Computers, Privacy & the Constitution
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

Searching Beyond Subpoenas: Warrant-Demanding Corporate Structure

-- By SethGlickman - 12 Mar 2021

Introduction

The Fourth Amendment guarantees “the right of the people … against unreasonable searches and seizures”, and requires authorities to produce a search warrant, generated by demonstrating probable cause, if they seek to obtain information from one’s “person, house, papers, [or] effects”(1). Unfortunately for individual privacy but fortunately for government prosecutors, the Fourth Amendment’s protection has been shunted off to a large degree by third-party doctrine, which holds that an individual whose records are stored with a third party has no Fourth Amendment rights with respect to those records, and that the government can compel record production without a search warrant (and thus without meeting the threshold a search warrant would require).

As technology progresses, increasing amounts and types of personal information ends up stored with a third party, and individual users may not be aware of the relatively lax standards required for the government to compel those third parties to give up their data. Congress bolstered individual privacy protection with 1986’s Electronic Communications Privacy Act (ECPA) but over the thirty five years since its passage, it has been interpreted in counterintuitive and confusing ways, and is sorely in need of reform.

This essay provides a high-level look at the issue, and proposes a structural solution for bringing the reality of third-party data privacy protection closer to the individual mental model of how it should work.

Most of Your Data Does Not Live in Your House

The Fourth Amendment provides protection against specific location-based searches and seizures. If an individual’s records are located in one’s house, they are protected; if they are located at one’s bank, they are not.

The Fourth Amendment vs. Third-Party Doctrine

Third-party doctrine applies to situations where individuals have voluntarily given information to a third party with “no reasonable expectation of privacy”. In the 1976 case _United States v. Miller_(2) the Supreme Court found specifically that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties (in this case, records at a bank), and highlights as justification that an individual’s information is “exposed to [the bank’s] employees in the ordinary course of business.” Thus, information which is stored with third parties lies outside of an individual’s Fourth Amendment rights, and as technological trends shift more to third-party cloud services, this covers an increasingly broad set of information.

Search Warrant vs. Subpoena

The Fourth Amendment vs. Third-Party Doctrine distinction matters because it affects the mechanism for obtaining information. Under the Fourth Amendment, the government is required to produce a search warrant, a relatively high threshold to meet which involves a showing of probable cause to prevent governmental abuse. Subpoenas face a much lower threshold, and through their use the government can far more easily compel a third party to produce information about an individual. It would thus be desirable to relocate this information back to within the auspices of the Fourth Amendment’s protections.

ECPA Title II

Congress took note of this disparity and attempted to address it with the 1986 passage of ECPA, which contained the Stored Communications Act (SCA) under Title II. The SCA sought to bring the heightened threshold of the search warrant to “stored wire and electronic communications and transactional records”(3). It covers two types of services: “electronic communication services” (ECS) and “remote computing services” (RCS). The line between the two can be counterintuitive: for example, a server containing email over 180 days old qualifies as “providing storage” and therefore RCS; if it has been held for 180 days or less it qualifies as ECS — unless an email has been opened, in which case it likely reverts to a classification of storage rather than communication, and therefore RCS.

Again, this distinction matters due to the retrieval mechanism: RCS-classified data production can be compelled via a subpoena combined with prior notice (and prior notice can be delayed for up to 90 days if it would jeopardize an investigation(4)), a far lower threshold than a search warrant.

The SCA, while a step in the right direction, is subject to two issues: (1) it can be altered by Congress at a later date through the normal course of legislation, and (2) it has large gaps which have only grown wider since 1986.

Home is Where the Heart is: Your Data Should Live in Your House


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Notes

1 : U.S. Const. amend. IV

2 : 425 U.S. 435

3 : 18 U.S.C. §§ 2701–2712

4 : 18 U.S.C. § 2705


Navigation

Webs Webs

r3 - 12 Mar 2021 - 17:36:20 - SethGlickman
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM