At the WaPo Conspiracy, Orin Kerr wrote about a decision by Judge B. Lynn Winmill, out of the District of Idaho, in Smith v. Obama on the constitutionality of NSA surveillance. While Judge Winmill applied the third-party doctrine from Smith v. Maryland, as he was constrained by precedent, he added this astounding language.
Judge Leon’s decision [in Klayman] should serve as a template for a Supreme Court opinion. And it might yet. Justice Sotomayor is inclined to reconsider Smith [v. Maryland], finding it “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” See U.S. v. Jones, 132 U.S. 945, 957 (2012) (Sotomayor, J., concurring). The Fourth Amendment, in her view, should not “treat secrecy as a prerequisite for privacy.” Id.
But Smith was not overruled, and it continues – along with the Circuit decisions discussed above – to bind this Court. This authority constrains the Court from joining Klayman.
In case you were sleeping, Judge Leon went out on a limb, rejecting the third-party doctrine in Klayman.
Following this post, Orin went to the twitters in response to Rob Graham’s question about what, if Smith v. Maryland was reversed, would replace it. Orin responded that “No one seems to know what to replace Smith with.”
Well, I couldn’t let that hang there, so I leaped in with “No one? I wouldn’t say no one.” Orin replied with:
Now, some may see this as snarky response, along the lines of “yeah, right. If brilliant scholars can’t come up with a good answer, there’s always some dopey trench lawyer like Greenfield who thinks he knows better.” But I don’t see Orin’s twit that way at all. Rather, I see it as his kindly view of my folksy, Will Rogers-like, practical approach to the law.
So, challenge accepted.
If Smith v. Maryland fails to serve societal needs for privacy in the digital age, what then should be the rule? My formulation would be that the third-party doctrine be returned to an exception to Katz’s “reasonable expectation of privacy,” and limited by reality:
Information placed into the hands of a third-party retains its reasonable expectation of privacy if it is of the nature that (1) it would not be reasonably anticipated to be personally seen by another human being in the ordinary course of business or events, and (2), even if it was viewed by another human being, it would not be of such a nature as to make a reasonable person take specific notice of its content.
In other words, if the generic telephone company gets data about a gazillion phone numbers called, nobody thinks there are a bunch of guys in a boiler room somewhere who take a look at each and every number. Rather, we expect them to all go into a big computer somewhere to be spit out for billing purposes, never to be individually seen by anyone ever. We do not hand over our calling info because we think to ourselves, let’s relinquish our privacy to the phone company. We do so only because it’s a friggin’ phone, and the company that serves our phone needs get to bill for the service it provides us. Nothing more.
The second prong of my test has to do with the significance of the data even if it did, for whatever reason, come to be seen by an actual human being. So what? You dialed 232-555-7834? No one, ever, would care. It’s just a string of ten numbers, just like all the other strings of ten numbers that would never, under any circumstances, cause a millisecond’s pause in any person’s day.
Problem solved. Now, I’m going to lasso some steers while telling incisive jokes. And Orin? My pleasure.
Discover more from Simple Justice
Subscribe to get the latest posts sent to your email.
I like it. Just a question to clarify…in the 2nd prong, what is “specific notice” versus regular notice? Maybe some practical considerations. If you give your address and list of prescriptions to the cashier at walgreens is there any info you would expect them to not reveal to police looking for doctor shopping? If you fill out an application online to open an etrade account, is there any info you would expect them not to reveal to the sec looking for insider trading? Thanks.
My use of the word “notice” isn’t meant to refer to Notice in the legal sense, but stuff somebody might notice, as in “take note of” in an everyday sense. So what I’m saying is that if the data is of the sort that we would reasonably expect someone, if it happened to pass before his eyes, to stop and say, “whoa, that’s something I need to specifically take note of,” then the expectation of privacy is lost. If it’s just routine, more of the same, then it retains an expectation of privacy.
As for the pharmacy or eTrade, that’s the sort of input they get constantly and by the truckload. Any reason why one prescription would stand out from the thousands of others? And reason why the one brokerage account should be differentiated from the thousands of others? That’s the query.
So if you tell the pharmacist you’re taking antibiotics, no big deal; but if you tell them you’re taking narcotic painkillers then should you expect the police to search your medical history there? It just seems like “specific notice” then is akin to “that which may be illegal.” Can you think of an example where you, in the routine course of business, willingly give info to a 3rd party that you would expect them to not disclose?
Whoa! Slow down a second. Your application of the pharmacy example is not at all what I said. First, because a prescription has to be filled, the first prong (that an actual human being see it) is inherently met, and only the second prong is in issue. But pharmacies fill prescriptions for drugs of all types daily. There is no reason why a normal painkiller prescription would elicit notice. An abnormal prescription, say a month’s worth of narcotics, yes. A week’s worth, nothing special.
As for your question, it’s horribly phrased and I have no clue what you’re asking. Try again, and think Katz language rather than “expect them to not disclose.” Just horrible.
My understanding of Katz is that it has nothing to do with the info conveyed; the only relevant factor to your privacy expectation is the forum where you’re conveying the info (i.e. a phone booth). But your 3rd party rule looks at the quality of the info and whether it seems “unusual” or “specific.” Is this right?
Not at all. It’s still Katz, the reasonable expectation of privacy. If I believe, and my belief is reasonable, that the information that comes into the possession of a third party will remain private, then it would be protected. Smith is a categorical exception, that anything coming into the hands of a third party is, by definition, unprotected.
The confusion you have goes to what makes the belief reasonable under the second prong of my rule. Is it reasonable of me to think that my ordinary phone bill wouldn’t, if seen by an actual person, cause that person take some particular notice of it because of some aspect of its content that was outside the norm of a phone bill? If so, then my expectation of privacy would be unreasonable.
So simply put, if you have a bunch of calls to the Middle East a person reviewing it might take special notice. Now they see you’re a Persian rug distributor so it goes back to no big deal. But they see you’re a criminal defense attorney and they think Al Q?
No, no, no, no, no. Why are you adding your own additional layers onto something very straightforward. You have a bunch of calls to the middle east and it is no longer reasonable to expect someone to see it and not take notice. End of story. The company doesn’t then need to investigate you. The company has nothing to do with it. You are way overcomplicating this.
Why are you struggling so hard with this? It’s no harder to follow than Katz, and it would be applied in the same way.
Remember, Katz is the basis for standing for a motion to suppress. Under Smith, there is no categorical standing to suppress anything in the possession of a third party. My rule would extent Katz to perfunctory information in the possession of third parties, recognizing in the digital age that almost all information is in the hands of third parties. That’s what this is all about.
Idaho rejected Smith in State v. Thompson, and while I wouldn’t say we’re doing great, it certainly hasn’t kept us from imprisoning much of our population.
The meaninglessness of this comment is fabulous. You rock my world.
The meaning, my sadly obtuse host, is that Kerr’s hand wringing over what the world would be like without the Smith test is unnecessary as such a world exists. It’s very much like the world we’re in, but with more warrants. You don’t actually NEED a test to figure out when data passing between parties can be captured by the government without a warrant. You can just as easily, as Idaho has, declare the government fucking needs a warrant. Ta da!
Now this comment has meaning, since you have to be more explicit for us obtuse guys. If the Supreme Court did away with the third party doctrine all together, we (you and I, Orin, not so much) would be fine with that. But I suspect Orin has a point that they won’t get rid of it altogether after living with it since Smith.
If they just eliminate the third party doctrine and drop the categorical exception completely, then that’s that. If not, then what? That was Orin’s challenge, but I’m good with no third party doctrine at all too, though I suspect it won’t work out the way you or I want. My test is intended to create a rule requiring a warrant, precluding a judge from finding no expectation of privacy in any individual case because it’s unreasonable.
Doesn’t “if the data is of the sort that we would reasonably expect someone, if it happened to pass before his eyes, to stop and say, “whoa, that’s something I need to specifically take note of,” then the expectation of privacy is lost.” leave itself open to however we define the context of “specifically take note of”, i.e., anything could be important? This seems to be the grounding philosophy of current data sponging by the NSA and other bodies.
It seems like a definition of the overall context, and limits for how far this can go or change, at least within a defined duration, may be necessary. Also, some sort of definition may need to be built in for “when the technology no longer addresses these factors, it may be time to revisit this”?
I don’t understand your question or your example.
This may not be Todd’s example, but please consider this one:
For online purchases there is no human on the other end examining the details of the credit card transaction, the merchant transmits the data to their credit card clearinghouse and the transaction proceeds. At a later date the credit card holder disputes the charge, and claims it was fraudulent. The merchant receives a chargeback, and the clearinghouse raises the rates it charges due to the high rate of fraud occurring on the merchants transactions. At this point, the merchant studies the particular transaction and notices that the country code provided in the transaction was ‘RU’ instead of ‘US’. The merchant then implements an IP address geo-location system and plans to only proceed with transactions where the country code specified by the user matches that determined by the IP geo-location system. Customer’s don’t realize they’re providing an approximation of their current location to the merchant, but they are in the form of their IP address. (The credit card processor ignores everything but numeric portions of billing addresses because everybody still wants to do business with people who can’t spell.) In the arms race against credit card fraudsters the merchant repeatedly tests his fraud detection algorithms against his existing store of transactions, to make sure he gets it just right – the lowest number of fraudulent transactions that doesn’t turn away what appears to be good business.
So the merchant will be repeatedly examining some subset of his transactions to tune his fraud detection mechanics, and although the merchant may never personally examine the data ( unless a test run of the data points to a flaw in his implementation ), the transactions are examined repeatedly nevertheless. There is a lot of iteration here, because the people who are purchasing credit card numbers in bulk are also studying how to best use them, and can cross check their results by testing them against various merchants.
