Speaking to a public audience recently, Justice Elena Kagan stated what many know to be true: that privacy “will be one of the most important issues before the Court in the decades to come.” Tal Kopan,Elena Kagan Talks Diversity and (Dis)agreement on the Supreme Court, Politico (Dec. 14, 2012), http://www.politico.com/blogs/under-the-radar/2012/12/elena-kagan-talks-diversity-and-disagreement-on-the-151963.html. The same will also likely be true for Congress.
The Court and Congress are confronting privacy issues at an increasing pace. In the last few years, the Supreme Court has decided cases concerning GPS tracking, Privacy Act damages, the right of information privacy, medical records privacy, and workplace privacy. See EPIC Amicus Curiae Briefs, EPIC, https://epic.org/amicus. In the current term, the Court is considering the scope of the Drivers Privacy Protection Act, the use of drug detection dogs, standing to challenge unlawful wiretapping, the compelled disclosure of DNA, and possibly the application of the Stored Communications Act. See id.; Maracich v. Spears, EPIC, https://epic.org/amicus/dppa/maracich; Maryland v. King, EPIC, https://epic.org/amicus/dna-act/maryland/default.html; Jennings v. Jennings, 2012 WL 4808545 (S.C. 2012). Meanwhile, Congress is considering bills on data breach notification (Data Security and Breach Notification Act of 2012, S. 3333, 112th Cong.), data brokers (Natasha Singer, Senator Opens Investigation of Data Brokers, N.Y. Times, Oct. 11, 2012, at B3), locational tracking (Location Privacy Protection Act of 2011, S. 1223, 112th Cong.), e-mail privacy (Electronic Communications Privacy Act Amendments Act of 2012, H.R. 2471, 112th Cong.), cybersecurity (Cybersecurity Act of 2012, S. 2105, 112th Cong.), aerial drones (Drone Aircraft Privacy and Transparency Act, H.R. 6676, 112th Cong.), and warrantless wiretapping (Foreign Intelligence Surveillance Act Amendments Act Reauthorization Act of 2012, H.R. 5949, 112th Cong.).
The right to privacy is a work in progress. Even if courts and legislatures often look to the other to do the hard work—see, e.g., Roberson v. Rochester Folding Box Co., 171 N.Y. 538, 545–46 (1902);Olmstead v. United States, 277 U.S. 438, 465–66 (1928); United States v. Jones, 132 S. Ct. 945, 962–63 (2012) (Alito, J. concurring)—in this article, we argue that both branches have a significant role to play. As new technologies, new business practices, and new government programs challenge well-established concepts of privacy, neither jurists nor lawmakers can afford to sit on the sidelines.
New Surveillance Techniques
Rapid innovation in surveillance technologies allows the government to see, hear, and aggregate data in new ways. By combining various tracking methods, law enforcement can create mosaic profiles of individuals’ lives. Case law created in the era of the trap and trace device, copper wire, and alligator clips no longer protects individuals from the expansive scope of new surveillance techniques.
Police Are Using Phone Tracking as a Routine Tool see also In re Historic Cell-Site Location Wireless Firms Are Flooded by Requests to Aid Surveillance “Stingray” Phone Tracker Fuels Constitutional Clash
Aerial Surveillance and Drones
A drone is an unmanned aerial vehicle, flown either autonomously or via remote control. Coming in all shapes and sizes, drones range from military warplanes to insect-sized devices. Richard M. Thompson II, Cong. Research Serv., Report R42701, Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses 2 (Sept. 6, 2012), http://www.fas.org/sgp/crs/natsec/R42701.pdf. Drones are designed to undertake constant, persistent surveillance to a degree not feasible by other methods. “Drones are smaller, can fly longer, and can be built more cheaply than traditional aircraft.” Id. at 15. In addition to the typical cameras, GPS, and communications equipment one would expect on a surveillance aircraft, drones carry increasingly advanced sensor packages. Some use gigapixel cameras that can track objects sixty-five miles away from an altitude of 20,000 feet. Drones may also carry thermal infrared cameras, license plate readers, and three-dimensional laser radar imagers. Id. at 3. In the near future, government agencies may outfit drones with facial recognition sensors or imaging technologies that can see through walls and ceilings.Id. at 4, 13. A petition before the Federal Aviation Administration seeks a public rulemaking on privacy regulations for drone use in the United States. Unmanned Aerial Vehicles (UAVs) and Drones, EPIC, https://epic.org/privacy/drones/ (last updated Dec. 7, 2012). Several bills have been introduced in Congress limiting the warrantless use of drones. See Drone Aircraft Privacy and Transparency Act, H.R. 6676, 112th Cong. (2012); Preserving American Privacy Act of 2012, H.R. 6199, 112th Cong.; Preserving Freedom from Unwarranted Surveillance Act of 2012, S. 3287, 112th Cong.
