So for decades the question of what kinds of data can be easily seized by the government has been determined largely by two more specific questions: Would a person reasonably expect the data to be kept private? And has the data been voluntarily handed over to some third party?
In an online world, the answer to that second question is almost always yes. Third parties — including but not limited to your internet service provider, your email provider or your cellphone company — transmit and process and store almost all of your data. Allowing those third parties to carry your data, even though there’s really no way to avoid them if you want to be online at all, theoretically makes much of it legally fair game for the government to collect without a warrant.
The actual written contents of your emails and other online communications are still protected by the Fourth Amendment under the Electronic Communications Privacy Act (so long as they’re less than six months old). But location data falls into the nebulous category of metadata, or information about electronic communications, that is not protected under the act. That’s ostensibly because the metadata is less personal and revealing than the communications themselves. Except that metadata about where you are and whom you’re communicating with and what IP address you’re using is often every bit as revealing as the contents of the messages you send.
Still, it came as a little bit of a surprise last summer, when the Supreme Court ruled in Carpenter v. United States that a week’s worth of cellphone location data records were protected by the Fourth Amendment, despite being stored by a third-party cellphone provider, because “an individual maintains a legitimate expectation of privacy in the record of his physical movements.” (The court did leave open the possibility that it might be legal for the government to see location data for a shorter period than a week).
In many ways, the Carpenter ruling was a victory for privacy advocates and signaled the Supreme Court’s willingness to rein in third-party doctrine a little bit in an era when almost all of our communications are handled by intermediary companies. But it was also a stark reminder of how much our Fourth Amendment protections depend on what we — and, more important, what our judges — legitimately expect in terms of privacy.
Some Supreme Court justices have been roundly (and often deservedly) mocked for their ignorance about basic everyday technologies, such as text messages and email. But one advantage to having an older, less tech-savvy judiciary is that their ideas about privacy were formed during an earlier era when it might well have been reasonable to expect that the police would not be able to obtain a week’s worth of detailed location information about you.
In United States v. Jones, decided in 2012, the court ruled that a warrant was required to collect someone’s location data using a GPS device attached to his car. The majority ruling held that the Fourth Amendment applied because it protected the car from being tampered with, but in a concurring opinion Justice Samuel Alito argued that it was actually the location data — not the car — that deserved Fourth Amendment protection. By way of explanation, he wrote, “Society’s expectation has been that law enforcement agents and others would not — and indeed, in the main, simply could not — secretly monitor and catalog movement of an individual’s car for a very long period.”
For many people, especially those of us who grew up with ubiquitous location-tracking devices, to say nothing of ubiquitous large-scale data breaches, that is no longer our expectation. Does that mean we lose our Fourth Amendment protections for the information we no longer expect to be secret?
In March, the Senate confirmed Allison Rushing’s nomination as a judge on the Court of Appeals for the Fourth Circuit. At 36, she became the youngest federal judge in the country. In many ways, a younger and presumably more tech-savvy judiciary is a good thing for deciding cases that revolve around modern technologies. But at the same time, the Supreme Court and other courts have been reluctant to erode the Fourth Amendment’s protections for data like location information because it seems reasonable to them that people would expect that material to be private. They themselves expect it to be private. As that expectation shifts with a younger judiciary, then so too may those protections.
Today, our ideas about what is — and what should be — private are changing fast. As we routinely hand over more and more information about ourselves, our communications, our locations and our activities to tech companies, predicating our legal privacy protections on what we expect, rather than what we think people deserve or have a right to, is deeply problematic.