Tencent itself.1 But restriction 6, whose target is the American populace rather than a service/network/other technology managed by Tencent, could reasonably be challenged by American WeChat users, as it places an explicit restriction on a place Americans may go to express speech. My analysis hereinafter will focus on restriction 6, because 1) resolving first amendment challenges to restriction 6 entails tackling issues that would arise in challenges to other portions of the ban, and 2) first amendment challenges to restriction 6 most closely echo the concerns of American WeChat users, who are the most important stakeholders in this issue. 

Constitutionally, time, place, or manner (TPM) restrictions are permissible, but they must 1) apply equally to all forms of speech subject to the TPM restriction (i.e. be content-neutral), and 2) pass the test of intermediate scrutiny.2 Given that the ban seeks to impose a broad and sweeping restriction on the use of WeChat, it is clear that it passes the content-neutrality criterion: no particular message substance would be favored over another since all communication on WeChat would be prohibited. Thus, the only — albeit substantial — remaining obstacle that the ban must overcome is the test of intermediate scrutiny, which requires that a TPM restriction 1) serve a significant governmental interest unrelated to speech content, 2) be narrowly tailored, and 3) leave open adequate channels for communication. 

Does there exist a significant government interest that would be served by the ban?

As stated in President Trump’s initial executive order, the central motivation for issuing the ban is to protect national security. (The executive order clarifies that other threats, such as those to foreign policy and the economy, derive from the primary threat to US national security.) The precise definition of “national security” is somewhat elusive, but most would agree with the National Law Review’s characterization, which says that it “encompasses safeguarding the nation’s borders against foreign threats and terrorism… [which, in particular, may include] cyber-crimes, cyber-attacks, and other internet-based crimes.” And like most, we will grant that national security is a significant governmental interest unrelated to the particular content of restricted speech in this case.

Would the ban — as outlined in the original executive order and implemented in the Commerce Secretary’s addendum — prevent some action that gravely endangers US national security? The executive order would answer affirmatively, holding that the relevant action it prevents is the capture of “vast swaths of information from its users, which threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.” This conclusion, however, is based on multiple unsound foundations.

First, the characterization of the information WeChat collects as “personal and proprietary” is misleading, if not plainly incorrect. Upon registering, users must agree to a privacy policy that explicitly describes how one’s information will be shared with other subdivisions of Tencent, service providers (middlemen providing services that enable the functioning of the app), third parties with whom the user interacts, advertising partners, and notably, governments/regulatory agencies that request it.  Of course, this finding is wholly unsurprising to the average WeChat user. In addition to the common knowledge that using an online service will expose one’s information to its administrator, there is also a common cultural element at play: many WeChat users, as first-generation Chinese immigrants, are familiar with the authoritative role the CCP takes in regulating the flow of information and communication. A sentiment of an anonymous user on tech forum SlashDot sums up the typical WeChat user’s attitudes on this issue: “WeChat is a great app, and I use it all the time. But I have never considered it to be private.” Ultimately, users are knowingly consenting to share their data with WeChat and its wide range of affiliates, so the suggestion that users’ “personal and proprietary” information will land into the hands of an actor that shouldn’t have access to it — including the CCP — is both legally and empirically incorrect. 

Second, the mere collection of “vast swaths of data” on consenting American users is not in itself a threat to national security, even if this data lands into the hands of presumed US adversaries like the CCP. It is certainly true that WeChat follows the typical social media company strategy of collecting a wide range of identifying information and day-to-day activity data from users that may compromise their individual privacy, but it is difficult to see how such perfunctory data could be used to threaten US national security as a whole. Knowledge of what certain consenting individuals are doing, where they are going, and what some of their preferences are seldom, if ever, provides the edge needed to engineer large-scale attacks on US citizens or institutions. And the US government has implicitly recognized this fact: the combined revenue of the data analytics and online advertising market — both heavily reliant on collection and exchange of highly specific personalized data — totaled almost $100 billion in 2020 with no indication of slowing down. These markets, which feature thousands of companies of varying sizes, are officially sanctioned — and even participated in — by the US government. Were the possession of terabytes of perfunctory data truly a prospect with imminent national security concerns, history suggests governmental oversight would be swift and uncompromising — or at the very least, more stringent than the lax attitude currently adopted that treats personal data as little more than an arbitrary, freely exchangeable good.3 

In short, there is little evidence to suggest that a blanket ban on the use of WeChat would significantly remedy any existing national security vulnerability.

Would the WeChat ban leave open adequate channels for communication?

As established in Ward v. Rock of Racism, “the basic test for gauging the sufficiency of alternative channels is whether the speaker is afforded a forum that is accessible and where the intended audience is expected to pass.” In other words, the subject of a TPM speech restriction must be afforded another venue in which the intended audience may reasonably participate in a similar capacity. Appellate court precedent has established this requirement as one admitting a strict interpretation. For example, refusal to grant a permit to the Million Youth March sufficiently close to the movement’s desired location in Harlem was ruled in 1998 to be a First Amendment violation, because the city’s proposed relocation to Randall’s Island would have “adversely affect[ed] plaintiff’s ability to reach its target audience” by “limit[ing] [the movement’s] reach to [only] those who make an affirmative decision to travel to [Randall’s Island].” 

