On June 25, 2014, the U.S. Supreme Court issued one groundbreaking opinion in two cases regarding cellphone searches incident to arrest. In a unanimous opinion, the court held that under the Fourth Amendment, police must obtain a warrant prior to searching the cellphone of an arrestee. The court found that the “immense storage capacity” of cellphones and their aggregation of data differentiated them from other items found on an arrestee’s person. Chief Justice John G. Roberts Jr. wrote that cellphones “could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.”1
This commentary situates the Riley decision in the broader context of technology search cases and analyzes its potential implications for companies faced with a government request to turn over customer data. The Supreme Court’s acknowledgments of the altered technological landscape and the sensitivity of user data signal a potential shift in its third-party guidance, and its decision is a hopeful sign for companies seeking to protect user privacy in the face of digital data requests from the government.
The Third-party Doctrine: An Overview
The third-party doctrine states that an individual does not have a reasonable expectation of privacy in any communication that is “voluntarily conveyed” to another. Whether this concerns a conversation with an informant, or transmissions to banks and telecommunications companies, the Supreme Court has generally held that if the information is made available to a third party, the government may access it without a warrant.2
In 1928 the high court held that warrantless wiretapping of telephone lines did not violate the Fourth Amendment, provided there was no physical trespass on an individual’s land. In dissent, Justice Louis D. Brandeis argued that the U.S. Constitution must be adapted to a changing world. He noted that “[s] ubtler and more far-reaching means of invading privacy have become available to the government.”3
Almost 40 years later, the court overturned that decision, holding that the warrantless wiretapping of a public telephone booth violated a defendant’s constitutional rights because the Fourth Amendment “protects people, not places.”4 As explained in Justice John Marshall Harlan II’s concurrence, the standard for Fourth Amendment protection was whether the individual had a reasonable expectation of privacy.
In 1971 the court held that a person does not have a reasonable expectation of privacy under the Fourth Amendment in information voluntarily disclosed to a third party who turns out to be a government informant.5 The court continued extending the third-party doctrine throughout the 1970s, holding in United States v. Miller that documents “voluntarily conveyed” to a bank could be shared with the government, regardless of the defendant’s subjective expectation of privacy.6 By the end of the decade, in Smith v. Maryland, the court found that an automated machine or system qualified as a third party; it ruled that law enforcement did not need a warrant to obtain telephone numbers that a defendant voluntarily revealed to the switching equipment at the telephone company.7 The case involved a mechanical device called a pen-register that the telephone company installed at its central offices, at police request, to record the numbers dialed from the defendant’s home for four days.
The court found the defendant did not have a reasonable expectation of privacy in the telephone numbers he dialed because it was generally understood that the telephone company can and does record these numbers. The court concluded that regardless of its automated nature, the telephone company’s switching equipment was no different from an “operator who, in an earlier day, personally completed calls for the subscriber.”
In 2012 the Supreme Court’s holding in United States v. Jones, and Justice Sonia Sotomayor’s concurrence in that case, signaled that it was starting to shift away from its third-party analysis.8 In Jones the Supreme Court unanimously held that placing a GPS tracker underneath a vehicle to trace the owner’s movements constituted a search and required a warrant. While the majority opinion was based on a theory of property and trespass, Justice Sotomayor focused on privacy in her concurrence, arguing that the movements of the car revealed far more about the driver than his location. She argued that the third-party doctrine is “ill-suited to the digital age.”9
The Third-party Doctrine, Internet Communications and Bulk Data
Companies such as Google and Amazon store their customers’ personal data on their servers. Under a strict application of the third-party doctrine, an Internet user would lose a reasonable expectation of privacy in such data, as it has been voluntarily conveyed to external servers. The Supreme Court has not directly ruled on this issue, and lower courts have disagreed on how to apply the third-party doctrine to the Internet.10
Federal courts remain at odds as to how to apply the doctrine to National Security Agency requests for bulk customer metadata information.11 Three NSA cases are pending before appellate courts, and all three turn on those courts’ interpretation of Smith.12 The government frequently cites Smith in cases involving Internet surveillance and data requests.
In 2010 the 6th U.S. Circuit Court of Appeals held in United States v. Warshak that a reasonable expectation of privacy applies to the content of emails stored with commercial Internet service providers.13 The Warshak court held that “the mere ability of a third-party intermediary to access the contents of a communication cannot be sufficient to extinguish a reasonable expectation of privacy.” The appeals court analogized emails to letters and phone calls, and noted that the police cannot intercept a letter’s contents without a warrant even after the letter has been handed over to mail carriers for delivery. The court distinguished Miller by explaining that email communications were more confidential than “simple business records,” and by noting that the ISP was only an intermediary and not the intended recipient of the communications.
Congress has also legislated to protect electronic communications. The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2701, attempts to provide a comprehensive scheme to restrict unauthorized government surveillance of electronic communications. However, the law fails to provide adequate protection; courts have interpreted parts of it to permit the government to acquire electronic communications without a warrant.14
In both Miller and Smith, the Supreme Court held that one who voluntarily reveals information to a business, like one who voluntarily reveals information to a government informant, takes the risk that that business will betray that confidence and divulge that information to the police. But many Americans expect that all sorts of things exposed to third parties will remain private, and they would argue that their decision to entrust private information to companies is not truly voluntary if they wish to participate fully in society.
Companies, which routinely collect and store customer information for a variety of reasons, including for marketing purposes, thus find themselves trapped between customers who are concerned about privacy and the government. Some companies have resisted the government’s attempts to obtain customer data without a warrant— even in the face of statutes that appear to require them to do so.15
However, in the aftermath of Edward Snowden’s disclosures of classified information from the National Security Agency, some telecommunications and Internet companies were perceived as having a troublingly close relationship with the government. Since the Snowden revelations, more companies are publishing transparency reports and law enforcement guides, as well as publicly opposing mass surveillance.
Some companies, such as Amazon, AT&T, Apple, Verizon, Yahoo, Credo Mobile and Google, have expressed a commitment to requiring warrants from law enforcement before they will turn over the contents of user communications (as opposed to metadata), even though the law is currently unsettled.16
Google recently filed a friend-ofthe- court brief in a case before the Supreme Court urging the court to reconsider the third-party doctrine.17 AT&T also filed a friend-of-the-court brief in a case currently in the 11th Circuit where, citing to Riley and Jones, it argued that Smith and Miller are ill-suited to the digital age.18 The Riley decision signals that the Supreme Court may be willing to revisit the third-party doctrine so that companies can more effectively shield customer data, including customer metadata.
Riley is Act
If Jones set the stage, Riley represents the first act of Supreme Court, as it engages fully with the digital age.
In Riley the court held that police generally may not conduct cellphone searches incident to arrest without a warrant. With this ruling, the court deviated from 1970s precedents permitting the search of items immediately associated with an arrestee’s person, such as a wallet. The court recognized that the search of a cellphone implicates substantially greater individual privacy interests than the search of other physical items typically found on an arrestee’s person.
The court also justified its ruling with the observation that cellphone searches do not implicate the two rationales underlying the search-incident- to-arrest exception to the warrant requirement: officer safety and evidence preservation or destruction. The court wrote that these concerns, including potential evidence destruction through remote wiping or data encryption, are better dealt with on a case-by-case basis. The language of the opinion will likely apply to other types of technological searches. For example, the court’s observation that cellphones are “minicomputers” suggests that police should also be required to get a warrant to search laptops and tablets incident to arrest.
Like the majority in Jones, the court makes no explicit mention of the third-party doctrine in its analysis. Moreover, in a footnote, the court said the two cases did not implicate the question of whether the collection or inspection of aggregated digital information amounted to a search under other circumstances.
However, the court recognized that the volume and type of personal information potentially available to the government at the time of arrest has changed so dramatically since the 1970s that precedents from that era do not control the analysis. This reasoning could apply with equal force to the third-party doctrine, which is similarly grounded in cases decided in the 1970s before the advent of email, smartphones and cloud computing.