Computers, Privacy & the Constitution

Searching Beyond Subpoenas: Warrant-Demanding Corporate Structure

-- By SethGlickman - 12 Mar 2021

Introduction

The Fourth Amendment guarantees “the right of the people … against unreasonable searches and seizures”, and requires authorities to produce a search warrant, generated by demonstrating probable cause, if they seek to obtain information from one’s “person, house, papers, [or] effects”(1). Unfortunately for individual privacy but fortunately for government prosecutors, the Fourth Amendment’s protection has been shunted off to a large degree by third-party doctrine, which holds that an individual whose records are stored with a third party has no Fourth Amendment rights with respect to those records, and that the government can compel record production without a search warrant (and thus without meeting the threshold a search warrant would require).

As technology progresses, increasing amounts and types of personal information ends up stored with a third party, and individual users may not be aware of the relatively lax standards required for the government to compel those third parties to give up their data. Congress bolstered individual privacy protection with 1986’s Electronic Communications Privacy Act (ECPA) but over the thirty five years since its passage, it has been interpreted in counterintuitive and confusing ways, and is sorely in need of reform.

This essay provides a high-level look at the issue, and proposes a structural solution for bringing the reality of third-party data privacy protection closer to the individual mental model of how it should work.

Most of Your Data Does Not Live in Your House

The Fourth Amendment provides protection against specific location-based searches and seizures. If an individual’s records are located in one’s house, they are protected; if they are located at one’s bank, they are not.

The Fourth Amendment vs. Third-Party Doctrine

Third-party doctrine applies to situations where individuals have voluntarily given information to a third party with “no reasonable expectation of privacy”. In the 1976 case United States v. Miller (2) the Supreme Court found specifically that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties (in this case, records at a bank), and highlights as justification that an individual’s information is “exposed to [the bank’s] employees in the ordinary course of business.” Thus, information which is stored with third parties lies outside of an individual’s Fourth Amendment rights, and as technological trends shift more to third-party cloud services, this covers an increasingly broad set of information.

Only if the employees of the cloud service in the ordinary course of business have access to the records? If so, then most of the data stored in the cloud, either encrypted at rest or processed in a virtual processor to which the provider does not ordinarily have access, might not be subject to Miller, in your view?
I hadn't considered this question in my first draft but I think that the main point here is the act of handing over your records to a third party (even if an employee would typically not view those records) puts it in their hands (and by corollary out of yours), and thus you have relinquished that protection.

Search Warrant vs. Subpoena

The Fourth Amendment vs. Third-Party Doctrine distinction matters because it affects the mechanism for obtaining information. Under the Fourth Amendment, the government is required to produce a search warrant, a relatively high threshold to meet which involves a showing of probable cause to prevent governmental abuse. Subpoenas face a much lower threshold, and through their use the government can far more easily compel a third party to produce information about an individual. It would thus be desirable to relocate this information back to within the auspices of the Fourth Amendment’s protections.

ECPA Title II

Congress took note of this disparity and attempted to address it with the 1986 passage of ECPA, which contained the Stored Communications Act (SCA) under Title II. The SCA sought to bring the heightened threshold of the search warrant to “stored wire and electronic communications and transactional records”(3). It covers two types of services: “electronic communication services” (ECS) and “remote computing services” (RCS). The line between the two can be counterintuitive: for example, a server containing email over 180 days old qualifies as “providing storage” and therefore RCS; if it has been held for 180 days or less it qualifies as ECS — unless an email has been opened, in which case it likely reverts to a classification of storage rather than communication, and therefore RCS.

Again, this distinction matters due to the retrieval mechanism: RCS-classified data production can be compelled via a subpoena combined with prior notice (and prior notice can be delayed for up to 90 days if it would jeopardize an investigation(4)), a far lower threshold than a search warrant.

The SCA, while a step in the right direction, is subject to two issues: (1) it can be altered by Congress at a later date through the normal course of legislation, and (2) it has large gaps which have only grown wider since 1986.

Home: Where Your Data's Heart is

Amending the SCA to require search warrants for more types of electronic third-party data would be helpful, but it requires a willing Congress. Instead, we should look at taking matters into our own hands, and re-defining the location of where our data is stored to align with the location-focused language of the Fourth Amendment.

My first instinct was to look to corporate structure, to find an organizational approach fostering a relationship between consumer and provider which would still fall under the Fourth Amendment’s protection. The 1948 case In re Subpoena Duces Tecum (5), contains a successful quashing of a subpoena of one partner to produce documents involving the other partners, and while it remains good law(6), the reality is that slapping the word “partnership” on an endeavor likely will not suffice. Instead, the most realistic way forward for concerned users is found in initiatives like FreedomBox which re-house someone’s online presence into, well, their own house. I would love to see a privacy-focused ISP distribute these to customers alongside other required hardware like modems and routers, and further encourage its adoption and use by disseminating bills and notices through FreedomBox? apps (with an optional opt-out to email).

Perhaps the other aspects of partnership, such as unlimited liability, would be relevant to consider? What does source code have to do with partnership? Why do you need franchise agreements? This proposition seems rather sweeping, and assumes that the magic lies in the word "partner," rather than the reality of the relationship. Why courts will find it impossible to go behind a supposed "partmership agreement" is not made clear. If this is really the central point of the essay, the next draft should remove other material in order to address this notion fully. If it is not the central subject, it's a massive distraction and in my view it should go.
Yes I agree - the reality of the relationship is what matters and not the magic word "partnership". It seemed appealing as I do still believe there is a massive, massive convenience and "free" factor (and on the flip side, inconvenience and "not free" factor which serves to hinder large-scale adoption of initiatives like FreedomBox? ), but I now think that the more realistic approach here is addressing those hurdles of inconvenience (perceived or real) and cost, now that FB's existence shows proof-of-concept.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Notes

1 : U.S. Const. amend. IV

2 : 425 U.S. 435

3 : 18 U.S.C. §§ 2701–2712

4 : 18 U.S.C. § 2705

5 : 81 F.Supp. 418

6 : See, e.g., Crop Associates-1986 v. C.I.R., 2000 WL 976792 (2000)


Navigation

Webs Webs

r6 - 17 May 2021 - 20:54:23 - SethGlickman
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM