Posted by Collin Gaines
April 20, 2015
Corporations have a duty to maximize profits for their shareholders. In the digital world, the easiest way for companies to increase profits is to monetize the data from current users of these companies’ applications or technological products. For example, a consumer’s smartphone location is continuously shared through third-party applications everyday, all day. Many consumers are unaware of this business strategy and indeed, view it as an intrusion. A study by Carnegie Mellon University, in 2014 determined that “concise privacy-relevant information” frequently was shared including location, phone contact lists, calendar and call logs. Indeed, during the study, a participant received a message stating, “Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.” Such a message demonstrates the volume in that consumers information is shared. In fact, the researchers found “that many popular Android apps tracked their users an average 6,200 times per participant over a two-week period, or about every three minutes!” Therefore, the ever increasing “smartphone addiction” that is taking place in society today, has lead to an erosion of the 4th Amendment Constitutional right to privacy.
In particular, the Fourth Amendment protects individuals against unreasonable searches and seizures by the government, affording individuals the right “to be secure in their persons, houses, papers, and effects against unreasonable search and seizure.” In Riley, the Supreme Court held:
[T]he Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.
Thereby, the U.S. Supreme Court established that the Fourth Amendment protects individual privacy and has attempted to adopt the Fourth Amendment into modern life by balancing the interests in investigating crimes and the general public legitimate interest in privacy.
For example, before 1928, the constitutionality of government initiated electronic surveillance was controlled by the Supreme Court decision in Olmstead v. United States. In Olmstead, government actors obtained evidence from bootleggers’ homes and offices using warrantless wiretaps. The Court rejected the defendant’s constitutional challenge, adopting a narrow reading of the Fourth Amendment holding that the government did not physically trespass on the defendants’ property; therefore, the government did not perform a constitutional search.
However, a number of years later, the Supreme Court in Katz v. United States changed its position on the constitutionality of electronic surveillance, reversing the Olmstead decision. In Katz, FBI agents placed a recording device on the outside of a public telephone booth to eavesdrop on the conversations of a specific individual they suspected was engaged in illegal gambling. The Court used similar wording to the Olmstead decision holding:
[T]he Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.
This ruling also provided a test to decide whether an individual’s right to privacy has been infringed and has led to Katz becoming the seminal case about whether information is protected by the Fourth Amendment from government initiated electronic surveillance. The two part test, found in Justice Harlan’s concurring opinion states:
As the Court’s opinion states, “the Fourth Amendment protects people, not places.” The question, however, is what protection it affords to those people. Generally, as here, the answer to that question requires reference to a “place.” My understanding of the rule that has emerged from prior decisions is that there is a twofold requirement, first that a person has exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as “reasonable.” Thus, a man’s home is, for most purposes, a place where he expects privacy, but objects, activities, or statements that he exposes to the “plain view” of outsiders are not “protected” because no intention to keep them to himself has been exhibited. On the other hand, conversations in the open would not be protected against being overheard, for the expectation of privacy under the circumstances would be unreasonable.
In Mancusi v. DeForte, the Supreme Court adopted Justice Harlan’s test, and further clarified the test in Smith v. Maryland holding that the subjective prong means, “The individual has shown that ‘he seeks to preserve [something] as private.” Also in Berger v. New York the Supreme Court determined that the Fourth Amendment should be applied to any legal scheme which to authorize unconstitutional physical invasion and electronic search for “general purposes,” without reasonably believing that a crime is being committed. Therefore, individuals should be able to control personal information against Fourth Amendment search and seizure by manifesting a subjective reasonable expectation of privacy.
Despite the Court’s holding in Katz protecting citizens’ reasonable expectations of privacy, Congress later found it necessary to enact the ECPA to adequately protect citizens’ Fourth Amendment rights in this age of ever-advancing technology.
The Third Party Doctrine in the Cloud Computing Age
Under the Fourth Amendment, a “person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,” a concept widely known as the “third-party-disclosure doctrine.” The Supreme Court reasoned that when a person reveals information to a third party, they assume the risk that the third party may disclose it to the Government. The Supreme Court echoed these sentiments in Katz when the Court held, “[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.” As a result, the Fourth Amendment does not prohibit the Government from obtaining information disclosed to a third party because any reasonable expectation of privacy is destroyed when the risk of disclosure is assumed.
Recent court decisions have also done little to determine if the third party doctrine applies to electronic communications to issues that arise regarding cloud servers. The most recent and analogous case is Riley. In Riley, the government acknowledged that modern cell phones differentiated themselves from pen registers due to the vast amount of content they stored. The government stated in its brief that, “unlike a pen register, the search of a cell phone is a Fourth Amendment ‘search,’ because the owner has a property right in the phone entirely apart from any reasonable expectation of privacy in its contents.” The Riley Court additionally recognized the privacy interest in protecting electronic communications stating:
To further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself. Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter. See New York v. Belton, 453 U.S. 454, 460, n. 4, 101 S.Ct. 2860, 69 L.Ed.2d 768 (1981) (describing a ‘container’ as ‘any object capable of holding another object’). But the analogy crumbles entirely when a cell phone is used to access data located elsewhere, at the tap of a screen. That is what cell phones, with increasing frequency, are designed to do by taking advantage of ‘cloud computing.’ Cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself. Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference. See Brief for Electronic Privacy Information Center in U.S. Sup. Ct. No. 13–132, at 12–14, 20. Moreover, the same type of data may be stored locally on the device for one user and in the cloud for another.
The United States concedes that the search incident to arrest exception may not be stretched to cover a search of files accessed remotely—that is, a search of files stored in the cloud. See Brief for United States in U.S. Sup. Ct. No. 13–212, at 43–44. Such a search would be like finding a key in a suspect’s pocket and arguing that it allowed law enforcement to unlock and search a house. But officers searching a phone’s data would not typically know whether the information they are viewing was stored locally at the time of the arrest or has been pulled from the cloud.
Unfortunately, the Riley court issued a narrow decision and did not address if the third-party doctrine applies to digital data. The Court held, “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life,’ The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.”
It remains unclear if individuals’ electronic communications are protected from government intrusion on cloud servers. Even in U.S. v Jones the Supreme Court held that, “It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” Until such time arrives, individuals should protect their private location, data and communications. Consumers should also proceed with caution when consenting to various applications’ requests and terms before downloading the applications on their smartphones or personal computers.