The alternatives afforded to WeChat users, unfortunately, are quite worse than a two-mile walk eastward to Randall’s Island. As Peng notes in her testimony, the only available alternatives to contact relatives abroad are costly and provide vastly inferior functionality:

“Without WeChat, I will have to go back to the old way of buying calling cards and making expensive international calls. I will also not be able to reach all of my family members with one click. I will not be able to look at them through video calls with my own eyes. Nor can they see that I am well with their own eyes.” 

For the unfamiliar, the reason that Peng would have to go back to calling cards is that most apps that seem like viable alternatives (WhatsApp, Snapchat, Messenger, Line, etc.) are blocked by the Great Chinese Firewall

And for those whose only proficient language is Mandarin (or another dialect spoken in China),4 the lack of other Chinese-friendly messaging apps would all but require attaining sufficient proficiency in another language. Even if we discount the many cases where this is effectively impossible (e.g., for senior citizens), such a requirement would fundamentally run contrary to the American notion of free expression. Learning a particular language should never be an explicit prerequisite to communicate, nor is the government within its right to revoke access to platforms so as to implicitly institute this as a requirement.

Conclusion

For now, Chinese-American WeChat users can breathe a sigh of relief. Yet it is clear that the issue is far from resolved, as the Biden Administration has indicated that a subsequent restriction is well within the realm of possibility. However, amid ever-changing political headwinds, American WeChat users can cling steadfastly to the legal rock that is intermediate scrutiny. Indeed, striking down the Trump-era ban would have only required that one intermediate scrutiny criterion be unmet. That the ban spectacularly fails multiple criteria is a serious indication that subsequent administrations will need to dedicate genuine, good-faith effort to crafting a more measured response that does not irreparably sever certain Americans’ access to their most significant outlet of communication.

1 Foreign entities may bring suit in US courts; see Servicios Azucareros v. John Deere.

2 First developed in Craig v. Boren.

3 See this article, for example. Most data exchanged over US networks is unregulated. That is, most companies are not under any obligation not to share your data with third parties, who can in turn do as they wish with that data (including selling it again). And none of them are obligated to tell you what they do with your data.

4 No publicly available sources have an estimate on the true number of English-deficient WeChat users in the United States. But an extremely conservative estimate would likely lie in the hundred-thousands.

It’s Not Just Me, It’s Also You: How Shared DNA Complicates Consent

by Ethan Magistro

With just a sample of your DNA, you, your immediate family members, and many other distant relatives can be identified. Your genetic information can be used to determine you and your families’ insurance policies, expose medical conditions you didn’t even know you had, and, in the worst case, be used to identify and arrest someone you may be distantly related to. The deoxyribose nucleic acid (DNA) contained within every cell of our bodies holds intimate details about each of us. Yet when users send sample DNA to direct-to-consumer (DTC) testing kit companies, only their consent is needed to share information that belongs to many of their family members. Because of this, I argue we should drastically rethink our understanding of DNA. Rather than conceptualizing DNA as analogous to other types of private property that can be traded with individual consent, DNA trade should require the shared consent of family members. The difficulty in obtaining that consent points to a colossal need for the development of genetic privacy laws.

To understand why DNA should be understood as a form of shared property, it will be helpful to outline the economic and legal landscape of consumer genetic testing. The past few years saw a spike in interest for DNA testing and an explosion in the DTC testing kit market, which is dominated by AncestryDNA and 23andMe. Although the market has died down since then, worries about political and enforcement abuses of genetic information and medical privacy concerns are still in focus. 

Concerns about enforcement abuses of genetic information usually involve the Fourth Amendment, which protects citizens from unreasonable searches and seizures. This was exemplified in Maryland v. King, a U.S. Supreme Court case which held that genetic testing is similar to fingerprinting, and is therefore a reasonable search under the Fourth Amendment, to the chagrin of privacy advocates. The latter issue of medical privacy deals with Title I and II of the Genetic Information Nondiscrimination Act Of 2008 (GINA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), both of which are notoriously lackluster in protecting privacy, especially regarding DTC testing, which neither law protects. Beyond this, some states have genetic privacy laws with varying levels of consent required by companies. Many of them provide little extra protection. This lack of privacy protection has caused the DTC industry to mostly self-regulate, which has been spotty at best: in their privacy policies, some genetic-testing companies wrongly claim they comply with HIPAA, while some companies have no privacy policies at all.

A lack of strong DNA privacy laws presents an imminent threat to genetic privacy because of how valuable a sample of DNA can be. Genetic information’s longevity, immutability (you cannot change your DNA like you can a lost password) and predictive ability about future health make it extremely valuable. Yet DNA is unique in that it is able to identify an individual as well as their family members, since people share large portions of DNA with their relatives. This is why it has been so often used to gain leads in criminal cases

Being so valuable, it makes sense why shoddy privacy policies exploit a lack of laws to gain control of DNA. Deceptive policies mislead individuals to give away most of the control over genetic information, and, therefore, their family’s genetic information, without ever knowing it. With that control, companies can trade or exchange this data, often selling it to unknown third-party companies who can use it as they wish. Bigger companies like AncestryDNA or 23andMe are no safer. They may truthfully claim they do not sell your genetic data to third party companies, but the independent labs they send the sample to for analysis make no such guarantees

It is hard for consumers to notice that. A large company’s connection to third parties is often inconspicuously snuck into their privacy policies. Before it was shut down in late 2020, AncestryHealth, the division of AncestryDNA designed to identify genetic health risks, sent DNA samples to a third-party group called PWNHealth for analysis. A link to PWN’s privacy policy is at the very end of AncestryDNA’s terms and conditions, which itself is in small print at the bottom of the AncestryDNA webpage. PWNHealth’s privacy policy is far less robust than Ancestry’s. Two points stick out:

You have the right to request in writing that we restrict how your health information is used or disclosed. For most requests, under the law, we are not required to agree to your request.

and

“If you request that Ancestry delete your information held by Ancestry, such request will not result in the deletion of information held by PWNHealth. Such information will be retained by PWNHealth in accordance with applicable law and this Privacy Policy.”

It is clear that PWNHealth has no intention of removing or restricting its use of submitted genetic data. Even if PWNHealth claims that they will only trade “non-identifiable data,” the shocking ease with which genetic data can be re-identified makes this claim essentially worthless. So while AncestryDNA will not sell your genetic data, PWNHealth can and will.

Despite all of these concerns, PWNHealth is still acting within the law so long as a user consents to its terms of use and, therefore, how it uses your genetic data. But is an individual’s consent enough considering that their DNA sample contains information about their relatives? It should not be. DNA contains valuable, identifiable information about a user’s family and distant relatives that should not be shared without their knowledge. Instead, companies who offer DTC genetic testing should require consent from those with whom an individual shares the majority of their DNA.

Already that idea sounds burdensome. Should someone really have to call their parents, grandparents, and siblings if they want to understand more about their own medical information? What about those who are estranged from their families, or people who are adopted and do not know their biological relatives? Here, a middle path exists between individual consent and shared consent. Perhaps for medical information, relevant to an individual who may want to alter their lifestyle to decrease the risk of a condition manifesting, an individual should use a DTC without providing shared consent. A kit designed to find unknown relatives who may wish to remain private, on the other hand, should require companies to ask for consent from those relatives.

Yet this argument ignores the threat that third-party actors pose. The importance of genetic privacy is less about keeping individual issues private from the family and more about keeping familial DNA out of the hands of third parties like PWNHealth who can trade that genetic information and other groups who could de-identify it or sell it. If you must get a genetic test for medical reasons, it would be wiser to do so in a clinical setting, where HIPAA and GINA offer comprehensive privacy and protection. Without that same protection, DTC tests put many of your relatives’ information at risk.

What could a stronger form of shared consent look like in the DTC arena? One analogy that provides some insight comes from a complaint filed by the Federal Trade Commission (FTC) against Facebook in which the FTC challenged Facebook’s misleading privacy policies and deceptive practices. The complaint alleged that Facebook “told its users that they could limit those who could see their posts to just ‘Friends,’ when in reality—and without warning to the user—doing so would also allow developers of third-party applications used by their ‘Friends’ to access the post.” In other words, “third party applications” of a user’s Facebook friends could look at that user’s posts even if the user did not consent to that action.

This is not a perfect analogy. A post shared with a friend, which is then unwittingly shared with a third-party application, is not the same as DNA, which is physically shared by multiple people. Nonetheless, the FTC acted when Facebook gave third parties access to a user’s post, even when that user had no option to consent to this. In a case involving genetic data, it’s feasible that the FTC could challenge DTC companies for not adequately informing users that their familial genetic data, which they provided without their family’s consent, was now in third-party companies’ hands.

Like those users who had a reasonable expectation that only their friends would see their posts, people who have never taken a DNA test or given away a DNA sample would not expect their genetic information to be in the hands of a group such as PWNHealth. There is a reasonable expectation that genetic information is private. If someone wants to give away valuable information about you — even if it is partly their information too — they ought to seek out your consent.   

Ultimately, the easiest remedy for the lack of genetic familial privacy and the need for shared consent would be stronger genetic privacy laws. The lack of robust genetic privacy laws already leaves consumers unprotected against bad actors looking to profit from their DNA. As genetic testing technology improves and we become able to gain more information from smaller samples of someone’s genome, not having ownership over your DNA could pose a threat to your descendants in the future. Technology that fails to respect these repercussions and ignores the need for consent from multiple parties cannot continue to outpace legislation. Although the complexity of shared consent and its complication of privacy policies leave room for the FTC to police weaker terms and conditions, it would be far more beneficial for all parties if strict regulation, created through legislation, protected the blueprint of life.