How Do We Draw a Privacy Line? As they hope for guidance from an upcoming Supreme Court decision, five interested observers discuss how hard it is to answer that question

Thursday, September 28, 2017 - 12:12

In June, the U.S. Supreme Court agreed to review Carpenter v. U.S., which concerns warrantless access to cellphone location records. This thrusts the high court smack into the murky intersection of digital evidence and the Fourth Amendment. Add in the different standards for disclosure of electronic communications held by third-party internet service providers under the Stored Communications Act, and you have a recipe for controversy and confusion. In the discussion below, our participants confront these and related issues from a variety of vantages: Sonya Judkins, manager of electronic discovery and compliance with Sprint; U.S. Magistrate Judge David Waxse from the U.S. district court in Kansas City, Kansas, a highly experienced judicial “maverick” on ESI searches; Don Myers, a Littler Mendelson shareholder and member of the firm’s e-discovery group; Dan Regard, a programmer and lawyer who is CEO of iDiscovery Solutions; and Hunter McMahon, director of data analytics for iDiscovery Solutions. Their remarks have been edited for length and style.

 

The Fourth Amendment to the U.S. Constitution protects “persons, houses, papers and effects” from unreasonable searches and seizures. How would this definition work in a digital world where devices communicate and interact with the world around them, or does the definition need to change?

David Waxse: The definition doesn’t need to change. Rather, we need more opinions explaining it because clearly it has to cover any information that appears to have a right of privacy. It’s not a question of how you define the information. It’s a question of whether you have an expectation of privacy regarding that information.

Dan Regard: I agree the definition does not need to change. We have jurisprudence already expanding the definition to include items such as electronic data. We do, however, need to rethink how we apply the Fourth Amendment in light of the evolution of technology.

Sonya Judkins: I concur completely.

Don Myers: The Constitution and its amendments weren’t written on a computer. They were written on parchment. Technology will keep changing. I agree with Judge Waxse and Dan that we need to keep thinking about those definitions and what they include because whatever technology we have today is probably going to be different tomorrow.

Hunter McMahon: I agree that the definition doesn’t necessarily need to change, but how we interpret the definition does, as does how individuals define what the expectation of privacy is. Where we have that expectation has changed, but the expectation itself has endured.

Waxse: Another way of looking at this is that when they wrote the Fourth Amendment,  they weren’t talking about protecting persons, houses, papers and effects. They were talking about protecting the privacy of individuals in those kinds of things. I think if we focus on privacy and not definitions of what is in the actual amendment, we’ll be better off.

How is probable cause under the Fourth Amendment different from reasonable grounds under the Stored Communications Act?

Regard: On the face of it, they have different definitions. Probable cause from a criminal law perspective poses a much higher standard; the other standard is much lower. That’s one of the concerns between the Fourth Amendment and the Stored Communications Act.

Waxse: Clearly, reasonable grounds was intended to be a lower standard than probable cause. That said, we need better definitions of both. I see opinions where I’m not sure how they got from one to the other.

Judkins: I think there’s a difference, as Dan was saying, as far as what the words reasonable and probable mean to me as a non-lawyer. I’m just trying to understand them. We could definitely use additional descriptions to clarify the difference.If you’re a non-lawyer on the receiving end of a subpoena, it’s hard, as Judge Waxse said, to understand what’s required. The more we discuss these meanings and provide examples, the further we will go toward clearing up confusion.

McMahon: Your Honor, do you think perhaps the lower standard under the Stored Communications Act was because of the original limitations allowed under that lower standard, as opposed to the difference between content and non-content, if you follow my logic?

Waxse: I try to avoid figuring out what Congress actually meant. It would be better if they attempted to more clearly define reasonable grounds because there are some opinions now that make it clear that, depending on the circumstances, it shouldn’t be a lesser standard.

Who might satisfy the definition of provider of electronic communication service or remote computing service under the Stored Communications Act?

Judkins: Speaking for myself, not on behalf of Sprint, I would definitely say that third parties can provide information. The point not usually taken, a point I don’t see in the act, is what this does to the provider. I’m often subpoenaed for documents from years and years ago. These requests don’t take into account what it does to the business – the costs and infrastructure required to retain these records. Providers such as me and companies such as mine can provide the information, but there’s a question about what we should have to provide and under what time frames and limitations, because that affects the business. I have a different opinion than many others, since I’m the one being asked to turn over the records.

Regard: It is written so broadly, and we’ve adopted cloud computing so widely around the world, that this could apply to almost any company that provides computing services to smartphone and computer users. Some portion of most telephone calls involves IP telephony. Very rarely do we see straight wire-to-wire communications from point A to point B. With respect to remote computing services, that sweeps in providers of email, text messaging, video, photography and almost any other internet-based service such as a game or health app or mapping app. It’s so universal that the question could be restructured as who doesn’t fall under this definition.

Waxse: One way of looking at it is how entities are labeled. Do they have information in electronic form? If they do, then they should fit under the statute.

Most internet of things (IoT) devices track and store more information than the user realizes. For example, in one recent case Fitbit tracking data was used to discredit a suspect’s account of his whereabouts at the time of a murder. In another case, a charge of arson and insurance fraud was brought based on heart rate data uploaded from the suspect’s pacemaker. Should a line be drawn regarding devices or types of data that should be subject to search and seizure? Where would you draw it?

McMahon: What data is getting stored is different from what data might be subject to search. The next delineation would be how the parties obtain the information. The discussion is not whether or not you can get to the information, such as heart rate data or GPS tracking. The question is whether it’s through the Stored Communications Act or a warrant. That’s the line we have to worry about. What burden does the government need to meet to obtain that information? And, on a closely related issue, what is the expectation of the citizen?

Regard: I agree that these devices may track and store more information than we realize. I don’t necessarily think, however, that those are the best examples. Most people would believe that a Fitbit tracks your whereabouts, and most people would believe that a pacemaker tracks your heart rate and could be interpreted to show excitement or passivity. What concerns me is when it tracks something you may not be aware of.

For example, most people do not know that their iPhone has a barometer. There’s no application native to the iPhone that shows you the barometer setting, but you can download one. That barometer is so precise, we can calculate when you’ve changed floors in a building. Over time, we can extrapolate whether you changed floors using the stairs, an elevator or an escalator. That’s information you might not have known was being captured. My company sees this quite often in dealing with historical information for investigations, civil litigation and government regulatory investigations.

Going forward, outside the context of civil litigation, where there are checks and balances through the discovery process, and protective orders or motions to compel, there absolutely should be better definitions around what is subject to the Stored Communications Act or any other methods that don’t have the level of scrutiny that the Fourth Amendment requires for a warrant.

Waxse: Again, one of the important issues is not how we define these devices, but what device is recording or storing. You’re protecting that information, not the mechanism for getting that information. I was shocked last night when our neighbor had his music on too loud. My wife knew that you could get a decibel measurement through your phone. She got the reading, checked the city’s website, and discovered he was in violation. The information is now on her phone about my poor neighbor’s violation of the law.

Judkins: Devices and their capabilities are going to change at a rapid pace. The source of the information, what we’re trying to track, is definitely what we need to follow. Whether it’s a Fitbit or an Xbox, you need to figure out where the information is.

As someone responsible for transferring that information, when we connect people via cell phones or other devices, we’re making a connection so that they can pass on the information. The information around that information, such as co-location sites or whatever we’re tracking, is for me, as a corporate insider, tracked to perform a service to the business. Yet government and law enforcement is entitled to that if they meet a standard. I think that’s reasonable. I just don’t know how long it should be available. I can’t be tracking that for 10 years for one person. That’s unreasonable. Again, we need to put some definitions around the information that we’re trying to get and why we need it. It’s not unreasonable to think that we should be able to provide that.

Myers: Should there be a line? It’s difficult to draw lines when the technology is changing so rapidly. Someday soon there may not be any facts in dispute because the technology is going to show them. If I’m going to rob a bank, my potential defense is, “I wasn’t there.” You could look at the GPS on my car. You could look at my Fitbit. You could look at my smartphone and see GPS data there.

Regard: That is the Carpenter case. You put your finger right on it. It’s important to recognize that the nature of the problem has changed. There was a time when this information wasn’t recorded and we could talk about whether you are entitled to record and examine it. Now that it is recorded, we should expand the conversation. We could take some direction from Europe on this issue. The European model focuses very strongly on the legitimate purpose for the use of data and whether it exceeds the consent granted by the user. We’re not talking about a civil context. We’re talking about a government context, and often a criminal context under the Fourth Amendment. It’s time for us to address usage and applicability rather than existence and non-existence.

McMahon: Doesn’t it go one step further? It’s not just the data and the usage of it, but the ability to analyze the data. Even if the data was recorded five, 10, 20, 30 years ago, the ability to use the data has changed.

Regard: There’s no question. We have at least four major vector problems with the data that we see today. One is that companies are recording this information out of a well-founded belief that information is an asset, even if they don’t know how to use the asset yet. When a law enforcement agency uses the Stored Communications Act to acquire data legitimately that goes back months, years or more, it’s available even if the law enforcement agency had no intent a year ago or a decade ago to check my information. That’s very different.

The second is the volume issue. Almost any data in sufficient volume ultimately will disclose patterns of very sensitive information such as religious preferences, sexual preferences, gender issues. This is especially true for location information.

The third vector is that we can now do exhaustive analysis with artificial intelligence and neuro-network algorithms that allow us to try an endless permutation of patterns and possibilities until something useful emerges. That far exceeds a human’s ability to detect those patterns.

Finally, we can combine two or more sets of data and develop a resonance that you would never see in a single set. When you have that data, the degree and granularity of insight it gives into the activities of employees is unprecedented.

Waxse: I think again we need to focus on the reason we’re concerned about this. The primary reason is to protect individual privacy. If you go back to that basic question – is this something that should be protected? – that’s where the line is.

What is a reasonable expectation of privacy?

Waxse: I don’t think it’s possible to come up with an objective definition. A reasonable expectation of privacy is what the court that’s reviewing it says it is. It’s a multifactor analysis. No definition will allow us to see, for this particular information, which side of the privacy line it is on.

One of the scary things I see when looking at the big picture is that more and more people don’t have any idea about a reasonable expectation of privacy. You see teenagers sexting and putting things on the internet you couldn’t imagine them being willing to give up their privacy on. It’s clear that it’s a changing definition. Let’s hope we can figure out how to protect the concept of privacy.

Regard: It definitely is changing. At conferences and in think tanks we analogize it to a spectrum or gauge that vacillates between cool and creepy. Technology is cool. It helps us. It tells us what we want to know until it becomes creepy. That seems to be the ever-moving line between what is reasonable and what is not reasonable.

Technology companies, in their quest, which I’m thankful for, to provide better services and tools and capabilities, are constantly nudging that line between what would be helpful for the consumer and what would be intrusive and big brotheresque. Many of us have had the experience of waking up and our iPhone tells us it’s going to take a little longer to get to work this morning. You wonder how it knows where my work is, and why it thinks I’m going to work. It’s calculated the day of the week and your patterns and the route you usually take. It’s creepy, and then we get cool with it. We come to expect it, and our meter has moved.

McMahon: Dan is right that our expectations of privacy have changed. We know that certain things are recorded. We know that your smart TV knows what shows you like and Netflix knows what movies you want to watch. We understand that and we appreciate it. But having the government or somebody else come in and search and seize that information without my knowledge, or without probable cause, is a new level of consideration. I think there’s a distinction between me using that for my own convenience within my home versus somebody else coming in and getting that information about me.

Judkins: I completely agree. As a consumer, if I opt in and know that my Beats earphones are recording what music stations I’m listening to so I can get more music like this, that’s helpful from a consumer perspective. What I struggle with is the government or any other agency telling me, “Hey, we expect you to do such and such because that’s your pattern.” What if I change? What if I got a new job? What if my life shifted and I’m taking care of an elderly parent and I have to wash twice as much? People expect to have some privacy in their personal life. When someone from the outside is looking in at you, that’s when it becomes creepy to me. That’s my yuck factor.

On the business side, my company protects the privacy of our consumers and the people that are supporting us, such as our shareholders. It’s all in the art of disclosure. If I know I’m assigning or approving something, that’s one thing. But that line is gray sometimes.

Myers: As someone said earlier, people may not even be aware of what data is being tracked about them. You might have your own reasonable expectation of privacy, but if you don’t even know what’s being tracked, your definition might change when you get to that creepy factor. Why are they keeping all of this information on me? What would happen if it got out? People may have a sense of what that reasonable expectation of privacy is, but if they don’t know the extent of what is going on, it may change the more they learn.

Regard: Even when people do know what is being recorded, they don’t understand the full impact of what analysis of that data can reveal. My concern is that it’s not just about knowing, it’s fully appreciating the impact.

Judge Waxse: There are two realms of privacy. One regards the government, where you get into the constitutional or statutory issues. The other regards an individual’s interaction with other individuals. Generally, that’s protected by statutes or provisions allowing you to sue the individual who has disclosed your private information. These are separate worlds that don’t actually work the same way, but we have to be aware of both.

Considering the level of data synchronization through cloud providers, which enables a standard user experience from device to device, are cloud storage providers housing cached copies of private user data fair game for law enforcement requests?

Waxse: The easy answer is yes. They’re fair game as long as they comply with the Constitution and the statutes.

Judkins: I agree.

Regard: I don’t think people understand that when they are personally in control of their data the legal standard for the government to get that data is different than when you give that data to a third party. You lose a level of control as you gain a level of utility and functionality. They can go straight to that third party, and the standard can be very different. You may not even be told that they are requesting that data.

Waxse: To go back to Carpenter, it may be the Supreme Court will give us a better understanding of what protections are there or aren’t there.

Regard: And maybe technology will solve some of these problems. There are companies promoting that they can synchronize your data between multiple devices, but the data en route is fully encrypted and they don’t have the keys to unencrypt it. It’s available, but it’s not readable to anyone else. That’s a privacy solution. I don’t know that it satisfies all the government’s interest. There’s an argument on the other side that there are times when we want the government to have access to information. We just want to make sure that it’s a protected and considered access.

What, if any, potential spoliation or preservation issues do you see arising in today’s increasingly connected world?

Judkins: In my role at Sprint, I am responsible for issuing preservation orders and legal holds to thousands of people working for our company. It is difficult at times issuing an order and actually preserving data and having possession of it. It continues to become increasingly difficult because we are so connected. Like most companies, at Sprint we have multiple third-party providers with whom we collaborate. I’m issuing out holds for hundreds of people and they all have different devices. They’re all working different hours. Some are remote. Some are international. A whole different set of laws and privacy regulations may apply. For businesses, it’s getting harder, not easier. There’s no easy button, as some government agencies may think, no matter how big or small you are. The bigger you are doesn’t mean it’s easier. At a large company like ours, it makes it more complicated. That’s my opinion.

Regard: The layers of software and service providers and tools involved in transmitting a message from one person to another have increased exponentially. The idea of exactly where the data traveled, exactly which systems were involved, exactly where one could freeze or capture the information is increasingly complicated. That is one of the things that we do on a regular basis. We try to help companies, in an area that we’ve created that we call “application forensics,” understand how the data gets from point A to point B and what the costs and burdens are of preserving or even collecting that information.

Myers: Ask one question and you might get many answers as you learn about systems and everything that touches the data. Sometimes in the time it takes to understand everything, information is disappearing as you’re trying to learn about it to take appropriate steps for preservation. The more data and more systems involved, the more complex it gets.

McMahon: The complexity and the timeliness also can change over time with data validation. You need to be able to say, “The data we see today was the data of three years ago or five years ago.” We know the data models are the same. We know how the data and the points that the data reference are the same. We forget at times that these business applications are built for client use and satisfaction, not to respond to litigation. Their paper trail, if you will, may not be pristine. Making sure that the data reconciles to a point in time in the past is increasingly complicated.

