The New Parole Ankle Bracelet: Your Smartphone

As usual, this technological transformation has outrun the law by miles. If you don’t know off the top of your head how the law applies to digital devices, you are not alone. Our informal survey (of five office mates, plus the first five people who didn’t walk away when we started asking questions at a party) reveals that the average user doesn’t know his or her privacy rights when it comes to smartphone data. Nor does research help. The federal and state courts faced with these questions give inconsistent answers.

And there are a lot of questions. Here are a few: Is your “private” data less so when stored in the cloud? What should apply to information you post or send on social networks—the user’s contract or a Fourth Amendment expectation of privacy? Is your answer different for Facebook and Twitter? What about the fact that your cell phone, in order to work, sends your location many times per second to the company’s cell phone towers? Does that mean you have no ability to protect that moment-by-moment map of your wandering? (Do you begin to understand why Osama Bin Laden ordered his couriers to take the battery out of their phones an hour before they came to him?) And we haven’t even mentioned consumer-ready spy software or the latest fingerprint scanning on smartphones.

If your head isn’t hurting yet, think about how “situational issues” affect this debate. The government versus your ex is easy. How about civil subpoenas to Twitter versus a National Security Letter? (No objection, no trace, no warning.) Then there are variations that depend on to whom the data or communication was sent or where it was sent, whether the device is employer-issued, the extent to which the user attempted to protect the data, the policy of the service provider or employer in the face of requests or demands for the data, and on and on. We’re not even beginning to discuss how all these rules change if you’re coming across a U.S. border. Just assume you should eat your phone before landing.

Current Case Law

So let’s try to give you some structure, rather than merely bombarding you with law school exam–type questions. Current case law being used by courts to decipher issues related to cell phones traces its lineage back to a 1979 case involving landlines (long before that term was coined), Smith v. Maryland, 442 U.S. 735 (1979), in which the U.S. Supreme Court ruled that the Fourth Amendment did not protect a phone subscriber from having the government use “pen registers” to record the number called, the time of the call, and—by inference, because phones didn’t move—the caller’s location. (For those with an antiquarian bent, a “pen register” was a device that could be attached to your phone line at the telephone company and “write out” the numbers called by moving a pen on paper with magnets. Almost as antiquated, the “call trap” catches the incoming calls. You may therefore see references to a “pen/trap” authorization in the early cases.)

The point of the case was the Supreme Court’s conclusion that neither the user nor the call recipient had an expectation of privacy in the information recorded because both had contracted with the telephone company for the service and the recording of the numbers, time, and location was necessary for providing the service or billing for it. Why should you care, especially given that we’re writing about private rights, not government surveillance? Because the Smith analysis is what current courts are using, or trying to distinguish, as they deal with the more intricate arguments arising from a cell phone. (For example, is your cell phone a phone or your personal home library? Does downloading an app that requires you to reveal your location, such as Google Maps or Foursquare, mean that you have agreed that your location information is open to the world at all times?)

What in this voyeuristic age is a “reasonable expectation of privacy,” given that people catalogue their lives and post pictures, videos, or their commentary on Facebook, Instagram, Twitter, or Vine, sometimes on an hourly basis, sometimes sober and sometimes not? People catalogue not only their own lives but also the lives of others. For instance, you may be surprised to run across your photo on someone else’s Facebook page, taken (and labeled with your name) by a friend or even a perfect stranger, on a girls’ night out, after one too many drinks, doing the Elaine Benes move on the dance floor—not quite the image of an esteemed lawyer you cultivated over the years, is it? While this may horrify those over the age of, say, 35, young adults who grew up with social media may not even blink an eye at this issue. Is a “reasonable” expectation of privacy determined by one’s age and social media habits?

Cellphone-Specific Issues

Now let’s discuss a few things unique to cell phones that can throw a curve to both you as a user and a court hearing a case involving these issues. First, “spy apps” that can be placed on your phones. Second, how text messaging (on Twitter, for example) may be treated differently than calls. Finally, what about how cell phones affect “public space” issues—government cameras versus, for example, the guy next to you on the bus using his phone to take a video.

Spy programs allow the user to intercept and monitor smartphone activities. Companies like StealthGenie and Mobile Spy tout and sell software that allows anyone, including your ex, to intercept, monitor, and track your smartphone remotely and invisibly; to spy on calls, SMS messages, instant messages, emails, calendar activities, videos or photos, Internet browser history and bookmarks, and GPS location; and even to listen to the phone’s surroundings. Go back and read that sentence again.

This is the stuff of spies and corporate espionage, but it is now marketed to ordinary people who suspect their spouse of extramarital affairs, employers who want to monitor employee activities, and vigilant parents keen on keeping tabs on their teenagers. In reality, you don’t even need to be a genius hacker or employ mobile-phone spy services. You can simply download from the Internet step-by-step instructions that will allow you to easily hack the computers and smartphones of unsuspecting java drinkers at your local Starbucks—or allow someone else to monitor you.

How can this be? Unauthorized hacking is not legal. Hence, mobile-phone software companies typically issue a disclaimer that the software consumer is solely responsible for complying with the applicable laws. An example is Mobile Spy’s disclaimer:

It is a federal and state offense in most countries to install monitoring/surveillance software onto a phone which you do not own or have proper authorization to install. It may also be an offense in your jurisdiction to monitor the activities of other individuals. . . . You must always notify a person they are being monitored if they are over age 18. Federal or local law governs the use of some types of software; it is [the] responsibility of the user to follow such laws.

But StealthGenie’s website touts its ability to spy without detection: “You literally have complete access and control of the phone you want to monitor and the best part is, the application is completely hidden and works in stealth mode.” The companies provide the tools to “push the boundaries” but exhort consumers to use the software within the boundaries of the law. (Remember radar detectors?)

What laws exist to protect privacy on smartphones? Even though there are laws that apply to smartphone data, they were first written when audio cassettes and handheld calculators were the newest high-tech inventions, and they require some serious updating. Other than the Fourth Amendment, which prohibits unreasonable searches and seizures, the Wiretap Act is the central law that regulates communications. It was passed in 1968 (codified in 18 U.S.C. §§ 2510–22) and now broadly prohibits the intentional interception, use, or disclosure of wire and electronic communications unless a statutory exception applies. See 18 U.S.C. § 2511(1). One exception is consent. In most states, consent from just one person to the conversation—even if that person is the one doing the recording—is enough. But be careful. The following states employ the “two-party consent” law: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. In those states, all parties to the communication must consent to recording if one of the parties harbors an objectively reasonable expectation of privacy. In some states, however, it might be enough if all parties to the conversation know that it is being recording and proceed with the communication anyway, even if they do not voice explicit consent. Thus, privacy rights may depend on where the communication took place.

In addition, the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2701, prohibits unlawful access by third parties or law enforcement to stored telephone, cellular, and electronic messages, and to transactional records (subscriber-identifying information, logs, and toll records). It also applies to voice-mail systems, pagers, chat logs, web-streaming video, voice over Internet protocol, and the recording or videotaping of private face-to-face conversations. The ECPA creates civil and criminal penalties for anyone who intentionally intercepts, uses, or discloses any wire or oral communication by using an electronic, mechanical, or other device, or who accesses without authority a wire or electronic communication while in storage. The statute defines “interception” as the “aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Electronic storage is “any temporary, immediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The ECPA has been criticized as being out of date. Recognizing this, Senator Patrick Leahy (D-VT), who authored the original 1986 ECPA, introduced a bill in 2013 to amend it. He stated when introducing it that “[p]rivacy laws written in an analog era are no longer suited for privacy threats we face in a digital world.” But the proposed amendment does not go far. It would require that a warrant be obtained before any emails, not just those less than 180 days old, could be reviewed. Currently, all you need is an administrative subpoena to review emails more than 180 days old. Some law enforcement interest groups are pushing back and asking for even easier access to private data. For instance, they are asking that service providers be required to retain and turn over records of text messages without a search warrant if requested by law enforcement. They are also asking that law enforcement be permitted to conduct warrantless geolocation tracking to aid in the early stages of investigations when probable cause has not yet been established.

Amendment or not, federal and state laws make it clear that one cannot wiretap, intercept, or obtain electronic messages without authorization. What is unclear, however, is what constitutes authorization and what constitutes a reasonable expectation of privacy when you voluntarily provide information such as your whereabouts, photos, videos, reviews, comments, and communications to social media networks, acquaintances, or service providers.

