Habeas Data_Privacy vs. The Rise of Surveillance Tech
Page 11
Justice Marshall dissented, explaining that even if people knew that the phone company has the ability to monitor calls for its own internal purposes, “it does not follow that they expect this information to be made available to the public in general or the government in particular.”
As he continued: “Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.”
Moreover, it makes no sense, he argued, to discuss the assumption of risk in a phone call when “individuals have no realistic alternative.” After all, in cases like Hoffa v. United States, where the criminal was done in by a confidant, that person had the choice of whom to trust with their information. Here, by contrast, someone who wants to make a phone call has only one option.
“In my view, whether privacy expectations are legitimate within the meaning of Katz depends not on the risks an individual can be presumed to accept when imparting information to third parties, but on the risks he should be forced to assume in a free and open society,” he concluded.
* * *
Just as, in the wake of Katz, Congress passed the 1968 Omnibus Crime Control Act, so too was there a desire to modernize federal law in the wake of Smith to expressly include electronic and voice communications. The Office of Technology Assessment, which existed from 1972 until 1995, came out with an 82-page report that examined “Electronic Surveillance and Civil Liberties.”
“Telephones, credit cards, computers, and cameras did not exist. Although the principle of the fourth amendment is timeless, its application has not kept abreast of current technologies,” the report states.
Congress largely adopted many of these proposed changes as part of the 1986 Electronic Communications Privacy Act (ECPA), which updated the Omnibus Act. One section of the law, known as the Stored Communications Act (added in 1986 and updated subsequently), requires that a “provider of an electronic communication service” hand over any non-content metadata that is “relevant and material to an ongoing criminal investigation.”
Yet another portion mandates that pen registers can only be authorized via a court order that includes an affirmation from the prosecutor “that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.” Both of these are less legal standards than probable cause, the standard for search warrants and tracking surveillance. (Wiretaps, again, require even more from the government—they require super-warrants.)
Still, actual pen registers are hardly the issue anymore. In contemporary society, the amount of data that one person generates online is vast. A person generates data through their Internet service provider, through the websites that they interact with, what they search for, what they buy, who they correspond with on social media, and, increasingly, where they do it from. After all, Internet Protocol addresses are geographic, and mobile devices contain GPS and location data that can easily be obtained by the company in question, and by extension, the government—often without our knowledge.
The advent of ever-increasing digital devices—devices that individuals personally interact with, which have the ability to retain more information—means that this issue is more pressing than ever.
The third-party doctrine says that Katz doesn’t apply to metadata. It’s almost a modern-day extension of the line from the Olmstead wiretapping case from the 1920s, when Chief Justice Taft wrote: “There was no searching. There was no seizure.” His argument seems almost laughable to us today. Of course conducting a wiretap was a search—in the eyes of Justice Marshall, though it was not a search of a tangible object obtained by traversing someone’s doorway, it was certainly a search of intangible information.
In the late twentieth and early twenty-first centuries, the notion that there is no recognized constitutional privacy interest over data that we are obliged to share with private companies seems equally silly. How, after all, are we supposed to go about conducting our modern lives using all kinds of services that require us to give up data?
Fundamentally, it seems quite odd that (technically speaking) traditional postal mail has more protections—law enforcement cannot open it in most circumstances without a warrant—than any other form of modern communication. (However, since United States v. Warshak, a case that will be addressed more fully in Chapter 6, there has been a de facto warrant requirement for the content of e-mail.) This problem has been remarked upon by legal scholars for decades now. In 1990, Lewis Katz, a professor at Case Western Reserve University, was one of the earliest to articulate some of the major flaws of the third-party doctrine.
“It poses an untenable choice,” he wrote, echoing Marshall’s dissent. “An individual can withdraw from all contact with others and with society by not dealing with people, by not venturing outside, by not using banks, telephones, mail, garbage collection and other services, and maintain the type of informational privacy available to his eighteenth century forbearer. But it is impossible to lead an eighteenth century life today.”
There is a vast amount of legal scholarship that lambasts this seemingly anachronistic rule. As Orin Kerr, a law professor at the University of Southern California, and one of the nation’s top digital privacy legal scholars, quipped in a February 2009 article, “A list of every article or book that has criticized the doctrine would make this the world’s longest law review footnote.”
Most privacy law scholars have reached the conclusion that the third-party doctrine can no longer be clearly applied in a modern society. But Kerr, by contrast, mostly remains a defender of the third-party doctrine. He’s argued that the notion “ensures that the same basic level of constitutional protection applies regardless of technology.”
As Kerr sees it, the fact that Smith used a telephone to call his victim—as opposed to say, shouting at her from the street—is immaterial. The police can view anyone in public doing anything. But in reality, that’s not how police investigations work. Until technology enabled a mass collection of phone numbers, or license plates, or anything else, there was simply a physical and financial limit to what law enforcement could do: they were forced to expend resources on only the most important targets.
