Supreme Court and Private (Privacy) Property

The U.S. Supreme Court heard oral arguments Nov. 29 in a case that could radically transform not only privacy law and the way we look at the Fourth Amendment, but also could restructure the way cloud providers, IoT companies, data analytics firms and even your doctor, lawyer and accountant keeps their records.

The case is Carpenter v United States, and the court is considering the level of proof the government needs to obtain what are called “historic cell site data,” or generically, to track your location by cell phone. Obviously, one of the big issues here is the right of privacy with respect to location data, how much your location reveals about you, how long the government can track your movements without a warrant and whether the court should impose a higher standard for government retrieval of location data than that of merely obtaining your phone bill (or indeed, whether this should be better left to Congress).

No Party Like a Third Party

But, underlying this whole debate over location data and privacy is a concept first enunciated by the Court decades ago—what is called the “third party doctrine.” Under that doctrine, if you voluntarily entrust your information to a “third party” then you run the risk that the third party will turn that data over to someone else—including the government—either voluntarily or subject to some legal process. Your act of turning those records over to a third party means you have no expectation of privacy in those records, and that you run the risk that they will be further disclosed. As Benjamin Franklin once quipped, “Two may keep a secret, provided one of them is dead.”

Under the third-party doctrine, the government was able to get a stalking/robbery suspects’ phone records which showed that he was calling and stalking his robbery victim for two days, or to get bank or other financial records (including sales receipts, credit card charges) from the bank, merchant or credit card company, again either voluntarily or with a simple subpoena. No warrant necessary. And this happens every day—not just in criminal investigations, but in civil, administrative, divorce … all kinds of cases. In general, if a document exists, it is subject to subpoena.

Party Like it’s 1979

You can learn a lot about someone from records held by third parties. In 1979, when the court firmly established the doctrine, you could get people’s phone bills, medical records, sales receipts, hotel signatures (you used to have to sign in to a hotel), travel records, financial records and even their correspondence (well, at least half of it). Problem is, it’s not 1979 anymore.

In 2017, third parties hold information that is much more detailed, and much more sensitive about individuals. Assuming you are a millennial and use technology a lot, your cell phone or Amazon Echo wakes you up—and a third party has a record of when your alarm went off, and even to what song. Your Google Home, Amazon Echo and Vizio television are all listening to you—at least for the “wake up” word, if not more. Your doorbell is taking pictures, your thermostat is monitoring your movements. Your lights are turned on and off over the internet while your Fitbit is transmitting your pulse, blood pressure and movements to a third party. Your provider knows what TV news you are watching, and what radio station you are streaming.  And all this before you get out of bed. Every electronic conversation you have—by cell phone, chat, instant message, e-mail, jabber, etc., is stored, recorded, transmitted and analyzed by a third party. Which means that all that data is available not just for data mining but for compulsory legal process—subpoena or search warrant.

And it’s only going to get worse—or better, depending on your view of the balance between privacy and utility.

In the future, wearables and implantables will gather even more sensitive data, and data from which even more sensitive information will be gleaned. Eyeglasses or contact lenses will pull data from the web when we meet someone. Using augmented reality, when we meet someone at a party, we won’t have to elbow our spouse in the ribs to ask, “Who is that?” but our contact lens will display their name, their spouse’s name, their kids names and how we know them and when we last met. LinkedIn on steroids. But all of this data will be shared with some third party. Which means it is subpoenable.

Standard of Proof

The short answer for the court in Carpenter is whether the government could get the defendant’s cell location data from MetroPCS with a simple court order, or whether it had to get a search warrant. A search warrant requires probable cause, specificity, and a certain degree of narrowness. It’s a fishing license, but a narrowly tailored one—a pole rather than a net.

More significantly, the court may choose to decide the practical impact of the third party doctrine in its entirely. Do people really know what information they are “voluntarily” providing to third parties, or indeed what third parties they are disclosing them to? Do people really read and understand end user license agreements, software license agreements, privacy policies, terms of use and terms of service?  As Chief Justice Roberts noted at oral argument, “You really don’t have a choice these days if you want to have a cell phone.”

Whose Data is it, Anyway?

Subsumed in the third-party doctrine is the question of “ownership” of data. When you write a check—literally an order to the bank where you have deposited funds ordering them to “pay to the order of …” the payee, a certain number of dollars and no cents, the bank’s record of that transaction is their record of what you told them to do. When you make a phone call, the fact of the call (number dialed, duration, etc.) is the phone company’s record of how you used their service. Same with e-mail routing (non-content) information.

When you store your files at Iron Mountain or the local U-Haul self-storage, the contract you sign or the video surveillance logs are the records of the company, but the data, files or whatever you actually store are yours. The government could no more subpoena the contents of your boxes or storage locker from the company (though they could get a search warrant for them) than they could compel your landlord to search through your bedroom and produce the pot you hid in the third drawer from the top, waaaaay in the back. Some data is yours, stored with a third party, some data is that of the third party.

And some is mixed.  And that’s the problem.

Privacy as Property – and Vice Versa

During oral arguments, the newest justice, Gorsuch, raised an interesting point. He asked whether Carpenter, the user of the cell phones whose location data was collected by MetroPCS and turned over to the police, had a property interest in the data created by, stored by and transmitted by the cell carrier. Gorsuch noted, “[f]ocusing on the property-based approach, … what do we know about what state law would say about this information? So say—say a thief broke into T-Mobile, stole this information and sought to make economic value of it. Would you have a conversion—would your client have a conversion claim, for example, under state law?” If information is “property” and the data subject has a property right to information (irrespective of who creates it or who “owns” it) then the “taking” of that information might be a “conversion” (the tort of taking property for one’s own use) and might implicate the Fourth Amendment’s right to be secure in one’s “person, places, houses and effects against unreasonable searches and seizures.”

It’s not the first time the court has used the concept of private property to protect location privacy. In a previous case called U.S. v. Jones, the government placed a GPS tracker on a suspect’s car without a warrant. The court found the physical act of placing the tracker on the car to interfere with the car owner’s property rights with respect to the car, but expressed no binding opinion on the privacy rights of the car owner.

A Bundle of Rights

So, is privacy a property right? If some third party creates, collects, and stores personal data about you, do you have a right to control that data, even if you don’t “own” it?

It’s not as silly a thought as you might think. When we think of “property” we tend to think of physical things—land, cars, furniture or even ephemeral things such as intellectual property, copyrights,  trade secrets, patents, etc. We can even have a property right in the air above us, the ground below us, and the sunlight that shines on us. In fact, “property” is whatever a government is willing to enforce. In the copyright arena, the rights of the copyright holder are referred to as a “bundle of rights”—like a bundle of sticks. A right to possess, a right to exclude others from possessing, a right to use, a right to copy, a right to destroy, etc.

That’s not how we typically think of privacy. Privacy—particularly “information” privacy—is though of more as a kind of use limitation. Information collected for one purpose should be used for that purpose exclusively. We “give up” our data to an entity in order to get a specific benefit. When that data is collected without knowledge or consent, or used in ways that exceed the express or implied consent, we feel that our privacy has been violated.

Common-law privacy was, in the words of Oliver Wendell Holmes, “The right to be left alone.” Information privacy is the right of our data to be left alone.

If we think of privacy as a “property” right of the data subject, then that right has value. Violations of that right subject the one who violates it to actual monetary damages—for the violation alone. The loss of privacy (property) is the harm itself. You don’t have to show that you were denied employment, suffered ridicule or suffered emotional distress to obtain damages. The loss of the “property” which is privacy is sufficient.

Valuing of (and valuation of) privacy also means that companies that collect, store, transmit, analyze and use private data will now be able to put a price on that data. The data certainly has value to them. They slice and dice it, analyze it, collate it, sift and filter, aggregate and scrutinize it. But if that data is “breached” or used improperly, they contend (and courts mostly agree) that there’s no real harm to the data subject.

What justice Gorsuch was hinting at—and only very slightly—is that a data subject retains an interest in the data collected about them. They retain an interest in its protection, its use and its—well, privacy. And maybe that privacy interest is a property interest.  If so, it’s a game changer for data privacy, data security and the Fourth Amendment itself.

Sponsored Content
Upcoming Webinar
Your Resolution for 2018: Five Principles For Securing DevOps

Your Resolution for 2018: Five Principles For Securing DevOps

Organizations in today’s market must strike a balance between competitive differentiation and meeting evolving compliance standards-particularly related to software security. They need to obtain faster release and deployment cycles, improved collaboration between business stakeholders and application development and operations teams, and automation tools. DevOps, an innovative organizational and cultural way ... Read More
January 18, 2018
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 8 posts and counting.See all posts by mark