Special Report: Technology and the Law
The Search is On
Who’s Watching The Watchers?
Posted Jun 23, 2006 6:17 AM CST
By Margaret Graham Tebo, Mark Hansen
“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual ... the right ‘to be let alone.’ ”
When Samuel Warren and Louis Brandeis wrote that in 1890 in a Harvard Law Review article called “The Right to Privacy,” the nation was at the dawn of a technology revolution. Photography and a rambunctious press had shrunk people’s zones of privacy. Soon, the telephone and the radio would draw the walls closer. Next came television. In exchange for intimacy, people had to rethink what it meant to be let alone.
The world is experiencing another technology revolution. The Internet, microchips and the Global Positioning System make this a faster, closer—but more jittery—world. What is the “next step” in the right to be let alone? The law is catching up, but many say too slowly. They fear the concerns of another writer: “You had to live—did live, from habit that became instinct—in the assumption that every sound you made was overheard, and ... every movement scrutinized.” The author: George Orwell. The book: 1984.
Employees at one Cincinnati company have a choice. They aren’t required to have ID chips implanted in their arms so their employer can monitor their movements. But they might need to do so should any wish to hold a position that would allow access to a secure data center where the company’s most sensitive materials are stored. The chip is based on technology called radio frequency identification, and its maker, VeriChip Corp. of Delray Beach, Fla., says two employees and the company’s CEO have agreed to be injected with the chips.
The Cincinnati company in question is—ironically—CityWatcher.com, which provides security cameras and other technical security support. The sensitive materials the company is protecting include video databases of thousands of hours of surveillance tapes recorded on behalf of governments and private businesses.
RFID is one of dozens of new technologies unleashed in the past half decade. Although few companies go so far as to implant RFID devices in employees, many institutions and individuals are using biometrics such as facial or iris recognition, fingerprint scans and satellite navigation technology to keep track of employees, children and even the elderly.
While many Americans embrace new technologies for their convenience and the promise of greater security, some legal experts worry that the law is not keeping pace with the introduction of ever-more invasive and pervasive technologies with potential for abuse, fraud or identity theft.
“Introducing this technology just because it exists and has some benefit is a very myopic way of making policy. The consequences of misuse or error are very dramatic and the risks are profound,” says George Washington University law professor Daniel Solove, author of The Digital Person.
“People may think they have nothing to fear because they have nothing to hide, but I don’t know of anyone who truly lives in a glass house,” he says. “Everybody has things they’d rather not have the world be privy to, from their bathroom habits to re-gifting a present to how much their salary is to what medications they take. Everybody has something they don’t want just anybody having access to.”
Living amid a technological revolution is forcing lawyers and courts to grapple with the issue of how much privacy the law should allow in a world where information travels at warp speed.
Increasing use of keycards, fingerprint technology or similar systems could allow bosses to know how long employees spend in the bathroom, what items they ordered from the cafeteria at lunch, and how many sodas or candy bars they bought from company vending machines. Such information could be used to target employees for wellness programs intended to curb health care costs, for example. In most circumstances, the tracking would be done whether the employees wanted it or not.
Lee Tien, an attorney for the San Francisco-based Electronic Frontier Foundation, poses an even more troubling example:
“A worker routinely stops at a particular diner or convenience store for lunch every day. Next door to his regular stop is a strip club, an adult movie theater or a similar venue. Since most [Global Positioning System devices] are only accurate within a few hundred feet, it could appear that the employee is stopping at the adult-oriented venue every day. How do you convince your boss that you’re innocent when his GPS is telling him you’re in a strip club every afternoon?”
Solove says mistakes and misinterpretation are bound to be huge problems in any system that purports to track someone’s every move.
“People make assumptions about how the info collected about them will be used, but how do you know how it will be used? Even if there’s an innocent explanation for everything you do, in this country we don’t want to have to answer for and explain every move we make. Eventually, knowing someone is watching is bound to have a chilling effect on even innocent behavior,” Solove says.
Meanwhile, computer maker IBM now offers fingerprint-scan technology for logging on to computers it sells to the business market, touting both high security and ease of use for laptop owners who need only press an index finger to a tiny pad on the keyboard to be logged on—and have their usage tracked. Other computer makers are also beginning to offer fingerprint-log-on devices.
