Privacy is, today, effectively illegal.
On a typical day, we share information about ourselves with several “third parties”: Internet service providers, social media companies, stores, banks, and more. Thanks to technology, this sharing makes our lives richer and more convenient.
Enter the “third-party doctrine.” It says that, once we share information with a third party, the Fourth Amendment warrant requirement no longer applies. In other words, the government may obtain whatever information we share with third parties, without presenting a warrant based on probable cause and particularized suspicion. All your data belongs to the U.S. government—unless there’s a statute protecting it.
Even when a statute protects data from government’s prying eyes, it typically requires the government to produce something less than probable cause and particularized suspicion. Moreover, once the government has obtained assorted pieces of information about you, all it takes is a president’s “pen and phone” to combine databases across alphabet-agency lines. Soon all of the data about your daily activities is collected in one place, accessible to any politician, bureaucrat—or hacker.
What’s the solution, besides living a monastic life off-the-grid? We could hope companies such as Apple to continue to improve their encryption technology, so we’re not sharing much information with third parties when we’re using their products or services. That could work, so long as government doesn’t crack the encryption or—worse—ban encryption technology altogether, as even some better politicians have suggested. We could advocate for the legislative equivalent of the Fourth Amendment’s warrant requirement. And that might work, if privacy remains popular with enough voters. Otherwise the legislation will simply be repealed when political winds shift.
Enduring, reliable protection for the data we share with third parties must come from the Fourth Amendment. This is precisely the opportunity presented by Carpenter v. United States, soon to be heard by the Supreme Court.
Carpenter concerns the application of the third-party doctrine to Cell Site Location Information (CSLI) collected by service providers. Petitioner Carpenter argues that, unlike other data shared with a third party, longer-term cell phone location data (here collected for 127 days) is something in which one has a “reasonable expectation of privacy.” (“Reasonable expectation of privacy” is the standard the court uses to determine whether a search has occurred within the meaning of the Fourth Amendment.) Accordingly, Carpenter argues that the third-party doctrine should apply neither to longer-term cell phone location data nor to similarly sensitive data: “There is no basis in [the Supreme] Court’s jurisprudence for extending Smith and Miller [cases extending the third-party doctrine to ‘ordinary business records’] to CSLI, both because the information is more sensitive, and because it is not voluntarily shared with a third party in any meaningful way.”
Once you extend the scope of the third-party doctrine to “ordinary business records,” how do you draw even a semi-bright line, particularly one for which there is a principled rationale? How long is the “long term” over which one’s data is collected before one’s expectation of privacy becomes “reasonable”? Why shouldn’t digital information be subsumed if analog is? How sensitive is sensitive? And so on.
The court should overturn Smith and Miller and return the third-party doctrine to its original scope: sharing information with government agents in the course of criminal activity. Although the lack of a bright line beyond this scope is one sign of a problem, there’s a more important one: In Miller, the first case in which the court extended the doctrine beyond the criminal context, it never justified its decision to do so.
Such justification is due because, although there’s good reason to believe that one has no legitimate expectation of privacy in information shared with third parties in the course of criminal activity, we have no reason to assume a lack of legitimate expectation when sharing information during normal activities of daily life. The distinction lies in the common-law doctrine of illegal contract, which says that courts will not uphold any agreement the purpose of which is to achieve an illegal end. If Tony Soprano makes an “arrangement” with a “business associate,” it’s unenforceable—including any promise made to keep the arrangement a secret.
Drawing upon a property and contract-based conception of privacy, I’ve argued that the doctrine of illegal contract makes the third-party doctrine, as originally conceived, superfluous.1 I hope others will see that this common-law doctrine provides the court with a principled reason—one firmly rooted in our legal traditions—to limit the third-party doctrine to criminal contexts and to stop treating the rest of us like criminals.
This approach would also be consistent with the property-based conception of the Fourth Amendment that Justice Antonin Scalia was developing in the years before his death. Justice Neil Gorsuch, please pick up Scalia’s mantle in Carpenter and help the court to legalize privacy. This opportunity expires soon.