Cybersecurity and Law Enforcement

Electronic Data - Criminal - Y.MM.png

Privacy from the government in a changing world

Back when the Founders recognized our privacy needs against the government, there were just two parties: the individual and the government. The Fourth Amendment limited the government’s right to search individuals. Searches had to be “reasonable.” They still do.

Cybersecurity and Law Enforcement

But the scene has become more complicated with the introduction of third parties who hold our personal information. In the past 60 years, the law has been trying to keep up with technological changes in how our information is held and revealed to the government. With the emergency of major technology companies like Google, Apple and Facebook, we are in something of a Wild Wild West.

You may recall a few major stand-offs between tech giants and the government on handing over consumer data. For example, after the San Bernadino shooting, the government asked Apple to help it override the security features in the shooter's iPhone. Apple had its reasons to refuse.

What are the incentives of tech companies in supporting their consumers and their own security features? How does that interfere with the government's interests. Is our law adapting to address the technological changes?

Expanding the Fourth Amendment

Originally, the Founders envisioned protecting us from searches to ourselves (searches on the person) and our physical property. People have a right to be secure in their “persons, houses, papers and effects.” Since then, the Fourth Amendment has come a long way.

In 1967, the Supreme Court altered the conception of the Fourth Amendment. In Katz v. United States, the Court recognized the Fourth Amendment protects people, not their property. The Fourth Amendment applies where someone has a “reasonable expectation of privacy.” In Katz, the court recognized that Katz had a reasonable expectation of privacy in a public phone booth — despite that he obviously wasn’t the owner of the property — and the government was not allowed to wiretap the phone booth without getting a warrant. The warrant is a Fourth Amendment requirement in which the government must show (to a judge) that it has probable cause to believe the search is justified. That’s what makes the search “reasonable,” as the text of the amendment says.

Introducing third parties

Soon things got more complicated. Because of how consumership changed (or grew) in the second half of the 1900s, our personal information came to sit in the hands of numerous companies like banks and telecommunications companies. The government, on its mission to get information quickly, struck an idea. Let’s just go to the bank to get Mr. Miller’s financial transactions. Or maybe we can ask the telephone company if Mr. Smith called the number we’re looking for.

Those two cases went up to the Supreme Court. Did Miller and Smith have “reasonable expectations of privacy” in their information that was stored with the bank or telephone company? The Court ruled no in both cases (U.S. v. Miller (1976) and Smith v. Maryland (1979)). The Supreme Court ruled that you don’t have a reasonable expectation of privacy in information that you voluntarily give to a third party.

Congress recognized that those rulings left large gaps in our protections from government search. It didn’t seem right that the government could work around the Fourth Amendment by going to companies offering consumer services. So Congress passed the Stored Communications Act in 1986. The new law set limits on the government’s ability to access our data in the hands of third parties. Some situations require the government to get a regular (Fourth Amendment-type) warrant and other situations place less stringent requirements on the government.

The last word from the Supreme Court

The Supreme Court recently indicated that it might be re-evaluating the precedents in Miller and Smith. Or at least that the Court is reconsidering what it means to “voluntarily” give information to a third party. In Carpenter v. U.S. (2018), the Court said a person does not voluntarily give a mobile phone provider its location data. The Court said we don’t exactly “share” that information just because we use our cell phones, so the Fourth Amendment warrant requirement applies. The ruling recognizes the reality of the consumer world today.

Modern third parties (third parties on steroids)

Yes, the government passed the Stored Communications Act in 1986 to help protect our information in the hands of third parties. But 1986 was still very different than today: Google didn’t exist. Facebook didn’t exist. Apple had gone public and was just starting to rival Microsoft in the computer space.

These tech beasts now have access to loads of our personal data. It’s nearly impossible to avoid. Yet the government can ask the tech companies for our info when we won’t comply with the government’s requests. The government often must follow procedures of the Stored Communications Act. But these third parties are powerful. While they do comply with government subpoenas for our information a lot of the time (80+ percent), the tech companies have incentives to keep our information private.

The tech giants have so much power (financial, social and informational) that they can choose to disobey. They can pay for a lawsuit, and sometimes they do (see, e.g. U.S. v. Microsoft).

But what’s at stake for the companies?

Modern third parties have incentives to support their customers. For one, they want to keep their public reputations. Consumers are their base. They want to show that they support us. That’s how they get paid.

Furthermore, the companies spend tons of money on encryption systems — all to make better products and to benefit their customers. Letting the government in could be the start of larger security breaches. Recall when the government was after Apple to get access to the phone data for the San Bernardino shooter. The government actually wanted Apple to make new software to allow the government in. Apple denied and was willing to fight it. Apple didn’t want to undermine its own security features.

The current face-off

Now we occasionally have face-offs between tech giants and the government. As the American Bar Association reports, the government has a few options when tech companies don’t obey their requests. They can either pursue litigation against the tech companies: not a cheap or quick endeavor. Or they can try to break into the tech companies’ security systems themselves.

If the government finds ways to break in, does that harm consumer privacy in the long run? If the government can get in, who else can?


Inspiration for this report

This American Bar Association report inspired our infographic report: Cat-and-mouse game: Customers demand cybersecurity, law enforcement wants easier access to evidence (October 2018).

Thanks, ABA.