20120907

Service Agreements Kill Privacy, But Can They Create It Too?

With more people constantly connected to the Internet, technology companies are becoming massive repositories of sensitive and personal information. Our communications with family and friends now sit stored on servers belonging to Google or Facebook. Cell phone companies keep track of our location by recording every time we connect to a cell phone tower for up to two years. Unfortunately, the Fourth Amendment has not kept up with this technological reality. And a recent case decided by the Ninth Circuit Court of Appeals, United States v. Golden Valley Electric Association (PDF), highlights the increasing way constitutional rights are adjudicated when it comes to data stored by other companies: through the service agreement a user enters into with a company.

First, some background. The Supreme Court long ago ruled that users lose their expectation of privacy when they turn information over to third parties. The "third party doctrine" has been used by the government to justify warrantless acquisition of cell site tracking records, Twitter account information, and email. They've argued these records belong to the companies, so a user can't complain when the data is turned over to the government. Ultimately, this means that your constitutional rights are in the hands of the companies storing your data. Given the ever increasing demands of law enforcement, companies have little time or resources to fight for user privacy. That means companies have an enormous amount of power in determining your privacy rights. As we've documented in our "Who Has Your Back" campaign, many of the biggest and most popular tech companies have work to do in fighting for user privacy.

A 2010 case from the Sixth Circuit Court of Appeals highlights how a subscriber agreement that governs the relationship between a company and user can potentially become a black hole where the Fourth Amendment goes to die. In United States v. Warshak, the Sixth Circuit became the first federal appellate court to rule that people had a reasonable expectation of privacy in their emails notwithstanding the fact that email typically passes through a third party, the email service provider. That meant law enforcement needed a search warrant to obtain the contents of emails. But Warshak noted it was "unwilling to hold that a subscriber agreement will never be broad enough to snuff out a reasonable expectation of privacy." So although the email provider in the Warshak case didn't say anything about whether it would "audit, inspect, and monitor" emails, messages stored by a service provider that did say it would monitor email in a subscriber agreement wouldn't necessarily be protected by the Fourth Amendment. In short, the court said companies have the ability to strip you of your Fourth Amendment rights.

As troubling as that seems, the flip side is that presumably faced with silence -- like the Warshak service provider -- or even an affirmative statement by a service provider that it will protect your privacy, a reasonable expectation of privacy could still exist. Or stated differently, a service provider can also give you Fourth Amendment protection if it promises to safeguard your privacy.

The Ninth Circuit addresses this precise issue in Golden Valley. The case revolved around a small cooperative utility provider in Alaska, that received an administrative subpoena issued by the DEA seeking customer records it believed were relevant to a criminal investigation. These records included things like the subscriber's name, telephone number, method of payment (including credit card numbers or checking account information), and service initiation and termination dates.

The most important thing the government sought, however, was energy consumption records. By determining whether energy levels were elevated in specific houses, the agents believed they could pinpoint locations where marijuana was being grown. Addressing a very similar situation in 2001, the Supreme Court in Kyllo v. United States ruled that the police needed a search warrant to use a thermal imaging device to measure heat levels in a residence, since the devices could reveal intimate details about the interior of a home. To get around Kyllo, the government sought to get the records from Golden Valley directly instead of planting a police officer in front of the houses, ultimately avoiding the need to get a search warrant. That's because the records belonged to Golden Valley, and therefore, the government argued, customers had no expectation of privacy in them.

Golden Valley challenged the administrative subpoena, a rare act for a company to take, and raised the argument suggested by Warshak: that since it had a company policy of protecting user privacy, a search warrant was required to obtain this information. The Ninth Circuit, however, rejected Golden Valley's argument, finding that Golden Valley failed to show any explicit customer agreement promising to keep records confidential.

At first blush it may seem that Golden Valley highlights a lose-lose situation for users created by the third party doctrine: providers can take away your Fourth Amendment rights in their service agreements, but in the rare instance when they make an effort to preserve your rights by promising to protect your privacy, it doesn't matter anyway because the "records" (created with your data and activity) aren't yours.

But the Ninth Circuit really left a far more important privacy opening. It noted that in some circumstances, "a company’s guarantee to its customers that it will safeguard the privacy of their records might suffice to justify resisting an administrative subpoena." In the specific case before the court, Golden Valley's policy did not rise to a sufficient level of specificity. But going forward in the future, other companies storing sensitive, personal information need to take advantage of Golden Valley's suggestion that service agreements can be more than just a black hole. They should explicitly detail in their service agreements that they will keep user data confidential and that they will stand up for users' privacy by challenging government attempts to obtain data without a search warrant.

At the same time, courts need to heed the words of Justice Sotomayor's concurring opinion in United States v. Jones, where she wrote it was time to stop treating "secrecy as a prerequisite for privacy," and stop assuming "that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection." That way, the fact that our privacy rights are in the hands of companies means more than they're just gone forever.

No comments: