When the Supreme Court ruled yesterday in the case of Riley v. California, it definitively told the government to keep its warrantless fingers off your cell phone. But as the full impact of that opinion has rippled through the privacy community, some SCOTUS-watchers say it could also signal a shift in how the Court sees the privacy of data in general—not just when it’s stored on your physical handset, but also when it’s kept somewhere far more vulnerable: in the servers of faraway Internet and phone companies.
In the Riley decision, which dealt with the post-arrest searches of an accused drug dealer in Boston and an alleged gang member in California, the court unanimously ruled that police need a warrant to search a suspect’s phone. The 28-page opinion penned by Chief Justice John Roberts explicitly avoids addressing a larger question about what’s known as the “third-party doctrine,” the notion that any data kept by a third party such as Verizon, AT&T, Google or Microsoft is fair game for a warrantless search. But even so, legal analysts reading between the opinion’s lines say they see evidence that the court is shifting its view on that long-stewing issue for online privacy. The results, if they’re right, could be future rulings from America’s highest court that seriously restrict both law enforcement’s and even the NSA’s abilities to siphons Americans’ data from the cloud.
Digital Is Different
The key realization in Roberts’ ruling, according to Center For Democracy and Technology attorney Kevin Bankston, can be summarized as “digital is different.” Modern phones generate a volume of private data that means they require greater protection than other non-digital sources of personal information. “Easy analogies of digital to traditional analog surveillance won’t cut it.”
Daniel Solove, a law professor at George Washington Law School, echoes that sentiment in a blog post and points to this passage in the opinion:
First, a cell phone collects in one place many distinct types of information—an address, a note, a prescription, a bank statement, a video—that reveal much more in combination than any isolated record. Second, a cell phone’s capacity allows even just one type of information to convey far more than previously possible. The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions.
That argument about the nature of digital collections of personal data seems to apply just as much to information held by a third party company as it does to information held in the palm of an arrested person’s hand. And Solove argues that could spell trouble for the third-party doctrine when it next comes before the Court. “The Court’s reasoning in Riley suggests that perhaps the Court is finally recognizing that old physical considerations—location, size, etc.—are no longer as relevant in light of modern technology. What matters is the data involved and how much it reveals about a person’s private life,” he writes. “If this is the larger principle the Court is recognizing today, then it strongly undermines some of the reasoning behind the third party doctrine.
The Court’s opinion was careful not to make any overt reference to the third-party doctrine. In fact, it includes a tersely-worded footnote cautioning that the ruling’s arguments about physical search of phones “do not implicate the question whether the collection or inspection of aggregated digital information amounts to a search under other circumstances.”
But despite the Court’s caveat, its central argument in the opinion—that the notions of privacy applied to analog data are no longer sufficient to protect digital data from warrantless searches—doesn’t limit itself to physical access to devices. And the opinion seems to hint at the Court’s thoughts on protecting one sort of remotely-stored phone data in particular: location data.
The Logic of Location Data
The Riley ruling cites an opinion written by Justice Sonia Sotomayor in the case of US vs. Jones, another landmark Supreme Court decision in 2012 that ended warrantless use of GPS devices to track criminal suspects’ cars. GPS devices, Sotomayor wrote at the time, create “a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” Roberts’ reference to that opinion in Tuesday’s ruling seems to acknowledge that the sensitivity of GPS device data extends to phone location data too. And there’s little logical reason to believe that phone data becomes less sensitive when it’s stored by AT&T instead of in an iPhone’s flash memory.
With Riley and Jones, “we’ve now seen two indications that the Supreme Court is rethinking privacy for stored data,” says Alex Abdo, a staff attorney at the American Civil Liberties Union. “Neither raises the question directly, but they both contain clues into the mindset of the court, and they both suggest that there’s another victory for privacy in the waiting.”
“If I were to guess,” Abdo adds, “I would predict that the Supreme Court will make good on its suggestion that the third-party doctrine doesn’t make sense in the context of cloud storage.”
The ripples from Riley may extend to the NSA’s surveillance practices, too.
The ripples from Riley may extend to the NSA’s surveillance practices, too, says Jennifer Granick, director of Civil Liberties at Stanford Law School’s Center for Internet and Society. She points out that the NSA has used the same third-party doctrine arguments to justify its collection of Americans’ phone data under section 215 of the Patriot Act. “What will this mean for the NSA’s bulk collection of call detail records and other so-called ‘metadata’?” she asks in a blog post. “The opinion suggests that when the Court has that question before it, the government’s approach may not win the day.”
Thanks to the caveat footnote limiting its significance to physical searches of phones, the Riley ruling likely won’t set any precedent useful for privacy activists just yet. But the CDT’s Kevin Bankston says it hints that the Supreme Court has acknowledged the need for new privacy protections in the age of mobile computing. “The Court is clearly concerned with allowing access to data in the cloud or on cell phones without a warrant. And that’s likely indicative about how they’ll approach things like cell phone location tracking and NSA surveillance in the future,” Bankston says. “The fourth amendment for the 21st century will be quite different from the fourth amendment in the 20th century.”
No comments:
Post a Comment