Privacy is a squishy concept, one that constantly evolves with the times—and with changing technologies. Advances in how we store and communicate information shift expectations around what we can keep to ourselves, and what the rest of the world is able to know. The disruption of established privacy norms is nothing new: People were concerned when the postcard came out, for example, because they believed mail should be private.
Still, there’s a growing sense that our privacy is more vulnerable now than ever before. The technologies and devices we consider essential to modern life also create an exhaustive record of where we go, who we interact with, how we entertain ourselves, and more. The consequences of that come into sharp focus when we learn, as we have over the past several years, how often corporations fail to safeguard our most sensitive information, or that the government is secretly spying on us.
There are measures you can take to lock down your own data, but broader protections may require new legislation or even reimagining our constitutional rights for the digital era; after all, the Fourth Amendment’s protection against “unreasonable” searches and seizures gives significant room for interpretation. The push for more privacy has been gaining momentum. Now the question is whether the courts, the federal government, or the states will step in to protect our privacy. Its future is still up for grabs.
A Major Win
The Supreme Court handed privacy advocates some good news in June with Carpenter v. United States. In a 5-4 decision, it ruled that the government generally needs a warrant to get cell site location records, which are automatically generated whenever a mobile phone connects to a cell tower. In the opinion, chief justice John Roberts acknowledged the necessity of cell phones to modern life, as well as the powerful surveillance capabilities they have.
The biggest question is whether Carpenter is merely a flash in the pan or the start of a total overhaul of the Fourth Amendment.
The decision was a victory for proponents of reforming constitutional law for the digital age, including Justice Sonia Sotomayor, who was part of the majority. But Roberts was also careful to rule narrowly, meaning that Carpenter’s protections extend only to cell site location information and not to any other type of data, such as emails, text messages, and browsing histories.
“The Carpenter decision, it’s kind of an unsatisfying one I think, because it still leaves open so many questions. The majority’s rationale is a little all over the place,” says April Doss, a data privacy and cybersecurity lawyer who worked at the National Security Agency for years. “It still leaves open a ton of questions for the future about how this approach might apply to other technologies.”
The Supreme Court could clarify its position by taking on more cases. For example, the justices have yet to address whether Stingrays—the powerful surveillance devices that behave like fake cell phone towers—are constitutional. But it’s not clear there’s a desire in the court to take on such projects.
For one, Carpenter was a divided, 5-4 ruling that took the justices a significant amount of time to deliberate. Another problem is that if the Supreme Court issues a ruling too broad, it risks impeding an ongoing investigation that relies on electronic surveillance. And there are plenty of obstacles cases need to pass just to get to that point.
“The courts realize that they’re just stepping through a minefield here, and they don’t even know what the potential landmines are,” says Joshua Matz, a former clerk to justice Anthony Kennedy and the coauthor of Uncertain Justice: The Roberts Court and the Constitution.
And so, we will likely see a plethora of scholars, public defenders, and lower court judges attempt to interpret how Carpenter protects against electronic search and seizures over the next several years instead. “The chief justice decided to vote for his result, assigned himself the opinion, wrote the opinion narrowly and leaves everything to everybody else,” says Eben Moglen, a professor at Columbia Law School and the founder of the Software Freedom Law Center. “He has opened a big can of worms for everyone to sort through.”
The Carpenter decision also comes at a moment of wider changes for the court, which will also bear on the future of the Fourth Amendment and digital privacy. This was the first Supreme Court term for Neil Gorsuch, and his dissent in Carpenter hints at how he may handle such issues going forward. He believes that the plaintiff’s lawyers should have argued their case a different way entirely, by relying on property rights to claim that cell phone location records belong to the defendant rather than the mobile carrier. He’s favored similar property-rights arguments in the past.
“He has very forcefully charted out his view of how we can and should protect these sensitive records held by third parties,” says Nathan Wessler, a staff attorney at the ACLU’s Speech, Privacy, and Technology Project, who argued Carpenter’s position before the court. “Every defense attorney and advocate litigating on these issues going forward would be remiss not to very seriously grapple with the theory that Gorsuch put forward.”
Carpenter was also one of the last cases for Justice Anthony Kennedy, who announced his retirement just five days after the ruling came down. Kennedy was a crucial swing vote on many close decisions, and his retirement paves the way for President Trump to shape the future of the judiciary for a generation. We don’t yet know who the president will nominate to replace Kennedy, but it’s safe to say that the court will likely skew even further right for years to come.
Congress Could Solve This Tomorrow
Congress could step in and reform existing digital privacy laws at any time. The most significant law on the books, the Electronic Communications Privacy Act, was passed in 1986, long before the advent of smartphones, social networks, and even widespread use of email. It doesn’t require law enforcement to obtain a warrant in order to access sensitive electronic records in many cases. In theory, Congress could reform the ECPA at any time, but several efforts to do so have fallen apart.
“They just haven’t been able to move it to a vote in the Senate, there are choke points in the process,” Wessler says. “There’s also just a lot of partisan division.”
Which is not to say that Congress never steps in. Back in February, the Supreme Court was set to make a decision in US v. Microsoft, which would have decided whether national borders matter when law enforcement seeks digitally stored data. The case stems from an incident five years ago, when Microsoft was served a warrant for emails as part of a drug trafficking investigation. The tech company didn’t hand them over because they were stored in Ireland, ostensibly outside the reach of a United States warrant. The justices never decided the case because Congress quickly passed the CLOUD Act, which clarifies that it doesn’t matter whether data is stored on American soil or not.
“The Microsoft case was one where everybody could see pretty quickly, ‘Wow this has huge implications,’” Doss says. “But there are a myriad of other questions that are equally complicated and equally challenging.”
There’s certainly more pressure on Congress to pass a comprehensive privacy bill, especially in the wake of the Cambridge Analytica scandal, when news broke that Facebook had allowed the political consulting firm to misuse data belonging to tens of millions of Americans. And many lawmakers are also looking to the European Union, which recently implemented a comprehensive privacy law designed to give users more rights over their data used by companies like Facebook and Google.
But the same momentum isn’t exactly building over government surveillance. In January, Congress reauthorized many of the warrantless government surveillance programs that Edward Snowden exposed, and even expanded some of their most invasive aspects.
If Congress doesn’t update existing digital privacy laws, it’s also possible that states may step in and craft their own. Some already have: California passed a law in 2015 that requires state law enforcement to obtain a warrant to get user data stored online, including things like text messages and location information. Last week, the state also unanimously passed another sweeping privacy law, designed to give citizens more control over the data collected about them by private companies like Facebook and Google. For now, we’ll have to wait and see if Congress and the Supreme Court follow California’s lead.