Computers, Privacy & the Constitution

AlexUballezFirstPaper 2 - 16 May 2010 - Main.AlexanderUballez

The ‘reasonable expectation’ test and technology

 
The Fourth Amendment does not explicitly protect privacy. However, the court has extrapolated an inherent privacy protection: a person must “exhibit[] an actual (subjective) expectation of privacy and . . . that . . . expectation [must] be one that society is prepared to recognize as ‘reasonable’” Katz v. US, 389 U.S. 347, 361 (1967) (Justice Harlan, concurring); see also Kyllo v. US, 533 U.S. 27, 33 (2001). The rationale in the Katz decision protected conversations held within a phone booth because the user has entered a “temporarily private place whose momentary occupants’ expectations of freedom from intrusion are recognized as reasonable.” Basing Constitutional protections on reasonable societal expectations is dangerous because it allows both the strictest protections of privacy and the most egregious transgressions, with no standard to differentiate between the two. A reasonable expectation of privacy would be altered by a government announcement that they will be randomly monitoring private phone calls. And who can reasonably say that a rational actor expects any level of privacy with information stored online? The reasonable expectations standard could be interpreted to offer stronger protections of privacy, based on actual expectations and not technological capabilities, but its indeterminacy makes it woefully inadequate as a Constitutional standard.

‘Traditional’ privacy concerns.

The Katz analysis has resulted in some surprising conclusions when applied to the rapidly evolving world of technology. The 8th Circuit found that the user of a cordless phone does not have the same “justifiable expectation of privacy for their conversations” as the user of a corded phone, despite maintaining every privacy-suggesting element of a traditional phone call (dialing a single number to speak to a specific person, for example). Tyler v. Berodt, 877 F.2d 705 (8th Cir. 1989). They also found that a person publicly sharing files on an open wi-fi network retains no reasonable expectation of privacy. US v. Ahrndt, 2010 WL 373994 (2010). Under this standard, users are responsible for discovering and countering the potential technological security weaknesses of their communication technology (the court did not address potential civil remedies against manufacturers for failure to warn). Is the same true of someone who uses WEP encryption on their wireless router instead of WPA? The 8th Circuit analysis suggests that it is unreasonable to expect that WEP encryption protects the privacy of a user’s network. This analysis seems unfaithful to the ‘reasonable expectations’ interpretation of the Fourth Amendment. Removing the cord from a home phone changes the user’s expectation of privacy as much as using a phone booth instead of a home phone does – not at all. The prevailing interpretation relies too heavily on the susceptibilities of technology and not enough on social or individual reasonable expectations.

Third-party doctrine.

The “third-party doctrine” establishes that a person cannot have a reasonable expectation of privacy in information they disclose to a third party, and therefore denies all Fourth Amendment protections. This loophole has been exploited in government investigations via two main pathways: the use of undercover agents and confidential informants to record conversations directly, and the access to administrative or business records that are increasingly recorded by third-party banks, credit card companies, cell phone companies, and various internet-based companies (from ISPs to webmail to Google).

Secret Agents

In handling recorded surveillance of undercover/confidential informants, the third-party doctrine assumed that an actor retained no reasonable expectation of privacy for information turned over in conversation – an implicit consent/waiving of privacy rights. This argument relies on a definition of privacy that is zero-sum: once something is no longer a secret, one cannot reasonably expect it to be private (and assume, instead, that it is public). In the world of blogs and YouTube, we know all too well that an admission to a third party can very quickly become very public. Under the reasonable expectations rule, a rational actor can no longer expect any admission to a third party to remain absolutely private.

Remotely (third-party) stored records

Administrative and business records fall into two general categories: pen register type ‘who, when, where’ transaction facts, and substantive ‘what’ content records. The logic for tracking pen register type monitoring is the analogue to the police tail – in a land before technology a cop would simply follow you from your house to the bank. The substantive records, although sometimes protected by statute (Pen Register, RFPA, HIPAA) or privilege, are not protected at a Constitutional level. The argument for accessing these records relies on the user’s assumption of the risk of disclosure by choosing to make use of the service or store information with a third party. Protection of these records is of the utmost importance because (most) all of modern society runs off of someone else’s server. Justice Marshall, dissenting in Smith v. Maryland, 442 US 735, 749-750 (1979), argued that there is no assumption of risk if “as a practical matter, individuals have no realistic alternative,” unless they are “prepared to forgo use of what for many has become personal or professional necessity.” In this situation, a person “cannot help but accept the risk of surveillance.”

