Protecting Privacy in the Age of Big Data

Changes in technology mean that the Fourth Amendment protects a lot less than you think. But law professors (and Supreme Court justices) are redefining what privacy means in the 21st century.

sneakers movie

Edward Snowden’s leak of secret NSA programs designed to monitor has dominated the news in recent days, with no less than Daniel Ellsburg, perhaps the most famous leaker in American history, saying that the importance of Snowden’s leak goes beyond even his own leaking of the Pentagon Papers. Ellsburg’s leak helped stop the Vietnam war; he hopes Snowden’s will “roll back a key part of what has amounted to an ‘executive coup’ against the U.S. constitution“:

[W]hat is not legitimate is to use a secrecy system to hide programs that are blatantly unconstitutional in their breadth and potential abuse. Neither the president nor Congress as a whole may by themselves revoke the fourth amendment – and that’s why what Snowden has revealed so far was secret from the American people.

Except Ellsburg may not be right about that: whether or not the revealed NSA programs violate the Fourth Amendment. For a refresher, here it is:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The way constitutional law often works is by extended metaphor: we look for metaphors in past law to figure out how that law extends to the present. Looking at the Fourth Amendment, you might think that “secure” in your “papers” would be a pretty good start for the government not being able to monitor the contents of your e-mail, as the Guardian has reported about the PRISM program.

But “secure” has a broad meaning. I know, using Gmail, that Google monitors the emails I send in order to target advertising to me. So I’m actually sharing my deepest, darkest secrets with a giant company, under the belief that all they really care about is stuff I might want to buy, which in my experience they’re not very good at figuring out.

And that form of sharing—that I’m voluntarily giving my information to a third party—has implications for whether or not the government accessing it is constitutional.

A few years ago the University of Chicago held a symposium on surveillance law, after a number of revelations about the NSA’s monitoring of electronic communications had already broken. One of the contributions was from Christopher Slobogin, a professor of law at the University of Florida, writing on “Government Data Mining and the Fourth Amendment.” Slobogin writes:

The implications of Miller and Smith for data mining are fairly clear. These cases stand for the proposition that the government can obtain information about us from third parties without worrying about the Fourth Amendment. Since virtually all information obtained through data mining comes from third party record holders-either the government itself, commercial data brokers, or a commercial entity like a bank—its acquisition does not implicate the Fourth Amendment.

Miller held that a subpoena for bank information “was not a search because Miller could not reasonably expect his bank information to remain private.” A person using a bank, the Court held, “takes the risk, in revealing his affairs to another, that the information will be conveyed to the Government… even if that information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.”

Shortly after Miller, the Court followed up with Smith: “any expectation we might have that phone company logs are private is unreasonable because we know that phone companies keep records of the numbers we dial.”

So when I send emails, I “reveal my affairs to another” [Google] with the assumption that it will be “used for a limited purpose” [targeting advertising] and that they won’t betray my confidence by letting the NSA at my stuff. As Rebecca Rosen writes, “it seems that many of the legal questions will hinge on whether the Internet companies voluntarily participated in the program. If that is the case, that might be enough to satisfy any Fourth Amendment concerns.”

If you think this sounds crazy, you are not necessarily alone. Joining the Court in the 2012 case U.S. v. Jones (about whether sticking a GPS on a suspect’s car constitutes a search), Sonia Sotomayor wrote:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.

But note how Sotomayor couches this:

Perhaps, as Justice Alito notes, some people may find the “tradeoff ” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy.

This is really important: Fourth Amendment law takes into account a “reasonable expectation of privacy”; even the Smith opinion, writes Rosen: “recognized a distinction between that information – conveyed knowingly to the phone company – and the call’s contents. This distinction itself rests on an even older technological metaphor, one between a letter itself and the writing on its envelope, which would could not ‘reasonably’ expect to be private.” In other words, lots of post office employees will see who you’re writing a letter to, but they aren’t allowed to open it up.

But Google is allowed to open up your email, or at least its computers are. How do you test that against a reasonable expectation of privacy? Slobogin’s suggestion is to ask. He surveyed a group of jury pool members, asking them to rate the “relative intrusiveness” of different forms of policing. Lowest was a roadblock (30 on a scale of 100). Highest was a bedroom search (81 out of 100).

The intrusiveness of the NSA program would all rate highly: phone records at 74 (ahead of a patdown), credit card records at 75 (ahead of “search of car"), email addresses sent to and received from at 77, bank records at 80. 

It’s a tiny survey, and Slobogin isn’t saying the Supreme Court should just base what privacy is on it. Instead, he’s pointing out that what we think of as “private” changes with the technology we use and how we use it.

Another way to investigate what a “reasonable expectation of privacy” is comes from Lihor Strahilevitz, a University of Chicago law prof. His idea is that, in a networked, researched age, we can actually use social network theory to determine what a reasonable expectation of privacy actually is, not just what we think it is: “The goal here is to solidify the ‘privacy’ inquiry as an empirical question, rather than a highly contested normative matter":

Lacking both a computer model and an understanding of the science of social network analysis, judges have relied on their intutions to evaluate the likelihood of information dissemination in a counterfactual world. Judges seem to be asking themselves, ‘had the defendent not become involved, would I have expected this information to remain private were I in the parties’ shoes?’ I have suggested that this is the right question to be asking. But the answers that courts have provided seem to rely on guesswork more than anything else. We can use sociology to assess the accuracy of judges’ guesses, and perhaps to help them make better educated guesses.

Strahilevitz is looking at tort law, not Fourth Amendment law. But Slobogin ties it to his subject:

The implications of social network theory for data mining are straightforward. Unless it is part of a public record designed for consumption by everyone or describes an activity observed by strangers, the transactional information government seeks through data mining is rarely known outside our families (aside from the third-party institutions to which we provide it). Expectations that such information will remain “private” are reasonable from the social network perspective.

The government, particularly in the field of intelligence gathering, has shown itself to be remarkably creative in finding a legal basis for information gathering that the average person would find intrusive; should Fourth Amendment law change, it’s no guarantee that the feds would be hampered by it, at least not for awhile.

But the shock over the Snowden leaks and the ongoing coverage are still vital. The law is based on what we think about these things, in the form of reasonable expectation. As Sotomayor’s concurrence suggests, the courts do actually listen to us—as we disclose more and more information to third parties in the course of our daily lives, we gain different expectations for that information. The networked world has made that information easily accessible, but its lessons could provide protections as well, once the courts catch up.


Submit your comment