The Kindness of Strangers – Supreme Court and Privacy for Third Parties

A trio of U.S. Supreme Court cases – on topics like cell phone records, rental cars, and overseas storage of Hotmail accounts – may change how the Internet is configured and how IoT, cloud and outsourcing agreements are effectuated in the future. What all of these cases have in common is the disconnect between the individual about whom data is collected and the entity that collects that data. This disconnect – which is ubiquitous in the Internet era – means that the data collected by IoT devices, transmitted over commercial networks, and stored by virtually every company or cloud service may not be entitled to the same legal protections that the same data would be entitled to if the data subject held that data on their own.
At first glance, the three cases have nothing to do with each other, and have nothing to do with the Internet. The first case, Carpenter v. United States, involves the standard of proof necessary for the government to obtain access to what is called “historical cell site data” – a shorthand for having the phone company track your location. The lower court ruled that to get a “tower dump,” which includes the location of all users, or to track where an individual user was in the past, the government needed only a court order – not a formal search warrant supported by probable cause and specifying exactly what to seize – in order to turn your cell phone into a government tracking device. One of the reasons the government asserts that no warrant is necessary to track your movements using your phone is that the cell tower records are the records of the cell tower owner – the phone company – not you. While they are records ABOUT you, they aren’t your records. Thus, you have voluntarily abandoned your privacy rights when you chose to share your location with the phone company, just as you have voluntarily abandoned your privacy rights when you share your location with Google Maps, your reading preferences with Amazon, your porn viewing preferences with your ISP and whomever. The case illustrates the problem with what is called the “third party” doctrine in the modern Internet age – the fact that virtually everything about you, from what time you wake up in the morning, your music preferences, when you leave the house, what you eat, how you sleep, your exercise patterns, your communications – everything is being collected by an app, transmitted over a network and stored and used by some third party. Thus, you have either no or at least a diminished expectation of privacy because it’s not YOUR data – it’s their data about you.
The second case deals with the confidentiality – and the location – of electronic mail, again with respect to the “third party doctrine.” When you send or receive email, it is typically stored and transmitted through various third parties: ISPs, mail providers, servers, etc. In fact, the decentralized nature of the Internet is such that even if you set up and maintain a private email server (and that worked so well for HRC), unless you create a virtual point-to-point communications network with all the authentication and security that this entails, you are trusting your communications to some third party. End-to-end encryption does nothing to prevent interception of the communication while it travels through some third party network, server, router or application, although it may prevent the intercepted communication from being useful to the intercepting party. By its nature, communications on the Internet have always been dependent on the kindness of strangers. The Supreme Court will be deciding whether European users of a Hotmail account are subject to having their emails intercepted and read with a U.S. search warrant in the United States (even though the communications are both made and stored outside the US) simply because the corporation that provides the services is a U.S. corporation. Here again, it’s important to distinguish between Microsoft being forced to turn over ITS records to the U.S. government (say, corporate documents, tax filings, etc.) wherever it may keep them because it is a U.S. company, or to turn over its records to Bulgaria because it has an office in Sofia, and it being amenable to a search warrant in Redmond, Washington for YOUR records in Dublin, Ireland simply because IT – not you – is in Washington State.
Effectively, everything you do online could be compelled to be produced by the most despotic and autocratic regime if any company that you deal with does business with, or has a bank account in, or has any contact with that despotic regime. Again, by “trusting” your data to a third party, your rights are delegated to whatever rights they may have, and if they can be compelled to produce your records, you are out of luck. Of course, this “problem” – to the extent that it is a problem – can be mitigated by having the emails that Hotmail stores encrypted with a key that only you hold – end-to-end encryption – but let’s face it, most people are simply too lazy to do this. So we can see how changes in the law will necessitate and facilitate changes in security.

The third case is about as far removed from the Internet as you can consider. In Byrd v. United States, a woman rented a car, and without the permission of the rental car agency, allowed her boyfriend to drive the car. In a subsequent search of the car without the boyfriend’s permission, the lower court ruled that, because the boyfriend was not an authorized driver (authorized by the rental car agency, not the renter), the boyfriend had no expectation of privacy, and therefore the police could search at will with neither probable cause nor a search warrant. After all, it wasn’t really his car, right? Again, this case illustrates the bifurcation between possessory rights and ownership rights – which one gives rise to an expectation of privacy? On the Internet, we don’t “own” the data collected about us. We don’t even possess it in most cases. Sometimes we can access it, sometimes not. And the concept that a third party – a rental car company, an ISP, a cloud provider, whomever – can control whether or not IT gives permission to search for and seize our property has broad implications. In Byrd, the “container” – the car – belonged to the rental car company, and the driver exceeded the scope of his authorization to possess or use the container. So if you are late paying your cloud storage provider, you no longer “own” your data, and the police can search it without a warrant? You don’t technically “own” your home – the mortgage holder does (at least in states where the mortgage holder has title as opposed to a lien), and if you “exceed the scope” of your authorization then you are subject to search. Online, your privacy rights then become dependent on your adherence to all of the terms and conditions contained in your “terms of use” or “terms of service” or “end user license agreement” or software license agreement, rather than on whether it’s your data and you expect it to be private. The holder of the container becomes the broker of your privacy rights, not you.
The modern Internet contains a series of dependent relationships – ISPs, e-mail providers, cloud providers, app developers, content providers, cloud services, and hundreds of others. Data about us travels from place to place, entity to entity, person to person. The Internet mostly cares not about geography or even the technology – data travels, mostly through third parties. Limiting individuals’ rights to the data they personally create and store on their own computers at their own location seems to miss the point of privacy. An individual’s privacy interest (if not their right) travels with the private data – and doesn’t stop either at the border or at the ownership of the container through which it travels. What the Supreme Court does in the next few months may determine whether privacy rights will depend on how data is transmitted, rather than on what kind of information it is. We wait with bated breath.

Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