Text Messages

Text messages are now one of the most common forms of communication. The average adult sends or receives about 42 text messages per day. State of Rhode Island v. Patino, No. P1-10-1155A, 2012 R.I. Super. LEXIS 139 (R.I. Super. Ct. Sept. 4, 2012). Young adults send or receive about 88 text messages per day, and the average American teenager sends an average of 3,146 text messages per month. An astounding statistic, but not surprising to parents of teenagers. They know that for their teenagers, and many young adults, text messages have replaced phone calls and in-person conversations as the primary form of communication.

But, unlike phone calls or in-person conversations, texts are readily accessible to others and can be uploaded online. Even if no spy software is used, unless you change your phone’s privacy settings, any nosy person sitting near you can view text message notices on your phone screen. And once the text message leaves your own phone, can you reasonably expect it to remain private? What about the reality that the text recipient can take a screen shot of your text message and post it on Instagram or Facebook, instantly transforming your intimate message to an unintended, and sometimes career-destroying, public declaration?

Anthony Weiner learned this the hard way. In 2013, the former member of the U.S. House of Representatives and New York mayoral candidate blew a promising political career when his extramarital sexting to young women went public and then viral. It remains to be seen whether he will sue the website that publicly disclosed the messages. Generally speaking, civil lawsuits are based on one or more of the following categories of invasion of privacy: intrusion of solitude (physical or electronic intrusion into one’s private quarters); public disclosure of private facts (the dissemination of truthful private information that a reasonable person would find objectionable); false light (the publication of facts that place a person in a false light, even though the facts themselves may not be defamatory); and appropriation (the unauthorized use of a person’s name or likeness to obtain some benefits). (See the article by Kate Brimsted on page 63 of this issue for a discussion of Europe’s privacy laws.)

Public figures like Weiner, however, are not afforded the same privacy protection because they already have placed themselves within the public eye, and their activities can be considered legitimate public interest. Moreover, based on Weiner’s earlier experience with Twitter in 2011 when his accidental tweet of an explicit photo led to his resignation from Congress, it seems that he should have known better.

Another public figure, Tony Parker, a renowned basketball player for the San Antonio Spurs who was married to actress Eva Longoria, did file suit. He sued the website X17 for defamation and invasion of privacy for publishing text messages he allegedly sent to a French model. But the case settled quickly with X17 publishing an apology. So the case offers no clarification about whether your understanding of the intended recipient, or your knowledge that he or she can publish it to the world, controls.

Courts are just beginning to grapple with the issue of reasonable expectation of privacy in text messages. Thus far, they are split. In Washington, courts ruled that no reasonable expectation of privacy exists in the text messages stored on another person’s phone. See State of Washington v. Roden, 169 Wash. App. 59 (Wash. Ct. App. 2012). The court held that the text sender “impliedly consented to the recording and/or interception of the text messages” on the other person’s phone and that as a user of text message technology, the defendant must have known the mobile phone would record and store his text messages.

A Rhode Island court reached the opposite conclusion. In State of Rhode Island v. Patino, No. P1-10-1155A, 2012 R.I. Super. LEXIS 139 (Sept. 4, 2012), a criminal case, the Superior Court of Rhode Island found that a person does have a reasonable expectation of privacy in text messages stored on one’s own phone or on the recipient’s phone. In reaching this conclusion, the court noted that text messages were like oral conversations and “should be viewed as a single entity due to their interdependent nature and form.” The court commented that to hold that there was no reasonable expectation of privacy would give police a work-around by which they could view text messages on a recipient’s phone without a warrant and seek a warrant only after confirming the usefulness of the text messages.

A court in Montana arrived at the same conclusion when addressing the discoverability of text messages. In State of Montana v. Johnson, No. DC-12-352, 2012 Mont. Dist. LEXIS 39 (Mont. Dist. Ct. Nov. 21, 2012), the victim voluntarily turned over her mobile phone to the police. Some 29,000 text messages were downloaded from the victim’s phone, and the state produced redacted copies of many of the requested text messages, arguing that the victim’s right of privacy was implicated. The defendant asked the court to review, in camera, the redacted text messages. As in State of Rhode Island v. Patino, the court upheld the privacy of the text messages and noted that “the risk that a text message will be viewed by someone other than the intended recipient is simply too remote to eliminate a person’s objectively reasonable belief that his or her text message will, in fact, be viewed only by the intended recipient.”

In a civil wrongful termination suit, Kamalu v. Walmart Stores, Inc., No. 13-cv-00627, 2013 U.S. Dist. LEXIS 116590 (E.D. Cal. Aug. 15, 2013), a federal court in California addressing the discoverability of mobile phone records held there is “no expectation of privacy in call origination, length and time of call because no content information is involved.” It remains to be seen whether the outcome will be different if the text contents are sought.

Privacy rights in texts can be limited when they are sent from employer-issued devices. In City of Ontario v. Quon, 130 S. Ct. 2619 (2010), the U.S. Supreme Court held that an employer may review texts on an employer-issued pager if for “legitimate work-related purposes.” In that case, police officers with the city police department sued their employer, the city, because it read sexually explicit text messages they had sent on employer-issued pagers. The police officers claimed their Fourth Amendment rights to privacy had been violated. The U.S. Court of Appeals for the Ninth Circuit ruled in the police officers’ favor. The Supreme Court disagreed, finding that the warrantless search was not an unreasonable violation of the officers’ Fourth Amendment privacy rights because it was motivated by the city’s attempt to address excessive pager usage by requesting from the service provider transcripts of the pager text messages, which were then used to determine the cause of exceeding the plan limit. The Supreme Court, however, declined to provide a broad ruling addressing employees’ privacy expectations on employer-issued mobile phones, noting that it might have greater implications for the future.

Videos, Photos, and Sound Recordings

Just as screenshots of texts can be published online, photos, videos, and other data on a smartphone can be instantly uploaded onto Facebook, Instagram, Vine, Twitter, or other social media sites. Although there is no decisive case law, courts are beginning to see cases alleging privacy violations from unauthorized postings of videos, photos, and recordings. Where the recording was made sometimes makes a difference. Generally, you have a right to capture images in public places (unless it is prohibited for security reasons), but you do not always have a right to record what people say pursuant to the Wiretap Act and related state laws discussed above.

In some cases, videos, photos, or data obtained in what is arguably public space, however, can be deemed to violate privacy. For instance, Google is currently facing class action lawsuits by wireless users whose private information such as personal emails, usernames, passwords, videos, and documents were accessed by Google’s Street View fleets, which drove around with Wi-Fi antennas to collect data. Google argued that an exemption to the federal wiretap law applied because the information was obtained in public space. The Ninth Circuit Court of Appeals disagreed and, in September 2013, issued a decision finding that no exemption applied because data transmitted over an unencrypted Wi-Fi network were not readily available to the public.

In another case, Zimmerman v. Board of Trustees of Ball State University, 940 F. Supp. 2d 875, (S.D. Ind. 2013), college students created a fake Facebook profile of a 15-year-old high school girl. When their former roommate arrived at a movie theater to meet the fictitious girl, the students videotaped him and posted it on YouTube with a title labeling him a pedophile. Although the video was taken in the lobby of a public movie theater, the university nonetheless found that the students had violated his right of privacy and the student handbook.

Even when data were recorded at home and not in public, some courts have nonetheless held there was no reasonable expectation of privacy. In Caro v. Weintraub, 618 F.3d 94 (2d Cir. 2010), the court found no reasonable expectation of privacy where the plaintiff participated in a conversation that occurred in his own kitchen. In this case, the plaintiff’s stepson recorded a conversation without the consent of his dying mother and stepfather using an iPhone application. The stepson later used the recording in a probate action after his mother had passed away. The stepfather filed suit against the stepson, but the district court dismissed the complaint, finding, among other things, that the stepfather had no reasonable expectation of privacy in the conversation. The Second Circuit affirmed.

One website called thedirty.com (“The Dirty”) has 20 million views a month and 181 million a year, and it invites anyone to submit postings, which may include pictures or videos about anyone, either a public figure or a private individual. In 2013, The Dirty published sexting and videos sent by Anthony Weiner to a twentysomething woman. The Dirty has been sued multiple times but has largely escaped liability because the content is posted by third parties and not the website itself. For example, in S.C. v. Dirty World, LLC, No. 11-CV-00392-DW, 2012 U.S. Dist. LEXIS 118297 (W.D. Mo. Mar. 12, 2012), an individual sued The Dirty website and the website owner for invasion of privacy and defamation, among other claims. The case arose from a posting entitled “Nasty Church Girl,” which claimed that the plaintiff had slept with her boyfriend. The post also included a photo of the “Nasty Church Girl.”

The Dirty argued in a motion for summary judgment that the action was barred by the Communications Decency Act (CDA). Under 47 U.S.C. § 230(c)(1) of the CDA, “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This section immunizes website operators from liability for content provided by another “information content provider.” A website will lose immunity if it is also an information content provider, which is defined as “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.” 47 U.S.C. § 230(f)(3). Because a third party undisputedly wrote and submitted the “Nasty Church Girl” post and the defendants did not alter it, the CDA immunity turned on whether the defendants were “responsible, in whole or in part, for the creation or development of” the post. The plaintiff argued that they were responsible because they encouraged the development of what is offensive about the content through the tenor of the website and the website owner’s actions in commenting on posts and interacting with his readers.

The court disagreed. In determining that the defendants did not qualify as information content providers, the court noted that they did not pay for the posts, materially contribute to the posting, or know or knowingly speak to the author or induce a post specifically directed at the plaintiff, and they did not otherwise alter the substance of the post. Therefore, the court held, the CDA immunity applied, and the court granted the motion for summary judgment without deciding the issue of whether there was defamation or a violation of privacy rights. Based on decisions such as this, to benefit from CDA immunity, it would be wise for website operators to avoid direct communication with the posters and not alter postings, pay posters, expressly encourage specific types of posting, or comment on or encourage discussions based on postings.

So now we come back to the question of whether your phone’s broadcasting of your location should be dealt with under the various “public space” cases or whether it should be limited to the private contractual analysis discussed above. At least one federal court has ruled that if someone has his or her smartphone turned on, the person’s geolocation does not deserve protection under the Fourth Amendment. In In re Smartphone Geolocation Data Application, No. 13-MJ-242, 2013 U.S. Dist. LEXIS 62605 (E.D.N.Y. May 1, 2013), a case involving an investigation by the Drug Enforcement Administration, the court held that “given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective location of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off.” The court pointed out that because smartphone applications allow users to track the locations of people with similar interests, cellphone customers should not expect a right to privacy in their location.

Not surprisingly, the American Civil Liberties Union (ACLU) disagrees. Chris Soghoian, a principal technologist and senior policy analyst at the ACLU, commented in Free Future (May 15, 2013, www.aclu.org/blog/free-future) that the opinion was “ridiculous.” He noted that “someone might be happy to share their location with a few friends by ‘checking in’ using Foursquare while at a music festival, but not want law enforcement to access that same information,” and that “they would still reasonably expect that their location a week later at an Alcoholics Anonymous meeting or abortion clinic should remain private. Sharing location data isn’t and shouldn’t be all or nothing.”

Civil Litigation

How does this apply to civil litigation? Google is facing consumer actions alleging that it violated the federal Computer Fraud and Abuse Act as well as California’s Unfair Competition Law by allegedly transmitting users’ geolocation data and other personal information to app developers. The amended complaint alleges that Google’s actions run counter to the company’s terms of service, which state that it does not disclose personal information without opt-in consent. It also makes a novel allegation that consumers were harmed because Google’s information sharing depleted consumers’ batteries and consumed their data. Apple is likewise facing a class action in a federal court in Northern California for allegedly collecting geolocation data on its users through smartphones and tablets even after the geolocation feature was turned off.

Given the ever-increasing dependence on smartphones and other technology that erodes privacy, we can expect to see more such litigation in the years to come. Generally, whether one has a reasonable expectation of privacy in smartphone data depends on, among other things, the following factors: where the photos, videos, or recordings were made or the communication was made; the nature and context of the data; whether the device was personal or work-issued; whether the user agreed to authorize disclosure or waived his or her privacy rights; whether data are easily accessible (e.g., one’s location and photos through apps); and the scope of the service provider’s and employer’s policies.

It’s no longer science fiction. Like it or not, we are living in a world in which smartphones, social media, and the Internet have blurred earlier distinctions between what you should expect about privacy in your home as opposed to everywhere else. The smartphone intertwines us in cyberspace and subjects our personal data to exposure as never before. In this voyeuristic, hyper-connected world, it seems we need to participate and, to the extent possible, direct the lawmakers and courts to define our privacy rights in a way that accurately reflects how technology has upended earlier analyses. In the meantime, you may want to shut off your phone if you don’t want to be located, think twice about texting that off-color joke about your partner (especially on a firm-issued smartphone), and avoid posting or texting a photo while enjoying a Vesper martini.