(Editor’s Note: This is Part I of a two-part series about the digital-privacy paradox that has emerged from the Supreme Court’s revolutionary 2018 decision in Carpenter v. United States. Part II is here. Michael R. Dreeben argued several cases discussed in this article, including Carpenter, Kyllo v. United States, and United States v. Jones before the Supreme Court on behalf of the United States. Dreeben discussed the third-party paradox on an episode of the Just Security Podcast here.)
The Fourth Amendment revolution in Carpenter v. United States has produced a constitutional world that seems – as Aaron Burr’s character in the hit Broadway musical Hamilton described the Constitution – “full of contradictions.” Carpenter is the latest in a line of Supreme Court cases that attempt to reframe search-and-seizure law to keep pace with changing digital realities. Near the start of the 21st century, the Court addressed thermal-imaging technology that could reveal a home’s interior without a physical entry, seeking to update the Fourth Amendment’s core protection of the home to meet that challenge. A decade later, it applied trespass concepts to restrict GPS tracking of a car on public streets. And more recently, in 2014, it found that a cell phone’s vast capacity to hold information took it outside conventional search-incident-to-arrest doctrine. In 2017, Carpenter continued this project by breaking through the longstanding third-party doctrine: the principle that, when a person voluntarily gives information to a third-party, the person loses any constitutionally protected expectation of privacy in that information.
Carpenter refused to apply that principle to at least some digital information in the hands of third parties. Instead, the Court held that the government conducts a Fourth Amendment search, and must satisfy the constitutional obligations that attach to that search, when it acquires historical cell-site location information (CSLI) – i.e., the digital bread crumbs that reveal the cell towers to which a person’s phone connected – from a third-party provider of cell-phone services. As the Court explained, CSLI can provide the government with revealing information about a person’s life – including their “familial, political, professional, religious, and sexual associations.” And yet the information is equally valuable to the government in tracing a person’s movements in a criminal investigation, allowing investigators to identify and link individuals to a crime scene or criminal associates. Carpenter’s refusal to apply the third-party doctrine to this type of information was a seismic departure from settled law, opening up myriad questions about what other digital information would similarly fall outside the third-party doctrine and come within the ambit of Fourth Amendment protection.
In the years since Carpenter, however, not only have questions about the decision’s scope bedeviled the courts, but a procedural paradox – what we call the “third-party paradox” – has emerged as an obstacle to obtaining answers. This paradox arises when the government tries to obtain a user’s electronic data – the type of information that Carpenter might arguably protect – through a subpoena, warrant, or court order directed to a third-party service provider, such as a telecommunications, email, or internet service. The service provider receives notice of the demand but lacks Fourth Amendment standing to challenge it. In this context, “standing” means whether someone has substantive protection under the Fourth Amendment sufficient to raise such a claim in court. The legal and practical ability to bring a Fourth Amendment claim – or the lack of that ability – can determine the outcome of any challenge to a search. Unlike service providers, the service users do have Fourth Amendment standing to challenge the demand for their data. But because the service provider is not required to notify (and often is prohibited from notifying) the service user of the demand, the user often lacks notice of the government’s request to obtain it. The upshot is that the government’s investigative demand becomes unchallengeable, at least until after the service provider has complied with the government’s request and the alleged constitutional violation has already occurred. Under this legal framework, the individual who is aggrieved by the search can challenge it only when the government seeks to use the data as evidence in a prosecution, and the user (now a defendant) moves to suppress the evidence on Fourth Amendment grounds, or when the user learns of the search and brings a civil action for damages under Bivens v. Six Unknown Federal Narcotics Agents or 42 U.S.C. § 1983. 
(Bivens provides a cause of action for individuals alleging a violation of certain constitutional rights by the federal government; § 1983 does the same for allegations against state governments.)
Underscoring the emerging importance of these issues, a prominent law firm recently invoked Carpenter in arguing that its clients’ privacy interests justified quashing an SEC subpoena for client records. The subpoena sought the names of clients whose files had been compromised by a cyberattack on Covington & Burling, LLP, in furtherance of the SEC’s investigation into whether the attackers used the stolen information to commit any securities law violations. The district court found the subpoena to be overbroad under the Fourth Amendment and ordered only partial compliance. But it rebuffed Covington’s reliance on Carpenter to protect its clients’ generalized privacy interests in the attorney-client relationship in the administrative-subpoena context, distinguishing that claim from the expectations of privacy in one’s location that the Fourth Amendment safeguards. The case nonetheless illustrates how Carpenter has changed the conversation about when custodians of information can invoke their customers’ rights. Because service providers can be expected increasingly to rely on Carpenter to assert protection of their customers’ rights, the time is ripe to revisit whether, how, and when they should be able to do so. Part I describes the legal tangle that produces this puzzle. Part II provides the solution: to provide a means of litigating the novel and complex Fourth Amendment issues raised by Carpenter, we propose that Congress authorize third-party providers in certain circumstances to assert the Fourth Amendment rights of their users before complying with the government’s command to turn over their data.
The Carpenter Revolution and Its Aftermath
The Fourth Amendment provides that:
[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
A threshold issue in applying the amendment is whether a “search” has occurred; without a “search” or “seizure”, the Fourth Amendment’s protections do not kick in at all. Under the Supreme Court’s 1967 decision in Katz v. United States, the search question turns mainly on whether a person has a reasonable expectation of privacy in the place to be searched. This test stemmed from Justice John Marshall Harlan II’s concurrence in Katz, which articulated a “two-fold requirement” for finding a Fourth Amendment search: “first that a person . . . exhibited an actual (subjective) expectation of privacy, and, second that the expectation be one that society is prepared to recognize as ‘reasonable.’”
Only after Katz did the Supreme Court make clear that the expectations of privacy that the Fourth Amendment protected were radically different from ordinary expectations of confidentiality. To the contrary, the Court divorced those two concepts, consistently holding that a person has no reasonable expectation of privacy in information shared with others. The upshot was that such a person had no Fourth Amendment claim when the third-party provided the information to the government, no matter how sensitive the information or how justified the belief that the third-party would respect that confidentiality.
The Court started down this counterintuitive path in United States v. Miller, which rejected a defendant’s motion to suppress his financial-transaction records that had been obtained through a grand jury subpoena issued to his bank. While most people consider their banking and transaction records highly private, and highly revealing, the Court held that the defendant had no basis to object because “the Fourth Amendment does not prohibit the obtaining of information revealed to a third-party and conveyed by him to Government authorities.” The Court next applied the same logic in Smith v. Maryland to hold that the government’s acquisition from a telephone company of records of a customer’s dialed phone numbers was not a Fourth Amendment search because the customer “voluntarily conveyed” that information to the phone company by dialing. The Court paid no heed to the reality that the calls one makes may reveal intensely personal information about who one talks to, how often, and in what sequence.
But technological advances pushed the third-party doctrine past the breaking point. In retrospect, this seems inevitable: the emergence of a society in which vast troves of digital data resided in the hands of private service providers means that Fourth Amendment protections would wither if the Court had pressed then-existing doctrine to its logical limits. The dam burst in Carpenter. There, the government obtained CSLI records from a telecommunications provider using a court order issued under § 2703(d) of the Stored Communications Act (SCA). That statute permits the government to require a telecommunications provider to produce certain non-content information (like the dates on which email accounts were created, the names of account holders, or the date and time an email was sent – essentially, any information that does not concern the “substance, purport, or meaning” of the communication) based on “specific and articulable facts showing that there are reasonable grounds to believe” that the requested information is “relevant and material to an ongoing criminal investigation.” That reasonable-grounds showing falls well below the gold-standard Fourth Amendment requirement of probable cause to obtain a search warrant: a “fluid concept” requiring a “reasonable ground for belief of guilt.” Although the Court had not hesitated to use the third-party doctrine to strip bank records and telephone call records of Fourth Amendment protection in Miller and Smith, Carpenter drew the line at extending those cases to historical CSLI.
To reach this result, the Court offered murky and qualitative distinctions of Miller and Smith. In contrast to banking and call records, the Court noted the “deeply revealing nature” of CSLI, its “depth, breadth, and comprehensive reach,” and “the inescapable and automatic nature of its collection.” Relying on those factors, the Court held that, even though the information about the cell towers to which a cell phone connected was in the hands of a third-party business – and hardly a private possession of the cell-phone users – those users retained a reasonable expectation of privacy in their “personal location information.” This meant that the government’s demand for the production of at least seven days of cell-site location records constituted a Fourth Amendment search, which requires a warrant.
Carpenter opened a Pandora’s box. The Court did not disturb Miller and Smith or cast doubt on other “conventional surveillance techniques and tools.” So, for now, anyway, the government can obtain banking records, call-detail records, and many similar business records with a subpoena, not a warrant. But the Court explicitly declined to express a view on multiple other technologically advanced surveillance techniques not at issue in Carpenter but potentially implicated by its limitation of the third-party doctrine. These techniques range from court orders to produce real-time CSLI, to “tower dumps” (“a download of information on all the devices that connected to a particular cell site during a particular interval”), to “other business records that might incidentally reveal location information.” And the Court did not begin to explain how or whether its “narrow” holding regarding historical CSLI might apply to digital information in other contexts, such as IP addresses, search history, automatic license-plate readers, or pole cameras trained on a home. The Fourth Amendment’s protections for digital information – perhaps the most vital source of evidence in many government investigations in our digital world – fell into a state of uncertainty.
Without clear guidance, lower courts have been left to sort out the implications of Carpenter on their own. Unsurprisingly, the law remains underdeveloped and inconsistent, even for the very type of data at issue in Carpenter: CSLI data. For example, federal courts have disagreed on whether government acquisition of real-time CSLI data violates a reasonable expectation of privacy under Carpenter, with one finding no search occurred when real-time CSLI data tracked a defendant on public roads, and another finding a search occurred when the defendant was tracked in real-time through his CSLI at home. Others have avoided the issue entirely, instead resolving the case on other grounds. Federal courts have similarly steered clear of addressing the potential application of Carpenter to geofence warrants – i.e., warrants that require a provider to search its trove of data for all users or devices located in a particular geographic area at a particular time – leaving the question open. And the Supreme Court recently declined to take up a hotly watched case raising a Carpenter challenge to long-term surveillance of a home using a pole camera.
In sum, Carpenter raised novel and nuanced issues about the reach of the third-party doctrine as applied to troves of electronic data. And given the vast quantities of electronic data that users hand over to third-party providers, plus the government’s omnipresent need for digital information to investigate potential criminal activity, defining the frontiers of Carpenter has preeminent importance both for users’ privacy and for the type of investigative tools the government can deploy. Yet post-Carpenter doctrine remains embryonic. Part of the reason for that limited development flows from the mismatch between the government’s investigative tools to compel providers to turn over information and the limited procedural vehicles for users or providers to raise constitutional claims to challenge those demands. As discussed below, while the government has a broad range of tools for acquiring digital data in third parties’ hands, the opportunities for challenging that acquisition are far more limited.
Limited Mechanisms for Challenging Third-Party Searches
Carpenter itself illustrates the classic after-the-fact nature of most Fourth Amendment cases – and it underscores the obstacles that challengers face. The case arose from a criminal prosecution of the suspect in a string of robberies of cell-phone stores. The government used § 2703(d) orders under the SCA to obtain Carpenter’s CSLI, but when the cell-phone providers received the orders and produced the evidence, Carpenter had no clue that the government was seeking that information about him. Nothing in the law required notice to him that the government sought non-content records pertaining to his account. And, significantly, the SCA authorizes courts to order providers not to tell anyone, including the user, about the provider’s receipt of the government’s demand. Timothy Carpenter himself thus had to raise the constitutionality of the government’s use of a § 2703(d) order to obtain his CSLI only after his indictment, when he litigated the issue in a motion to suppress evidence about his cell phone’s location.
