So it looks like the problem is the third-party doctrine, which is described as "the 1970s-era Supreme Court case holding that there is no privacy interest in data voluntarily given up to a third party like a cell phone provider."
But people aren't voluntarily giving cellular providers this data, right? I mean, I never saw that prompt on my phone asking if Verizon could have access to my location.
Of course the truth is Verizon/AT&T/others collect this data every time your phone hits a tower, but how many customers actually understand this? Is it outlined in the service agreement? I'll admit I've never actually read the whole thing before and just assumed it was the usual yadda yadda. But even if it did mention they collect location data, could I then opt-out or say I do not consent to have my location monitored and collected? Would that then protect me from data searches? Probably not...
I maintain a large amount of Wi-Fi networks in various locations across the US. While we have the ability to monitor the signal strength of every device and use trilateration to obtain a location, we don't do this. But, if we did, does that mean anyone our wireless picked up "voluntarily" gave me this data, and then I would have to give it up to law enforcement at a moment's notice?
I'm getting really tired of seeing centuries old laws being cited in 2016's technology.
> I'm getting really tired of seeing centuries old laws being cited in 2016's technology.
Third party doctrine was articulated after the cell phone was invented. The whole "expectation of privacy" articulation of the 4th amendment is younger than Lisp (dating to 1967).
I understand that it's slightly beyond the scope of this article, but it is important to note that many, many people give informed consent for Google et al to track their location history. Both Google Maps and Google Photos insist on enabling Location History on your account.
While Google has proven itself competent at ensuring warrants are valid, I do not feel that is enough protection. Warrants may be valid, but the idea that a single entity has access to my location history and can be compelled to produce it is a bridge too far, in my opinion.
Basically, people knowingly and willingly give up their privacy for features and convenience.
You voluntarily connected your cell phone to their cell towers. Why do they even have to tell you they're recording this information? If you don't want them to know where you are, how about... don't connect to their fucking cell network.
If you go for a walk around your city, do you have this expectation that people who see you on the street aren't allowed to remember that they saw you out on the street? If you make a phone call to a business, they aren't allowed to record the fact that you called them, and from what number you called them?
My understanding of the argument is that the customer has no privacy interest if somebody they voluntarily gave information to (the phone company) voluntarily gives it to the police.
Which is hard to argue with: if you tell me a secret, you lose the ability to control the information. (you have no "interest" in my willingness to share the secret).
> third-party doctrine, the 1970s-era Supreme Court case holding that there is no privacy interest in data voluntarily given up to a third party like a cell phone provider.
I don't think the issue is how the cell phone companies give the info to the government (voluntarily or involuntarily), but rather that because you, the consumer, "gave" your location info to the cell phone company "voluntarily", you have no privacy rights with respect to that info.
Quotes because the definitions seem fuzzy to me (and to the defendant's lawyers, apparently).
The Supreme Court established a test for determining when a government search triggering Fourth Amendment protections has occurred in Katz v. United States (1967). The majority ruled that a government intrusion into an area where a person has a reasonable expectation of privacy constitutes a search within the meaning of the Fourth Amendment and thus requires a warrant issued upon a showing of probable cause.
Justice Harlan's concurrence in Katz, though not binding as it was not issued as the majority opinion, has provided the generally accepted two-prong test for determining when a reasonable expectation of privacy exists. Harlan defined an REP as when an individual has (1) displayed a subjective expectation of privacy (2) that society is prepared to recognize as reasonable. (1) and (2) are regularly referred to as the subjective and objective prongs respectively.
For an REP to exist, an individual must meet both prongs. To meet the subjective prong, the individual must make an effort to withdraw their activities from public view. If I close the curtains on my front windows, I have displayed a subjective intent to conceal whatever occurs behind those windows from public view. But that subjective intent must also be reasonable in the eyes of society.
For example, I can't walk into a crowded room filled with cops and scream, "No one listen to me!", proceed to discuss a plan to commit murder, and then claim I had an REP. I displayed a subjective intention to achieve privacy, but it is not one which society would view as objectively reasonable.
Following this line of analysis, the Supreme Court held in Smith v. Maryland (1979) that any information committed to the care of a third-party is not protected by the Fourth Amendment. In Smith, the Court evaluated whether an individual had an REP in his pen registers (phone company records of the phone numbers dialed from a particular phone line). The Court held that there is no REP where a person voluntarily exposes their information to public view because that person has not displayed a subjective intent to assert their privacy.
The doctrine may have been on shaky ground even back in 1979, but certainly the justices deciding the case could not possibly have imagined the world we live in now, where we routinely store our most private information on servers in the hands of third-parties.
Clearly the doctrine needs some rethinking. As it stands, law enforcement can access incredibly detailed personal information about a person without a warrant. It is nearly impossible to show a subjective expectation of privacy while still functioning as a member of society since we are so dependent on phones.
Personally, I would start by arguing that company privacy policies and password protections indicate a subjective intent to remove electronically-stored personal information from general view. The sheer quantity of data being stored indicates to me that any reasonable person would never expect another individual to actually inspect their emails or cell phone location data. We are voluntarily committing the information to unthinking computers which are theoretically secure against unauthorized human intrusion, not to actual human beings.
But my instinct is to go farther. The amount of information about an individual collected by networked devices and corporations increases exponentially every year. With the internet-of-things and wearable tech on the rise, the problem is only going to grow. Cell phone location data, heart rate measurements from fitness trackers, dietary information from calorie-tracking apps, complete and detailed purchasing histories from credit card statements, statuses and pictures posted on social media, etc. etc. etc. Each individual datum may be meaningless on its own, but like a jigsaw, when put together they can reveal the most intimate details of a person's life. And there's essentially no way to opt out.
So I think we need an opt out method. I think people should be able to assert that the information resulting from a private commercial arrangement is private between the parties and that this should have equivalent effect to a confidentiality privilege (like doctor-patient or attorney-client privilege). A company's terms of service could then include a clause that says something like, "Any information gathered during the provision of these services is to remain private between the parties." If the government can get a warrant, then they can access the information. With so many multiplying avenues for individuals to unintentionally give up their privacy rights, there should be a simple, straightforward method for individuals to reassert those rights.
Heh. I broke down after six months of not having one and settled on a flip phone.
The amount of social and logistical requirements these days almost entirely necessitates a phone on you 24/7. It's frightening how much everyone relies on everyone having a phone, including companies. Looking at you, airbnb.
It was voluntary to get rid of my cell phone, but it was hardly voluntary to go back.
It may be difficult to live without one, but I'm pretty sure that legally, the agreement to let the provider do whatever with your data comes at the point of activation.
This whole "open data" and "Freedom of information" thing is really falling short on me these days. As I keep going further in attempting to get Chicago's office of the mayor's communication records, I keep getting more and more push back. 4/5 times it's essentially, "We don't have the infrastructure to make your request possible." The remainder is either incompetence or "malice".
Why does it take an extreme amount of effort, a year and a half (and counting!) to receive government communications (which is considered within the public domain) when these guys have such amazing ease doing the same towards the general public? It's unbelievable.
Here's part of a response I got today after requesting communications - including email - for six of the numbers's communications, derived from [0]:
The email system’s tool set cannot identify the department where an email user works, and therefore, a search cannot be based on a department. Parameters that would assist the Mayor’s Office in conducting an email search include: (1) the e-mail address of the account you wish searched; and (2) the e-mail address of each individual’s mailbox, if you seek e-mail correspondence to and from two individuals.
After dozens of these, the only way I read responses like that is, "We're not clever enough, or willing enough to work with other departments to help you out. You're probably going to give up after this rejection, but if you don't, you'll give up eventually."
To get around that, I submitted a FOIA request to their IT FOIA group requesting the domain names/sent times for all emails sent out of the mayor's office. Just so that I can get the timeframes for the Mayor's office to search through.
And.. just to add to the fun in attempting to prevent more rejections, another request to their IT department to send me their DNS resolution logs for the timeframe in [0]. Oddly, I don't think they can claim unduly burdensome on this one, either, since it's just pulling log files with maybe some awk commands and some nslookups on a machine outside their network to check if it's in "public domain".
Spilled milk, etc. Mayor's office said that about the linked spreadsheet, too.
If that happens, then I'll either look somewhere else for equally relevant information, or just focus more on the two other ongoing legs. :)
A rejection like that isn't necessarily a bad thing with research like this. Knowing about what's available and what's not is incredibly useful and makes similar requests easier in the future. It also helps gauge how a group will handle a request. For example, knowing that the FOIA officer consistently doesn't know FOIA that well means I don't have to bug my lawyer as much.
This seems ridiculous, it's pretty clear that the government had enough evidence to justify a warrant for the location data - they had already obtained one to search the phones. The difference here is purely procedural, of course the court is going to refuse to overturn a guilty verdict just because they asked for a court order instead of a second warrant. And now we have this shitty law.
There should be nothing - NOTHING - that is searchable/obtainable without a warrant. The entire point is that more than one person has to review the desire to collect information.
Want to draw my BAC? Put a judge on staff at the hospital. The point is not to encourage drunk driving, it's that the law gives no single person dominion over another, that one person cannot by force of law exert state-backed power over another.
I realize this would set up a bunch of rubber-stamp courts, but even that is light years better than warrantless anything.
Edit: the entire point is there are some rights we value over everything - including safety.
If you want that to be the law, you need to amend the Constitution to create an unconditional warrant requirement, rather than a reasonableness requirement and standard for using warrants.
A burning building is both an immediate threat to folks inside the building, and can be a threat to life to folks outside the building. That would be silly, however there should be accountability paperwork outside. In addition, many fires are reported by alarm systems or folks calling for emergency help - they asked for such a thing. There should be accountability paperwork, signed off by a court, before they start investigating - and the investigator should be a trained public official, not an insurance investigator.
In home murder? Assuming they got an emergency call or the cop happened to hear screaming, etc - yes, they should go in. Once folks are safe, however, everything else should require a warrant and paperwork should be filled out regardless for accountability reasons.
The whole point with the courts being involved is that even if it is after the incident, it brings a certain amount of accountability. We can change things so that different folks rotate the responsibility, include folks like prosecutors and public defenders and other private lawyers, and some things will basically be rubber-stamped (like investigating a fire or after they stopped the murder in progress).
In some cases, it is better to pass a law stating that a specific thing is allowed without a warrant, however, so that the courts don't have to get involved. A breathalyzer, for example, isn't invasive and good for public safety. Drawing blood should require a warrant and a trained professional in a clean environment, however. That could change if we have tests that are the equivalent of a finger prick for blood sugar as the risks are lower - we just aren't there yet.
> Would you allow firefighters to enter a burning building without a warrant?
Firefighters enter buildings for public safety, not to search for contraband or evidence.
> What about entering a home to stop an in-progress murder?
That is only allowed in rare exigent circumstances[1] that involve the imminent danger. While the plain view doctrine can apply in such a situation, exigent circumstances do not allow for searching in places that normally require a warrant.
> The argument that a court should be required in all circumstances is pretty silly.
Requiring a warrant in all circumstances where the government wants to search and/or seize evidence is a cornerstone of a free society. Warrants are a trivial barrier if there is a legitimate investigation with any evidence at all. The "probable cause" requirement is a very low barrier.
Some people complain that warrants are "rubber stamped" too easily, but getting the "stamp of approval" is the goal. It's easy to start skipping[3] simple requirements like "probable cause", so a warrant acts as a check and audit trail that at least some minimal procedure was followed.
I'm aware of all of these things. But as your second citation points out, an officer legally entering a building during an exigent circumstance may confiscate and/or use as evidence anything found in 'plain view'.
> Requiring a warrant in all circumstances where the government wants to search and/or seize evidence is a cornerstone of a free society. Warrants are a trivial barrier if there is a legitimate investigation with any evidence at all. The "probable cause" requirement is a very low barrier.
We just went over a variety of obvious exceptions to the warrant requirement. You can argue that these are exceptional cases to be sure, but it is certainly not true that a warrant is always required nor should it be (as the comment I was responding to said).
A very slightly less clear-cut example is BAC, as the parent commenter mentioned. It is completely impractical to get a warrant in DUI cases. It would either be a completely meaningless waste of everyone's time, or it'd literally be a rubber stamp, where a cop calls up and receives the warrant with zero interaction or consideration from the judge. And I don't know about you, but I'd rather not open the door to true rubber-stamping of warrants. Because once you start doing that, it's only a matter of time until they start doing it with things that aren't so trivial.
I'm pretty sure that if a firefighter breaks into my house to put out a fire the cops still have to have had a warrant for anything found in the house to be admissible in court.
I think a simpler point to make would be that no one should have special standing in the legal system except when issued a specific warrant. If one person can get this data without a warrant, then why would there be any kind of barrier against anyone else requesting this type of data for whichever individuals they feel like investigating/stalking/whatever? If there is a problem with that then someone has a responsibility to protect this data from EVERYONE who lacks a warrant.
This is ridiculously naive and unreasonable. I'm sure it sounds great to young, engaged people, but it would be impossible to implement. The cost alone would be prohibitive. It's great to have ideals, but the rest of us have to operate in the real world where silly things like money and the number of judges a cop has access to actually matter.
And what happens when someone's in danger, but the police officer is handcuffed by your proposed amendment? Witnesses heard a fight, or a gun shot, but they can't go into the house without a warrant. I'm sure I'll get a lot of downvotes for this around here, but you haven't thought this through. At all.
I can make up scenarios too! But, unless they're likely they're meaningless... Ticking timebombs are movie plots, not real life.
Yes, I actually want the state to be willing to allocate some resources (spend money) to access my personal data. Anything else invites abuse.
In what scenario do you propose that witnesses heard a fight (and where death/major harm is at risk) and yet the officer still needs to contact my provider for the location of the fight? If the witnesses heard the fight, have them point to where. If they can't, how do you know if it was me and how do you know which cell user to ask for data on? You don't, hence the scenario is a joke not reality.
In the near future, criminals will learn to leave their cellphones at home while committing crimes, using burner phones for any contact they need during that time.
Which, incidentally, is advice that the Shadowrun tabletop RPG gives freely as advice to would-be players...
> leaves their cellphones at home while committing crimes, using burner phones for any contact they need during that time
That's getting a lot harder to do in practice. OPSEC is hard when you have to care about stuff like overlapping usage of the burner so the movement logs of the regular phone stopping don't correlate with when the burner starts moving.
Zoz gave a great overview[1] of modern cellphone OPSEC at DEFCON 22.
Criminals have long ago started doing this. The ones that want to stay out of jail, that is. Not that that will help them much because even then they still leave quite a bit of digital detritus to use as a means of tracing them.
The only way to commit a crime and not be caught immediately will be a guy in a non-contamination suit on a bicycle.
One of the seasons of the popular TV drama The Wire [1] revolved around drug dealers using burner phones for communication, making it really difficult for the police to wiretap them. So the idea has been out there for quite some time now.