PRIVACY + SECURITY BLOG

News, Developments, and Insights

The U.S. Supreme Court has been notoriously slow to tackle new technology. In 2002, Blackberry launched its first smart phone. On June 29, 2007, Steve Jobs announced the launch of the original Apple iPhone. But it took the Supreme Court until 2014 to decide a case involving the Fourth Amendment and smart phones – Riley v. California, 134 S.Ct. 2473 (2014). This past summer, the Supreme Court issued another opinion involving smart phones – Carpenter vs. United States, 138 S.Ct. 2206 (2018).

I am thrilled to have had the opportunity to interview Bart Huffman, a partner in Reed Smith’s global IP, Tech & Data Group, about the Supreme Court’s recent foray into smart phones.

Bart has a systems engineering background and experience in privacy and information security matters that spans the modern history of the practice area. Bart is co-chair of the planning committee of the University of Texas Technology Law Conference (now in its 32nd year). He has served as a visiting fellow of the Center for Information Technology at Princeton University, and he is currently an adjunct professor, teaching Privacy: Personal Data Under US and EU Law, at the University of Texas School of Law. He holds a J.D. from the University of Texas and a B.S.E. from Princeton University in Civil Engineering & Operations Research with a Certificate in Engineering and Management Systems.

SOLOVE: The U.S Supreme Court has recently decided two important cases involving the Fourth Amendment and cell phones. Why are these cases significant? 

HUFFMAN: The two cases are Riley v. California, 134 S.Ct. 2473 (2014) and Carpenter vs. United States, 138 S.Ct. 2206 (2018). In both cases, the Court found that a warrant was required to search cell phone data. Riley involved data accessible on a phone seized “incident to an arrest,” and Carpenter involved subpoenas issued to wireless carriers for cell site location information (“CSLI”) concerning a suspect’s phone.

From a privacy perspective, these cases address the application of Constitutional law to the signature device of today’s information technology. Today’s mobile “phones” are mobile computers — far more powerful than most desktop computers of a decade or so ago. They are equipped with cameras, a microphone, GPS receivers and other geolocational tools, and various, sophisticated sensors, and they are continuously connected to a global cellular network. We use them for communications, work, travel, news, entertainment, socializing, content storage, and commerce. We carry them with us wherever we go (as stated in Riley, cell phones are “now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy”). From a law enforcement perspective, it is hard to imagine a better surveillance device and source of evidence.

But, as explained by Chief Justice Roberts writing for a unanimous Court in Riley, society cannot freely make use of all of that data consistent with established principles and traditions: “Privacy comes at a cost.” Pointing to the quantity, different types, and temporal reach of the data on a smart phone (and the invasive power of the use of that data in combination), the Court in Riley correctly observed that the digital evidence on smartphones is not like other objects. So the Court reverted to a “legitimate interests” analysis (that would be familiar to those who have worked with the GDPR) and determined that the government’s interests did not justify the far more substantial invasion of privacy interests involved.

More recently, in Carpenter, the Court was required to address locational data in the possession of third-party wireless carriers generated by individuals’ cell phones (for one individual, pinpointing approximately 12,000 locations over approximately 100 days). The case raised issues highlighted several years ago in a concurrence written by Justice Sotomayor in United States v. Jones, 132 S. Ct. 945 (2012). Although Jones involved a physical GPS tracking device placed on a physical vehicle (which was easily addressed under a trespass theory), Justice Sotomayor observed that, at some point, the ready availability of voluminous, intimate information could have an effect on individuals’ relationship with the government that is “inimical to democratic society.” With due regard for the Fourth Amendment’s purposes of curbing the arbitrary exercise of police power and limiting the comprehensive reach of police surveillance, Justice Sotomayor noted that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”

That was the issue in Carpenter – can the automatically generated, comprehensive, precise location data that is collected and maintained by third-party wireless carriers be obtained by the government without a showing of probable cause. The test is “reasonableness” (as it must be, given that the Fourth Amendment prohibits “unreasonable searches and seizures”). So the Court essentially found it “unreasonable” that a continuous stream of personal data generated by a mobile phone should be available to the government without a warrant, despite the fact that the data has already been disclosed to third-party wireless carriers? By extension, what about Internet search queries or purchase transaction histories that are “disclosed” to web browsers or payment service providers?

Riley and Carpenter are milestone instances of the Supreme Court applying historical principles to contemporary information technology. Riley says that smart phones are special, sophisticated tools that can be extraordinarily revealing of private details given how they are used by people today. Carpenter says that just because a private third party receives a vast amount of detailed information about the user of a smart phone does not mean that the government can obtain it from that third party with a mere subpoena.

SOLOVE: Is Carpenter a turning point in Fourth Amendment jurisprudence? Did the Court get it right? Or does the Court have more work to do in grappling with these issues?

HUFFMAN: Carpenter is likely a turning point, although there is certainly work to be done. Comparable to the Riley holding, the Carpenter majority hangs its hat on the fact that CSLI is just special – “deeply revealing” data with “depth, breadth and comprehensive reach” that is “inescapabl[y] and automatic[ally]” collected. The Court understands that the mechanical application of old rules to modern technology would lead to the wrong result. But the Court struggles with how to incorporate the dominating characteristics of today’s information technology within the doctrines of Constitutional law. The dissents in Carpenter would try to do so, effectively saying “if you use technology and share your data, that is your choice, and the government can get at it without probable cause,” in one opinion, or “if you still have something akin to a property interest in the data, it may be protected by the Fourth Amendment even if a third party possess it,” in the other. As a guiding principle in today’s world, the former seems inconsistent with “reasonableness,” and the latter seems to leave too much to factors such as industry-specific laws or product-specific terms of use.

SOLOVE: In what ways must the Court’s approach to the Fourth Amendment change in light of modern technology?

HUFFMAN: There is only so much that can be expected of the judicial branch in fashioning information barriers when digital data is readily available that evidences everything we do. As we increasingly become a society where use of information technology is not really a choice, and where data generation, distribution, and storage are not really controllable or understood, it is going to become increasingly difficult for judges to make privacy-based decisions based on historical statutes and precedent.

Justice Sotomayor “would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.” Presumably, most people would say “no”, but increasingly it seems likely that people who are overwhelmed by data and unaware of any clear boundaries would say “yes, unfortunately I would expect that.” It may get even more difficult to discern a “reasonable expectation of privacy” as technology continues to advance.

Naturally, Fourth Amendment law should align with privacy interests, including the right to be let alone and societal desires to permit non-perfect behavior and to promote freedoms of expression and association. We want the law to adapt to modern technology in a way that recognizes these interests while maintaining a reasonably fair playing field between the government and criminals. We want people to understand what the boundaries are and why they have been set.

SOLOVE: What would be your recommendations for policy in this area?

HUFFMAN: In the absence of clear direction from applicable precedent, courts are going to continue to have to make difficult decisions about values and privacy interests, from a variety of perspectives. As Justice Gorsuch stated in his Carpenter dissent:

Deciding what privacy interests should be recognized often calls for a pure policy choice, many times between incommensurable goods – between the value of privacy in a particular setting and society’s interest in combating crime. Answering questions like that calls for the exercise of raw political will belonging to legislatures, not the legal judgment proper to courts.

There is good sense in that. The courts can draw boundaries based on fundamental rights and established legal principles, but when it comes to the implications of ubiquitous mobile phone technology, Big Data, or the Internet of Things, the issues raised beg for policy development outside the facts of any single case.

People do not want to be continuously tracked, yet they enthusiastically embrace the benefits of the contextual use of comprehensive data. The public also cherishes safety, but as the UK has learned from the European Court of Human Rights (and as the U.S. has learned from the court of public opinion), public safety does not justify indiscriminate mass surveillance. There is more data than one could have imagined, and a search engine can find the most relevant “nugget” from all that data in less than a second. In the context of government access to third-party data, legal limits could result in the government having far less access to data about individuals than the private sector has, which may not always be the correct result.

For guidance, the United States’ Fourth Amendment prohibits “unreasonable” intrusions; the United Nation’s Universal Declaration of Human Rights prohibits “arbitrary interference” with privacy rights. The European Union has been the thought leader in modern data protection laws that recognize fundamental privacy principles.

It seems inevitable that the U.S. will also eventually pass comprehensive laws that embrace generally accepted privacy principles. Those principles – minimization, proportionality, transparency, technical and organizational protections, etc. – along with the historical objectives of Fourth Amendment doctrine, should direct policy development. Ultimately, the interests of the government (and the public it serves) must be balanced with the impact on societal values and data subjects’ rights. Policymakers should be selected from multiple disciplines as appropriate to assess factors such as the practical implications to law enforcement of requiring a warrant (or other procedural requirements), the availability of alternative methods for obtaining evidence, and the effectiveness of any privacy-protective measures.

Where digital data and modern technology are concerned, deference to laws developed consistent with modern data-protection policy work (of which the Stored Communications Act is not a good example) will almost certainly be more useful – and understandable – than ongoing attempts to apply historical legal doctrines developed in the context of physical data and arrests.

SOLOVE: Thanks, Bart, for your thoughtful answers. If you want to read more of Bart’s thoughts on these issues, check out his post on Princeton’s Center for Information Technology blog, Freedom to Tinker: “Privacy Comes at a Cost” – The U.S. Supreme Court’s Opinion in Riley v. California.

Additionally, Bart will be speaking at my upcoming Privacy+Security Forum at a session called Cyber Extortion: Doing Business with Crooks.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event designed for seasoned professionals. 

This post was originally posted on LinkedIn.

NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.

The Privacy+Security Forum
(Oct 3-5, 2018 in DC)


GDPR and Privacy Awareness
Training by Prof. Solove

Click here to see our new course catalog.