(Editor’s Note: This is Part II of a two-part series regarding the digital-privacy paradox that has emerged from the Supreme Court’s revolutionary 2018 decision in Carpenter v. United States. Part I is here. Michael R. Dreeben argued several cases discussed in this article, including Carpenter, Kyllo v. United States, and United States v. Jones before the Supreme Court on behalf of the United States. Dreeben discussed the third-party paradox on an episode of the Just Security Podcast here.)
In Part I, we described the third-party paradox that results when the government seeks potentially Fourth-Amendment-protected information from service providers who lack standing to raise their customers’ rights. Only two paths are available to solve the third-party paradox. The first option would be to give users notice before the search. This would allow the users themselves to assert their rights in a motion to quash the government’s demand that the third-party provider furnish user-related information. Such motions would permit courts to adjudicate Carpenter claims ex ante at the behest of the person whose rights are at stake before a potentially unlawful search occurs. But in practice, providing notice will often be impossible. The government frequently seeks, and courts frequently grant, non-disclosure orders that forbid a provider from alerting the target user to the request (see Part I for a longer discussion). Although Department of Justice (DOJ) policies advise caution in seeking nondisclosure orders, given how quickly and easily electronic data can be deleted or altered, or other harms materialize by alerting targets to the scope and direction of an investigation, prosecutors will often have a basis for seeking such orders.
So in the majority of cases, that leaves only one way out of the third-party paradox: affording providers the right to go to court to assert their users’ rights. And the pathway to that approach is straightforward: Congress should address the third-party paradox by passing legislation that gives providers the ability to assert users’ Fourth Amendment rights. That approach makes sense for several reasons: a challenge should be available before, rather than after, the invasion of privacy occurs; providers are the natural, if not the only. parties who can bring these challenges; and a new federal statute, fully drafted below, is the best way to cut the Gordian knot that currently binds the hands of users and providers alike.
A Challenge Should Be Available Before a Search Occurs
Challenges to government demands for information implicating the third-party paradox should come before the request is fulfilled. This is a logical consequence of the basic purpose of the Fourth Amendment: to prevent arbitrary government searches. An ex ante challenge can head off a constitutional violation in the first place, avoiding the injury to privacy rather than trying to repair or compensate for it later. In the search-and-seizure context, as discussed below, after-the-fact remedies are especially hard to come by, and even when available, they fail to fully account for the harm that occurred. This holds true for both criminal defendants and civil plaintiffs.
In criminal cases, the major after-the-fact remedy available is suppression of the evidence under the exclusionary rule. But the exclusionary rule does not repair the violation; it aims to provide forward-looking deterrence against future police misconduct, not a backward-looking remedy to the person whose rights were violated. Beyond that, a Fourth Amendment violation alone does not necessarily trigger suppression; courts not only require a “causal relationship between the unconstitutional act and discovery of evidence,” but also will deny suppression under the good-faith exception to the exclusionary rule, which applies, among other circumstances, when law enforcement has engaged in objectively reasonable reliance on a warrant, a statute, or judicial decisions. Tellingly, despite his historic victory at the Supreme Court, even Timothy Carpenter could not obtain relief, losing on good-faith grounds in the Sixth Circuit on remand.
After-the-fact recourse in the civil system, typically through lawsuits brought under Bivens v. Six Unknown Named Agents of Federal Bureau of Narcotics or 42 U.S.C. § 1983 – which provide a cause of action for individuals alleging a violation of their constitutional rights by the federal government and state government, respectively – requires navigating equally daunting obstacles. Most notably, plaintiffs must overcome qualified immunity, which protects “all but the plainly incompetent or those who knowingly violate the law.” The qualified-immunity defense is “raised frequently by defendants,” “granted frequently by courts, and often result[s] in the dismissal of cases.” What’s more, the flexibility judges have in granting qualified immunity without first deciding whether a constitutional violation occurred stunts the development of the law in clarifying the existence and scope of constitutional rights – a particularly troublesome problem where, as here, the case involves “cutting-edge technologies.” And if a plaintiff seeks injunctive relief, Article III standing is often an insuperable hurdle unless the plaintiff can establish that he is in fact threatened with a future search.
Providers Have the Incentive and Resources to Mount Challenges
Providers are ready, willing, and able to bring these sorts of challenges on behalf of their users. Providers of electronic communication and other data-processing services are better situated than criminal defendants or civil plaintiffs to litigate Fourth Amendment claims before disclosing information about their users. They have the resources, expertise, and incentives to raise users’ rights in appropriate cases. Their interest is not abstract; providers have an economic and reputational interest in standing up for their users’ privacy rights. Indeed, many of the major providers have not only made strong promises to their users to protect their privacy, but have taken principled stances to push back on the government in instances of perceived overreach. For example, Apple refused to create new software to allow the FBI to break into an iPhone used by one of the assailants in the 2015 mass shooting in San Bernadino, California, and Microsoft sued the DOJ in 2016 challenging SCA gag-orders under the First and Fourth Amendments. Providers are unlikely to mount abusive challenges for the sake of appearances; major providers have long-range institutional interests in acting responsibly and preserving good relations with the government. The disputes that are likely to result in litigation thus are ones where the law is unclear, particularly after Carpenter, and would benefit from clarification by the courts.
The existence and contours of an opportunity for a provider-initiated challenge should come from Congress. Judicial expansion of third-party standing could work as well, but the prospects for that doctrinal development are uncertain at best. A statutory solution from Congress provides the best route forward to balance the competing interests and establish sound procedures for litigation. Below, we first explain the potential bases for a judicial solution before turning to the most promising route: a new federal statute, the contours of which we provide.
Potential Judicial Solutions
If courts wanted to resolve the third-party paradox, they could draw on two doctrinal frameworks: third-party standing principles and inherent authority. But each approach faces headwinds.
Judicially Expanded Third-party Standing
While in most circumstances litigants must rely on a violation of their own constitutional rights, in some cases, a litigant may assert a third-party’s constitutional rights – i.e., has so-called “third-party standing.” The conditions for invoking another person’s rights are highly circumscribed. The Supreme Court has found that three factors govern whether a litigant has third-party standing: (1) whether the litigant suffered an “injury in fact” that affords a “sufficiently concrete interest” in the outcome of the issue; (2) whether there is a relationship between the litigant and the third-party such that “the enjoyment of the right is inextricably bound up with the activity the litigant wishes to pursue”; and (3) whether the third-party could assert its own rights.
The third factor – the inability of the third-party to assert its own rights – is readily satisfied in most cases where the government seeks information under the SCA. When a provider receives an order to produce customer information under the SCA accompanied by a nondisclosure order, customers would never learn of a request for information, and they therefore have no way to assert any of their own rights. The other two factors are also arguably satisfied. When a provider is required to produce customer information, its injury – the obligation to comply – is coextensive with customers’ privacy interest in their own information. And for the same reason, the provider’s relationship with its customer means the provider’s desire to protect and secure its customer’s privacy aligns with the customer’s potential Fourth Amendment interests. The Supreme Court’s recognition of third-party standing in other contexts supports the application of those principles here. For instance, criminal defendants may raise jurors’ constitutional rights against a discriminatory peremptory challenge because conviction by an unconstitutionally constituted jury is an injury to them, and physicians may assert their patients’ constitutional rights to challenge abortion bans that can be enforced against the physician. The Court has treated professional or contractual relationships between the litigant and the third-party as sufficiently close to permit third-party standing. And third-party standing has occasionally been accorded to businesses to raise their customers’ rights.
Nevertheless, courts may be reluctant to extend those precedents to the Fourth Amendment context because of the Court’s limitation of vicarious standing in Alderman v. United States and Rakas v. Illinois. That reluctance is questionable. Those cases arose in the exclusionary-rule context – William Alderman tried to suppress recordings of conversations captured in a co-conspirator’s place of business; Frank Rakas moved to suppress a rifle and ammunition found in a car that belonged to someone else and in which he was merely a passenger. And in that specific context, the balance of interests is affected by the solely forward-looking purpose of the exclusionary rule – to deter future violations – and the high costs to truth-seeking in criminal trials by the exclusion of evidence. Those considerations do not apply when a provider seeks to prevent a Fourth Amendment violation in the first place. Accordingly, courts would have a basis to recognize a provider’s assertion of its customers’ rights under conventional third-party-standing principles.
The Court’s Inherent Authority
Taking a different doctrinal path, courts might rely on their inherent authority to prevent judicial orders from violating the constitutional rights of parties not before the court. “It has long been understood that ‘[c]ertain implied powers must necessarily result to our Courts of justice from the nature of their institution,’ powers ‘which cannot be dispensed with in a Court, because they are necessary to the exercise of all others.’”
Although the concept of inherent authority is often criticized and its scope remains unpredictable, mapping that framework onto this situation would be straightforward. A court must have the inherent authority refuse to issue an unconstitutional order that violates Carpenter because of the courts’ central mission to enforce the rule of law. This is judicial equivalent of the medical edict to “first, do no harm.” Just as courts must refuse to issue orders that would violate the constitutional rights of the parties before them, so too must courts decline to issue orders that would violate the rights of parties not before them.
But in practice, using that authority would be unpredictable and uncertain. This is especially true in the close-call cases that have no settled answer under Carpenter. Those cases are the ones for which the third-party paradox poses the most serious problem. Thus, the inherent-authority doctrine’s murkiness and uncertainty makes this approach unreliable. And even setting aside those problems, this approach would still leave providers without a right to assert their customers’ Fourth Amendment claims; the use of inherent authority would be a matter of the courts’ discretion. Thus, only a statutory cause of action that gives providers the right bring claims on behalf of their users would clearly resolve the third-party paradox.
Our Proposal: A Statutory Solution
A statutory solution is well within Congress’s power to enact. Existing doctrine may block third-party standing in the Fourth Amendment context, as we discussed above. But third-party standing limits are prudential, not constitutional. So if a party meets the minimum requirements to establish federal Article III standing – concrete injury, traceability, and redressability – Congress may lift prudential limitations on third-party standing and authorize a cause of action.
And a statutory solution is far from unprecedented. Congress and states have frequently responded to advances in technology by passing new legislation to impose limits on the government or to authorize new causes of action. The time is ripe for action in this area as well. Indeed, Microsoft has explicitly called for a statutory solution similar to the one we suggest. So did at least one pre-Carpenter article. And “the appetite for privacy-rights legislation at the federal level seems promising” at this time. For example, in just the last few years, dozens of bills have been introduced in both the House and Senate, from Democrats and Republicans alike, seeking to protect consumers’ rights at the intersection of privacy and technology – from regulating access to sensitive health information in the wake of the COVID-19 pandemic, to banning federal law enforcement from circumventing limits on directly accessing U.S. customer data by buying the information from private parties. So although our proposed legislative solution is novel in how it seeks to solve this particular problem (the third-party paradox), it is well within the mainstream of bipartisan federal legislation that lawmakers are routinely considering.
The specific approach we propose here builds on familiar frameworks in federal law. The SCA, for example, already allows providers receiving certain compulsory legal process to move to modify or quash the order “if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider,” or if the provider reasonably believes that target of the request is not a U.S. person and does not reside in the United States, and that complying with the disclosure order would “create a material risk that the provider would violate the laws of a qualifying foreign government.” And in at least two other contexts, involving tax and financial records, Congress has created statutory rights to review when this Court’s decisions otherwise barred judicial remedies. These appear in the Internal Revenue Code at 28 U.S.C. § 7609 and the Right to Financial Privacy Act at 12 U.S.C. § 3410. So the blueprint for a federal cause of action like this already exists in several contexts.
Our proposed statute, set forth below, resolves the third-party paradox by providing a pre-disclosure cause of action allowing either users with notice, or providers (if the user does not receive notice), to file a motion to quash or modify the compulsory legal process seeking the user’s data. The proposed statute provides timelines for litigation and addresses exceptional circumstances in which the government could compel disclosure of the requested data for urgent reasons before completion of the litigation. In this way, the draft statute balances the interest in determining whether the request for data is constitutionally valid against investigatory needs in particular cases for more expeditious action.
The statute could be placed in Chapter 121 of Title 18 of the United States Code, immediately following 18 U.S.C. § 2713 as a newly created 18 U.S.C. § 2714:
Providing a cause of action to challenge compulsory legal process for users’ data:
(a) When a provider of electronic communication service or remote computing service (“Provider”) is required to disclose, pursuant to any compulsory legal process, the information or data of any of the Provider’s users (a “Target User”), a motion to modify or quash the compulsory legal process on the grounds that compliance would infringe a constitutionally protected privacy interest of the Target User may be filed by either:
(1) The Provider, if the government obtains a non-disclosure order preventing the Provider from notifying the Target User; or
(2) The Target User, if the Target User receives notice of the compulsory legal process.
(b) Definitions—As used in this section—
(1) The terms “electronic communication service” and “user” have the same respective definitions given to them in 18 U.S.C. § 2510;
(2) The term “compulsory legal process” includes any compulsory process authorized by the laws of the United States to investigate violations of law including, but not limited to:
(i) Warrants or court orders issued under Chapter 121 of Title 18 of the United States Code;
(ii) Administrative subpoenas;
(iii) Administrative summonses; and
(iv) Grand jury subpoenas.
(c) Any motion authorized in subsection (a) shall be filed—
(1) Under seal;
(2) In the United States District Court that issued the compulsory legal process;
(3) Within 14 days of receipt of the compulsory legal process; and
(4) Expedited as necessary to permit prompt resolution no more than 30 days after the filing of the government’s response.
(d) Compliance while litigation over the motion is pending—
(1) Except as provided in (d)(2) below, the filing of such a motion under subsection (a) stays any compliance obligations for the legal process being challenged while the litigation over the motion remains pending in district court.
(2) Upon a case-specific showing of exigent circumstances by the government, the court shall order immediate compliance pending the litigation over the motion. The court, if it ultimately grants the motion, shall have authority to order a remedy as law and justice require. Exigent circumstances include imminent risk of—
(i) Physical harm to a natural person;
(ii) Destruction of evidence;
(iii) Threats to national security;
(iv) Compromising an ongoing criminal investigation or prosecution; or
(v) Other such exigencies as the facts and circumstances of the particular case may warrant.
At the macro-level, the proposed statute expands the extant authority of providers to initiate pre-compliance litigation for § 2703(d) orders under the SCA, and builds on the third-party litigation procedures of the Internal Revenue Code’s § 7609, the Right to Financial Privacy Act’s § 3410, and Federal Rule of Criminal Procedure 17. At the micro-level, it draws on existing language from § 2703 (e.g., for definitions) and § 3410 (e.g., for the 14-day timeline), as well as familiar Fourth Amendment concepts like exigency for the exceptions to the automatic stay of compliance during the litigation. Questions about authorization for fact-finding proceedings, what would be required to generate an appealable final order, and rules governing stays of compliance pending appeal are left to existing legal standards. This statute does not create any new substantive standards or privacy rights. Rather, the goal of this statute is to address the third-party paradox by using familiar procedural mechanisms and statutory frameworks to allow courts to develop the law post-Carpenter when it most matters: at the time of the request, before any potential Fourth Amendment violation occurs.
The third-party paradox has heightened importance in a post-Carpenter world. While users formerly had few if any Fourth Amendment rights in digital data held by third parties, Carpenter has opened new and unexplored vistas. Our solution – a statutory cause of action that allows providers in certain circumstances to assert the Fourth Amendment rights of their users – promotes the development of constitutional doctrine while protecting the government’s legitimate law enforcement interests. Our proposal does not solve all issues, but is intended to begin discussion. Here, again, Hamilton offers words of advice: while Burr’s character voices caution in the face of proposed new legal frameworks that are “full of contradictions,” Hamilton’s titular character reminds us that the way out of that contradiction requires a first step: “We have to start somewhere.” When it comes to Carpenter’s revolution and the third-party paradox, a new statutory procedure to bring these issues to courts, before the challenged search occurs, is the right place to start.