From The President: Third-Party Doctrine in the Age of COVID-19

Although businesses and individuals were sharing information and data with third-party vendors long before the COVID-19 outbreak, use of remote work tools is sure to endure long after the outbreak passes, making privacy concerns even more important.

Access to The Champion archive is one of many exclusive member benefits. It’s normally restricted to just NACDL members. However, this content, and others like it, is available to everyone in order to educate the public on why criminal justice reform is a necessity.

The Third-Party Doctrine

In 1979, the Supreme Court in Smith v. Maryland solidified what is now known as the “third-party doctrine” by holding that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”{1} 1  See Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (individuals have no actual or legitimate expectation of privacy in information they voluntarily relinquish to telephone companies). In large part, the Court relied on United States v. Miller, a case it decided three years earlier, involving warrantless access to a defendant’s bank account records.{2} 2  United States v. Miller, 425 U.S. 435 (1976). In Miller, the Court held that the defendant “can assert neither ownership nor possession” of the bank’s business records.{3} 3  Id. at 440. “The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the government [] even if the information is revealed on the assumption that it will be used only for a limited purpose.”{4} 4  Id. at 443.

The third-party doctrine relies on two primary justifications. The first centers on “property interests” — an individual cannot assert either ownership or possession over the business records of another.{5} 5  Id. at 440, 442 (1976). Second, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. Plainly put, the Fourth Amendment is not violated when the government seizes information voluntarily conveyed or revealed to a third party without a warrant.{6} 6  Supra note 1.

The “technology” at issue in Smith (pen registers) and Miller (microfilms of checks and deposit slips) was relatively simple and non-invasive as compared to the technology used almost daily in our personal and professional lives and those of our clients. This reliance on technology has only ballooned with the recent pandemic brought about by the COVID-19 virus. Around the country, businesses and schools have effectively shut down to help slow the spread of the virus. Indeed, as of April 7, 2020, all but five states had “stay at home” orders in place, effectively shuttering brick and mortar businesses and offices.{7} 7  See Which States and Cities Have Told Residents to Stay at Home, N.Y. Times (April 7, 2020), available at https://www.nytimes.com/interactive/2020/us/coronavirus-stay-at-home-order.html. For the vast majority of individuals and companies, remote work was no longer an option but a necessity. At the same time, most individuals and companies do not have the resources to build their own private email servers, document clouds, or videoconferencing centers. Indeed, the videoconferencing company Zoom has seen its daily user numbers swell from 10 million users last year to nearly 200 million users in March 2020.{8} 8  Privacy Cannot Be a Casualty of the Coronavirus, N.Y. Times (April 7, 2020), available at https://www.nytimes.com/2020/04/07/opinion/digital-privacy-coronavirus.html; See also Most People Just Click and Accept Privacy Policies Without Reading Them — You Might Be Surprised at What They Allow Companies to Do, CNBC (Feb. 7, 2019), available at https://www.cnbc.com/2019/02/07/privacy-policies-give-companies-lots-of-room-to-collect-share-data.html.

Central to the functioning of these remote work services is the collection of user data, both voluntary — such as uploading documents to a hosted cloud, or sending emails — and passive — such as the collection of IP addresses of points of service, and the date, time and location of activity on mobile and computer apps.{9} 9  Most People Just Click and Accept Privacy Policies Without Reading Them — You Might Be Surprised at What They Allow Companies to Do, CNBC (Feb. 7, 2019), available at https://www.cnbc.com/2019/02/07/privacy-policies-give-companies-lots-of-room-to-collect-share-data.html. Moreover, data collection policies are purposely written to be confusing to the average consumer, inducing users of these services to quickly “click through” privacy policies and accept all the terms of service.{10} 10  Id.

More importantly, as is being discovered now, the cost of connecting to the internet is the transfer of vast amounts of personal data to corporations using it to generate profit — further obliterating any expectation that your data remains confidential.{11} 11  Zoom Rushes to Improve Privacy for Consumers Flooding Its Service, N.Y. Times (April 8, 2020), available at https://www.nytimes.com/2020/04/08/business/zoom-video-privacy-security-coronavirus.html. Whether the data collection is voluntary or passive, the point is that information is being conveyed to third parties, potentially obliterating any “reasonable expectation of privacy” that an individual might otherwise possess under current Fourth Amendment jurisprudence.

Where We Stand

In United States v. Jones,{12} involving GPS tracking, Justice Sotomayor wrote a concurring opinion that questioned the third-party doctrine’s place in modern society: 12  United States v. Jones, 565 U.S. 400, 404 (2012). In Jones, the Court held that law enforcement officers violated the Fourth Amendment when they attached a GPS tracker to the bottom of a suspect’s vehicle for 28 days without a warrant.

[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. … I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.{13} 13  Id. at 417-18 (Sotomayor, J., concurring).

Justice Sotomayor nevertheless joined the Court majority’s opinion in Carpenter v. United States, which largely preserved the third-party doctrine, creating only a limited exception for cell-site location information (“CSLI”).{14} 14  United States v. Carpenter, 138 S. Ct. 2206 (2018).

In Carpenter, the defendant was the supposed leader in a series of store robberies. During its investigation, the government subpoenaed the defendant’s wireless service carrier, which in turn produced the defendant’s CSLI showing the location information of the defendant’s cellphone for incoming and outgoing calls. This request totaled nearly 13,000 points of location data over a period of 129 days. In reaching its opinion, the Court was confronted with two intersecting lines of jurisprudence: “The first set of cases address[ed] a person’s expectation of privacy in his physical location and movements.”{15} 15  Id. at 2215 (citing United States v. Jones, 565 U.S. 400 (2012) (holding that the FBI engaged in an unlawful trespass when it installed a GPS tracking device on the defendant’s car without a warrant)). The second set of cases addressed the third-party doctrine.{16} 16  Carpenter, 138 S. Ct. at 2216 (internal citations omitted).

Despite the fact that CSLI data is stored in the hands of third parties, the Carpenter Court found a legitimate Fourth Amendment privacy interest in such data.{17} 17  Id. at 2219. Underpinning the Court’s ruling was the realization that “a cellphone — almost a feature of human anatomy — tracks nearly exactly the movements of its owner” and “apart from disconnecting the phone from the network, there is no way to avoid leaving behind a trail of location data[,]” thus leaving the government with a near perfect tracking system of every citizen, if left unchecked.{18} 18  Id. at 2218, 2220. Importantly, however, the Carpenter majority left open whether other types of personal data, held by third parties, might also escape the traditional third-party doctrine.{19} 19  Id. at 2262.

Because Carpenter’s holding applies only to a narrow subset of records, subsequent lower court decisions have attempted to limit Carpenter’s holding and impact. In United States v. Hood, the First Circuit held that Carpenter does not apply to administrative subpoenas sent to smartphone messaging service providers for subscriber information — information associated with the user’s account, such as IP addresses, and date and time of service — even though the information enabled the police to determine his precise location when he logged on to the messaging application, as well as the date and time of those digital transmissions.{20} 20  See United States v. Hood, 920 F.3d 87, 91-92 (1st Cir. 2019). Hood argued that the IP address data that the government acquired from Kik without a warrant — which concerned Hood’s internet activity only on Kik and only over a four-day span — was not materially different from the CSLI that was at issue in Carpenter. By contrast, the court maintained that an IP address, standing alone, does not disclose an individual’s location; instead, the government must take the IP address obtained by the subpoena to an internet service provider to discover the user’s precise location.{21} 21  Id. at 92. Other courts have similarly held Carpenter inapplicable to fixed video monitoring,{22} location-revealing bank records,{23} online shopping histories,{24} and records from internet service and email providers.{25} 22  See, e.g., United States v. Kubasiak, No. 18-cr-120-pp, 2018 WL 4846761 (E.D. Wis. Oct. 5, 2018); United States v. Kay, No. 17-cr-16, 2018 WL 3995902 (E.D. Wis. Aug. 21, 2018). 23  See United States v. Frei, No. 3:17-cr-00032, 2019 WL 189826, at *1-3 (M.D. Tenn. Jan. 14, 2019). 24  See United States v. Schaefer, No. 3:17-CR-00400-HZ, 2019 WL 267711, at *5 (D. Or. Jan. 17, 2019). 25  See United States v. Tolbert, No. 14 CR 3761, 2019 WL 2006464 (continued in Endnote).

Nevertheless, there appears to be a glimmer of hope for privacy rights. In the context of IP address tracking cases, at least one district court has rejected a bright-line rule denying IP address information Fourth Amendment protection, and instead has developed a fact-intensive inquiry. In United States v. Kidd,{26} the district court found that the circumstances at issue in that case presented a substantial unresolved question as to whether the location information conveyed by IP address information is sufficiently similar in kind to that conveyed by CSLI to warrant the application of Carpenter — for example: Does the provider collect IP address information when the customer is not affirmatively using the service? Did the customer use the service on a cellphone while connected to a cellular network, and if so, how geographically accurate was the resulting IP address information while on the cellular network?{27} 26  United States v. Kidd, 394 F. Supp. 3d 357 (S.D.N.Y. 2019). 27  Id. at 367–68.

Conclusion

As the public debate surrounding data collection and privacy technology heats up, it is important to remember what is at stake. Though the public debate has been primarily focused on corporate prying by IT firms into our daily existence, it should not be forgotten that under current Fourth Amendment jurisprudence, anything that we share with these corporations and service providers is fair game for the government to seize without a warrant. The issues surrounding data privacy and voluntary disclosure are not easy issues to solve, as observed in a recent article concerning privacy rights in the New York Times:

Many companies make it exceedingly difficult to opt-out of data collection, burying permissions deep on their websites or frequently changing privacy policies that dictate how and how often personal information can be harvested. Once you start using some services it can also be hard to stop, particularly if your files or photos are stored there, a desirable feature among tech companies known as lock-in.{28} 28  Supra note 8.

Although individuals and businesses were sharing information and data with third-party vendors long before the COVID-19 outbreak, use of remote work tools is sure to endure long after the outbreak passes, making privacy concerns facing both individuals and businesses even more important. The heightened prevalence of data sharing and digital communication underscores the importance of defense counsel’s working knowledge of these digital platforms. As highlighted by the court’s questions in Kidd, defense counsel’s understanding and ability to answer a court’s questions regarding the difference between passive and active data collection, the ability to acquire or discern personal location data, and the kind of data that is shared is critical to protecting vital Fourth Amendment privacy interests moving forward into the future.

NACDL’s Fourth Amendment Center is available to assist in litigating these issues.

About the Author

Nina J. Ginsberg, a founding partner at DiMuroGinsberg, P.C., in Alexandria, Virginia, has practiced criminal law for more than 35 years. She has represented individuals and corporations in a wide range of matters, with a focus on national security law, white collar investigations and prosecution, financial and securities fraud, computer crime, copyright fraud, and professional ethics.

Nina J. Ginsberg (NACDL Member)
DiMuroGinsberg, P.C.
Alexandria, Virginia
703-684-4333
nginsberg@dimuro.com
www.dimuro.com
@DiMuroGinsberg

 

Endnote

  1. See United States v. Tolbert, No. 14 CR 3761, 2019 WL 2006464, at *3 (D.N.M. May 7, 2019); United States v. Kidd, 394 F. Supp. 3d 357, 364 (S.D.N.Y. 2019) (citing an exhaustive list of district court opinions addressing IP data: United States v. Germain, No. 18 CR 26, 2019 WL 1970779, at *4 (D. Vt. May 3, 2019) (finding no reasonable expectation of privacy in internet service company records obtained via subpoena after the government collected IP address information for defendant’s email account through a search warrant served on Google); United States v. McCutchin, No. 17 CR 1517, 2019 WL 1075544, at *3 (D. Ariz. Mar. 7, 2019) (analogizing IP address information to the return address on envelopes to find that the defendant did not have a privacy interest “in the IP address used to connect his home with the internet”); United States v. Felton, 367 F. Supp. 3d 569, 575 (W.D. La. 2019) (applying third-party doctrine to find that there is no reasonable expectation of privacy in IP address information associated with defendant’s access of the U.S. Postal Service website to track a package of methamphetamine); United States v. Rosenow, No. 17 CR 3430, 2018 WL 6064949, at *10-11 (S.D. Cal. Nov. 20, 2018) (finding no reasonable expectation of privacy in “recent” IP address information associated with Yahoo.com and Facebook.com accounts)).