Suspicionless Profiling with Aggregated Data
Government databases are increasingly interlinked to allow law enforcement to create sophisticated profiles of individuals, even those not suspected of any wrongdoing. These databases take advantage of cheaper computing power, increasingly sophisticated data mining techniques, the proliferation of personal information, and lax enforcement of the Privacy Act. The National Counterterrorism Center (NCTC), within the Office of the Director of National Intelligence, is compiling profiles of U.S. citizens, regardless of suspicion, by aggregating entire databases from other government agencies. Julia Angwin, U.S. Terror Agency to Tap Citizen Files, Wall St. J., Dec. 13, 2012, at A1. The NCTC can keep data on innocent civilians for up to five years so they can be analyzed for suspicious behavior and can disclose the information to foreign governments. The types of databases implicated include financial records, health records, and any other records held by a cooperating federal agency. State-level “fusion centers” integrate data from state and federal databases, though a recent Senate report calls into question the effectiveness of this program. Federal Support and Involvement in State and Local Fusion Centers:Rpt. of the Perm. Subcomm. on Investigations, S. Comm. on Homeland Sec. & Gov’t Affairs (Oct. 3, 2012).
Facial Recognition and Biometrics
Biometric data are physical traits used to substantially or uniquely identify an individual. Many of these traits, like fingerprints and iris data, are immutable characteristics. Facial recognition automates identification by extracting a human face from a still or video image, measuring points on the face, and comparing the measurements to an authenticating database. See generally Biometric Identifiers, EPIC, https://epic.org/privacy/biometrics.
Because biometric data are immutable characteristics, their use creates risks to personal privacy. “The key social issue surrounding biometrics is the seemingly irrevocable link between biometric traits and a persistent information record about a person.” Nat’l Research Council, Biometric Recognition: Challenges and Opportunities 85 (The Nat’l Academies Press 2010). Individuals typically cannot control the release of their biometric information; one’s picture can be taken on any public street. The U.S. military uses handheld devices to collect and analyze biometric information (including faces, fingerprints, and iris data) of civilians in war zones, and law enforcement agencies have discussed the domestic use of the devices. Thom Shanker, To Track Militants, U.S. Has System That Never Forgets a Face, N.Y. Times, July 14, 2011, at A1. See also Letter from Marc Rotenberg, President, EPIC, to Robert Gates, Sec’y of Def. (July 27, 2007), available athttp://www.epic.org/privacy/biometrics/epic_iraq_dtbs.pdf.
Genetic data are the fingerprint technique of the modern era. Not only do they elevate the role of forensic science, but they have also led to new laws requiring the compelling production of genetic information and massive new databases of DNA material that are currently used for identification but that could be used to identify genetic traits. Noting the rapid advances in the use of genetic data, the Presidential Commission for the Study of Bioethical Issues recommended “a consistent floor of privacy protections covering whole genome sequence data regardless of how they were obtained.” Pres. Comm’n for the Study of Bioethical Issues, Privacy and Progress in Whole Genome Sequencing, at v (Oct. 2012). These policies should protect individual privacy by prohibiting unauthorized whole genome sequencing without an individual’s consent. “Only in exceptional circumstances should entities such as law enforcement or defense and security have access to biospecimens or whole genome sequence data for non-health related purposes without consent.” Id. at 6.
