A trio of U.S. Supreme Court cases – on topics like cell phone records, rental cars, and overseas storage of Hotmail accounts – may change how the Internet is configured and how IoT, cloud and outsourcing agreements are effectuated in the future. What all of these cases have in common is the disconnect between the individual about whom data is collected, and the entity that collects that data. This disconnect – which is ubiquitous in the Internet era – means that the data collected by IoT devices, transmitted over commercial networks, and stored by virtually every company or cloud service may not be entitled to the same legal protections that the same data would be entitled to if the data subject held that data on their own.
At first glance, the three cases have nothing to do with each other, and have nothing to do with the Internet. The first case, Carpenter v. United States (http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/), involves the standard of proof necessary for the government to obtain access to what is called “historical cell site data” – a shorthand for having the phone company track your location. The lower court ruled that to get a “tower dump,” which includes the location of all users, or to track where an individual user was in the past, the government needed only a court order – not a formal search warrant supported by probable cause and specifying exactly what to seize – in order to turn your cell phone into a government tracking device. One of the reasons the government asserts that no warrant is necessary to track your movements using your phone is that the cell tower records are the records of the cell tower owner – the phone company – not you. While they are records ABOUT you, they aren’t your records. Thus, you have voluntarily abandoned your privacy rights when you chose to share your location with the phone company, just as you have voluntarily abandoned your privacy rights when you share your location with Google Maps, your reading preferences with Amazon, your porn viewing preferences with your ISP and whomever. The case illustrates the problem with what is called the “third party” doctrine in the modern Internet age – the fact that virtually everything about you, from what time you wake up in the morning, your music preferences, when you leave the house, what you eat, how you sleep, your exercise patterns, your communications – everything is being collected by an app, transmitted over a network and stored and used by some third party. Thus, you have either no or at least a diminished expectation of privacy because it’s not YOUR data – it’s their data about you.
The modern internet contains a series of dependent relationships – ISPs, e-mail providers, cloud providers, app developers, content providers, cloud services, and hundreds of others. Data about us travels from place to place, entity to entity, person to person. The Internet mostly cares not about geography or even the technology – data travels, mostly through third parties. Limiting individuals’ rights to the data they personally create and store on their own computers at their own location seems to miss the point of privacy. An individual’s privacy interest (if not their right) travels with the private data – and doesn’t stop either at the border or at the ownership of the container through which it travels. What the Supreme Court does in the next few months may determine whether privacy rights will depend on how data is transmitted, rather than on what kind of information it is. We wait with bated breath.