Category: Privacy (Law Enforcement)


Overturning the Third-Party Doctrine by Statute: Hard and Harder

Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller.  Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller.  My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977.  In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”

Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine.  Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever.  Sotomayor’s opinion didn’t attract a single other Justice.

Can we draft a statute to overturn the third-party doctrine?  That is not an easy task, and it may be an unattainable goal politically.  Nevertheless, the discussion has to start somewhere.  I acknowledge that not everyone wants to overturn Miller.  See Orin Kerr’s The Case For the Third-party Doctrine.  I’m certainly not the first person to ask the how-to-do-it question.  Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.

I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill.  I see right away that there is precedent.  Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.  The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.

The RFPA is remarkable too for its exemptions and weak standards.  The law only applies to the federal government and not to state and local governments.  (States may have their own laws applicable to state agencies.)  Bank supervisory agencies are largely exempt.  The IRS is exempt.  Disclosures required by federal law are exempt.  Disclosures for government loan programs are exempt.  Disclosures for grand jury subpoenas are exempt.  That effectively exempts a lot of criminal law enforcement activity.  Disclosures to GAO and the CFPB are exempt.  Disclosures for investigations of crimes against financial institutions by insiders are exempt.  Disclosures to intelligence agencies are exempt.  This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.

We’re not done with the weaknesses in the RFPA.  A customer who receives notice of a government request has ten days to challenge the request in federal court.  The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice.  The customer loses if there is a demonstrable reason to believe that the law enforcement is legitimate and a reasonable belief that the records sought are relevant to that inquiry.  Relevance and legitimacy are weak standards, to say the least.  Good luck winning your case.

Who should get the protection of our bill?  The RFPA gives rights to “customers” of a financial institution.  A customer is an individual or partnership of five or fewer individuals (how would anyone know?).  If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town.  It will be hard enough to pass a bill limited to individuals.  The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems.  I’d be inclined to stick to individuals.

Read More


“Brain Spyware”

As if we don’t have enough to worry about, now there’s spyware for your brain.  Or, there could be.  Researchers at Oxford, Geneva, and Berkeley have created a proof of concept for using commercially available brain-computer interfaces to discover private facts about today’s gamers. Read More


Bartelt’s Dog and the Continuing Vitality of the Supreme Court’s Tacit Distinction between Sense Enhancement and Sense Creation

Last Term, in an amicus brief in United States v. Jones, 565 U.S. __, several colleagues and I highlighted the Supreme Court’s long, albeit not always clearly stated, history of distinguishing between sense-enhancing and sense-creating technologies for Fourth Amendment purposes.  As a practical matter, the Court has consistently subjected technologies in the latter category to closer scrutiny than technologies that merely bolster natural human senses.  Thus, the use of searchlights, field glasses, and (to some extent) beepers and airplane-mounted cameras was not found to implicate the Fourth Amendment.  As the Court explained, “[n]othing in the Fourth Amendment prohibit[s] the police from augmenting the sensory faculties bestowed upon them at birth with such enhancement as science and technology” may afford.  460 U.S. at 282 (emphasis added).  In contrast, the Court has held that technologies that create a new capacity altogether, including movie projectors, wiretaps, ultrasound devices, radar flashlights, directional microphones, thermal imagers, and (as of Jones) GPS tracking devices, do trigger the Fourth Amendment.  To hold otherwise, as the Court has stated, would “shrink the realm of guaranteed privacy,” leaving citizens “at the mercy of advancing technology.”  533 U.S. at 34-36.

In fact, of the landmark cases involving technology and the Fourth Amendment during the past 85 years (from United States v. Lee, 274 U.S. 559, in 1927 to Jones in 2012), only in one instance did the Supreme Court appear to deviate from this distinction between sense enhancement and sense creation.  In that case, United States v. Place, 462 U.S. 696, and its successors, City of Indianapolis v. Edmond, 531 U.S. 32, and Illinois v. Caballes, 543 U.S. 405, the Court held that the use of trained narcotics-detection dogs (more apparently similar to using a new capacity than merely enhancing a natural human sense) did not implicate the Fourth Amendment.  In our amicus brief in Jones, we rationalized Place, Edmond, and Caballes by arguing that dogs were unique, being natural biological creatures that had long been used by the police, even in the time of the Framers.  Further, we argued, a canine sniff, unlike the use of, say, a wiretap or a thermal imager, “discloses only the presence or absence of narcotics, a contraband item.”  462 U.S. at 707 (emphasis added).  Still, the apparent ‘dog exception’ was rankling. Read More


Some Thoughts On Florida v. Jardines

Amidst all of the discussion of gay marriage at One First Street NW today, you may have missed that the Supreme Court decided Florida v. Jardines.  In a five-four opinion by Justice Scalia, the Court held that bringing a police dog within the curtilage (in this case, the front porch) of the home to sniff for drugs constitutes a search for purposes of the Fourth Amendment.  As Orin Kerr predicted, the opinion turned on the lack of implied consent to approach with a dog, which converted the detectives’ action into a trespass.  Justices Thomas, Ginsburg, Sotomayor, and Kagan joined Justice Scalia’s opinion.  Justice Alito wrote for the dissent, joined by Justices Kennedy, Breyer, and the Chief Justice.  Justice Kagan, joined by Justices Ginsburg and Sotomayor, wrote separately to note that they “could just as happily have decided [the case] by looking to Jardines’ privacy interests.” Read More