Employers say this makes it more difficult for an unauthorized person to access the system than it would be using someone else’s password or keycard, since the finger itself needs to be pressed to the keypad for access to occur.
Solove worries about misuse of information by authorized users, such as employers or even family members. A recent Chicago Tribune article reported on ways that technology can be used to make sure elderly parents have not fallen or are taking their medications. But the monitoring can be more intrusive. One elderly nursing home resident who wore a tracking device fought to cancel his daughter’s access to his GPS records, saying she overstepped by keeping too-close tabs on his increasing weight and reporting too much to other family members.
The other danger that frightens Solove is the misuse of all this collected data by unauthorized users—hackers who find their way into databases, unscrupulous employees of the collecting companies who sell personal data, and other criminals.
Companies that collect information such as employee fingerprints rarely give much thought to protecting that information from outside hackers, Solove says. If someone were to access a database of digital fingerprint scans, the victims’ identities could be stolen in a fashion that would make it nearly impossible for the victim to prove that he, not the thief, was the real “Joe Jones.”
While some people take as gospel that fingerprints are unique, most fingerprints are stored as digital images, meaning copying a digital file might be all that’s needed to convince another computer to recognize a print and allow access, says Solove. For his part, John Proctor, spokesman for VeriChip, says a lot of the fear about uses of RFID and similar technology is based on inaccurate or incomplete information. He says the primary use for VeriChip is in the health services industry: Patients who have implanted chips can be treated more quickly and effectively, especially when a situation arises in which a patient arrives at an emergency room unconscious.
“There’s no personal information on the chip at all. It’s just a 16-digit number. Using that number, a hospital employee calls up a private Web database, enters a unique password to track who is seeking access, and then searches the patient’s medical records using the 16-digit number. It’s very secure” and compliant with the Health Insurance Portability and Accountability Act, Proctor says.
But others see such uses of RFID as a precursor to more invasive technologies, such as GPS devices that would allow constant tracking of a person’s movements. While implantable GPS technology is not yet on the market, many attachable devices are already in use.
Parents are putting chips in children’s backpacks and on teenagers’ cars and tracking them via the Internet, while a school in New Jersey requires parents who want access to the campus to submit to an iris-recognition scanning system that will unlock outer security doors.
While few dispute that employers have a right to know what their employees are up to while on the clock, some worry about the routine invasiveness of a boss knowing that a salesman driving a company car made a stop at a convenience store on the way home from work. While it might be overlooked in normal circumstances, even such innocent infractions could be used by someone with an ax to grind.
And if a parent’s GPS system is hacked, a predator could monitor the child’s whereabouts—perhaps without the parent even being aware until something terrible happens.
The potential use of RFID technology in passports and driver’s licenses is one of the issues being closely monitored by the ABA’s Section of Individual Rights and Responsibilities. “Our concern is to see that basic privacy rights are safeguarded through legislation that takes into consideration the potential privacy impact of the use of these new technologies,” says Marc Rotenberg, chair of the section’s Privacy and Information Protection Committee.
Later this year, Congress may take up the question of mandatory notification of affected consumers when security is compromised, says Rotenberg, who is executive director of the Electronic Privacy Information Center in Washington, D.C. Some states, such as California, already have strong statutes requiring that companies notify individuals if their private information is illegally obtained, such as by hackers accessing an electronic database of consumer credit information.
“It’s one thing for the courts to say, as they have for years, that there’s no expectation of privacy when a police officer sees you do something in public. That’s very different, though, from being tracked from one place to another by a high-tech camera,” he says. Solove says many lawyers fail to think creatively about causes of action when clients’ privacy interests are violated. In addition to the usual torts of invasion of privacy, lawyers should consider causes of action such as breach of confidentiality and negligence when an organization allows unauthorized access to private information, such as files in a database that should be accessible only to authorized users.