Kerr also notes that under his preferred definition of the third-party doctrine, it should only continue to exist to preserve the government’s right to access metadata, or non-content information. He analogizes it to address information physically written on a package, which is then carried to the neighborhood post office.
However, a critical difference—as evidenced by the Section 215 program—is that in a purely analog world it would be physically impossible for a set of humans to capture the routing information of all packages being transmitted nationwide. In short, technology enables far more surveillance at far lower cost than any non-digital scenario ever could. Scholars and judges differ as to exactly how the third-party doctrine should be changed. Should it be dependent on how sensitive the data is? Should it be determined by whether a person “knowingly” or “voluntarily” gave up that data? The law remains unclear.
In 2012, in the case of United States v. Jones, Justice Sonia Sotomayor became the first member of the Supreme Court within the last decade to explicitly describe the third-party doctrine as “ill-suited to the digital age.” (This case will be explored further in Chapter 9.) “I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year,” she continued.
* * *
There is one case, still pending, that may force the antiquated third-party doctrine of Smith into the twenty-first century. In the fall of 2017, the Supreme Court heard Carpenter v. United States to determine whether cell-site location information (CSLI) should be treated as simple metadata, and therefore not require a warrant. Or, as the American Civil Liberties Union (AC
LU) claims, does extensive location information provided by a cell phone—which was not initially contemplated by the Stored Communications Act or the Supreme Court in Smith—require a warrant?
This case, more than any other in recent history, is a contemporary analog to Smith. The Supreme Court is expected to issue a decision in 2018.
The case began in April 2011, when four men were arrested for armed robberies at RadioShacks and T-Mobile stores in Detroit and its environs. One of those men quickly confessed, and said that he had participated in robberies of nine stores in Michigan and Ohio between December 2010 and March 2011. The one who confessed gave the FBI his own phone number and the numbers of his fellow suspects.
The following month, the FBI applied for three court orders to obtain 127 days’ worth of “transactional records” for 16 different phone numbers. Among the information the government wanted was the “cell site information for the target telephones,” which they hoped would provide evidence that two of the suspects—Timothy Sanders and Timothy Carpenter—among others, were in the vicinity of the robberies at the time they occurred. Eventually, Carpenter and the others were charged.
Specifically, the government sought a d-order, named for the provision of the Stored Communications Act, 18 USC 2703(d). That law requires companies provide some telecommunications records—essentially, metadata—when “specific and articulable facts show” that the data sought is “relevant and material to an ongoing criminal investigation.” Perhaps all this sounds acceptable. But it is far different (and far less precise) than the legal permission required in other kinds of searches: that is, of course, a warrant that requires a showing of probable cause.
This is not a trivial distinction. A d-order does not, as the Fourth Amendment mandates for warrants, require as much particularity. A warrant also mandates a signed and sworn affidavit (“on oath or affirmation”) regarding the “places to be searched and the things to be seized” that a d-order application does not.
“That’s important because judges give a lot more scrutiny to a warrant application than they do a d-order,” Nathan Freed Wessler, Carpenter’s ACLU attorney, told me.
Before trial, the defendants attempted to suppress the cell-site records on the grounds that those records required a warrant, but the district court denied them. They appealed up to the 6th US Circuit Court of Appeals, which ruled against them. Court filings authored by Wessler and other lawyers argue that 127 days of data is simply too vast, too potentially revelatory of a person’s constitutionally protected behavior.
In short, the government should be required to get a warrant. Plus, just like in Katz and Smith, the government could have sought a warrant, but chose not to.
“Assuming that they could have shown probable cause, I think there’s a strong argument that the data would be tied to the actual investigation,” Wessler added.
They either would have had to limit the information that they wanted or they would have had to provide an explanation to the court of why that whole four-month date range, [was needed]. That particularity requirement is what keeps the government in check. If they get a warrant for my house, because they think I stole washing machines off of a truck, it means they’re allowed to look at my closet big enough to hide a washing machine but not my sock drawer. Those limitations have a lot of historical importance limiting the government’s power.
The appeals court relied extensively on Smith, saying that the CSLI—admittedly less precise than GPS data, but still potentially revelatory—is effectively the same thing as the Baltimore robber’s call records that the government obtained decades ago.
The 6th Circuit called out the ACLU’s arguments on appeals as having “considerable irony,” given that in its view, post-Smith, Congress has already established a middle ground through the 1986 ECPA. As the three-judge panel wrote:
The Katz standard asks whether the defendants’ asserted expectation of privacy “is ‘one that society is prepared to recognize as reasonable[.]’ ” Smith, 442 U.S. at 740 (quoting Katz, 389 U.S. at 361). Here, one might say that society itself—in the form of its elected representatives in Congress—has already struck a balance that it thinks reasonable.