Judkins: I agree 100 percent. I do that every day – trying to track things from six years ago where you have legacy systems or you’ve merged and your partner brought in their old systems. It’s very difficult to pinpoint. It’s very difficult to get a request to find a document regarding an event 10 years ago. Sometimes the people are gone. Sometimes we have the systems, maybe on backup tape, but nobody knows how to run it because it hasn’t been used for so long. People don’t take into account how hard it is to actually preserve and access information.

Waxse: Another issue we haven’t discussed in regard to spoliation or preservation is the need to get rid of data that isn’t needed. It compounds these problems if your normal method of operation is to save everything. If you have a good information management protocol so you aren’t saving data you don’t need in the future, it diminishes this problem.

Assume SCOTUS determines it’s not a search and or doesn’t require a search warrant. What options will consumers have to avoid such surveillance?

Regard: There are some extreme actions one could take such as opting out of participation in the electronic community, although I don’t think that’s very practical. Since that’s not an option, encryption and other techniques may help minimize the amount of information that’s accessible even as we’re increasing the number of devices we have.

McMahon: I think that’s right, Dan. There are steps we can take to minimize the information. If we are following encryption protocols, we can mask it. There are certain things that, if you are on the grid, are simply going to be tracked, like the towers in which my cell phone pings, what WiFi I’m on. There are many elements that I cannot avoid if I’m connected at all. That element is where we need to look from an expectation of privacy standpoint.

Judkins: To take that a step further, when you turn on your cellphone, you want service. To make that happen, it has to connect. For my corporation to provide the service, it has to be on and we have to do certain things. We don’t know when you’re going to make a call. We don’t know when you want to send a text. We provide that service in advance so that when you do turn it on that stuff is there for you. You can encrypt things and take other steps, but at some point, as Dan said, if you’re on the grid, you’re going to be tracked. It has to be that way for the service to happen.

Myers: There’s nothing you can do short of moving into a cave or the woods and shunning everything. You’re going to leave a footprint. You just can’t avoid it, can you?

McMahon: I don’t think so. If you are communicating with anybody beyond post-it notes in your house, you’re going to be tracked somehow.

Regard: We don’t track ourselves. We have dashboard cams and traffic cams and other things that will track you for you.

Waxse: Even if you go to the woods and don’t have any of your electronic equipment, some satellite is photographing whatever you’re doing in the woods.

Please weigh in on Carpenter and where you think the Supreme Court will go with it.

Regard: I don’t think it’s clear. In U.S. v. Jones, the Supreme Court said that attaching a GPS device without a warrant was a step too far. Then, we have Carpenter v. U.S. asking whether or not the U.S. should be able to track location using a man’s cellphone. The cellphone definitely has location information, but they were only taking the information when he made specific phone calls. I don’t think it’s crystal clear. If they went after his GPS location whether he made a phone call or not, I think it’d be much more equivalent to a GPS device. In that case, I think that the Supreme Court would have required a warrant. From a technology and legal perspective, I certainly think that the court should deny this. Whether they deny it or approve it, however, they should give some clear guidelines so we have a framework to analyze similar situations in the future.

Waxse: I have no idea where they’re going to end up. Where I hope they end up is with a focus on privacy and not on the methods being used to either get through your privacy concerns or to better protect your privacy. If we could get more focus on the purpose of these protections, we might get better opinions and decisions.

Judkins: I agree. The privacy and the expectation of privacy need some clarification.

Myers: I don’t know where the court is going to go, but if we could get some definitions or clear guidelines, that would be very helpful.

McMahon: I’ll echo what everyone else has said. An explanation or framework around how an expectation is given or obtained is needed. We need the ability to traverse different technologies and not just this technology or this situation. As technology changes, we don’t want to have to continuously redefine things. We’d rather analyze it within a framework so that we understand what the expectation of privacy is and understand the standards that need to be followed.