Computers, Privacy & the Constitution

The average layman and the Third Party doctrine

-- By SeanTan - 13 Apr 2018

Introduction

The Fourth Amendment currently protects privacy based on the “reasonable expectations” of defendants. This doctrine, introduced in Katz v. United States 389 U.S. 347 (1967), was designed to “permit the Fourth Amendment to respond to changing technology” (Daniel Solove, Fourth Amendment Pragmatism, 51 BCLR 1511, 1519). Unfortunately, much of its promise has been undone by the Third-Party doctrine.

The Third Party Doctrine and Ignorance

The Third-Party doctrine holds that a person who voluntarily conveys information to a third party has no reasonable expectation of privacy because she “assume[s] the risk” that the information would be revealed to the Government (Smith v. Maryland, 442 U.S. 735, 737 (1979); United States v. Miller, 425 U.S. 435, 442-43 (1976)). This has been applied in the context of pen registers (Smith) and bank records (Miller), and could potentially be extended to cellphone location records (Carpenter v United States). This is a disconcerting trend. As technology develops, more and more personal data is delivered into the hands of third-party intermediaries (such as cloud services or phone companies), which the Third-Party doctrine removes from the protection of the Fourth Amendment.

Unfortunately, the average layman is seemingly oblivious to the fact that she has traded away her constitutional protection through utilizing cloud services or the GPS on her phone. Against this stands the doctrine of ignorantia juris non excusat, which deems individuals to be cognizant of the Third-Party doctrine, placing on them the onus to structure their affairs accordingly. However, the stakes are simply too high. The Fourth Amendment “was intended to function as a barrier to government overreach and as a catalyst for other constitutional rights, notably freedom of speech and freedom of association, which are essential to a healthy democracy” (Michael W. Price, Rethinking Privacy: Fourth Amendment “Papers” and the Third Party Doctrine, 8 J. Nat'l Sec. L. & Pol'y 247, 260), a role that is more crucial than ever in a world where the very acts of reading, communication and association create records in the hands of third parties. In these circumstances, the law cannot afford to let individuals suffer the consequences of their ignorance, but must instead provide common sense principles that are designed to deliver adequate privacy protection to the average, ill-informed, layman.

Reforming the third party doctrine

The Third-Party doctrine falls short of this ideal. The main problem is that the doctrine is framed as an assumption of risk by an individual that “the information will be conveyed by [the third party] to the Government (emphasis added)” (Smith, quoting Miller). This is artificial - most laypersons do not take the Government as their threat level, and hence are unlikely to think about privacy in those terms. Take for instance the phone records in Smith. A layperson could probably be forgiven for thinking that her phone records were private because, of course, they are – albeit in relation to everyone but the Government. Since the average layman does not think of privacy in relation to the Government, the way she handles her private documents will not be ordered on that basis. A solution needs to be found in order to close the gap.

One way this could be achieved is by altering the behavior of third parties through legislation. For instance, it is possible to envisage legislation requiring service providers to encrypt the data they have received in such a way that it is difficult for them to comply with a request for disclosure (e.g. by putting in place genuine end-to-end encryption or committing to not storing the keys on their servers). Unfortunately, there is little reason to believe that Congress would be willing to push through such a bill. Indeed, if the political will were to exist, it would arguably be more elegant to simply eliminate the Third-Party doctrine rather than to shape behavior around an artificial construct. Another possibility could be to limit the permissibility of disclosure to certain enumerated situations, as was done in the case of the Health Insurance Portability and Accountability Act (HIPAA). Protection in this case would come directly from the statute, removing the need for the Fourth Amendment to shoulder the burden. However, even if this could be formulated, it is quite likely that the resulting text would lack the flexible qualities of the “reasonable expectations” standard, which may affect its effectiveness as a safeguard for privacy in the future.

To my mind, the ideal approach is not to skirt the problems with the Third-Party doctrine but to tackle them head on. Given the record of legislative inaction at the federal level (some states such as California have been more proactive in enacting privacy legislation at the state level, but state practice is uneven and it is desirable to have an overarching federal safeguard in this case), the Supreme Court should seize the next opportunity to modify the Third-Party doctrine in a way that conforms with the layman’s conception of privacy. Fortunately, this does not require a wholesale renovation. As previously mentioned, the main difficulty with the doctrine is that it is based on the assumption of risk that “the information will be conveyed by [the third party] to the Government (emphasis added)”. My proposal is that privacy should only be forfeited where an individual can reasonably be said to assume the risk that “the information will be conveyed by [the third party] to the public”.

Conclusion

To be clear, I am not suggesting that the above proposal will solve all (or even most) of the issues with the Fourth Amendment. For one, shifting the focus of the Third-Party doctrine towards the public instead of the Government may have implications for the practice of wire-tapping (though reconciliation does not appear to be impossible). More fundamentally, the “reasonable expectations” standard is not anchored in the text of the Fourth Amendment, and its foundations may creak in future. Nevertheless, I believe that this tweak would go a significant way in mitigating one of the more problematic areas in the Fourth Amendment jurisprudence and is worth further consideration.

(999 words)

The route to improvement is to take your points seriously, spend less time making them and more time considering what comes next.

For example, suppose there is legislation requiring parties retaining and processing data gathered from the public to be encrypted at rest and in flight. Suppose that legislation does not provide for backdoors or other mandatory defects in the crypto. Does the existence of that legislation modify the assumption of the risk of disclosure by putting technical barriers to disclosure, and thus increasing the correlation between the subjective expectation of privacy and the Fourth Amendment requirement? Does legislation like HIPAA that blocks unauthorized disclosure change the Fourth Amendment logic? And so on. Perhaps if you spend fewer words on the premise, which you have adequately shown, you can spend more on these potential routes out of the problem as you define it.

Thank you. The post has been amended to take into account the comments.

-- SeanTan - 11 May 2018

 

Navigation

Webs Webs

r3 - 11 May 2018 - 10:18:59 - SeanTan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM