Congress Must Act Now to Protect Data Privacy
The Fourth Amendment was established in a time when privacy expectations could be articulated through a simple maxim that “every man’s home is his castle.” In the 21st century, however, our most private information is often guarded not by walls or with a key, but by the companies — Microsoft, Verizon, and the like — that provide us with access to the data cloud. In a perfect world, the technologies of today would be met with the same principles that were laid out in the Fourth Amendment by our founders. Unfortunately, that is easier said than done. Technology has added lots of complications, and we are left trying to figure out what a reasonable search is in the age of the data cloud. Much of the doctrine of the Fourth Amendment is based on definitions that are ill-equipped for dealing with challenges in the era of cloud computing. For instance, do emails, location information, and other data and documents stored in the cloud fall within the Fourth Amendment’s protection of “The right of the people to be secure in their persons, houses, papers, and effects”?
Moreover, lack of notice to the person whose property is being searched has become a big problem in the digital era. Traditional searches of one's home or car are, as a practical matter, difficult to keep secret from the property’s owner. In contrast, absent legal protections, it is easy for the government to search electronic data that is held by a third party without the owner of the data ever finding out about it, assuming the government has the cooperation of the third party.
That is just one of several ways in which the third-party doctrine, which holds that people who voluntarily convey information to a third party such as a bank or a telephone company have no reasonable expectation of privacy in the information conveyed, results in a gaping hole in Fourth Amendment protections in this new age. When applied to the data cloud, this relatively narrow third-party exception granted to law enforcement becomes a broad license for the government to monitor virtually all the data we transmit in our day-to-day lives. One would have to virtually opt out of our high-tech society to evade this license. That should not be a required trade-off for enjoying the protections of the Fourth Amendment, especially when the government has lawful alternatives for achieving its law enforcement needs.
The Supreme Court is set to weigh in on the fate of the third-party doctrine this fall when it hears United States v. Carpenter. If the court rules in that case that the government’s search of location information held by a cell phone service provider was unreasonable, it could help to update the third-party doctrine by requiring better protection of location data and other components of the data cloud. Then again, if an entire class of technology needs to be exempt from a legal doctrine, there may be a problem with the doctrine itself. At the end of the day, it may be that the third-party doctrine has become irreconcilable with the Fourth Amendment and needs to be discarded. However, it is highly unlikely that the Supreme Court will go that far anytime soon.
Congress’s enactment of the Electronic Communications Privacy Act (ECPA) in 1986 gave some hope that the privacy protections provided by the Fourth Amendment in the physical world would be transferred to the new technological mediums in which private “papers and effects” are stored online. However, since the ECPA’s passage, we have seen more than three decades of additional technological advancement that Congress could not foresee in 1986. After many failed attempts by Congress to modernize ECPA, our digital privacy rights are left inadequately protected by a law that was designed to protect the contents of email thirty years ago.
Last week, Sens. Mike Lee (R-Utah) and Patrick Leahy (D-Vt.) introduced legislation, the ECPA Modernization Act, intended to address this problem. The act’s most important provision removes a major flaw in the ECPA that limited its effectiveness, specifically the provision allowing data stored longer than 18 months to be accessed by government agencies without a warrant. The modernization act requires a warrant even for older data. Additionally, the Modernization Act would make it more difficult for the government to deny or delay notice to the subscriber whose data is being searched, while also providing individuals with the remedy of suppression when information is obtained in violation of ECPA. Another commendable provision in the bill calls on the Federal Communications Commission and Government Accountability Office to study law enforcement’s use of stingray devices to do an end-run around the requirements of the warrant process.
“Americans expect and deserve strong, meaningful protections for their emails, texts, photos, location information and documents stored in the cloud,” Leahy said. “It is long past time that Congress updated our federal laws to better protect Americans’ privacy,” added Lee. The ECPA Modernization Act is a laudable effort to strengthen the warrant requirements for third-party data collection and guard the Constitutional right to due process when digital property is being searched. With the modernization act pending in the Senate and United States v. Carpenter pending in the Supreme Court, there is new hope that our institutions will succeed in applying the founders’ Fourth Amendment principles to the brave new high-tech world.
Ashley Baker is the director of public policy at the Committee for Justice, a nonprofit group that seeks to uphold the Constitution and support constitutionalist judges.