June 13, 2019 Practice Points

The Third-Party Doctrine in the Wake of a “Seismic Shift”

The need for data privacy legislation to keep pace with technology.

By Steven J. Arango

More than 40 years ago, in United States v. Miller, 425 U.S. 435 (1976), the Supreme Court created the third-party doctrine. But at its inception, it was impossible for any judge—even Supreme Court justices—to appreciate how society’s reliance on technology would create a “seismic shift” in the doctrine’s reach. Carpenter v. United States, 138 S. Ct. 2206, 2219 (2018). Consider the fact that it was not until 30 years after Miller established the third-party doctrine that cloud storage became commercially available. Computer History Museum, The Storage Engine, 2006: Storage in the Cloud (Sept. 11, 2015). And by no means was its use as prevalent as it is today. Id. The Court tried to rein in the doctrine’s reach with Carpenter; perhaps it did. But until courts address warrantless searches of cloud data, it is pure speculation whether the data retain Fourth Amendment protections. To wait and hope for favorable application of Carpenter in these cases is to gamble with everyone’s cloud privacy.

Instead, Congress needs to address cloud privacy with legislation. Erin Murphy, “The Politics of Privacy in the Criminal Justice System: Information Disclosure, the Fourth Amendment, and Statutory Law Enforcement Exemptions,” 111 Mich. L. Rev. 485, 489 (2013). Cloud storage is a highly complicated area that requires a depth of fact-finding and deliberating not suited for the judicial system. Id. Of course, Congress has not always been reliable at legislating technological issues, but Congress’s struggles should not provoke a judicial response. Id. at 533.

Statutes provide much more latitude and stability than judicial precedent. Id. at 537. Statutes can require advance notice to the individual affected by the search, which gives the individual the ability to respond through legal channels. Id. Statutes can require a higher standard of proof than warrants, such as clear and convincing evidence. Id. Statutes can create exceptions. For example, national security issues are exempted from the Stored Communications Act’s (SCA’s) requirements. Mihailis E. Diamantis, “Privileging Privacy: Confidentiality as a Source of Fourth Amendment Protection,” 21 U. Pa. J. Const. L. 485, 500 (2018); Laurie Buchan Serafino, “‘I Know My Rights, So You Go’n Need a Warrant for That’: The Fourth Amendment, Riley’s Impact, and Warrantless Searches of Third-Party Clouds,” 19 Berkeley J. Crim. L. 154, 191–92 (2014) (“FISA [Foreign Intelligence Surveillance Act] is considered exempt from the probable cause requirement because it is aimed at preventing terrorism, not just ordinary criminal wrongdoing.”). Finally, statutes can control the government’s use and storage of seized data. Murphy, supra, at 537. But the judiciary usually can only “regulate [the] acquisition of information.” Id. At their core, statutes provide broader, more stable protections than judicial precedent. Id. at 540.

Regrettably, only a small portion of cloud-stored data is protected by federal law, specifically the SCA. Aaron J. Gold, “Obscured by Clouds: The Fourth Amendment and Searching Cloud Storage Accounts Through Locally Installed Software,” 56 Wm. & Mary L. Rev. 2321, 2333 (2015). Congress developed the SCA in the 1980s when commercial cloud usage was not a reality. Computer History Museum, supra. As a result, Congress created a framework that protected the only privacy concern at the time—electronic communications. Eric Johnson, “Lost in the Cloud: Cloud Storage, Privacy, and Suggestions for Protecting Users’ Data,” 69 Stan. L. Rev. 867, 877 (2017).

Cloud-based data that do not involve electronic communications are not protected. Id. at 883; Gold, supra, at 2333. Suppose you upload a spreadsheet with all your financial information to Dropbox—this type of information would not be protected by the SCA because there is no communication involved; but if a Gmail account backed up emails into Google Drive, this information would be protected. Id. In effect, most cloud data are unprotected by the SCA. Johnson, supra, at 877; Matthew McKenna, “Up in the Cloud: Finding Common Ground in Providing for Law Enforcement Access to Data Held by Cloud Computing Service Providers,” 49 Vand. J. Transnat’l L. 1417, 1430 (2016); Serafino, supra, at 185.

To address cloud privacy, Congress needs to expand the SCA to protect noncommunicative cloud data. Requiring probable cause and a warrant to access this information would be a welcomed change. But the “procedural protections” are what matter for cloud privacy, not the document required to obtain the information, such as a warrant or subpoena. Murphy, supra, at 519. Congress should require probable cause and notice to acquire personal cloud data. It should also create safeguards to prevent the “unauthorized exposure” of data and compel their destruction after their use. Id. at 520–21. Last, it should expand the national security exemption to cover these requirements. Id.

