Computers, Privacy & the Constitution

View   r6  >  r5  ...
SethGlickmanFirstPaper 6 - 17 May 2021 - Main.SethGlickman
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Line: 20 to 20
 

The Fourth Amendment vs. Third-Party Doctrine

Changed:
<
<		Third-party doctrine applies to situations where individuals have voluntarily given information to a third party with “no reasonable expectation of privacy”. In the 1976 case _United States v. Miller_(1)

Why not an actual link instead of an inert footnote?

the Supreme Court found specifically that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties (in this case, records at a bank), and highlights as justification that an individual’s information is “exposed to [the bank’s] employees in the ordinary course of business.” Thus, information which is stored with third parties lies outside of an individual’s Fourth Amendment rights, and as technological trends shift more to third-party cloud services, this covers an increasingly broad set of information.

Notes

1 : 425 U.S. 435

>
>		Third-party doctrine applies to situations where individuals have voluntarily given information to a third party with “no reasonable expectation of privacy”. In the 1976 case United States v. Miller (2) the Supreme Court found specifically that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties (in this case, records at a bank), and highlights as justification that an individual’s information is “exposed to [the bank’s] employees in the ordinary course of business.” Thus, information which is stored with third parties lies outside of an individual’s Fourth Amendment rights, and as technological trends shift more to third-party cloud services, this covers an increasingly broad set of information.

Notes

2 : 425 U.S. 435

 
Only if the employees of the cloud service in the ordinary course of business have access to the records? If so, then most of the data stored in the cloud, either encrypted at rest or processed in a virtual processor to which the provider does not ordinarily have access, might not be subject to Miller, in your view?
Added:
>
>
I hadn't considered this question in my first draft but I think that the main point here is the act of handing over your records to a third party (even if an employee would typically not view those records) puts it in their hands (and by corollary out of yours), and thus you have relinquished that protection.
 

Search Warrant vs. Subpoena

Line: 40 to 36
 

ECPA Title II

Changed:
<
<		Congress took note of this disparity and attempted to address it with the 1986 passage of ECPA, which contained the Stored Communications Act (SCA) under Title II. The SCA sought to bring the heightened threshold of the search warrant to “stored wire and electronic communications and transactional records”(3). It covers two types of services: “electronic communication services” (ECS) and “remote computing services” (RCS). The line between the two can be counterintuitive: for example, a server containing email over 180 days old qualifies as “providing storage” and therefore RCS; if it has been held for 180 days or less it qualifies as ECS — unless an email has been opened, in which case it likely reverts to a classification of storage rather than communication, and therefore RCS.

Notes

3 : 18 U.S.C. §§ 2701–2712

>
>		Congress took note of this disparity and attempted to address it with the 1986 passage of ECPA, which contained the Stored Communications Act (SCA) under Title II. The SCA sought to bring the heightened threshold of the search warrant to “stored wire and electronic communications and transactional records”(4). It covers two types of services: “electronic communication services” (ECS) and “remote computing services” (RCS). The line between the two can be counterintuitive: for example, a server containing email over 180 days old qualifies as “providing storage” and therefore RCS; if it has been held for 180 days or less it qualifies as ECS — unless an email has been opened, in which case it likely reverts to a classification of storage rather than communication, and therefore RCS.

Notes

4 : 18 U.S.C. §§ 2701–2712

 
Changed:
<
<		Again, this distinction matters due to the retrieval mechanism: RCS-classified data production can be compelled via a subpoena combined with prior notice (and prior notice can be delayed for up to 90 days if it would jeopardize an investigation(5)), a far lower threshold than a search warrant.

Notes

5 : 18 U.S.C. § 2705

>
>		Again, this distinction matters due to the retrieval mechanism: RCS-classified data production can be compelled via a subpoena combined with prior notice (and prior notice can be delayed for up to 90 days if it would jeopardize an investigation(6)), a far lower threshold than a search warrant.

Notes

6 : 18 U.S.C. § 2705

 The SCA, while a step in the right direction, is subject to two issues: (1) it can be altered by Congress at a later date through the normal course of legislation, and (2) it has large gaps which have only grown wider since 1986.
Line: 51 to 47
 Amending the SCA to require search warrants for more types of electronic third-party data would be helpful, but it requires a willing Congress. Instead, we should look at taking matters into our own hands, and re-defining the location of where our data is stored to align with the location-focused language of the Fourth Amendment.
Changed:
<
<		Here we must find a balance between the fundamental conveniences that third-party services like Google Docs or Dropbox provide and a structure which might provide an individual using the services with Fourth Amendment protections to their data contained in the service.

In the 1948 case _In re Subpoena Duces Tecum_(7), a subpoena of one partner to produce documents involving the other partners was successfully quashed, and this remains good law(8). I propose setting up these cloud services as partnerships with their users.

In this proposal, rather than using a company like Dropbox, you would instead create a service which added users on as partners when they joined to upload and share their documents (or whatever other service you are looking to provide). This partnership service would be distributed on a franchise-style model for scalability purposes - the franchisee would gain access to the source code and be able to run their own instance of the service with a different set of partners.

Notes

7 : 81 F.Supp. 418

8 : See, e.g., Crop Associates-1986 v. C.I.R., 2000 WL 976792 (2000)

>
>		My first instinct was to look to corporate structure, to find an organizational approach fostering a relationship between consumer and provider which would still fall under the Fourth Amendment’s protection. The 1948 case In re Subpoena Duces Tecum (9), contains a successful quashing of a subpoena of one partner to produce documents involving the other partners, and while it remains good law(10), the reality is that slapping the word “partnership” on an endeavor likely will not suffice. Instead, the most realistic way forward for concerned users is found in initiatives like FreedomBox which re-house someone’s online presence into, well, their own house. I would love to see a privacy-focused ISP distribute these to customers alongside other required hardware like modems and routers, and further encourage its adoption and use by disseminating bills and notices through FreedomBox? apps (with an optional opt-out to email).

Notes

9 : 81 F.Supp. 418

 

Perhaps the other aspects of partnership, such as unlimited liability, would be relevant to consider? What does source code have to do with partnership? Why do you need franchise agreements? This proposition seems rather sweeping, and assumes that the magic lies in the word "partner," rather than the reality of the relationship. Why courts will find it impossible to go behind a supposed "partmership agreement" is not made clear. If this is really the central point of the essay, the next draft should remove other material in order to address this notion fully. If it is not the central subject, it's a massive distraction and in my view it should go.
Added:
>
>
Yes I agree - the reality of the relationship is what matters and not the magic word "partnership". It seemed appealing as I do still believe there is a massive, massive convenience and "free" factor (and on the flip side, inconvenience and "not free" factor which serves to hinder large-scale adoption of initiatives like FreedomBox? ), but I now think that the more realistic approach here is addressing those hurdles of inconvenience (perceived or real) and cost, now that FB's existence shows proof-of-concept.
 


Revision 6r6 - 17 May 2021 - 20:54:23 - SethGlickman
Revision 5r5 - 03 Apr 2021 - 20:03:42 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM