Want To Protect Privacy? Get Off Social Media, Indiana Federal Court Says

Privacy issues surrounding social media abound, including what’s considered ‘content’ privacy and ‘non-content’ privacy

When the government wants to get data about you from someone other than you (a third party), does it need a search warrant issued by a judge or can it just use a simple subpoena, without probable cause and often without any judicial intervention?

That question has been vexing lawyers, judges, prosecutors, defense counsel and all manner of third parties since the U.S. Supreme Court in Carpenter v. United States ruled that to obtain someone’s cellphone location tracking data, a mere subpoena is not enough; a judge’s warrant was required. According to the ruling, people had a reasonable expectation of privacy in their location records, even if they were available from the phone company.

Carpenter represented a walk back from a long-established “third party” doctrine established by the court in Smith v. Maryland, wherein the court held that no warrant was necessary to get telephone call data (time, date, numbers, etc.) from the phone company. In Smith, the police were investigating a series of harassing calls made to a robbery victim whose purse (containing her ID) had been stolen a few days earlier. To trace the harassing calls, the Baltimore cops got a subpoena—not a warrant—for the unknown telephone number’s subscriber data. The Supreme Court said that no warrant was necessary because people know the phone company tracks calls, they voluntarily give up their phone number when they make a call, and they have no reasonable expectation of privacy in what they willingly disclose to the phone company. The Court also made a distinction between “content” information—listening in on the call—and “non-content” information—billing, numbers called, duration, etc., for which there is no privacy.

On June 3, the U.S. District Court, Northern District of Indiana addressed the question of whether the government, under federal law, could get certain information—registration information, billing records, records of session times and durations, and IP addresses and cookies—from a suspect’s Facebook account without a warrant. More simply, do Facebook (and other social media) users have a “reasonable expectation of privacy” in these billing records, session time, IP address and cookie information? And even more simply, whose records are they anyway? Is Facebook “non-content” information more like the phone records in Smith or more like the phone records (location data) in Carpenter?

The court decided that the target of the investigation had no expectation of privacy in the records that he “voluntarily disclosed to Facebook (either directly or through associated third-party websites or apps).” The court noted that “[r]easonable minds can debate whether, as a society, we want entities such as Facebook to log the kind of information contained in the Records. But what cannot be debated is that Facebook has this information only by virtue of individuals making an affirmative choice to provide it.” The records, the court ruled, “contain potentially personal information about [the defendant’s] life, but they contain no more than he chose to provide.” The IP address information, online and offline cookie data, session times, duration and other data “comes solely from [the] Defendant.”

We may one day wake up and find that Facebook or some other social network has become as indispensable as the cellphone and determine, as a society, that the information collected is deserving of constitutional protection. But that day is not today, and this case is not that case. On the basis of the record before the court, the records “fall[] comfortably within the scope of the third-party doctrine” which continues, even after Carpenter, to apply to “business records that might incidentally reveal location information.” As such, the defendant had no reasonable expectation of privacy in the records, and no Fourth Amendment violation occurred when the government sought and obtained the records without a warrant.

I’m not so sure. Sure, the records sought—IP address, cookies, etc.—seem innocuous. If you use Facebook, you “give up” those records. But that’s not the test; the test under a “reasonable expectation of privacy” is, well, “reasonable expectation of privacy.” Do you expect this information to be available to others, not “did you give it up?” When you do searches on Google, whether it’s for hair restoration creams or erectile dysfunction drugs, you know you are “giving up” or sharing with Google and its search algorithms and analysts both the things you are searching for and your interests in what is being delivered. You are also tying those searches not only to your Google profile (most of the time) but also to your IP address, your browser and, well, you. Everything you read, everything you view, everything you watch is “shared” because you have “chosen” to view, read or search for it online. I suppose if you go to a newsstand (remember newsstands?) and buy a magazine (remember magazines?) with cash (remember cash?), you could still be said to have voluntarily shared your reading/purchasing practices with the newsstand employees and therefore have no expectation of privacy.

The idea that your privacy is dictated by the essential requirements of the media is, to my thinking, simplistic. You have an expectation of privacy in those things in which you have an expectation of privacy. The mere fact that Google, Facebook or someone else collects that data (and you know it) doesn’t mean that you don’t expect it to be private any more than the fact that you know that the phone company (and Google, your ISP, your cell provider as ISP and other apps) tracks your location. The question is whether a reasonable person believes that their browser history, search history and cookie data are private in spite of the fact that they are “shared” with some tech company or provider.

At the end of the day, almost all data is shared with someone. While that may diminish, it should not extinguish our privacy rights. If I publish something, I have no privacy rights in it. If I just use a technology, then it’s not black and white.

Although I must agree with one thing the Indiana court said: “If anyone needed more motivation to get off social media, consider the instant case.” By choosing to use social media, even the private stuff is public. They chose to share with Facebook (not users, but with the company), so no privacy for you! But in the Smith phone records case, Justices Marshall and Brennan in 1972 presciently observed that “[i]mplicit in the concept of assumption of risk is some notion of choice. … [U]nless a person is prepared to forgo use of what for many has become a personal or professional necessity, he cannot help but accept the risk of surveillance.” The dissenters went on to say, “whether privacy expectations are legitimate … depends not on the risks an individual can be presumed to accept when imparting information to third parties, but on the risks he should be forced to assume in a free and open society.” Cox didn’t “choose” to share cookie data with Facebook. He “chose” to use Facebook. That’s the choice the Indiana court says was fatal to his case.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
