Big Brother Online: Policing and the Cloud

Government agencies, including law enforcement, are able to access more of our personal data stored online than ever before. A Vanderbilt Law School professor says it’s time to develop a “21st century framework” for stronger privacy protection.

It is now a commonplace that virtually everything we do is memorialized on databases.  Some of these electronic repositories are maintained by government, but most are in the hands of Internet service providers, credit card companies and other commercial enterprises.

Databases contain an astonishing range of our intimate daily activities, including financial transactions, Internet connections, travel routes, tax information, and even medical treatment and biometric information—as well as more prosaic matters ranging from employment and residence history to movie-watching habits and how often we turn on our lights.

It may be surprising that the police can access this information with relative ease. For instance, government officials seeking data from third parties virtually never need a warrant, because of Supreme Court decisions that have held, in essence, that once information is surrendered to a third party like a bank, one loses all constitutional privacy protection.

In order to obtain records of our Internet, phone, bank and similar transactions, the police usually only need to obtain an “ex parte subpoena,” which at most requires a showing that the information is somehow relevant to an investigation and which does not permit the target of the investigation to contest it prior to disclosure.

In many other situations, such as accessing commercial camera footage or obtaining data about credit card purchases or past travel routes, most jurisdictions do not require police to follow any judicial process, but rather allow them to obtain the information at their discretion and that of the data holders.

Several decades ago, this regime might have made sense.

The effort required to obtain data from hard-copy files was itself a significant obstacle to data aggregation and analysis.  Today, however, digitization has vastly increased the scope of databases and at the same time increased government agencies’ ability to access, aggregate and scrutinize them, in ways that could only be imagined just a few years past.

Can this information be protected from prying government eyes?

Database searches by law enforcement come in at least five different guises: suspect-driven, profile-driven, event-driven, program-driven, and volunteer-driven.  In each area, the regulatory regime needs to be rethought.  A warrant may not be necessary in all of these situations, but in many a subpoena might not be enough.

Some database access by the state is aimed at getting as much information as possible about individuals suspected of wrongdoing. Here legislatures and courts should require increasingly demanding justification requirements—sometimes even a warrant—based on the nature and amount of data sought.

Other efforts do not start with a particular suspect, but rather with a profile of a hypothetical suspect, purportedly depicting the characteristics of those who have committed or will commit a particular sort of crime. Both national security agencies and ordinary police departments are increasingly relying on this type of “predictive policing.”

Courts should be involved here as well, making sure both that there is justification for profile-driven identification, and that the profiles are properly validated and do not rely on obviously biased risk factors.

A third type of data search starts neither with a suspect nor a suspect profile but with an event—usually a crime—and tries to figure out, through location and related information, who might be involved. At least when this type of “data dump” is extensive, judges should evaluate the need for and scope of such investigations.

Fourth, in order to have the information needed for suspect-, profile-, and event-driven operations at the ready, government itself often initiates data collection, as with the National Security Agency’s metadata program made famous by Edward Snowden.  These collections of data ought be maintained outside of government to the extent consistent with governing needs, and wherever maintained should be authorized by specific legislation and administrative rules transparently and democratically arrived at.

Christopher Slobogin

Finally, restrictions should be placed on the extent to which third parties should be able to proffer to the government personal information they have acquired from us solely because we must surrender it to receive basic services such as communicating, travelling or purchasing. Further, courts should scrutinize any government incentives, financial or otherwise, that encourage third parties to “voluntarily” transfer information that normally would be subject to the other four types of access and collection limitations.

It is time to rethink when government can gain access to The Cloud and other electronic databases.  Otherwise, everything we do will increasingly become available to law enforcement agencies at little more than the touch of a button.

Christopher Slobogin is the Milton R. Underwood Chair in Law and Director of the Criminal Justice Program at Vanderbilt Law School. This op-ed was adapted from his white paper for the National Constitution Center’s white paper series entitled “A Twenty-First Century Framework for Digital Privacy,” supported by Microsoft. The white paper series will be released at an event at the National Constitution Center on Wednesday, May 10, 2017.