I suspect that some of the technology analyzing the government’s vast troves of collected metadata may have been developed by Palantir.
This presentation by Stephen Cohen points to a specific instance of data mining and law enforcement, and also deals with the human element of determining what exactly the algorithms should take note of.
[Ed. Note: Link deleted per rules.]
Microsoft Research also publishes a good amount of material on some of these issues, and I think this research paper on the economics of internet security is relevant. In particular, I think it shows that the economics related to securing the internet imply a role for experts in examining the gazillion transactions carried out there. In your phone example, the phone company is not concerned that they will be defrauded as a result of your phone calls. Their fraud concerns are distinct from those who receive calls from down on their luck nigerian princes.
[Ed Note: This link too.]
This doesn’t bear on the issue at hand. The question isn’t how or why company’s use/share/review/manipulate data. The question is what the person, whose data is being used, is reasonably entitled to expect to remain private. We know all of this can happen in the background, and that’s been the rationale for why there is no expectation of privacy for anything ever placed in the hands of a third party. So do we want a digital world where there is no privacy as a matter of law, or one where the default expectation is that privacy remains for perfunctory information.
I take the last paragraph to mean you are wearing your Gerry Spence Midnight Cowboy outfit today.
I wear it every day. Who wouldn’t?
Your second prong, “even if it was viewed by another human being, it would not be of such a nature as to make a reasonable person take specific notice of its content” seems unworkable. I’m not sure there is any generally agreed upon understanding of what a reasonable person would notice, much less what they would spend more than a second to ponder. And is it a generic reasonable person, or a specially trained reasonable person?
Your baby is ugly. Sorry.
Of course my baby is ugly. Look where it came from.
The reasonable person is the same as Katz’s reasonable person now, and that’s whatever a court deems objectively reasonable under the circumstances. It couldn’t be someone with specialized training or skills, as that would make it impossible for the person whose information is at issue to know what would stand out to someone who views it through a different prism. It would have to be an ordinary reasonable person, so that the movant would know whether his expectation of privacy was reasonable.
I hate the use of “reasonable” for just this reason (its lack of precise definition), but given what I’m trying to do here, extend Katz to cover perfunctory information in the hands of a third party to retain standing to suppress, it doesn’t change the equation but just extends it so as to cover a part of the third party doctrine exception.
As unsatisfying as Katz’s two prong test might be in one respect (imprecision), I think you’re correct that it is the best available foundational option on which to build a workable standard in this context. It inherently provides the needed flexibility going forward as the manner in which humans continue to communicate, and what is communicated, to others inevitably evolves over time. Probably more importantly, it gives courts something familiar to hang their hat on when recognizing 4th amend. protections in areas not previous protected.
Finally, someone who doesn’t think my baby is ugly (or at least hideously ugly). That’s pretty much my argument in favor of my test. Since its foundation is the existing Katz test, just extended one step further, it seems to serve many of the concerns arising from the third party doctrine in the digital age.
This is a tangent, but I’ve read Professor Kerr’s posts on Volokh for over a decade. I’d never seen a picture of him until that twit up above. I had always imagined him as a hairful lawyer, with a sort of magnificent mane. Illusions: shattered.
Orin had a full, magnificent head of hair until he pulled it all out after reading one of my posts. I feel badly about that.
Wrong yet again, Scott. I haven’t had a magnificent head of hair since college.
Even then, it wasn’t universally agreed that a pompadour made for a magnificent head of hair. I was just being nice. You were, however, clearly a snappy dresser.
C’mon, we know you had a Donny Osmond phase, too.
I had a small thing for Marie after my Marcia Brady stage, but I was never really into Donny.
personally I think it’s time to lose all the 1,000 exemptions to the 4th. we’re in the friggin digital age. there is no excuse to not get a warrant except in limited situations that would have an immediate threat to human life that could be proved at that time to a judge. Yes it would have to be done after the fact but would have to be done using only the evidence you had before the search. but failure to convince the judge should bring immediate dismissal and possible prosecution.
Not quite comprehensible, but since you didn’t argue in favor of killing anyone, it gets posted.
The New Jersey Supreme Court might have articulated a workable rule in People v. Earle in the context of warrant less cellphone location requests (2013).
“When people make disclosures to phone companies and other providers to use their services, they are not promoting the release of personal information to others. Instead, they can reasonably expect that their personal information will remain private.”
They go on to state:
“Viewed from the perspective of a reasonable expectation of privacy, what was problematic in 2006 is plainly invasive today. We are not able to draw a fine line across that spectrum and calculate a person’s legitimate expectation of privacy with mathematical certainty –- noting each slight forward advance in technology. Courts are not adept at that task. Instead, our focus belongs on the obvious: cell phones are not meant to serve as tracking devices to locate their owners wherever they may be. People buy cell phones to communicate with others, to use the Internet, and for a growing number of other reasons. But no one buys a cell phone to share detailed information about their whereabouts with the police. That was true in 2006 and is equally true today.”
Works for me.