This scenario is replicated in many settings in which the government obtains digital information that is potentially protected under Carpenter. Users rarely receive notice at the time of request. And at least until Carpenter, the holders of the information rarely pushed back. We discuss a few of these situations below.
Stored Communications Act
The SCA provides the overarching framework for how and when a government agency can compel a provider of electronic communications services (ECS) (which can include, for example, internet service providers and cell phone carriers) or remote computer services (RCS) (which can include, for example, providers of computer storage in the cloud) to produce a user’s data. The government can obtain varied forms of information through a subpoena, court order, or a warrant. The SCA provides the most protection to the subscriber or customer when the agency seeks the contents of a user’s communications (e.g., the text of an email). While the SCA allows the government to obtain the contents of a user’s communication without a warrant in certain circumstances – like when the contents come from an RCS provider or if they come from an ECS provider that has been storing them for more than 180 days – reliance on a warrant to obtain the contents of communications under the SCA is likely constitutionally compelled. Thus, in practice, the government generally uses a warrant in criminal investigations to acquire any information that it regards as contents. When it uses a warrant pursuant to the Federal Rules of Criminal Procedure, as the SCA provides, nothing requires that the government give contemporaneous notice to the subscriber or user whose information is obtained.
Likewise, when the government seeks information other than the contents of wire or electronic communication, the SCA never requires notice to the user. The government may use a subpoena, court order, or warrant to obtain basic subscriber information, including the name, address, telephone records (including times and durations of such records), length of service, types of services used, telephone numbers (including “any temporarily assigned network address”), and means and sources of payments (including bank account and credit card numbers) of a subscriber or customer. And the government may use an order under § 2703(d) to obtain non-content information beyond the basic subscriber information, again without providing notice to the user or subscriber. Together, these procedures allow the government to obtain a significant amount of information from holders of electronic data without ever providing notice to the subscriber or customer whose data is at issue.
At the same time, as the D.C. Circuit noted, the “SCA contains no default sealing or nondisclosure provisions” – that is, nothing to prevent the provider from notifying the user or subscriber. Thus, in theory, providers could tell users or subscribers that the government has come calling, and those parties might seek a judicial remedy. But when the government can show that notice to the user or subscriber might jeopardize the investigation or other government interests, the SCA permits the government to seek a court order that prohibits the service provider from notifying anyone of the demand for data. A court will grant such order if “there is reason to believe that notification” will result in: “(1) endangering the life or physical safety of an individual; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of potential witnesses; or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.” Nondisclosure orders have been challenged under the First Amendment as a prior restraint and a content-based restriction of speech – one court held that the service provider alleged a facially plausible First Amendment claim, though the suit was ultimately dropped. But with adequate factual support and subject to appropriate durational limits, this type of nondisclosure order can be upheld.
Likely in response to First Amendment concerns, the Department of Justice (DOJ) has adopted a policy that prosecutors should seek such a nondisclosure order only after conducting a circumstances-specific inquiry and should provide the facts justifying the order to the court, along with an explanation tailored to the particular need for protection of the SCA request from disclosure. As for the duration, the SCA says that the nondisclosure order can last “for such period as the court deems appropriate,” but as a matter of policy, DOJ generally seeks such orders for one year or less, subject to extension if the facts continue to justify nondisclosure as the investigation evolves. Nevertheless, the availability of these nondisclosure orders, coupled with the government’s investigative needs, often means that the user whose information is sought does not learn of the SCA request directed to his provider until long after the fact – often only in a criminal prosecution.
Grand Jury Subpoenas
The government may also obtain electronic data from service providers by using a grand jury subpoena. The Supreme Court has made clear that grand juries have sweeping power: a grand jury “can investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” Notably, grand jury rules do not require notice to the customer when a grand jury has issued a subpoena requesting the customer’s data from a third-party provider. And while a grand jury witness – including a provider subpoenaed for customer records – is not barred by grand-jury secrecy rules from disclosing its receipt of a subpoena, the SCA’s nondisclosure provisions can apply in that circumstance, permitting the court to order the provider not to notify the customer, as described above.
Administrative Subpoenas
An administrative subpoena allows an agency to request documents “without prior approval from a grand jury, court, or other judicial entity.” Administrative authority – vested through statutory delegation of investigatory and accusatory duties to an agency – to request information in an investigation is broad; it need not rest on probable cause or reasonable suspicion. While such subpoenas are not self-enforcing, when the agency goes to court to compel compliance, the Supreme Court has accorded only limited Fourth Amendment rights to the recipient of an administrative subpoena. At least in the context of a request for “corporate books or records,” the subpoena need only “be sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unduly burdensome.” And absent a specific statutory notice requirement, the agency need not notify the person to whom the records pertain when requesting information from a third-party. Targets of the investigation therefore will often not know that the administrative investigation exists or from whom records have been sought.
Cloud Computing and Enterprise Information
All of these issues are magnified with the advent of cloud computing. As defined by one court, “cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.” Many enterprises, ranging from corporations to universities to nonprofits to government agencies, rely on third-party providers to store information, making it possible for investigators to seek information from the “cloud” provider rather than the enterprise customer (a company that maintains its file structure in a cloud service) itself. The DOJ has recognized the implications of seeking enterprise information from cloud computing providers. DOJ policy provides for seeking data from the enterprise directly, if practical, but acknowledges that many circumstances may make it inappropriate to do so if alerting the customer would compromise the investigation or otherwise jeopardize law-enforcement interests. In those circumstances, DOJ will seek the information from the cloud provider itself.
Before Carpenter, an enterprise customer seeking to assert a Fourth Amendment objection to a government demand to a cloud provider for customer data would likely be turned away based on the third-party doctrine. But after Carpenter, the third-party doctrine may no longer preclude the customer’s Fourth Amendment claim over certain types of data. The upshot is that a range of customers who store information in the cloud may have arguable Fourth Amendment protection for their stored data. But they have no way to assert that protection in response to a government-issued request that seeks production from the providers because the customers have no notice that the government has issued the request.
The Third-Party Paradox
The intersection of Carpenter with the investigatory practices discussed above produces the third-party paradox. First, in many circumstances, the users whose digital information is sought will have no notice that the government is seeking their information from providers. Thus, even assuming that they would have a legal basis for moving to quash process directed to providers, they have no knowledge that the request exists and thus cannot assert any rights they might have. Second, the providers, who do have notice of the government’s request, can object based on their own Fourth Amendment rights, but those rights do not include protecting the legitimate expectations of privacy held by their customers; the providers are generally limited to claims about burdensomeness or potential overbreadth. Third, as a general rule, parties can raise only their own constitutional rights, not the constitutional rights of third parties. And while that rule has exceptions in other contexts – for example, parents may bring claims on behalf of their children, and doctors who provide abortion care have been allowed to raise their patients’ rights to abortion – the law under the Fourth Amendment is particularly strict: Fourth Amendment rights are personal and cannot be vicariously asserted. That principle makes it especially difficult for providers to argue for third-party standing to raise claims based on their users’ rights.
Carpenter did not need to address standing issues in his case because he raised his Fourth Amendment claim in a motion to suppress evidence. But the third-party paradox will arise in the future when the government seeks to obtain a person’s electronic data from service providers. The crucial question is whether any solution exists that would allow courts to decide – before the government acquires the information – whether the Fourth Amendment allows it to do so.