Cyber Security

Evolving Technology &Privacy Law: CAN THE FOURTH AMENDMENT CATCH UP? Borowski, Samuel Mark; Midler, Aaron; Taleyarkhan, Pervin . Scitech Lawyer ; Chicago  Vol. 8, Iss. 4, 

(Spring 2012): 14-17.

ProQuest document link

FULL TEXT "Technology is changing people's expectations of privacy." Such was the insightful pronouncement from the bench

in a recent oral argument where social media was undoubtedly on one justice's mind.1 And why shouldn't it be?

Technology and the law have always had a give-and-take relationship in the privacy realm, with technology rising

to the detriment of privacy before the law balances anew. In recent decades, this trend has been most evident in

the rise of electronic communications technologies, and the emergence of social media only marks the opening of

a new frontier.

Social media has by and large revolutionized how we interact with the world. Using one's smartphone and a social

media site like Facebook or Google+, one can email (or conduct a live chat with) distant friends; reach out and

make new ones; and share one's day-to-day experiences with them all, or even with the world. Whether we are

sharing pictures of our latest excursion, or the details of the excursion itself, social media has enabled us to live

our lives in a world where geographical separation is no longer an impediment to communication.

But even as social media has allowed us to expand our networks and to share our lives in remarkable ways, what

effect does its debut have on our privacy? Some would say it has eviscerated it, in part because what one shares

openly with the world no longer can be reasonably considered private. That much seems true, but it could also be

that our conceptions of privacy are evolving in ways that have outpaced the law. When looking at what's

happening in the realm of electronic communications, this conclusion seems more likely. Simply put, the law has

failed to keep pace.

Electronic Communications and the ECPA

Privacy in one's electronic communications is governed by the Electronic Communications Privacy Act (ECPA).

First enacted in 1986, the catalyst for this legislation was the Supreme Court's earlier decision in United States v.

Miller, which introduced the concept of third-party disclosure to Fourth Amendment law. Basically, if a person

knowingly gives data to a third party, according to the logic of Miller, any Fourth Amendment privacy interest in

that information is lost. Under Miller, any electronic communication sent via a third-party service provider falls

outside of the Fourth Amendment. Absent the ECPA, law enforcement authorities could acquire and scrutinize that

information without the need for a warrant. With the ECPA, however, it is a bit more complex.

The ECPA attempts to balance the privacy needs of society against law enforcement's need to conduct thorough

investigations of criminal activity. Organized in three acts (which include the Wiretap Act, the Stored

Communications Act, and the Pen Register Act), the legislation attempts to balance society's opposing interests

through a sliding scale: information with little privacy value is easily accessible, and therefore has loose procedural

safeguards, whereas information with great privacy value receives stringent procedural protection.

Numerous examples of how this scale is applied abound. Under the Wiretap Act, law enforcement must meet,

among other things, a probable cause requirement and certify that all other investigative methods have failed

before a judge will authorize eavesdropping on private communications. This is largely due to the sensitive

information likely to be contained in a personal conversation.

In contrast, under the Pen Register Act, the procedural protections are more lax. Law enforcement may track

incoming and outgoing phone calls and emails by merely certifying to a court that the information likely to be

obtained is relevant to an ongoing criminal investigation - a far lower burden than probable cause.The names,

email addresses, and telephone numbers collected by these pen registers have little privacy value under the

statute. And herein lies the rub: advancing technology has yielded pen registers with more sophisticated

capabilities than in the not-so-distant past. Consequently, where Congress has provided procedural protections in

the law via the ECPA, it has done so in a way that codified the technology and social values of the 1980s, not

today. In other words, the ECPA has not adapted to the technologies of the twenty-first century.

Yesterday's Law, Today's Technology

Pen registers are but one example where the law has failed to adapt. In the beginning, "pen registers" (or "inkers")

were machines that could print Morse Code dots and dashes directly onto paper tape.2 The dots and dashes

represented signals of varying frequencies and corresponded to the signals being sent from a caller's phone. The

dots and dashes, when translated, provided the phone number a caller was dialing, but not the contents of the call

itself. Thus, when the Supreme Court first wrestled with their privacy implications in Smith v. Maryland, 442 U.S.

735 (1979), the Court found that police investigators could use pen registers without implicating the Fourth

Amendment.

In the three decades since then, pen registers have become increasingly sophisticated, their evolution paralleling

that of cellular technology, and have provided a corresponding insight into our lives. No longer do phone

companies rely on dots and dashes or paper tape. Today's phone companies are about wireless cellular

technologies and Wi-Fi signals, all of which allow us to be increasingly mobile.3 As such, when using a modern cell

phone, no longer is merely only the number that is being dialed provided to the phone company. Also included now

is the user's location, which is essential for the user's cell phone to communicate with the nearest radio tower,

regardless of where that user may be. As a result, a by-product of modern cellular technologies is the fact that

phone companies can essentially "track" the user through mapping the signals, based on the distances between

the cell phone and the towers it is constantly communicating with.4

A user's location, as opposed to merely the numbers he or she is dialing to complete a call, seems to be a bit

different under the Fourth Amendment, but not under the ECPA (so long as a pen register is used). That does not

mean that is the way it should be; nor does it mean such technologies do not warrant additional judicial scrutiny.

Or at least one judge does not think so.

In the District Court of Arizona, one judge has captured the spotlight by taking a moment to scrutinize the pen

register's capabilities and to openly question whether this technology could still be categorized as falling outside

the Fourth Amendment and solely under Title III of the ECPA.5 The pen register in that case appears to have

provided the user's location information to law enforcement, a capability arguably outside the definition of a pen

register under the ECPA.6 Whether such capabilities takes it outside ofthat domain, though, is still unresolved,

given that the issue has since been mooted by certain stipulations of the Justice Department.

This controversy underscores how technology can outpace the state of the law, but it is also true that the law can

be left behind by the society it is meant to protect. In terms of privacy, it means that long-heralded legal standards

may no longer be robust enough to match society's expectations, as evidenced by its behavior. This perhaps is

nowhere more true than in society's use of email, which has markedly evolved since the ECPA was first enacted.

Society and Its Cloud: The Privacy Clock Is Ticking

In 1986, email was not the be-everywhere-at-once system it is today. There were few options for an email user to

store messages online, or "in the cloud." Instead, most systems required the user to download messages to a

home computer and view them there.The ECPA took account for this standard behavior and focused only on

protecting those emails for the first six months over which they were stored. But for emails that have been in

"electronic storage" for longer than six months, the ECPA, through the Stored Communications Act, provides

relatively little protection. Law enforcement agents need only subpoena these emails from a service provider, with

no need for judicial oversight (as opposed to emails stored for fewer than six months, which are protected by a

warrant requirement) .

Twenty-five years ago, this limited protection for emails "in the cloud" was not problematic. Because most email

resided on an individual user's home machine, the Fourth Amendment provided strong protection for these

communications; the government cannot simply enter a home and rifle through its contents without probable

cause. The ECPA, insofar as it played any role at all in protecting an email user's privacy, played only a minor one

to ensure the email was protected until download was most likely to have occurred.

Today, email services have migrated to the web, and the minor role the ECPA once played has morphed into a

major one, making its limitations apparent. With today's free web access email, users never need to download a

single message to their home computer anymore; it can all be stored "in the cloud." And with gigabytes of storage

space available, users of these accounts need never throw anything away, turning their in-boxes into digital filing

cabinets. Consequently, there is a disconnect between the ECPA, which treats emails older than six months as

having little privacy value, and modern users, who see their in-box as an extension of their home.

In other words, since the original passage of the ECPA, society's expectations of privacy have changed, as has the

technology we use every day. Technology has made our lives more mobile, and to enhance our mobility, we are

increasingly relying on third-party service providers for email, communications services, and, in the context of

social media, the ability to reach our far-flung family, friends, and business associates. But as the ECPA has failed

to take notice of these changing societal behaviors, our privacy jurisprudence under the Fourth Amendment is

beginning to shift in ways that could have profound implications for electronic communications, and by extension,

social media.

Third-Party Disclosures and the Fourth Amendment

The third-party disclosure doctrine holds that if a person knowingly gives data to a third party, the Fourth

Amendment protection in that information is lost. Historically, this has been true, and as was described earlier, the

effect of the thirdparty disclosure doctrine on electronic communications was one of the driving forces behind the

ECPA. This effect has been in part because the doctrine itself lacks any nuance. Rather, it focuses on whether

information has been disclosed, and not on the circumstances surrounding that disclosure.7 Once disclosed, that

is the end of the privacy inquiry, and the result is that privacy protection is lost.

Hints of nuance, though, are beginning to emerge in the jurisprudence. Admittedly, the nuance has long been there.

Justice Blackmun was the first to introduce it, suggesting in Smith that, when applying the third-party disclosure

doctrine, volition may be one circumstance courts could consider. Unfortunately, the presence of volition in the

context of dialing a phone number is not a compelling indicator of nuanced analysis, because the act of dialing the

number is not so much a voluntary act as it is a necessary one. But where there is no volition, does the third-party

disclosure doctrine still apply? A recent decision in the Third Circuit provides a clue.

In that decision, rather than addressing pen registers under Title III of the ECPA, the panel tackled the privacy that

one has in cell site location information (CSLI). CSLI is a by-product of cellular communications methodologies

and provides a user's location information for the purposes of making a call, even when a call is not being made.

The panel addressed whether in revealing a user's location, CSLI should be protected within a user's reasonable

expectation of privacy8

Bouncing between two Supreme Court precedents, United States v Knotts9 and United States v. Karo,10 the panel

concluded that location information could be protected if it reveals the details inside a person's home. But outside

ofthat revered domain, the privacy interests may not be as strong.The case was remanded for the trial court to

determine the scope of the privacy interests at stake, but when looking into the privacy of one's location as

revealed by CSLI, the panel in the Third Circuit seemed to think that volition may be key. In their words, "a cell

phone customer has not Voluntarily' shared his location information with a cellular provider in any meaningful

way," suggesting that the circumstances by which information is disclosed could make a difference as to whether

the third-party disclosure doctrine should apply.

In terms of social media, volition could make all the difference, but not necessarily for the better. Using one's

smartphone and a social media site, one can essentially broadcast his or her location twenty-four hours a day,

usually with much more fidelity and accuracy than is available through CSLI information. Thus, if one willingly

shares his location information using his cell phone and through a social media site, then it does not necessarily

follow that the person has manifested an expectation of privacy in any of his location information, whether it is

available through social media or as through retrieval of CSLI. In other words, even if the third-party disclosure

doctrine evolves to accommodate society's changing behaviors in view of existing technologies, it is unlikely to

shield the volitional acts of social media users in order to protect them.

If volition is not the answer, another approach could be to conduct a finer analysis of what constitutes a disclosure

in the context of electronic communications and social media. A panel from the Sixth Circuit Court of Appeals has

taken this approach recently in Warshak v United States.11 In that case, the panel indicated that a service provider

must have access to a user's electronic information, and not solely the ability to access that information, for a

disclosure to result. As an example, the court compared the sending of an email to the making of a phone call.

Under Katz, individuals retain a reasonable expectation of privacy in the substance of their telephone

conversations, despite those conversations passing through a telephone service provider's system. The Warshak

court, when completing the comparison, saw no reason why that logic should not extend to email and other forms

of electronic communication as well.

It may, however, be some time before the courts take a definitive step in amending Fourth Amendment

jurisprudence on this point.The Sixth Circuit has since vacated the previously cited Warshak opinion, and the

Supreme Court of the United States, in City of Ontario v. Quon12 dodged the question of reasonable expectations

of privacy in the context of electronic communications entirely. In QHOH, the plaintiff had sued the police

department of Ontario, California, for alleged violations of his Fourth Amendment rights. The plaintiff, himself a

police officer, had been investigated by the department during the course of a review of the department's text

messaging plan. In ducking the issue and in what seems a likely signal to other courts, the Court stated that, when

faced with emerging technology, "the judiciary risks error by elaborating too fully on ... [its] Fourth Amendment

implications . . . before its role in society has become clear." Thus, to avoid risking any error, the Supreme Court

chose to proceed by assuming arguendo that Quon had a reasonable expectation of privacy rather than by

determining whether one existed.

Most recently, in United States v. Jones13 the Court sidestepped the issue again, despite the fact of its

prominence in the decision's concurrence and dissent. Writing for the majority, Justice Scalia returned to a pre-

Mi'fler Fourth Amendment analysis, relying on the fact that the government interfered with Jones's personal

property - his car - to address the Fourth Amendment concerns. In deciding the case on these narrow grounds, the

majority sidestepped the reasonable expectation of privacy analysis entirely and left the constitutional questions

unanswered. But that does not mean all privacy questions have to remain so. As Justice Scalia pointed out,

sometimes the best answer comes not from the courts, but from Congress.

Updating the ECPA

In the near future, the more likely source of guidance on this issue could come from Congress, which has the

power to update the ECPA or enact new law. Senate Bill 1011, introduced by Senator Patrick Leahy (D-VT) in May

2011, largely follows the course of action suggested by the Digital Due Process Coalition, a group of nonprofit and

for-profit organizations (including Google, Microsoft, and the ACLU) by introducing a number of statutory privacy

safeguards. Some of these safeguards include: a prohibition on unrequested, voluntary disclosure of customer

information by service providers; a warrant requirement for access to all emails, regardless of how long it is stored;

and a warrant or subpoena requirement for geolocation data.