“The Future of Drones in America” Hearing

I got the chance to testify at a hearing of the full Senate Judiciary Committee about the domestic use of drones yesterday. The New York Times has this coverage and, for aficionados of torts, I talk about intrusion upon seclusion with Senator Dick Durbin in this clip from NBC News. Should you get a chance to watch the hearing in full, Senator Al Franken’s thoughts at the end were particularly vivid. My written and oral comments were similar to those outlined in my previous post: privacy law places few limits on the use of drones for surveillance, but we should be very careful in crafting any drone-specific legislative response.  It happens that, about when I was testifying, my students were taking a final where one of the questions involved a drone filming a private party.  I feel they had fair notice that this might be on the exam.


New Edition of Solove & Schwartz’s Privacy Law Fundamentals: Must-Read (and Check out the Video)

Privacy leading lights Dan Solove and Paul Schwartz have recently released the 2013 edition of Privacy Law Fundamentals, a must-have for privacy practitioners, scholars, students, and really anyone who cares about privacy.

Privacy Law Fundamentals is an essential primer of the state of privacy law, capturing the up-to-date developments in legislation, FTC enforcement actions, and cases here and abroad.  As Chief Privacy Officers like Intel’s David Hoffman and renown privacy practitioners like Hogan’s Chris Wolf and Covington’s Kurt Wimmer agree, Privacy Law Fundamentals is an “essential” and “authoritative guide” on privacy law, compact and incredibly useful.  For those of you who know Dan and Paul, their work is not only incredibly wise and helpful but also dispensed in person with serious humor.  Check out this You Tube video, “Privacy Law in 60 Seconds,” to see what I mean.  I think that Psy may have a run for his money on making us smile.


In Honor of Alan Westin: Privacy Trailblazer, Seer, and Changemaker

Privacy leading light Alan Westin passed away this week.  Almost fifty years ago, Westin started his trailblazing work helping us understand the dangers of surveillance technologies.  Building on the work that Warren and Brandeis started in “The Right to Privacy” in 1898, Westin published Privacy and Freedom in 1967.  A year later, he took his normative case for privacy to the trenches.  As Director of the National Academy of Science’s Computer Science and Engineering Board, he and a team of researchers studied governmental, commercial, and private organizations using databases to amass, use, and share personal information.  Westin’s team interviewed 55 organizations, from local law enforcement, federal agencies like the Social Security Administration, and direct-mail companies like R.L. Polk (a predecessor to our behavioral advertising industry).

The 1972 report, Databanks in a Free Society: Computers, Record-Keeping, and Privacy, is a masterpiece.  With 14 case studies, the report made clear the extent to which public and private entities had been building substantial computerized dossiers of people’s activities and the risks to economic livelihood, reputation, and self-determination.  It demonstrated the unrestrained nature of data collection and sharing, with driver’s license bureaus selling personal information to direct-mail companies and law enforcement sharing arrest records with local and state agencies for employment and licensing matters.  Surely influenced by Westin’s earlier work, some data collectors, like the Kansas City Police Department, talked to the team about privacy protections, suggesting the need for verification of source documents, audit logs, passwords, and discipline for improper use of data. Westin’s report called for data collectors to adopt ethical procedures for data collection and sharing, including procedural protections such as notice and chance to correct inaccurate or incomplete information, data minimization requirements, and sharing limits.

Westin’s work shaped the debate about the right to privacy at the dawn of our surveillance era. His changing making agenda was front and center of  the Privacy Act of 1974.  In the early 1970s, nearly fifty congressional hearings and reports investigated a range of data privacy issues, including the use of census records, access to criminal history records, employers’ use of lie detector tests, and the military and law enforcement’s monitoring of political dissidents. State and federal executives spearheaded investigations of surveillance technologies including a proposed National Databank Center.

Just as public discourse was consumed with the “data-bank problem,” the courts began to pay attention. In Whalen v. Roe, a 1977 case involving New York’s mandatory collection of prescription drug records, the Supreme Court strongly suggested that the Constitution contains a right to information privacy based on substantive due process. Although it held that the state prescription drug database did not violate the constitutional right to information privacy because it was adequately secured, the Court recognized an individual’s interest in avoiding disclosure of certain kinds of personal information. Writing for the Court, Justice Stevens noted the “threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.”  In a concurring opinion, Justice Brennan warned that the “central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.”

What Westin underscored so long ago, and what Whalen v. Roe signaled, technologies used for broad, indiscriminate, and intrusive public surveillance threaten liberty interests.  Last term, in United States v. Jones, the Supreme Court signaled that these concerns have Fourth Amendment salience. Concurring opinions indicate that at least five justices have serious Fourth Amendment concerns about law enforcement’s growing surveillance capabilities. Those justices insisted that citizens have reasonable expectations of privacy in substantial quantities of personal information.  In our article “The Right to Quantitative Privacy,” David Gray and I are seeking to carry forward Westin’s insights (and those of Brandeis and Warren before him) into the Fourth Amendment arena as the five concurring justices in Jones suggested.  More on that to come, but for now, let’s thank Alan Westin for his extraordinary work on the “computerized databanks” problem.



Video Voyeurism

Recall that during the spring, a jury convicted Dahrun Ravi of criminal invasion of privacy along with a bias intimidation charge for surreptitiously using his webcam to live stream his roommate’s sexual encounter and for attempting to do so a second time.  Here comes word of another criminal invasion of privacy case, this time in Maryland.  Apparently, a Howard County man broke into the apartments of two young women, installing a video camera in their bathrooms and bedrooms.  The man has been charged with burglary and video surveillance “with a prurient interest.”  The man apparently knew the women, allowing him to steal and copy their apartment keys.  According to news reports, the suspect filmed himself installing the cameras.  Apparently, Maryland law aims to punish and deter sexualized privacy invasions by requiring proof of prurient interest.  Besides the Ravi case, another criminal matter that comes to mind is the Erin Andrews stalking case.  Much like the criminal case against Ms. Andrews’s stalker, prosecutors might also have charged the defendant with criminal harassment, that is, repeated conduct designed to cause victim substantial emotional distress with intent to cause substantial emotional distress.  On the civil side of things, the women can surely sue their harasser for tort privacy’s intrusion on seclusion, which protects against invasions of someone’s solitude or her “private affairs or concerns” that would be “highly offensive to the reasonable person.”  As I head off to speak at the Harvard Law Review’s symposium on Privacy and Technology where I will be commenting on Neil Richards’s excellent essay “The Dangers of Surveillance” (and as I write my book Hate 3.0: The Rise of Cyber Harassment and How to Stop It, forthcoming in Harvard University Press), this case could not be more timely.  You can check out David Gray’s and my response to Neil’s paper, a draft of which is posted on the HLR website.


Harvard Law Review Symposium on Privacy & Technology

This Friday, November 9th, I will be introducing and participating in the Harvard Law Review’s symposium on privacy and technology.  The symposium is open to the public, and is from 8:30 AM to 4:30 PM at Harvard Law School (Langdell South).

I have posted a draft of my symposium essay on SSRN, where it can be downloaded for free.  The essay will be published in the Harvard Law Review in 2013.  My essay is entitled Privacy Self-Management and the Consent Paradox, and I discuss what I call the “privacy self-management model,” which is the current regulatory approach for protecting privacy — the law provides people with a set of rights to enable them to decide for themselves about how to weigh the costs and benefits of the collection, use, or disclosure of their data. I demonstrate how this model fails to serve as adequate protection of privacy, and I argue that privacy law and policy must confront a confounding paradox with consent.  Currently, consent to the collection, use, and disclosure of personal data is often not meaningful, but the most apparent solution — paternalistic measures — even more directly denies people the freedom to make consensual choices about their data.

I welcome your comments on the draft, which will undergo considerable revision in the months to come.  In future posts, I plan to discuss a few points that I raise my essay, so I welcome your comments in these discussions as well.

The line up of the symposium is as follows:

Symposium 2012:
Privacy & Technology

Daniel J. Solove
George Washinton University
“Introduction: Privacy Self-Management and the Consent Paradox”

Jonathan Zittrain
Harvard Law School

Paul Schwartz
Berkeley Law School
“The E.U.-U.S. Privacy Collision”

Lior Strahilevitz
University of Chicago
“A Positive Theory of Privacy”

Julie Cohen
Georgetown University
“What Privacy is For”

Neil Richards
Washington University
“The Harms of Surveillance”

Danielle Citron
University of Maryland

Anita Allen
University of Pennsylvania

Orin Kerr
George Washington University

Alessandro Acquisti
Carnegie Mellon University

Latanya Sweeney
Harvard University

Joel Reidenberg
Fordham University

Paul Ohm
University of Colorado

Tim Wu
Columbia University

Thomas Crocker
University of South Carolina

Danny Weitzner


More on government access to private sector data

Last week I blogged here about a comprehensive survey on systematic government access to private sector data, which will be published in the next issue of International Data Privacy Law, an Oxford University Press law journal edited by Christopher Kuner. Several readers have asked whether the results of the survey are available online. Well, now they are – even before publication of the special issue. The project, which was organized by Fred Cate and Jim Dempsey and supported by The Privacy Projects, covered government access laws in AustraliaCanadaChinaGermanyIsraelJapanUnited Kingdom and United States.

Peter Swire’s thought provoking piece on the increased importance of government access to the cloud in an age of encrypted communications appears here. Also see the special issue’s editorial, by Fred, Jim and Ira Rubinstein.