And what does Sachs make of this case, now decades removed from Smith v. Maryland? How would he have ruled if he were sitting on the 6th Circuit ruling on Carpenter? His prosecutorial roots still shine through.
“I would have felt constrained by the logic of Smith from our highest court,” he e-mailed, noting that he probably would have “reluctantly” joined the conservative majority currently on the 6th Circuit, and ruled in favor of the government.
But I also would have drawn comfort from the presence of a judicial order under the Stored Communications Act requiring a “reasonable showing” for believing the records to be “relevant and material to an ongoing investigation.” I recognize that this is not a warrant based on probable cause; but it is a slice of judicial oversight that attempts to accommodate advanced technology in pursuit of crime on the one hand, with the constitutional right of privacy, on the other. Along with the Smith logic that I helped create (oblivious to its potential for mischief down the road) I would have gotten over the hump.
In short, absent further guidance from the Supreme Court, he would defer to the older precedent. However, were Sachs hypothetically on the Supreme Court when Carpenter was to be decided, he would probably rule the other way: “Katz has outlived its usefulness as a constitutional tool,” and he certainly wouldn’t have allowed the NSA metadata program to rely on the Smith ruling.
“I believe Katz must be replaced with a test that balances the constitutional right to privacy with public safety in the context of twenty-first-century technology,” he concluded. “And, good old Smith is no longer a legitimate precedent for the massive surveillance undertaken in FISC Docket Number BR 13-109. It never was.”
Sachs, who attended oral arguments for Carpenter, e-mailed me the following day that he thought Wessler was “professional and persuasive.”
“I think the Court will attempt to create a digital-age Fourth Amendment doctrine, but there is no certainty what shape it will take,” he wrote.
CHAPTER FOUR
When Big Brother Rides in the Back Seat
The system was kind of kept confidential from everybody in the public. A lot of people do have a problem with the eye in the sky, the Big Brother, so in order to mitigate any of those kinds of complaints, we basically kept it pretty hush-hush.
—SGT. DOUG IKETANI
LOS ANGELES SHERIFF’S DEPARTMENT (2014)
July 27, 2012
Las Vegas, Nevada
At one of the world’s most well-known hacker conferences, DEF CON, Mike Katz-Lacabe didn’t stand out, even if he did sit in the front row.
As a middle-aged man with a protruding belly, a formidable salt-and-pepper beard, and a friendly smile, Katz-Lacabe was seated wearing a black T-shirt (the de facto DEF CON uniform) amidst hundreds of fellow conference attendees. Like these other digital security professionals, he was there to learn about all the new scary ways that devices could be threatened, and how to fight back. He was a regular, having attended DEF CON for over a decade.
The 45-year-old was attending a talk given by two American Civil Liberties Union (ACLU) lawyers and two technologists: “Can You Track Me Now? Government and Corporate Surveillance of Mobile Geo-Location Data.”
“We are in a constitutional moment for location tracking,” ACLU lawyer Ben Wizner began the talk (less than a year later, Wizner became Edward Snowden’s lawyer).
“This year, a unanimous Supreme Court held that when the police put a GPS device on a car and track a driver’s location over a prolonged period—that’s a search under the Fourth Amendment.” That is, a search that must be validated with a warrant. “They had never held that before. But we all know that the police probably do that thousands of times per year.”
Over the course of about 100 minutes, the four-person panel outlined the myriad w
ays that location information can be obtained through mobile phone tracking, and how law enforcement can legally access that data. But, the panel only briefly addressed other ways that someone’s location could be tracked or monitored, such as the license plate on a car.
When the panel was over, and the room began to empty out, Katz-Lacabe made a beeline for Catherine Crump, one of the ACLU attorneys.
As an experienced ACLU attorney, she was used to people approaching her with cockamamie theories about government surveillance. She’d even stopped answering her phone at her Lower Manhattan office because she’d otherwise be tied up with people who had a “wild theory about the microchip implanted in their head.”
But Katz-Lacabe was different.
“I know all about [license plate readers (LPR)] and in fact, I have this photograph [of me] in my driveway getting out of the car,” he told her, explaining that he had gotten a whole cache via a public records request, and promised to send it to her later that day.
Standing immediately beside Katz-Lacabe was Jennifer Valentino-DeVries, then a reporter with the Wall Street Journal—she immediately asked him for an interview and he was happy to oblige.
“He struck me as an old-school California nerd,” she told me, recalling the first time they met.
“It’s a particular type of nerd, you don’t necessarily find them all the time. He had this combination of a little bit of paranoia that comes from knowing what the technology can do, but he was not one of the hard-core DEF CON hackers. He’s an old-school guy and he brought his daughter to DEF CON—he seemed like a sweet, reasonable person.”