Consent Searches: [4th, p.50]

An alternate view of the ‘reasonable expectations’ doctrine is that it is not a reasonable expectation of privacy doctrine at all, but instead a concession doctrine. This means that the intercepted communications from cordless phones and records of bank statements are reasonably expected to be private, but the use of insecure technology or third parties serves as a voluntary waiver of the privacy right.

Fourth Amendment rights can be waived through consent, but the burden is on the prosecution to prove the voluntariness of the consent and the awareness of the right of choice [Bumper v. North Carolina, 391 US 543 (1968)] [Johnson v. US, 333 US 10, 13 (1948)]. In the case of informants, presumably some avoidable risk was taken by confiding confidential information in another. However, it is stretch to

Consent is not voluntary when an officer asserts a right to search and the searchee yields to this assertion. [Amos v. US, 255 US 313 (1921)]

Abandoning the ‘reasonable expectation’ test.

Salvaging the reasonable expectations test may involve distinctions based on traditional understandings of communication, instead of on the capabilities of technology. Reasonable expectations would be maintained, regardless of susceptibility to hacking or interception, when the communication models the type that has traditionally been covered – person to person communications made in private – and that carries the reasonable ‘American’ expectations for private communication. Built into this definition may be an ‘average non-malicious use’ provision that excepts communications that an average person, going about their normal activities, would overhear. Unfortunately, even this seemingly basic ‘return’ to reasonable expectations does not fix the arbitrariness of the standard, nor would it hedge against future abuse.

While there is theoretical merit to this argument, in practice it is overinclusive. In a time before universal monitoring, a person who valued their privacy could rely on ‘natural’ processes (physical distance, the passage of time, fading memory) to keep their secrets – now that constant surveillance is possible, a person who values their privacy retains no such ‘natural’ defenses. This not only puts the criminal at a tremendous disadvantage, but also threatens the innocent person who does not want the entire world to know (for example) his or her sexual orientation; expectations for privacy are limited to those things they keep to themselves. In a world where illegal acts are not the only things people wish to keep secret, treating an admission to a limited audience as a public status update betrays any reasonable conception of privacy.

Reliance on subjective expectations or societal assumptions of risk is a perilous approach to Constitutional rights. Reasonable expectations are not based on a constant theory of protected areas. They reflect changing technology, the pre-regulation response taken by potential criminals and law enforcement, and the eventual regulations themselves.

Proposal: In communications: presumption of privacy (must make public) vs. affirmative act to secure (must make private). In storage: “common carriers” are protected.

Orwell was an optimist

4th: Reasonable expectation of privacy Radio Cordless phones (why does removing the cord destroy the expectation) Wireless Email (why does removing the envelope destroy the expectation)

We don’t punish people for not locking their front door.

Substitution effects/Functional Role

As much as protecting privacy rights in electronic 3rd party facilitators may protect some criminal activity achieved through outsourcing, the countervailing privacy violations resulting from unencumbered access to the minute-by-minute record of every life outweigh the disadvantage imposed by requiring a warrant.

Clarity/Predictability

In terms of technology, I will examine the ‘reasonable expectation’ test in two broad categories. First, ‘traditional’ individual expectations and interactions involving specific devices such as cordless phones, home wi-fi networks, and other potentially ‘public’ uses of technology. I call these traditional because their treatment mirrors experiences such as holding a conversation in a public area or posting a sign in your front yard. The second group concerns interactions with (and through) third parties such as confidential informants, bank records, SMS services, and webmail. These are unique in that the third-party doctrine sets a blanket exception for all communications to third parties, automatically waiving any expected right to privacy.

-- AlexanderUballez - 16 May 2010

 

Revision 2r2 - 16 May 2010 - 17:52:15 - AlexanderUballez
Revision 1r1 - 16 May 2010 - 17:47:30 - AlexanderUballez