Over time, privacy protection has advanced in key moments. These have involved judges and advocates who appreciated new technologies and found ways to ensure privacy prevailed in a changing world. This week’s unanimous decision by the Supreme Court in the case of Riley v. California ranks with other key historical moments. More than in any other recent decision, the Supreme Court this week advanced privacy in a digital era characterized by ubiquitous computing.
As a result, the scales of justice shifted in a profound way toward a new ideal of privacy in a digital world. There is an important history for privacy that points in this direction and is worth appreciating. But it’s important to start simply by saying this: it was not just a historic week, but a very good week for privacy. A scale implies balance. The Supreme Court’s decision strikes the right balance between public safety and the privacy concerns of users of mobile technology.
The context for this week’s case is important. For decades, the authorities have validly searched those they arrested without a warrant under an exception to the Fourth Amendment’s warrant requirement. These searches extended to the possessions and immediate area near an arrestee, such as a wallet, purse or the inside of a car. The Supreme Court ruled this week, however, that warrantless searches cannot extend to a cell phone; instead the authorities must secure a warrant from a court to search such a device.
We live in a time when the importance of effective law enforcement remains vital. Yet as the Court rightly observed, “the sum of an individual’s private life can be reconstructed” by accessing the information stored on a cell phone.
In making this observation, the Court built on a long-standing and important tradition of adapting privacy to new technology, albeit one that has moved markedly on only rare occasions. Perhaps the only way to fully appreciate the importance of the past week’s decision is to take the broad view and put it in the context of other pivotal steps.
In important respects, technology started to challenge privacy protection as long ago as the 1800’s, as Americans embraced the camera, telegraph and telephone. In 1890, Louis Brandeis took one of the privacy field’s seminal steps, publishing in the Harvard Law Review an article advocating “the right to be let alone.” Writing a quarter century before he joined the Supreme Court, Brandeis helped define this field by articulating a clear rationale for protecting privacy under existing state common laws. Notably, Brandeis argued that the impetus for this strengthened privacy protection was the adoption of new technologies, including “instantaneous photographs.” Using words that resonate still, he argued that “mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
Brandeis’ piece captured the tension that sometimes arises between the advance of new technologies and the protection of enduring values. This tension sometimes pits technologists against lawyers. The more fruitful challenge, however, is to focus on how we can maximize the benefits of technology while simultaneously preserving values we hold timeless. This is not always easy, in part because the issues are often complex and because it takes time for the societal impact of new technologies to become clear. That’s why it’s so important to pause and reflect on the critical moments when key people and writings, like that of Brandeis and his article, have helped show a path forward.
As I mentioned when speaking at the Brookings Institution this past Tuesday, I’ve believed that one such moment came in early 2012, when Justice Sonia Sotomayor wrote a short concurring opinion in the case of U.S. v. Jones. The case involved the placement by the San Diego police of a GPS locator on a suspect’s car, exceeding the scope of a court warrant. In a 5-4 decision, a majority of the Supreme Court held that this violated the Fourth Amendment’s protection against unreasonable searches and seizures. But the Court’s principal opinion did so using a traditional argument that Brandeis would have found familiar, relying on the physical intrusion involved in placing the GPS locator on the car and its implications under common law trespass principles.
Justice Sotomayor wrote a short concurring opinion in the case that went further. It stated that without any physical intrusion at all, the authorities could rely on “GPS-enabled smartphones” to track people. And the privacy implications of this could be profound. Justice Sotomayor pointed out that “GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” And as the opinion added, the “Government can store such records and efficiently mine them for information years into the future.” Ultimately, as her opinion concluded, unless this type of surveillance was safeguarded under the Fourth Amendment regardless of whether there was a physical intrusion, it could “alter the relationship between citizen and government in a way that is inimical to democratic society.”
Equally important, Justice Sotomayor’s 2012 opinion looked forward and addressed directly the changing attitudes of a new generation that increasingly was comfortable sharing its personal information. She reasoned that people could share information with their friends and still have “a reasonable expectation of privacy,” which is the prerequisite for Constitutional protection under the Fourth Amendment. As she pointed out, for generations the law had basically equated privacy with secrecy. In other words, when lawyers (and many other people) used the word “privacy,” they often used it as if it were synonymous with the word “secrecy.” But as technology trends increasingly have shown, a new generation of people increasingly has redefined the word “privacy.” To them it means the ability to share information but determine who they share the information with and how the information will be used. If anything, one of the defining features of the early growth of services such as Facebook and Snapchat has been the ability for consumers to do precisely that. In other words, people now share information in a limited way and look to privacy protection to sustain these limits.
Since Justice Sotomayor’s opinion in 2012, one of the most important questions in privacy law was whether and when the rest of the Supreme Court would embrace a similar view. Today we know the answer to that question, at least to a considerable degree. It was this past Wednesday.
The Court’s decision this week will be remembered as another seminal moment in advancing privacy protection. Significantly, it came from a unanimous rather than divided court, with an opinion written by Chief Justice Roberts for eight of the Justices. But perhaps most important was the Court’s reasoning and its positive implications both for smart devices and the storage of personal information in the cloud.
The Court put a stake firmly in the ground and effectively declared that privacy protection must account for new technologies. As Chief Justice Roberts noted, “before cell phones, a search of a person was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy.” As he pointed out, “most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read – nor would they have any reason to attempt to do so.” Yet smartphones have changed this dynamic. As his opinion stated, “many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.”
Putting these features together, Chief Justice Roberts recognized the impact of smartphones today in a way that is similar to Brandeis’ focus on the impact of the camera 125 years ago. As his opinion recognized, “modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life’.”
Comparing the new technology to the Fourth Amendment’s traditional protection of information in peoples’ homes, the Supreme Court could not have been more clear-cut. As it observed, the search of a cell phone “would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form.”
While all this is of huge importance, the significance of the Supreme Court’s decision does not stop there. Just as Justice Sotomayor pointed in 2012 toward a next set of important questions, so did Chief Justice Roberts this past week. This is because his opinion included the Court’s first explicit discussion of privacy in the context of cloud computing.
As the opinion noted, “the data a user views on many modern cell phones may not in fact be stored on the device itself.” While the Court was not presented with the search warrant requirements applicable to accessing a data center from a remote location, it nonetheless observed that “the same type of data may be stored locally on the device for one user and in the cloud for another.” This provided the Court with an additional reason to uphold rather than minimize privacy protection. Chief Justice Roberts pointed to “the possibility that a search might extend well beyond papers and effects in the physical proximity of an arrestee” and concluded that this was “yet another reason that the privacy interests here dwarf those” that the Court had considered in an earlier case in 1973. For those of us at Microsoft and other tech companies who are seeking to ensure that the Fourth Amendment protects information stored in the cloud, these are encouraging words.
The Supreme Court’s decision is all the more interesting given the past month’s developments in the House of Representatives. By a lopsided bi-partisan vote of 293-to-123, the House approved an amendment to a defense spending bill to prohibit government agencies from using funds to require Internet service providers to give the government direct access to their servers or to access private electronic communications without a warrant. Similarly, a majority of House members have now signed as co-sponsors on legislation to amend the Electronic Communications Privacy Act to ensure that the authorities obtain a lawful warrant before accessing stored email content, regardless of how old the email may be or where it is stored.
At a time when many Americans think of Washington, D.C. as the capital of gridlock, both the judicial and legislative branches have taken new steps to protect privacy. It’s not unreasonable to hope that now more than ever, there is an important opportunity to bring people together to address next-generation privacy issues. The ultimate answer will lie not in pitting public safety, technology, and privacy against each other. Rather, as I had the opportunity to discuss at the Brookings Institution the day before the Supreme Court’s decision, the challenge is to find new ways to recognize and balance all three of these needs.
This is not to suggest that the issues are easy. As Chief Justice Roberts recognized, “privacy comes at a cost.” But as the Court’s decision makes clear, privacy is also an important and enduring value. As we look back on the privacy week that was, there’s an opportunity for all of us to take inspiration from a unanimous Court and pursue new paths that will enable privacy, safety and technology to move forward together.