Friday, April 03, 2009

The Privacy Privilege

This post is going to argue that we should slightly revised how we think about the legal principle that guarantees us privacy.

As I’ve explained before, the primary privacy guarantee we have is the Fourth Amendment, which protects us from “unreasonable” state-initiated searches and seizures.

The protection created by the Fourth Amendment, like the protections created by the other provisions of the Bill of Rights and other laws, are usually referred to as “rights.”

In this post, I want to argue that it the protection the Fourth Amendment gives to our privacy is more properly understood as a “privilege” than as a “right.” According to Black’s Law Dictionary, a “right” is “[s]omething that is due to a person by . . . legal guarantee”, while a privilege is an “exemption” or “immunity” granted to a person.

Rights and privileges both give us certain types of protection, but the dynamic involved differs. When I have a “right” to something, I expect the government to see that I get it. So I have a constitutional right to due process in a criminal trial or in an administrative proceeding dealing with my right to, say, unemployment benefits. Since I have a right to due process, it’s up to the government to see that I get it; if the government defaults on that obligation, I can sue to obtain redress for that default. But basically, when a right is involved my role is passive; I expect the government will give me what I am entitled to.

When I have a privilege – like the Fifth Amendment privilege against self-incrimination – I have, as Black’s Law Dictionary notes, an immunity that protects me from being compelled to do something the government wants me to do. So if a federal prosecutor subpoenas me in front of a grand jury and starts asking me about my (purely hypothetical) criminal activity, I can invoke my Fifth Amendment privilege and refuse to answer. I have to invoke the privilege, though; it’s not up to the prosecutor to take care of that for me.

Let’s get back to the Fourth Amendment as creating a privacy privilege. Why do I think it may make sense to treat that constitutional guarantee as a privilege, instead of as a right (which is the way it’s usually interpreted)? I think it makes sense because, as I wrote in a law review article, privacy is conceptually more analogous to the privilege against self-incrimination than it is to the right to have due process. Privacy is inherently an oppositional concept; it doesn’t exist in the abstract. When I’m concerned about privacy, I’m concerned about shutting other people out of certain aspects of my life . . . which is why I draw the drapes at night and shower in a room where the glass in the window is frosted.

As a matter of practice, then, we already treat privacy as a privilege, not a right, and we do that because it makes sense. It makes sense to make the state responsible for providing counsel and other procedural protections to defendants in criminal cases because the state controls the adjudicative process. It would not be “reasonable” to make the state the arbiter of privacy because privacy is not something in which the state has a vested interest; indeed, privacy is in many respects antithetical to the state’s interests since, if nothing else, the limitations imposed by privacy make it more difficult to investigate and prosecute crimes.

I think the Supreme Court has already at least implicitly recognized that the Fourth Amendment operates like a privilege, not a right. In the Katz case, which I’ve talked about in several posts, the Supreme Court implicitly recognized that Fourth Amendment privacy is a privilege and that the specific scope of that privilege must come from the people. Like evidentiary privileges, the contours of the “privacy privilege” are derived by balancing evolving societal expectations of privacy against the state’s interest in information-gathering.

The Katz Court made it clear that the “privacy privilege,” like the Fifth Amendment privilege, must be invoked to be effective when it held that “[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . but what he seeks to preserve as private, even in an area accessible to the public, may be . . . protected.” So if you’re going to grow marijuana in your bedroom, you’d better close the blinds; if you don’t, you can’t complain that your Fourth Amendment privacy was violated because police officers saw the plants and got a warrant to come get them. By not closing the blinds or blacking out the windows, you failed to invoke your privacy privilege.

We’re pretty good at invoking the Fourth Amendment privacy privilege in the real-world. We know how to close blinds and frost windows and have conversations we don’t want the world to know about in rooms with closed doors (that have maybe been swept for bugs). Cyberspace is where the invocation of the privilege really becomes problematic.

One could argue that the privilege should not apply to cyberspace because cyberspace isn’t a “place”, and privacy has traditionally been about places (the home or office, as the Katz Court noted). Cyberspace is a persistent, synchronous and asynchronous experiential phenomenon we conceptualize as a “place” because we have no other appropriate analogy. The fact that it isn’t a physical place is, however, irrelevant when it comes to the applicability of the privacy privilege. As I explained in an earlier post, the Supreme Court recognized over a century ago that we have a Fourth Amendment expectation of privacy in sealed letters we send through the mail; and in Katz, it recognized that we have a similar expectation of privacy in the content of our telephone calls. So since the Fourth Amendment privacy privilege applies to the contents of communications, it by extrapolation also applies to cyberspace, which is a more or less transient aggregation of digital communications.

That brings me to the issue I noted above: We’re pretty clear on how to invoke the privacy privilege in the physical world, but a little shaky on how to invoke it in the cyberworld. It seems to me we tend to think of privacy in the online world as a right; we expect the government to stay out of our online activity. I suspect most of us don’t think about the need to invoke privacy when we’re online, and maybe wouldn’t know how to invoke it if we did think about it.

This is where the notion of privacy as privilege comes in: The Supreme Court should make it clear that, unlike the home, this is not a context in which the privacy privilege presumptively applies; the Court should make it clear that the Fourth Amendment does not protect computer-mediated communications unless the parties to the communications affirmatively and effectively invoke the privacy privilege. One virtue of this approach is that emphasizing invocation gives courts a standard they can use to parse the varieties of computer-mediated communication; privacy cannot encompass communications unless the parties took steps to ensure that they remained private, unless they closed the blinds. The parties might rely on encryption, on the use of private, password-protected areas or other measures; they would not, however, be able to claim the protections of the Fourth Amendment if they did nothing to preserve the privacy of the communications at issue.

A court would, therefore, reject someone’s claim that she had an expectation of privacy in messages she posted on a publicly accessible website because there was no invocation of the privilege; the messages could be read by anyone. If the messages were posted to a Facebook wall, the court would have to determine if the wall belonged to a public group, a private group or an individual; if the wall belonged to a private group or individual, the court would then have to determine whether the subscribers had taken measures sufficient to limit access to the wall and thereby invoked the “privacy privilege.”

And what about emails? As I explained in an earlier post, they can be analogized to postcards because emails can be read by employees of the system(s) though which they are transmitted. In holding that we have a Fourth Amendment expectation of privacy in letters, the Supreme Court relied on the fact that he invoke the privacy privilege by sealing the letters in an opaque envelope; it noted we have no such expectation of privacy in postcards, because they can be read by anyone involved in their delivery. Encrypting emails would therefore invoke the privacy privilege; the more difficult question is whether any thing less than encryption should serve to invoke it.

In my humble opinion, a virtue of this approach is that by putting the burden of establishing a cognizable privacy interest on the individual, it gives individuals control over the extent to which their activities are shielded by the privacy privilege. This is consistent with Katz’s risk-analysis, e.g., its premise that “what a person knowingly exposes to the public . . . is not a subject of Fourth Amendment protection.” It should also put people on notice that those who employ the communication opportunities in cyberspace without taking steps to ensure their privacy assume the risk that their communications will be read by outsiders, including law enforcement officers.

That, in turn, should encourage people to take steps to invoke the privacy privilege with regard to communication in cyberspace -- to develop technology that can be used to invoke the privacy privilege in this context. And since cyberspace is an artificial construct, it should prove easier to do this than to counter surveillance technologies in the real-world.


Anonymous said...

Telephone calls, like email, are not encrypted, and pass through a third party, but you have an expectation of privacy in their contents.

Courts (are supposed to) look at 'societal understandings' not technical invocations of privacy.

Tony Patrick said...

And what about emails? As I explained in an earlier post, they can be analogized to postcards because emails can be read by employees of the system(s) though which they are transmitted.

This is just wrong. Continuing your analogy into the real world, is a letter not protected because a postal worker could open it and read it? The certainly could, but a century of jurisprudence says that they are not allowed to do so. If you require encryption to invoke protection, why is the use of a cipher not required to invoke privacy in physical mail?

Is a phone call only protected when encrypted? It can be intercepted by simply reading the signal at your phone, your phone line, or at an exchange, but this doesn't reduce the privacy privilege.

From a law enforcement point of view, email messages are protected until delivered, read and stored on a computer system. If you need to read the suspect's hotmail, you serve a subpoena on Microsoft. This is exactly like physical mail where the message is protected in transit, but if you execute a search warrant, the opened mail is subject to the search.

An email user expects that the message will be delivered to the intended recipient only. The only possible exception to this is that messages to a corporate recipient may be opened by the company, but again, the company has policies that give them this right, and the company still has an expectation of privacy against the outside world. I.E., just because my personal assistant opens my mail does not alter the fact that the government and the postal service are not allowed to read it in transit.

A facebook post is more like a postcard. An email is intended to be private and you shouldn't need to encrypt it to make it so.

Susan Brenner said...

Actually, the scenario of serving a subpoena on an ISP to get email is not like using a search warrant to get snail mail. It's not like a search warrant for two reasons:

The first that subpoenas do not have to be based on probable cause to believe a crime has been committed, reasonable suspicion to believe a crime has been committed or any level of individualized suspicion. A grand jury, for example, can subpoena any and all records simply because it wants to. So the individualized suspicion for government intrusion element is absent.

The other reason is that the use of subpoenas and other court orders is imposed by a federal statute, not by the 4th Amendment as the Supreme Court currently interprets it. That means that if Congress were to repeal the statutes imposing these requirements, which it can do, law enforcement could simply ask an ISP to give someone's email to officers and they could do that. The person whose email was surrendered could not raise a 4th Amendment objection; they can't now, all they have is a statutory scheme.

I agree with both of you about the analogy between the content of phone calls and the content of emails, i.e., that if I don't have to encrypt my phone calls I shouldn't have to encrypt my emails to have a 4th Amendment expectation of privacy in them. But that isn't how the Supreme Court sees this, for a couple of reasons.

The first reason is that the case applying the 4th Amendment to phone calls dealt with calls in transit, which is the only way to capture a real time oral conversation. The content of the calls was not stored on the telephone company's system. The content of emails is stored on an ISPs server, for a greater or lesser period of time. I, for one, leave many emails in my email account so I can access them easily from various computers and various places.

I, personally, don't see why the contents of my emails stored on my ISP aren't private under the 4th Amendment, but the understanding now is that they are not because I've assumed the risk that the ISP (a third party, which is exempt from the 4th Amendment under Smith v. Maryland and other Supreme Court decisions) will read them and/or give them to law enforcement.

So unless and until the Supreme Court revisits all of this and comes up with a workable standard of portable privacy -- privacy in emails and other content I own and have stored in places outside my home -- we have to come up with some way to have a 4th Amendment expectation of privacy in that information.