In this excerpt from our new Digital Privacy initiative, Christopher Slobogin from Vanderbilt Law School explores how best to construct legal approaches that will allow the government to harness The Cloud’s investigative potential, while also limiting the opportunities for government abuses.
You can read the full text of Slobogin’s white paper at our special section, A Twenty-First Century Framework for Digital Privacy, at https://constitutioncenter.org/digital-privacy
It is now a commonplace that virtually everything we do is memorialized on databases—databases which, for brevity’s sake, this paper will refer to as The Cloud, despite the fact that not all the data this paper discusses is found there. These databases—the servers of Google, Netflix, and Apple; the memory banks of phones, closed circuit cameras, “smart cars,” and satellites; the computers in commercial establishments and government agencies—track an astonishing range of our intimate daily activities, including financial transactions, Internet connections, travel routes, tax information, and medical treatment, as well as more prosaic matters such as employment and residence history, utility usage, and car malfunctions. The question addressed here is when the government should be able to gain access to this wealth of personal information for law enforcement and national security purposes.
In the United States, answering that question requires consulting a welter of statutes and a few Supreme Court decisions. For instance, when the government wants to access information stored on a computer or found in texts or emails, federal and state laws usually require a warrant, issued by a judge who has found probable cause that the communication will lead to evidence of wrongdoing. However, if officials want an already opened communication or one that has been on a server for over 180 days, then they may only need to show that the communication is “relevant” to an investigation, a much lower standard than probable cause, albeit an assertion that is challengeable by the target, as occurs with an ordinary subpoena. And if the communication sits on a “private” server (for instance, a private university or employer), no court process is required.
When law enforcement officials seek records outside the communications context, a wide array of statutes may be applicable. As a general matter, bank, educational, and even medical records can be obtained with a mere subpoena, which the target often does not find out about unless and until prosecution occurs. In a host of other situations, such as accessing camera footage or obtaining data about credit card purchases or past travel routes, most jurisdictions do not require police to follow any judicial process, but rather allow them to obtain the information at their discretion and that of the data holders.
In theory, the Constitution, and in particular, the Fourth Amendment, could have something to say about all of this. The Fourth Amendment requires that the government act reasonably when it engages in a “search” or “seizure,” and the courts have held that, for many types of searches, this reasonableness requirement can only be met with a warrant. However, this requirement only applies to government actions that are considered “searches.” The Supreme Court has defined that word very narrowly, to encompass only those actions that infringe “reasonable expectations of privacy” or that involve some type of physical intrusion. Most relevant here are the Court’s decisions holding that expecting constitutional protection from government acquisition of information surrendered to third parties—whether they be internet service providers, banks, or phone companies—is not reasonable, since we “assume the risk” that those third parties will decide to give that information to the government. As discussed below, this “third party” doctrine has seen some erosion in recent years, but it remains the reason that, other than when access to the content of communications is involved, the Fourth Amendment has very little impact on the government’s ability to obtain information, even when it relies on technology to do so.
While many have inveighed against the laxness of both statutory and constitutional law, the most popular counter-proposal—that Cloud access by the government should require a judicial warrant—has problems of its own. Conceptually, a warrant requirement glosses over the intuition that a large number of situations, while involving a viable privacy claim vis-à-vis the government, do not merit the full protection of a warrant. Practically, it would handcuff legitimate government efforts to nab terrorists and criminals. A more nuanced approach is necessary.
That approach should begin with an assessment of the varying motivations that drive the government’s use of The Cloud. Cloud-searches can come in at least five different guises: suspect-driven, profile-driven, event-driven, program-driven, or volunteer-driven. Some Cloud access by the state is aimed at getting as much information as possible about individuals suspected of wrongdoing. Other efforts do not start with a particular suspect, but rather with a profile of a hypothetical suspect, purportedly depicting the characteristics of those who have committed or will commit a particular sort of crime. A third type of Cloud-search starts neither with a suspect nor a suspect profile but with an event—usually a crime—and tries to figure out, through location and related information, who might be involved. Fourth, so as to have the information needed for suspect-, profile-, and event-driven operations at the ready, government might initiate data collection programs. Finally, the government also relies on citizens to come forward on their accord when they find incriminating information about another person.
Each of these Cloud-based endeavors are distinct from the other four. Each calls for a different regulatory regime. Below is a sketch of what those regimes might look like. While they borrow from Fourth Amendment jurisprudence, the principles developed here fill a void because, to date, that jurisprudence has had little to say about Cloud searches. Until the Supreme Court weighs in, policymakers are working pretty much on a clean slate in this area.
Read more at: https://constitutioncenter.org/digital-privacy/policing-and-the-cloud
