Litigation News

Spring 2020, Vol. 45, No. 3

Privacy in the Digital Age

Amy Mattson

Summary

  • Courts uphold personal privacy rights by restricting searches of electronic devices.
  • Unlike physical containers, smart devices offer access to unprecedented troves of information so vast that when law enforcement rummages through them, the intrusion into personal privacy may be substantial.

From photos labeled with dates, descriptions, and GPS coordinates to banking information and attorney-client communications, our gadgets increasingly carry the contents of our lives. And unlike physical containers, smart devices offer access to unprecedented troves of information, storage wells so vast that when law enforcement rummages through them, the intrusion into personal privacy may be substantial. As the U.S. Supreme Court recognized in Riley v. California in 2014, allowing police to scrutinize digital records “is quite different from allowing them to search a personal item or two.”

The Riley Court unanimously rejected warrantless cell phone searches incident to arrest, noting that although technology allows persons to carry millions of files in hand, it “does not make the information any less worthy of the protection for which the Founders fought.” But since that decision and other touchstone digital privacy rulings by the high court, the law continues to wrestle with the extent to which electronic devices should receive special protections under the Constitution.

Defining the Scope of Digital Searches

In Alasaad v. Nielsen, the U.S. District Court for the District of Massachusetts ruled that citizens’ Fourth Amendment guarantee against unreasonable search and seizure mandates that federal border agents harbor a reasonable suspicion of criminal behavior before searching smartphones and computers. However, the court declined to require that agents have probable cause and secure warrants to conduct searches, a higher standard advocated by the plaintiffs’ lawyers at the American Civil Liberties Union and Electronic Frontier Foundation. The court also stopped short of ordering the government to erase data it had obtained from the plaintiffs’ devices.

A few states away, in another battle over privacy rights, a divided Pennsylvania Supreme Court in Commonwealth v. Davis ruled the Fifth Amendment protection against self-incrimination prohibits the state from ordering a suspect to disclose the passcode to a lawfully seized but encrypted computer. A 4–3 majority reasoned that the information that could be obtained by learning the passcode was not a “foregone conclusion,” constituting an exception to Davis’s Fifth Amendment privilege as the state had argued.

The decisions reflect growing tensions between the needs of law enforcement and citizens’ interests in keeping sensitive data confidential, according to ABA experts. But while the scales may have tipped toward the government prior to Riley and the advent of the smartphone, courts today tend to give deference to personal privacy rights when assessing what protections digital data is afforded.

Standing to Sue on the U.S. Frontier

Alasaad arose when 11 travelers—10 citizens and one lawful permanent resident—sued the heads of the U.S. Department of Homeland Security, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE), disputing seizures and searches of their smartphones and laptops at U.S. ports of entry. The plaintiffs, who included a National Aeronautics and Space Administration (NASA) engineer, two journalists, and a Harvard graduate student, argued that the searches and seizures of their devices violated the Fourth and First Amendments.

Border agents had reviewed privileged communications between one of the plaintiffs and her lawyer, as well as other sensitive information such as NASA work product and photos of a female plaintiff and her daughters without their headscarves, a violation of their religious beliefs. In addition, the government retained some of the plaintiffs’ devices for two weeks or more. They compiled observations about the devices’ contents, including social media posts, and made copies of seized data.

The defendants moved to dismiss the action, challenging in part the plaintiffs’ standing to seek relief on the premise that their risk of future injury was “too speculative.” Denying the motion, the district court ruled the travelers had stated plausible Fourth and First Amendment claims. All plaintiffs had a higher probability of future searches than the general population due to their frequent international travel and prior recorded encounters with ICE and CBP, the court concluded.

Both parties moved for summary judgment. The plaintiffs asked the court to declare the U.S. agencies’ practices unconstitutional and bar the agencies from searching personal electronics without a warrant supported by probable cause. They also argued for expungement of all information retained from their devices, including passwords. In turn, the defendants again challenged the plaintiffs’ standing to seek relief. The agencies contended that only around .007 percent of several hundred million travelers had their devices searched by CBP in a calendar year. The plaintiffs’ likelihood of being subjected to future searches was therefore “exceedingly low,” the defendants claimed.

In rejecting the defendants’ argument, the district court noted that the defendants’ numbers were “under-inclusive.” There was evidence that not all searches resulted in a report, and the number of searches cited did not include those conducted by ICE. Further, the government’s statistics did not speak to the probability of future searches because the defendants’ databases tended to flag previously searched individuals for repeat screening. The retention of the plaintiffs’ information thus constituted an ongoing and future harm sufficient to seek relief, the district court said.

The Fourth Amendment and the Border Search Exception

The district court then turned to the plaintiffs’ claim that border searches without a warrant based on probable cause violated their Fourth Amendment protections against unreasonable search and seizure. It noted that the Supreme Court has recognized several exceptions to the amendment’s guarantees, including searches at U.S. borders. But the court also acknowledged the lack of a clear legal precedent to guide whether or to what extent the Fourth Amendment applies to searches of smart devices at ports of entry.

In the absence of direction from the high court, the defendants had relied on a CBP directive that availed itself of the border search exception. The directive, also adopted by ICE, distinguished “basic” from “advanced” electronic searches. Advanced searches involved a digital forensic examination—i.e., the use of external software to review, copy, or analyze an electronic device’s contents—and required reasonable suspicion of contraband. All other searches were basic and required no showing of cause.

The Supreme Court has held that no cause to search is necessary where border agents are conducting routine inspections. However, non-routine and non-cursory searches require reasonable suspicion. That is, they require a particularized and objective basis to suspect an individual of criminal activity. Specifically, as the district court noted, “the distinction between routine and non-routine does not turn upon the frequency of such searches, or the label the government may ascribe to it, but the degree of invasiveness or intrusiveness of the search.”

In evaluating whether the searches to which the plaintiffs were subject fell within either of these categories, the district court found Riley instructive, noting that the defendants’ searches implicated the same privacy concerns at stake in that case. The searches conducted by the defendants were invasive, allowing border agents to access “a wealth of personal information,” including emails, texts, social media posts, and photos. In sum, they were more than routine, or more than “a brief look reserved to determining whether a device is owned by the person carrying it across the border, confirming that it is operational and that it contains data.” The court thus held that the non-cursory searches of the plaintiffs’ electronic devices without reasonable suspicion violated the Fourth Amendment.

However, the district court stopped short of imposing the heightened requirement that the government obtain a warrant supported by probable cause to search digital data, as the plaintiffs had requested. It reasoned that “governmental interests are different at the border” than in the U.S. interior and acknowledged that the law must strike a balance between individual privacy rights and national security.

Future of Border Searches Uncertain

To support its stance, the district court noted that “even if the CBP’s and ICE’s adoption of a reasonable suspicion standard for advanced searches is not a concession that such standard is constitutionally required, it is at least an acknowledgement that the legal tide is turning in this direction.” Further, it observed that “the seeds of applying reasonable suspicion in the border context have already been laid by several Circuits post-Riley.”

While no court has yet required a warrant to forensically search a smart device at the border, the Fourth Circuit and Ninth Circuit Courts of Appeal have ruled that intrusive searches of electronic gadgets require a particularized suspicion of criminal activity. Both circuits concluded that a forensic investigation of digital devices exceeded the scope of a routine border search because of its comprehensive nature. The risk of exposing private information in a detailed data dive goes beyond that which might result from merely scanning the contents of a traveler’s baggage, the circuit courts said.

But the search of the cell phone at issue in Riley was conducted pursuant to an arrest, and the Eleventh Circuit Court of Appeals limited the decision’s application to those facts in its 2018 opinion in United States v. Touset. “We see no reason why we would permit traditional invasive searches of all other kinds of property but create a special rule that will benefit offenders who now conceal contraband in a new kind of property,” the court stated. According to the court in Touset, Riley does not apply to searches at the border, where citizens have diminished privacy expectations.

Ultimately, the future of border search cases remains uncertain, says Zesara C. Chan, San Francisco, CA, chair of the ABA Section of Litigation’s Access to Justice Committee. “The Massachusetts district court leaves open a continuing dialogue on implementation of the reasonable suspicion standard which could continue to be intensely fact-driven on a case-by-case basis for some time,” she surmises. ABA member and former chief of the Criminal Division of the U.S. Attorney’s Office for the Eastern District of New York James D. Gatta agrees. “As technology evolves, courts will have to evolve their reasoning as to what level of cause needs to be shown with respect to electronic device searches at the border,” he notes.

First Amendment Claims and Border Seizures

Concluding its constitutional rulings, the district court considered the plaintiffs’ contention that searches of their devices containing expressive materials violated First Amendment guarantees to freedom of speech and association. In denying summary judgment on that question, the court found nothing to suggest the plaintiffs were targeted for search due to their speech or associations. The government’s searches were patently content neutral, and it was unclear what less restrictive methods the defendants could have employed to reduce the burden on the travelers’ freedoms, the court said. Further, because the reasonable suspicion standard adopted for non-cursory border searches of electronic devices could also be applied to searches raising First Amendment concerns, the court determined it need not rule on the issue.  

The court similarly declined to issue a nationwide injunction with regard to border seizures or make a broad ruling on whether seizure of the plaintiffs’ devices for extended periods was proper under the Fourth Amendment. It noted the touchstone test for any detention of an electronic device was “reasonableness,” a term the Supreme Court has been reluctant to define by imposing “hard and fast time limits.” The district court was likewise unwilling to do so, instead reiterating only that seizure of a device to be searched requires reasonable suspicion and may continue for only a reasonable length of time.