At the time of this writing, congressional support for the bill appears to be split along party lines. Although S. 1011

is currently under examination by the Senate Committee on the Judiciary, democratic leaders, such as Senator

John Kerry (D-MA), have come out in support of the bill, while prominent republicans, like Senator Charles Grassley

(R-IA) have cautioned against tinkering too strongly with striking the balance between law enforcement and

privacy interests.14

These debates will likely continue. Whether they be within legislative chambers, the open forums of social media,

or the judicial chambers of our courts, all will agree that as technology evolves, so does the law. And while

technology tends to outpace our changing conceptions of privacy, in time, the law catches up. In other words, what

is clear is that the law must move forward, by hook or by crook. Our GPS devices and smartphones are not likely to

disappear anytime soon, and the number of constitutional questions that they raise will only increase as our lives

become more intricately entwined around our communications technologies. It won't be long before answering

these questions becomes unavoidable for both the Supreme Court and Congress.

Footnote

Endnotes

1. See Transcript of Oral Argument at 43, United States v. Jones, 132 S. Ct. 945 (2012).

2. Nigel Linge, Before the Phone, COMPUTER NETWORKING ANDTELECOMMUNICATIONS RES., University of

Salford, available at www.cntr. salford.ac.uk/conims/beforethephone.php.

3. Batul Nafisa Baxamusa, History of Cell Phones, BUZZLE. COM, available at wwwbuzde. com/articles /historyof-

cell-phones.html.

4. Ian James Samuel, Warrantless Location Tracking, 83 N.Y.U L. REV. 1325, 1327 (2008).

5. See Jennifer Valentino-Devries, ' Stingray ' Phone Tracker Fuel Constitutional Clash, WALL ST. J. at Al, Sept. 22,

2011 (relaying the controversy as it played out at a recent hearing).

6. See 18 U.S.C. §206 (2006) (defining pen register without reference to location information as "a device or

process which records or decodes dialing, routing, addressing, or signaling information transmitted by an

instrument or facility . . . provided, however, that such information shall not include the contents of any

communication") . Notably, Congress has provided telecommunications carriers an exemption for location

information revealed by pen registers in 47 U.S.C. §1002(a)(2)(B).

7. See United States v. Miller, 425 U.S. 435, 442-43 (1976).

8. See In the Matter of the Application of the United States of America for an Order Directing a Provider of

Electronic Communication Service to Disclose Records to the Government, 620 F.3d 304 (3d Cir. 2010). 9. 460 U.S.

276 (1983).

10. 468 U.S. 705 (1984).

11. 490 F.3d 455, 468 (6th Cir. 2007), vacated, 532 F.3d 521 (6th Cir. 2008).

12. 130 S. Ct. 2619 (2010).

13. 132 S. Ct. 945 (2012).

14. Grant Gross, Senators: ?-surveillance Law Needs to Be Updated, PC WORLD (Apr. 6, 2011, 2:00 PM),

www.pcworld.com/businesscenter/ article/224440 /senators_esurveillance_law_ needs_to_be_updated.html.

AuthorAffiliation

Samuel Mark Borowski, a lawyer in Washington, DC, practicing in the areas of intellectual property and public

contract law, occasionally writes on issues related to law ana technology. Aaron Midier is a Chicago lawyer with an

interest in privacy law and is a recent graduate of Chicago-Kent College of Law. Pervin Taleyarkhan is a law

student at the Indiana University Robert H. McKinney School of Law. All are members of the Artificial Intelligence

&Robotics subcommittee in the ABA's Section of Science &Technology Law. DETAILS

Subject: Privacy; Social networks; Technology adoption; Attorneys

Location: United States--US

Classification: 9190: United States; 8305: Professional services not elsewhere classified; 5250:

Telecommunications systems &Internet communications

Database copyright  2019 ProQuest LLC. All rights reserved. Terms and Conditions Contact ProQuest

Publication title: Scitech Lawyer; Chicago

Volume: 8

Issue: 4

Pages: 14-17

Number of pages: 4

Publication year: 2012

Publication date: Spring 2012

Publisher: American Bar Association

Place of publication: Chicago

Country of publication: United States, Chicago

Publication subject: Law, Technology: Comprehensive Works, Sciences: Comprehensive Works

ISSN: 15502090

Source type: Scholarly Journals

Language of publication: English

Document type: Feature

Document feature: References

ProQuest document ID: 1018070796

Document URL: https://ashworth.idm.oclc.org/login?url=https://search.proquest.com/docview/1018

070796?accountid=45844

Copyright: Copyright American Bar Association Spring 2012

Last updated: 2012-06-01

Database: ABI/INFORM Collection