The Kindness of Strangers – Supreme Court and Privacy for Third Parties
A trio of U.S. Supreme Court cases – on topics like cell phone records, rental cars, and overseas storage of Hotmail accounts may change how the Internet is configured and how IoT, cloud and outsourcing agreements are effectuated in the future. What all of these cases have in common is the disconnect between the individual about whom data is collected, and the entity that collects that data. This disconnect – which is ubiquitous in the Internet era – means that the data collected by IoT devices, transmitted over commercial networks, and stored by virtually every company or cloud service may not be entitled to the same legal protections that the same data would be entitled to if the data subject held that data on their own.
At first glance, the three cases have nothing to do with each other, and have nothing to do with the Internet. The first case, Carpenter v. United States, http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/ involves the standard of proof necessary for the government to obtain access to what is called “historical cell site data” – a shorthand for having the phone company track your location. The lower court ruled that to get a “tower dump” which includes the location of either all users or to track where an individual user was in the past, the government needed only a court order – not a formal search warrant supported by probable cause and specifying exactly what to seize – in order to turn your cell phone into a government tracking device. One of the reasons the government asserts that no warrant is necessary to track your movements using your phone is that the cell tower records are the records of the cell tower owner – the phone company – not you. While they are records ABOUT you, they aren’t your records. Thus, you have voluntarily abandoned your privacy rights when you chose to share your location with the phone company, just as you have voluntarily abandonded your privacy rights when you share your location with Google Maps, your reading preferences with Amazon, your porn viewing preferences with your ISP and whomever. The case illustrates the problem with what is called the “third party” doctrine in the modern Internet age – the fact that virtually everything about you, from what time you wake up in the morning, your music preferences, when you leave the house, what you eat, how you sleep, your exercise patterns, your commnications – everything is being collected by an app, transmitted over a network and stored and used by some third party. Thus, you have either no or at least a diminished expectation of privacy because its not YOUR data – its their data about you.
The second case http://www.scotusblog.com/case-files/cases/united-states-v-microsoft-corp/ deals with the confidentiality – and the location of electronic mail, again with respect to the “third party doctrine.” When you send or receive email, it is typically stored and transmitted through various third parties, ISP’s, mail providers, servers, etc. In fact, the decentralized nature of the Internet is such that even if you set up and maintain a private email server (and that worked so well for HRC), unless you create a virtual point to point communications network with all the authentication and security that this entails, you are trusting your communications to some third party. End-to-end encryption does nothing to prevent interception of the communication while it travels through some third party network, server, router or application although it may prevent the intercepted communication from being useful to the intercepted party. By its nature, communications on the Internet have always been dependent on the kindness of strangers. The Supreme Court will be deciding whether Eurporean users of a Hotmail account are subject to having their emails intercepted and read with a U.S. search warrant in the United States (even though the communications are both made and stored outside the US) simply because the corporation that provides the services is a U.S. corporation. Here again, it’s important to distinguish between Microsoft being forced to turn over ITS records to the U.S. government (say, corporate documents, tax filings, etc.) wherever it may keep them because they are a U.S. company or to turn over its records to Bulgaria because it has an office in Sophia, and them being amenable to a search warrant in Redmond, Washington for YOUR records in Dublin, Ireland simply because IT – not you – are in Washington State. Effectively, everything you do online could be compelled to be produced by the most despotic and autocratic regime if any company that you deal with does business with, or has a bank account in, or has any contact with that despotic regime. Again, by “trusting” your data to a third party, your rights are delegated to whatever rights they may have, and if they can be compelled to produce your records, you are out of luck. Of course, this “problem” – to the extent that it is a problem – can be mitigated by having the emails that Hotmail stores encrypted with a key that only you hold – end to end encryption, but let’s face it, most people are simply too lazy to do this. So we can see how changes in the law will necessitate and facilitate changes in security.
The modern internet contains a series of dependent relationships – ISP’s, e-mail providers, cloud providers, app developers, content providers, cloud services, and hundreds of others. Data about us travels from place to place, entity to entity, person to person. The Internet mostly cares not about geography or even the technology – data travels, mostly through third parties. Limiting individuals’ rights to the data they personally create and store on their own computers at their own location seems to miss the point of privacy. An individuals’ privacy interest (if not their right) travels with the private data – and doesn’t stop either at the border or at the ownership of the container through which it travels. What the Supreme Court does in the next few months may determine whether privacy rights will depend on how data is transmitted, rather than on what kind of information it is. We wait with baited breath.