The government would violate this statute if it searched a personal cloud account or used seized information without meeting these requirements. The trigger for this statute may “over-protect [digital] records”—but it is better to over-protect than to under-protect this type of information. Orin S. Kerr, The Digital Fourth Amendment: Implementing Carpenter 28 (Oxford Univ. Press, USC Law Legal Studies Paper No. 18-29, forthcoming) (on file). And transparency and clarity are the hallmarks of a well-written statute. Id. Without these features, confusion and abuse are inevitable. Id. at 26; Secretary Michael Chertoff, Exploding Data: Reclaiming Our Cyber Security in the Digital Age 200 (Atlantic Monthly Press 2018). Employing this concrete standard reduces the chance of either occurring. Kerr, supra, at 28. Some may argue that this standard is too rigid. But suppose law enforcement enters your house without a warrant and searches your desk. Clearly, this type of entry and search is unlawful. Id. Why should personal cloud information be any different?

A legislative fix would also clarify this issue for defendants, prosecutors, and private companies. Murphy, supra, at 536. Defendants would know their rights, prosecutors would know their boundaries, and cloud providers would know when it was necessary to comply with the government. Id. As long as this area remains unlegislated, companies and individuals will face expensive litigation and difficult decisions. Id. Cloud providers do not want customers losing faith in their service, which is why they are likely to oppose data requests. Id. But a federal statute provides “legal safe harbors for compliance,” freeing companies from difficult ethical decisions and angry customers. Id.

Even with a privacy statute that protects cloud information, Congress must do more. Congress needs to create a law that forces it to revisit digital privacy statutes on a recurring basis. Keeping pace with rapid technological changes will not be easy. Id. at 540–41. Nor will bipartisan support on some issues. But with the constant evolution of technology, using 30-year-old statutes for digital privacy is a recipe for disaster. With this law, Congress will be forced to examine digital privacy protections more often than every 30 years.

Conclusion

Digital privacy is threatened without statutory protection. H. Brian Holland, “A Cognitive Theory of the Third-Party Doctrine and Digital Papers,” 91 Temp. L. Rev. 55, 58 (2018). To be sure, the government should have “the appropriate legal authority to provide security” and fulfill its constitutional role. Chertoff, supra, at 199. At the same time, people must maintain “a sufficient scope of privacy and autonomy necessary for [their] human dignity.” Id. Herein lies the inherent tension. But I believe the recommendations put forth by this article accommodate both essential principles.

For those who argue that my suggestions will allow people to “do things they shouldn’t be doing,” I respectfully disagree. Diamantis, supra, at 501. The proposed statutory amendment “allow[s] people to live core areas of their personal lives with the dignity that excludes onlookers.” Id. The United States is not a totalitarian country. Id. We have always warned against oppressive behavior in the physical world, and the digital world should be no different. Armed with wholesale cloud access, the government could “pursue personal vendettas, target the politically unpopular,” and trample on other civil liberties. Kerr, supra, at 26; Diamantis, supra, at 501; Chertoff, supra, at 200; Johnson, supra, at 869–70 (“In 1963, the Federal Bureau of Investigation wiretapped the phones of Martin Luther King, Jr. under the pretense of determining King’s ties to members of the American Communist Party. And after 9/11, the New York Police Department, with significant assistance from the Central Intelligence Agency, spent years monitoring Muslim neighborhoods and community centers.”).

Since 9/11, the government has received “greater investigative latitude,” but to extend this ability to warrantless searches of cloud services is unwise. Vania Mia Chaker, “Your Spying Smartphone: Individual Privacy Is Narrowly Strengthened in Carpenter v. United States, the U.S. Supreme Court’s Most Recent Fourth Amendment Ruling,” 22 J. Tech. L. & Pol’y 1, 12–13 (2018) (sign-in required). Although it is my belief that Carpenter protects cloud data from warrantless searches, this area is still “ripe for future Supreme Court review.” Kerr, supra, at 26. With Justice Brett Kavanaugh joining the bench, and a slim 5–4 majority in the Carpenter opinion, this issue is hardly settled in the courtroom. Dan Sewell, “Kavanaugh’s Support for Surveilling Americans Raises Concern,” AP News, Aug. 28, 2018 (“Supreme Court nominee Brett Kavanaugh has frequently supported giving the U.S. government wide latitude in the name of national security, including the secret collection of personal data from Americans.”).

And so Congress must act.

Steven Arango, a first lieutenant in the U.S. Marine Corps, is currently studying for the Florida Bar and will clerk for U.S. District Judge Fernando Rodriguez, Jr., beginning in August 2019.

The views expressed in this article are those of the author and do not necessarily represent the views of the U.S. Marine Corps, Department of the Navy, Department of Defense, or the U.S. Government.


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).