“This area of law is really just developing. Common law recognizes a privacy right, and there are many ways to show a court how that fits within local jurisdiction,” says Solove. He points to exceptions to most states’ freedom of information acts as providing a wealth of ideas about the type of information the state legislature thinks should be kept private. Those exceptions can be used as examples for why a cause of action should be allowed. For example, most states prohibit the disclosure of employee personnel files, identifying information about those who use government services, student records, collective bargaining materials, and virtually anything that would not be discoverable in a court action. Solove says unauthorized disclosures of any of these sorts of materials could form the basis for an invasion-of-privacy tort action.
But Solove also thinks courts and lawyers should go even further in protecting litigants’ privacy. For example, almost anything is subject to discovery in a civil case—whether or not it would ultimately be admissible in court. Solove says judges should weigh the probable admissibility of highly personal information before allowing it to be discovered routinely in litigation. The harm, Solove notes, lies not merely in whether the information is used in court, but also in simply allowing an opposing party to gain access to information that has little chance of being legally relevant to the case.
The EFF’s Tien agrees that the law must change to recognize the potential sensitivity of certain information, even something as seemingly innocuous as a person’s location in a public space.
“The whole scope of privacy in public changes when you’re not just talking about who within a few blocks might see you, but rather who might be tracking you from miles away,” says Tien.
Even those things the law already recognizes as private are not always protected using the best practices available, Tien notes. He cites a recent example of credit card transaction information being lost by an overnight mail company while being sent from the issuing bank to a credit reporting company. The lost envelopes contained account numbers, names, addresses and other personal information about customers. Tien questions why such sensitive data was sent by such a relatively unsecured method in the first place.
Too Much Information
In a 2000 case, a California appellate court found that a husband’s use of fraudulently obtained prescription information about his soon-to-be ex-wife was protected by a statutory litigation privilege. The husband had received a printout of all his wife’s prescriptions for the previous year by telling a pharmacy employee that he needed the information for his tax return. The wife had previously notified the pharmacy of the divorce proceedings and expressly told the manager that she did not want any of her information released to her husband.
The husband used the prescription information in an attempt to show that the woman was unfit to care for the couple’s children. He also wrote to the state department of motor vehicles in an attempt to get the wife’s driver’s license suspended because, he contended, the medications made her unfit to drive. Both attempts failed, and the wife sued the husband and the pharmacy for breaching her privacy. Though the court found the husband immune from the privacy suit, it let stand a $100,000 verdict against the pharmacy. Wise v. Thrifty Payless Inc., 83 Cal. App. 4th 1296.
Solove says that, too often, lawyers fail to recognize the privacy interests at stake for clients involved in litigation and thus fail to seek pre-emptive protective orders before the opposing party can subpoena sensitive information.
In addition, Solove says, lawyers should ask clients about private information presented in the litigation that they prefer to have sealed from public review.
“Some things are public information, but a lot of things fall into a gray zone where it is up to the judge’s discretion as to whether to protect information. The lawyer should protect the client’s privacy by seeking closure,” he adds.
Lawyers, too, play a role in the devolution of individual privacy. In February, the senior counsel of the Electronic Privacy Information Center wrote to the state bar ethics committees of all 50 states decrying attorneys’ use of information brokers who get their data by unethical and often illegal methods.
Chris Jay Hoofnagle wrote that lawyers are the primary consumers of information gleaned through the practice known as “pretexting,” in which data brokers impersonate someone or use other fraudulent means to obtain private information. Included among the information that lawyers most often purchase are cell phone records, the sale of which has come under scrutiny by Congress in recent months.
Hoofnagle writes that attorneys violate at least five of the ABA Model Rules of Professional Conduct when they buy fraudulently obtained information from brokers, usually in an effort to gain an advantage in civil litigation.
Too often, Hoofnagle says, attorneys purposely turn a blind eye to the underhanded and often illegal tactics used by their hired investigators to get information about opposing parties.
“I don’t think attorneys tell investigators to use pretexting, but it’s certainly implicit when attorneys ask for a background check. Most of the info could be obtained legally by subpoena, but this is faster, cheaper and provides a veil of secrecy so that the subject of the investigation never knows how the information was obtained,” says Hoofnagle, who is director of EPIC’s San Francisco office.
Law enforcement may finally be catching up. In April, Illinois Attorney General Lisa Madigan sued New Jersey-based Advanced Research Inc., claiming its owners fraudulently obtained Illinois consumers’ cell phone records.
The suit alleges that the company obtained consumers’ records through employees misrepresenting themselves as cell phone account holders. The suit is the third filed by the Illinois attorney general against such companies.
But the courts are bound to see more litigation involving technology and privacy. “Common law is rarely bound by the four corners. It evolves. We need to think about privacy in a more robust way in this new age,” Solove says.
Who Could Be Watching?
When people think of a search, in the traditional, law enforcement sense of the word, they tend to think of a heavily armed SWAT team breaking down the front door in the middle of the night.
But new technology has made it possible for police officers to observe or gather information about somebody without ever setting foot on a person’s property—and to do so even without the knowledge of the person being targeted.
Using surveillance cameras, telescopic lenses, GPS technology and devices that detect heat, sound and images through walls, police can now follow an individual’s every move—around the home or around the globe.
A new generation of wiretapping, bugging and computer hacking devices has made eavesdropping on oral and written communications quicker and easier than ever before. And information about a person’s health, financial status, driving record, credit card transactions, real estate holdings and Internet wanderings is readily available.
“Snoopware” surreptitiously tracks a computer user’s activities, and commercial data brokers can mine personal information from public and quasi-public records.
Some experts say the courts thus far have been unable or unwilling to deal with the threat to individual privacy that such new technology represents.
New technology has made more and more personal information available to anyone equipped to receive it. And social norms dictate that more and more personal information is provided to third parties. Together, those two trends threaten to render the Fourth Amendment a practical nullity, says Stephen Henderson, a Widener University law professor who specializes in technology-enhanced searches.
“It’s nearly impossible to live in modern society without giving significant amounts of personal information to multiple third parties,” Henderson says. “You can hardly shop at a store anymore without having all of your purchases tracked.”
Indeed, Henderson and other criminal law experts increasingly see a need to change the thinking about what a search might be. Some suggest re-examining the Fourth Amendment’s guarantee of protection against unreasonable searches and seizures. Others argue for a more updated explanation of the long-held common-law principle of a reasonable expectation of privacy.
“As a constitutional matter, the government may engage in transaction surveillance and most physical surveillance virtually at will,” says University of Florida law professor Chris Slobogin, an expert on privacy and the Fourth Amendment. “Even physical surveillance of the home is often exempt from the Fourth Amendment’s strictures.” The Fourth Amendment prohibits the search and seizure of “persons, houses, papers and effects” without a finding of probable cause and a warrant detailing the particulars of the place to be searched and the person or thing to be seized.
But the U.S. Supreme Court has twice held that a search for marijuana in a fenced-in yard by low-flying aircraft does not constitute a search. And some lower courts have held that the use of binoculars, flashlights and other, more sophisticated illumination and magnification devices to peer inside a home does not implicate the Fourth Amendment. Communications surveillance, which includes wiretapping, bugging and other real-time interception of oral and written communications, is more tightly regulated than physical surveillance of the home or car. Under Title III of the 1968 federal Wiretap Act, all real-time interception of electronic communications requires not only a warrant based on probable cause, but also a showing that the government has no other way of getting the information it is seeking.
But the observation of a person’s activities in public or the perusal of computerized records tracking somebody’s personal and business transactions may be just as intrusive as a physical search of a person’s home or a wiretap on his or her phone. And experts say those types of surveillance, which new technology has made easier and more economical to conduct, are subject to little or no regulation.
Slobogin, who is writing a book on the subject, has coined the term virtual search to describe the use of technology-enhanced surveillance techniques that do not involve a physical intrusion on or into a person’s property. Such surveillance, often conducted covertly, includes intercepting communications, observing physical activities and accessing recorded information.
The Supreme Court first addressed the question of how the Fourth Amendment’s prohibition against unreasonable searches and seizures should be applied to novel technologies not available to and perhaps not even conceivable to the framers in the 1928 case Olmstead v. United States, 277 U.S. 438.
Phones and the Fourth
The issue in Olmstead was the wiretapping of telephone conversations, which, tellingly, did not reach the Supreme Court until some 50 years after the telephone was invented. The court said the Fourth Amendment applied only to tangible things, not the transmission of a human voice via an electronic signal. It also said the plain language of the amendment could not be extended and expanded to include things beyond a person’s home or office, such as a telephone line or a highway.
Thus, the court adopted what has come to be known as a “property-based” or “trespass-based” conception of the Fourth Amendment: If there was no encroachment on a defendant’s property, there could be no violation of the Fourth Amendment.
That concept prevailed until 1967, when the court issued its landmark decision in Katz v. United States, 389 U.S. 347. In Katz, the court held that property- or trespass-based concepts would no longer determine the limits of Fourth Amendment protections.
“The Fourth Amendment protects people, not places,” Justice Potter Stewart wrote for the majority. The decision threw out the bookmaking conviction of a man against whom the FBI had used an eavesdropping device attached to the outside of a public telephone booth to gather evidence without a warrant.
“What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected,” Stewart wrote. From then on, the court said, a new two-part test would determine whether the use of a particular type of new technology is a search requiring probable cause, a warrant or both. First, the object of the search must have a reasonable expectation of privacy in whatever he or she is doing; second, that expectation must be one that society is prepared to recognize as reasonable.
At first glance, the reasonable-expectation-of-privacy standard seemed to expand the outer limits of Fourth Amendment protections, at least when it came to the use of technology-enhanced surveillance devices in public, experts say. But subsequent decisions have shown that is not necessarily the case.
The court, citing the “knowingly exposes to the public” language of the majority opinion in Katz, has twice since held that a homeowner has no reasonable expectation of privacy to cultivate marijuana in his backyard if his backyard is clearly visible to the naked eye from a low-flying aircraft.
And, in United States v. Knotts, 460 U.S. 276 (1983), the court upheld the warrantless use of a beeper device to track a car’s movements, saying that a driver has no reasonable expectation of privacy while traveling on a public highway.
Although the Supreme Court has yet to rule on the constitutionality of using other types of technology-enhanced surveillance techniques in public, experts say that the reasoning laid out in Katz and other cases like it suggests that it would have no objection to the widespread use of closed-circuit video cameras, GPS devices, drug and weapons detectors, and other sophisticated surveillance technology in public.
“If the Fourth Amendment is not implicated by the technological surveillance of a car traveling on a public thoroughfare, it is unlikely to apply to enhanced surveillance of a person walking the streets,” Slobogin says.
Indeed, Henderson proposes doing away with the reasonable-expectation standard altogether in favor of an ordinary, commonsense dictionary definition of the word search: generally, looking into or over someone or something carefully or thoroughly in an effort to find or discover something.
That garden-variety definition doesn’t necessarily mean police no longer may engage in surveillance activities, according to Henderson. It just means that the courts would have to determine that what police are doing is reasonable, depending on the circumstances, but without courts having to concern themselves with what people may expect. “It’s far superior to what we have now, which maintains the fiction that all sorts of significant and invasive police surveillance activities do not even constitute a search and therefore warrant no Fourth Amendment protection,” Henderson says.
Even recent Supreme Court cases that were once hailed as protective of privacy are—with the development of technology—cast in doubt.
Kyllo v. United States, decided in 2001, was widely praised as the kind of victory for privacy rights in the home that Katz was once thought to represent for privacy rights in public.
In Kyllo, 533 U.S. 27, the court held that the use of a thermal-imaging device to detect heat emanating from a home was a Fourth Amendment search, requiring a warrant and probable cause.
But experts now say the decision may be less protective of privacy rights in the home than it first seemed. In Kyllo, the majority also held that a reliance on technology that is in “general public use,” or that only replicates what a naked-eye observer could see from a public vantage point, is not a search—even when the location being viewed is the interior of a home.
A lot depends on how the high court, in future decisions, defines that use. Slobogin notes that today’s marketplace offers a wide array of cheaper enhancement devices than the thermal-imaging device at issue in Kyllo. And the march of progress practically guarantees that trend will continue.
Defined narrowly, the term general public use would appear to exclude most current surveillance technology, except possibly the cheapest flashlights, Slobogin says. Defined more broadly, it could include binoculars, powerful telescopes, night-vision equipment, cameras outfitted with zoom lenses and ever-more sophisticated surveillance devices. One might think of the general-public-use standard as the Wal-Mart test, Slobogin says. If an item is for sale at Wal-Mart, it meets the court’s definition of being in general public use.
If technology-enhanced physical surveillance is loosely regulated, these experts say, the regulation of transactional surveillance is virtually nonexistent, at least on the federal constitutional level.
Although at least 11 states have interpreted their own constitutions to restrict access to such information, police generally can tap into somebody’s personal records a lot more easily than they can search his or her home or car. Much of the information is available simply for the asking. At most, it requires a subpoena based on a showing that the information being sought is “relevant” to a governmental investigation.
Two decisions to date represent the sum and substance of the court’s jurisprudence with respect to transactional surveillance. The first, United States v. Miller in 1976, dealt with bank records. The second, Smith v. Maryland, issued in 1979, involved the installation and use of a pen register, which records the numbers dialed from a person’s telephone. In Miller, 425 U.S. 435, the Supreme Court held that the suspected operator of an illegal still had no protectable Fourth Amendment interest in the records of his banking transactions because he voluntarily surrendered that information to the banks when he opened his accounts, even though he had no choice but to surrender the information as a condition of doing business there.
By so doing, it said, the suspect “assumed the risk” that the banks would turn that information over to the government.
“This court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed,” Justice Lewis Powell wrote for the majority.
Three years later, in Smith v. Maryland, 442 U.S. 735, the court held that the installation and use of a pen register does not constitute a search under the Fourth Amendment because a caller has no reasonable expectation of privacy in the numbers dialed from his or her phone. In that case, police used a pen register to track down a robbery suspect who made threatening, obscene phone calls to the victim from his home phone. That line of reasoning, which some experts have dubbed the “third party doctrine,” suggests that the court would find that, with the possible exception of medical records, any information anybody gives to a third party for any reason is fair game.
Some experts believe that the courts are on the right track.
UCLA law professor Eugene Volokh, an expert on privacy and cyberspace law, says there are some types of new technology, such as the wiretapping of phones and the use of heat-sensing devices to detect what is happening in the home, that the courts have rightfully held are covered by the Fourth Amendment.
But there are other types of new technology, such as surveillance cameras used in public, that the courts have correctly found do not implicate the Fourth Amendment, Volokh says. This is because “the Fourth Amendment’s job is to protect privacy, and the things one does in public are not private,” he says.
Information gathered from third parties falls under the long-standing rule-of-evidence law, which holds that everybody has a duty to turn over information relevant to a legal proceeding, Volokh says, and that law historically has never been subject to Fourth Amendment protection.
“I tend to think the court got it right in Smith and Miller in saying the government is entitled to gather such information without probable cause or a warrant,” he says. Volokh says it is up to Congress and the state legislatures to decide whether to place some statutory constraints on the government’s ability to gather such information, similar to the kinds of protections they have imposed in other contexts.
Slobogin says government access to such information should be regulated either through the courts, applying a proportionality approach, or legislatively, using Title III’s regulation of communications surveillance as a model.
Under a proportionality approach, the level of certainty required for a search would be roughly proportionate to its degree of intrusiveness. Accessing the content of privately held personal records would require a warrant based on probable cause; accessing the content of an entity’s organizational records would require a subpoena based on relevance.
Title III basically prohibits the intentional interception of all oral, wire and electronic communications unless they are judicially authorized or unless one of the parties to the communication consents to the interception. Violations can lead not only to the exclusion of the evidence, but also to civil and criminal penalties.
Henderson calls for a limited third-party doctrine, which would permit the government access only to that information provided to a third party for that party’s use.
Under such a doctrine, information turned over to a third party for that party’s use, such as bank or telephone records, would enjoy no Fourth Amendment protection.
But information conveyed to a third party acting merely as a conduit—such as the content of an e-mail message sent through an Internet service provider or information that an individual did not intend to provide to anyone, such as the electromagnetic radiation emitted by the human body—would be protected.
After all, the big threat to privacy is not technology itself, according to Slobogin. It’s the law’s failure to regulate the use of that technology by the government.
Margaret Graham Tebo, a lawyer, and Mark Hansen are both senior writers for the ABA Journal.