Don't Tread on My Metadata
Do you classify Edward Snowden -- the former National Security Agency contractor contractor charged with espionage, and runner-up for Time's "Person of the Year" -- as a hero or a traitor? Your answer likely depends on your opinion of the NSA programs he helped publicize via his leaking of highly classified documents. In this week's revelations, we learn that the NSA deploys agents to infiltrate online gaming communities, and that it uses the Google tracking cookies we thought were responsible only for that eerie and annoying targeted advertising. We also learned recently that the NSA collects “nearly 5 billion records a day on the whereabouts of cellphones around the world.” Earlier this year, we learned that the NSA has been continuously collecting phone record “metadata” of all Verizon customers for the last seven years. The NSA also accessed email and other forms of Internet communication -- including Skype voice and video communications -- via a secret program called Prism. Director of National Intelligence James Clapper described these programs as “acquiring” information only about foreigners, and yet “49-plus percent of the communications [intercepted and stored under the Prism program] might be purely among Americans….”
Whatever you think of Snowden, his actions have drawn significantly more attention to the NSA’s intrusive programs. Now the question is: will anything be done about them?
Proponents of the programs have noted that, although data collection is performed without probable cause or particularized suspicion, only transactional metadata, not the content of communications, is collected. Moreover, their proponents continue, these programs make it easier for the government to identify and track suspected terrorists, and therefore strike the right “balance” between privacy and security. In addition, some argue, the programs are perfectly legal: according to the “third-party doctrine,” there is no “reasonable expectation of privacy” in metadata we share with our phone companies, Internet service providers, etc., and the collection of metadata is authorized by the Patriot Act or the FISA Amendments Act.
In this article, I’ll first discuss the third-party doctrine, including its history and the types of cases to which is has been applied. Then I will propose a better way of dealing with cases typically thought to fall under this doctrine. Finally, I will use the common law of contract to answer the charge that eliminating the third-party doctrine will prevent government from using secret agents in law enforcement.
I. The Third-Party Doctrine
The third-party doctrine says that the Fourth Amendment does not apply when you share information with a third party -- e.g., your bank, your phone company, Facebook -- and then the third party, in turn, shares the information with the government. Most legal scholars believe this is the case because, once you share the information with a third party, you no longer have a “reasonable expectation of privacy” in it, and therefore the government’s obtaining it is not a “search.” When the Fourth Amendment does not apply, statutes such as the Patriot Act or the FISA Amendments Act may authorize the government’s broad information gathering and aggregating activities, without the requirement of a warrant based on probable cause and particularized suspicion.
The doctrine first arose in a series of cases called the “secret agent” cases. Think of Tony Soprano divulging information about the operation of his illegal businesses to a government informant, and the informant later turning that information over to the government prosecutor, who uses it to indict and prosecute Soprano. The fact that the Fourth Amendment does not protect the Tony Sopranos of the world probably does not bother us. But starting in the early 1970s the doctrine was held to apply, not only to the Tony Sopranos of the world, but also to you and me (I am assuming that none of us is in the mafia) when we share information with third parties in the ordinary course of doing business and living our lives.
Considering the third-party doctrine’s disturbing implications, one would think that it would have been overturned – or its application severely limited – by now. I did find one scholar who argued that the Supreme Court has long refused to apply the third-party doctrine “in a strong form.” But others I’ve read have either defended the doctrine, or argued only that it should be modified to accommodate the realities of the “digital age.” (For my presentation of and commentary on the scholarly arguments given in favor of and against the third-party doctrine, I refer you to my forthcoming article in St. John’s Law Review.)
The member of the legal profession who got me thinking critically about the third-party doctrine is someone with whom I typically have little in common: Supreme Court Justice Sotomayor. In her concurring opinion in United States v. Jones, she calls for the doctrine to be reexamined:
[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.
It seems that Sotomayor might be ready to overturn the third-party doctrine in an appropriate case. I hope she will have the opportunity to do so, and that she and the Court will consider my proposed alternative.
II. An Alternative Proposal
My proposal rests on a free-market model for the protection of informational privacy that I first presented in my dissertation, and then finally defended in print several years ago. I have suggested that we return to the era of protecting privacy on the basis of our rights to property and contract, as was the case before a famous 1890 law review article written by Warren and Brandeis. In other words, I reject the so-called “right to privacy.” You don’t want someone to see or hear what you’re doing in your home? Lock your doors, close your windows and shut your blinds. You want to keep your financial information private? Well, before the government started compelling the bulk collection and reporting of financial data, something for which we can thank the third-party doctrine, you could protect your financial privacy simply by having a confidentiality clause in your contract with your bank.
A distinct “right to privacy” is not only superfluous; it’s immoral, because it tends to displace and undermine our fundamental rights to property and contract. Ironically, because our rights to property and contract enable us to achieve states of privacy, the consequence of recognizing a distinct right to privacy is less privacy protection. The recent revelations about intrusive NSA programs are just the latest examples. In an earlier article, after reviewing the 1970s business records cases, I wrote:
If the controlling standard in these cases had been one’s right to property, along with one’s right to use his property to enter into contracts, then a man’s privacy would not be dependent on others’ opinions about…whether his expectations are reasonable. Rather, it would depend solely on his ability to produce values and to trade those values for the means to protect the privacy he seeks. Of course, the government could still issue warrants to compel third parties to disclose information that has been entrusted to them. But at least then the disclosure of information would depend on factors such as particularized suspicion and limited scope of search….
Applying the above model to the third-party situation would be straightforward: An individual has a contract with a third party – a bank, a phone company, an ISP. The contract contains a provision according to which the third party promises, as part of the consideration for the customer’s money and patronage, to keep his information private. If the third party reveals a customer’s private information, it has breached the contract and must pay damages accordingly. Moreover, the government, in order to compel the third party to breach its contract with you, would need to get a search warrant or the equivalent, based upon probable cause and particularized suspicion. If it failed to do so, the modern remedy would likely be the exclusionary rule, but I would prefer to return to the traditional trespass model of the Fourth Amendment; by analogy here we might charge the government with tortious interference with contract.
Suppose, for example, the police found, on a publicly available Internet discussion forum, a post by a person who says he wants to blow up participants and spectators at the Boston Marathon. If the police discovered this early enough, such that the threatened attack was not imminent, then they could go to a judge, present the evidence they have amounting to probable cause and pointing to a particular individual or group of individuals, and get a warrant. The warrant would compel the forum host to reveal the IP address of the post’s author, which could then lead the police to the real person, who could then be investigated, as appropriate. If a threat were imminent, criminal procedure would allow for an exception to the warrant requirement; this would be no less true in cyberspace than it is in physical space. What would be gone, on my model, are the days of government engaging in such practices as compelling banks to compile and hand over data about all transactions in excess of $5,000, regardless of who engaged in them, and then combining that data with data produced by another “third party” -- e.g., Facebook -- and then running searches on the combined database with no warrant, no probable cause, no particularized suspicion.
III. Addressing an Objection: Illegal Contracts
I have not yet explained how I would treat Tony Soprano’s basement conversations with government informants. It is this type of “secret agent” case that made the third-party doctrine seem plausible in the first place. If there is a way to protect the privacy of third-party transactions only for the majority of us, who do not engage in illegal behavior, wouldn’t that be ideal? Thankfully, the common law of contracts provides a rule that allows us to address these “secret agent cases” in a way that is consistent with my overall model for the legal protection of privacy.
At common law, illegal contracts are not enforceable. An illegal contract is one whose subject matter -- the thing to be done pursuant to the contract, the consideration provided for at least one of the parties’ promises -- is illegal.
The defense is not just a relic taught in law schools and tested on bar exams: One scholar methodically examined all the federal and state court cases in which any defense falling into the broader category of “public policy” was employed during the latter half of 2009. He found that defenses based on a violation of a statute or regulation -- among these are defenses based on illegal contracts -- had the highest success rate, 59%.
In one case, a court refused to enforce a promissory note in excess of $30,000, a substantial portion of which was still due and payable, because a small fraction of the note’s total amount, $1,500, was in consideration of a gambling debt. If such cases are representative, it seems that a court presented with an illegal contract could similarly deny enforcement of any explicit or implicit provision promising to keep private any information shared pursuant to the contract. Tony Soprano’s revelations to a secret agent could therefore be shared with the government and used to prosecute him, without a warrant or probable cause. No third-party doctrine is required.
Conclusion: Beyond the Third-Party Doctrine
The choice we’ve been given -- invasive government programs and security on the one hand vs. privacy and vulnerability on the other -- is a false alternative. Moreover, getting rid of the third-party doctrine is necessary, not because one has a “reasonable expectation of privacy” in information shared with a third party, but rather because the third-party doctrine fails to recognize and protect our rights to property and contract within the context of government law enforcement activity. In fact, as I have argued elsewhere, the reasonable expectation standard of Katz is itself flawed and should be eliminated. The final goal should be to recognize that property and contract, rather than subjective evaluations of someone’s expectations, are the foundations of privacy.
Courts and legislators should use the opportunity created by outrage over the NSA’s overreach to reconsider the third-party doctrine and, ultimately, our whole model for the legal protection of privacy.
(Artwork created using a modified Shutterstock.com file.)