New techniques make it less necessary for government agents to have probable cause to detain a particular person, to examine his possessions, or even to view his naked body. The Transportation Security Administration (TSA) now routinely uses whole body–imaging devices to peer under the clothes and into the possessions of air travelers. The image resolution of these scanners is so high that they are equivalent to a digital strip search. See Whole Body Imaging Technology and Body Scanners, EPIC, https://epic. org/privacy/airtravel/backscatter. Following a decision from the D.C. Circuit Court of Appeals, the TSA must offer travelers an alternative search and conduct an administrative rulemaking to assess the health and privacy risks of body scanners. EPIC v. Dep’t of Homeland Sec., 651 F.3d 1 (D.C. Cir. 2011). Still, the Department of Homeland Security is developing new mobile body scanner technology that can be deployed outside airports at other mass transit hubs, in vans capable of scanning vehicles on public roads, and for monitoring crowds in public areas. EPIC v. DHS (Mobile Body Scanners FOIA Lawsuit), EPIC, https://epic.org/privacy/body_scanners/mobile_body_scanners/default.html. The Department of Homeland Security is also exploring new techniques for “pre-crime” detection that claim to determine scientifically the likelihood that someone will commit a crime. SeeScience and Technology Directorate Human Factors and Behavioral Sciences Division Projects, Dep’t of Homeland Sec., http://www.dhs.gov/st-hfd-projects#6. See also Minority Report (DreamWorks, Amblin Entertainment, 20th Century Fox, Cruise-Wagner Productions & Blue Tulip 2002).
The Role of the Court
While these new techniques raise far-reaching concerns about the scope of government surveillance authority and the rights of individuals, the Supreme Court’s recent decision in United States v. Jones, 132 S. Ct. 945 (2012), suggests that the Court is ready for the challenge. In that case, the Court unanimously ruled that a Fourth Amendment search occurred when police attached a GPS tracker to a car. Id. Justice Antonin Scalia’s opinion for the Court said that the physical attachment of the GPS device violated the Fourth Amendment because it was a trespass.
Justice Samuel Alito, joined by three other justices, observed that the traditional reasonable expectation of privacy test does not permit the police to “secretly monitor and catalogue every single movement of an individual’s car for a very long period.” Id. at 964 (Alito, J., concurring). Justice Sonia Sotomayor agreed with Justice Alito’s concurrence that GPS monitoring impinges on privacy expectations, but she also anticipated larger matters ahead. “I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.” Id. at 956 (Sotomayor, J. concurring). Combining Sotomayor’s concurrence with Alito’s creates a five-member “shadow majority” finding that GPS tracking is about more than physical tracking. As Justice Sotomayor explained, “making available at a relatively low cost such a substantial quantum of intimate information about any person whom the Government, in its unfettered discretion, chooses to track—‘may alter the relationship between the citizen and government in a way that is inimical to democratic society.’” Id.
The Supreme Court gets it. In Jones, the justices are not debating over whether there is a right to privacy; they are arguing over the scope and formulation of that right. Perhaps it is the trespass theory of Justice Scalia; the expectation of privacy test in Katz set out by Alito, Katz v. United States, 389 U.S. 347 (1967); or a hybrid suggested by Sotomayor. But critical to all of the analyses is that the particular device does not matter; it is the underlying activity that is at issue.
Lower Courts in Disarray, Focused on the Nature of Technology
State and federal courts are having difficulty engaging with evolving surveillance methods. Whereas the Supreme Court in Jones was able to generalize from a particular conduct, the lower courts get bogged down. The state and circuit courts tend to give too much focus to how a technology works, rather than the underlying activity. As a result, the lower courts create a messy patchwork of precedents that both compromise Fourth Amendment protections and dictate confusing standards to law enforcement.
For example, courts are reaching conflicting results on the legality of warrantless cell phone tracking. The Sixth Circuit held that there is no reasonable expectation of privacy in location signals broadcasted by cell phones. United States v. Skinner, 690 F.3d 772 (6th Cir. 2012). By contrast, the Third Circuit, interpreting only the Stored Communications Act and not the Fourth Amendment, held that a magistrate judge may require the government to show probable cause to obtain cell phone site location information. In re Application of United States for an Order Directing a Provider of Elec. Commc’n Serv. to Disclose Records to the Gov’t, 620 F.3d 304 (3d Cir. 2010). A Fifth Circuit magistrate ruled that a warrant is required to use a Stingray to track cell phones and criticized the government for not understanding how its own technology works. In re Application of United States for an Order Authorizing the Installation and Use of a Pen Register and Trap and Trace Device, 2012 WL 2120492 (S.D. Tex. June 2, 2012). The Massachusetts Supreme Judicial Court recently ruled that a flip phone’s call log, but nothing else on the phone, can be searched incident to arrest. See Commonwealth v. Phifer, 463 Mass. 790 (2012). The Massachusetts court wrote, “We do not suggest that the assessment necessarily would be the same on different facts, or in relation to a different type of intrusion into a more complex cellular telephone or other information storage device.” Id. at 797.
Similarly, the South Carolina Supreme Court recently ruled that a defendant did not violate the Stored Communications Act by hacking into another person’s e-mail account. The court ruled that an e-mail kept on a Yahoo! server after being read did not constitute a “backup.” Jennings v. Jennings, 2012 WL 4808545, at *3 (S.C. Oct. 10, 2012). A concurring justice instead said the statute only protects received, yet unopened, e-mail. Id. at *6 (Toal, C.J., concurring). A third justice concurred but said the statute only protects the service providers’ backup copy of the e-mail, not the e-mail recipient’s. Id. at *7 (Pleicones, J., concurring). This case in particular calls out for review by the Court.
Courts and Congress Should Focus on Activity, Not Technology
Both courts and Congress share responsibility for safeguarding individuals’ privacy from advancing technology and overzealous government surveillance. As Justice Sandra Day O’Connor once explained, “with the benefits of more efficient law enforcement mechanisms comes the burden of corresponding constitutional responsibilities.” Arizona v. Evans, 514 U.S. 1, 17–18 (1995) (O’Connor, J., concurring).
Privacy protection under the Fourth Amendment is first and foremost the responsibility of the courts. As Justice Louis Brandeis famously wrote, “[t]he makers of our Constitution . . . conferred, as against the government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.” Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting). When new technologies allow the government to invade individuals’ lives in novel ways, courts should engage the key question: the nature of the activity surveilled. Courts need to draw bright lines that recognize the extraordinary amount of information available in modern communications technology. All private messages, whether e-mail, text, phone call, or old-fashioned letter, should receive equal protections, regardless of third-party common carriers. See Ex parte Jackson, 96 U.S. 727, 733 (1877). As Justice Sotomayor explained in Jones, “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayor, J., concurring). Individuals’ expectations of privacy are tied to their activity and anonymity, not specific technologies. Furthermore, courts should not turn a blind eye to “the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.” Whalen v. Roe, 429 U.S. 589, 605 (1977). In particular, courts should limit suspicionless government profiling and programmatic surveillance of innocent persons.
Congress has a concurrent duty to protect privacy as well. It was the Court’s decision in 1967 that set the course for the modern right to privacy, but it was the congressional legislation the following year that gave meaning to that right. Katz v. United States, 389 U.S. 347 (1967); Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197. Congress needs to fill gaps in existing laws and establish clear guidance in areas unlikely to receive ample adjudication. Specifically, Congress should enact warrant requirements for drone surveillance, persistent location tracking, and the contents of all private electronic communications. Because of well-established exigency exceptions, robust warrant requirements assure innocent parties that they are not being unduly watched without compromising the effectiveness of law enforcement. And state legislatures need not wait for lawmakers in Washington to act. Nowhere is the argument for state experimentation in the “laboratories of democracy” better exemplified than in this area of rapidly changing technology. New State Ice v. Liebman, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting) (“a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”).
Forty years ago, Samuel Alito, then an undergraduate at Princeton, wrote, “The erosion of privacy, unlike war, economic bad times, or domestic unrest, does not jump to the citizen’s attention and cry out for action. But by the time privacy is seriously compromised it is too late to clamor for reform. We must begin now to preserve privacy, and the first step is for Americans to understand the threats to privacy we now face and the threats inherent in our technological society.” Samuel Alito, Report of the Chairman, in The Boundaries of Privacy in American Society 7 (1972). Because the Constitution empowers both the courts and Congress to protect privacy, each has a responsibility to step forward and help the law evolve in concert with evolving technologies.
Marc Rotenberg is president of the Electronic Privacy Information Center (EPIC) and teaches privacy law and open government at Georgetown University Law Center. He frequently testifies before Congress on emerging privacy issues. David Brody is the EPIC Appellate Advocacy Fellow and a graduate of Harvard Law School.