The Fifth Amendment and Compelled Digital Testimony

In Commonwealth v. Davis, the Pennsylvania Supreme Court ruled that the Fifth Amendment’s protection against self-incrimination extends to prohibiting law enforcement from forcing a criminal suspect to turn over the password to his computer. As a matter of first impression, the court considered whether a suspected child pornographer could be compelled to orally disclose a 64-character password, despite arguments that the disclosure was testimonial in nature and thus shielded by the Fifth Amendment.

The case arose when agents at the Office of the Attorney General traced an IP address linked to a child pornography file-sharing network to the defendant appellant’s home. Law enforcement executed a search warrant and seized a desktop computer. The appellant told police that he lived alone and was the computer’s sole user but refused to disclose the password to the device. He admitted to having previously watched legal pornography on the computer but also noted that he had been convicted for child pornography in the past.

Following his arrest, the appellant spoke openly to law enforcement officers about watching pornography, and indicated that he particularly liked watching a specific age range of children. When asked again for the password to his computer, he responded that he could not remember it, and that even if he could, it would be like “putting a gun to his head and pulling the trigger” because “we both know what is on there.” The defendant was charged with two counts of disseminating child pornography and two counts of criminal use of a communication facility.

The Commonwealth filed a pretrial motion to compel the defendant to divulge his password, and he responded by invoking his Fifth Amendment right against self-incrimination. The trial court granted the Commonwealth’s motion to compel. In its decision, the court noted that “whether an action of production is testimonial is whether the government compels the individual to use the contents of his own mind to explicitly or implicitly communicate some statement of fact.”

Citing the U.S. Supreme Court in Fisher v. United States, the court stated that acts of production do not involve testimonial communication if the facts to be conveyed are a “foregone conclusion.” That is, the defendant’s testimony would “add little or nothing to the sum total of the government’s information.” Such was the case at hand, the court concluded, because the defendant’s password would not provide the Commonwealth with any new evidence but simply permit them to retrieve what was already known.

The defendant filed an interlocutory appeal, and the Superior Court affirmed the trial court’s ruling. It found that applying the foregone conclusion exception to the Fifth Amendment was proper, as the government had met its three-prong burden under Fisher to establish that (1) it knew the evidence it demanded existed, (2) the defendant had the evidence in his possession, and (3) the evidence was authentic. The appellant’s statements to police indicated a high probability his computer contained child pornography, there was no question the appellant owned the computer and possessed its password, and the password was self-authenticating, the court ruled.

Foregone Conclusion Exception Does Not Apply to Passwords

On appeal to the Pennsylvania Supreme Court, the appellant argued that providing a password to unlock digital data was no different than providing a combination to unlock a safe, which the U.S. Supreme Court has held to be testimonial. Further, the appellant contended that the foregone conclusion exception as detailed in Fisher did not apply to computer passwords.

Conversely, the Commonwealth argued the existence, location, and authenticity of the password at issue were a foregone conclusion. Revealing the password would not add to the government’s information because the password itself did not divulge details about the computer or its contents, it argued. Ruling in favor of the appellant, the supreme court emphasized the narrowness of the foregone conclusion doctrine, noting that the U.S. Supreme Court has never applied it outside the context of paper document disclosure. The Commonwealth could not have already known the facts sought to be compelled because it was soliciting not merely access to the device, but all the files contained therein, the court said.

Though the state high court did acknowledge the “ever increasing difficulties faced by law enforcement in light of rapidly changing technology,” it nevertheless agreed with the defendant appellant that an electronic password was the equivalent to a wall safe combination and could not be compelled.

Moving Toward Greater Digital Privacy Protections

According to ABA experts, the Alasaad and Davis decisions indicate a trend toward protecting data stored on electronic gadgets. “The courts have recognized the volume of highly personal information that resides on smart devices and the privacy interests at play,” says Karen L. Neuman, Washington, DC, ABA member and former chief privacy officer with the U.S. Department of Homeland Security. “Judges are trying to differentiate between physical and electronic data, and we can expect courts making this distinction to continue,” she comments.

“The U.S. Supreme Court in Riley was very clear that digital is different,” observes Gatta. “Whereas the balance between public safety and freedom from intrusion may have tipped toward the government before smart technology, courts are paying deference to individual privacy interests in smart devices,” Gatta opines.

However, both Neuman and Gatta caution that attorneys should still take extra care with client information stored on their phones or laptops, particularly when traveling. “Avoid traveling with locally stored data, turn off devices, and make sure they are password protected,” Neuman advises. “Always be aware that if you have sensitive information in your possession when traveling, there is a lower expectation of privacy at the border,” Gatta adds.
