The Datatrust Privacy Guarantee: Protecting the Datatrust from Compelled Disclosure

  1. Introduction: Why we need to understand privacy rights.
  2. A quick overview of federal privacy law.
  3. Implications for data collectors today.
  4. Implications for the datatrust.

II. A QUICK OVERVIEW OF FEDERAL PRIVACY LAW.

Basic Fourth Amendment Rights

(Much of the information below is from the Electronic Frontier Foundation’s clear and easy-to-understand “Surveillance Self-Defense Project.”)

Right now, the U.S. government’s ability to simply grab documents from your home is limited by the Fourth Amendment of the Constitution, which protects you from “unreasonable searches and seizures.” This is why on cop shows, you see police showing search warrants when they show up to search your house.

A search warrant requires the police to demonstrate “probable cause,” a reasonable belief that a person has committed a crime. The police must apply for the search warrant to a judge, specifying who, what, and where will be searched, and why they think they have probable cause, such as a tip from an informant.

This requirement does not only apply to your home. It may apply to your office, your hotel room, your car, anywhere that you might have a reasonable expectation of privacy.

But none of this applies in general to information you might give to a third party, a.k.a., Facebook.

Or almost all “third parties.” EFF states,

“…you will often have no Fourth Amendment protection in the records that others keep about you, because most information that a third party will have about you was either given freely to them by you, thus knowingly exposed, or was collected from other, public sources. It doesn’t necessarily matter if you thought you were handing over the information in confidence, or if you thought the information was only going to be used for a particular purpose.”

So what about financial records? Telephone records? Aren’t medical records protected?

Congress has passed special laws around certain classes of personal data, including some information collected by third parties like Facebook.

Electronic Communications: The Electronic Communications Privacy Act of 1986

The Electronic Communications Privacy Act of 1986 (18 USC 119) creates special protections for electronic communications, such as telephone calls. ECPA prevents the police from willy-nilly placing wiretaps.

The ECPA also has provisions for email, but because the law was passed in 1986, the provisions related to Internet communications are both outdated and unclear.

The Stored Communications Act, which is part of ECPA, governs what the government can access from communications service providers, such as your cellphone company, your Internet service provider, or an email provider like Gmail. (It does not govern your interactions with “remote computing services,” companies that are not communications service providers but provide data storage services, or with websites or search engines that store information but do not provide communications services. More on this below.)

Some communications, like emails and voicemails, receive the strongest protection. The government can access emails, voicemails and other communications content stored by communications service providers ONLY IF the following conditions are met.

  • If the email or voicemail message is unopened or unlistened to, AND has been in storage for 180 days or less, the government must obtain a search warrant, though it need not notify you.
  • If you’ve opened or listened to the email or voicemail message, OR they’ve been unopened and stored for more than 180 days, the government can use a special court order or subpoena to access your message. Both a court order and subpoena are easier to get than a search warrant, though then you must be notified.

The Ninth Circuit has a different interpretation of the law, that even if the email has been opened, if the message is in electronic storage, the government must get a warrant if the email has been in storage for 180 days or less. That means you get a little more protection if you're in the Ninth Circuit, meaning the states of Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington. Elsewhere, the above provisions apply.

Basic subscriber information from your communications providers can be obtained with just a subpoena. Such information includes your

  • Name.
  • Address.
  • The length of time you've used that phone or Internet company.
  • Phone records, including telephone number and local and long distance telephone connection records.
  • Internet records, including when you signed on and off of the service, the length of each session, and the IP address that the ISP assigned to you for each session.
  • Information on how you pay your bill, including any credit card or bank account number the ISP or phone company has on file.

Who you communicate with, including email addresses, IP addresses, and how much data was exchanged, as well as web addresses of pages you visit, can be obtained by court order. A court order is harder to get than a subpoena but easier to get than a search warrant.

None of the above applies to companies or organizations that are not "communications providers."

The government has argued that records kept by search engines and other websites, because they are not “communications service providers,” can be obtained without a search warrant, court order, or subpoena.

Similarly, data stored with “remote computing services” can be obtained with only a subpoena, regardless of how old it is. The government is supposed to notify you, but the law makes it easy for law enforcement officials to delay until after they’ve gotten your data. However, data that’s stored in your desktop computer cannot be accessed without a search warrant. Thus, the law distinguishes, rather artificially, between data that’s stored in a desktop computer and data that’s stored in the cloud.

The protections described above also do not apply to businesses and schools that provide email services for employees and students, as they are not available to the public.

A coalition of businesses and advocacy groups, called Digital Due Process, has proposed that the law be changed. Specifically, with regard to electronic communications and data storage, the coalition has proposed:

“A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.”

In other words, communications that most people consider private, including data stored in the cloud, can only be disclosed if law enforcement officials present a warrant issued on the basis of probable cause, whether or not the email's been opened or is more than 180 days old.

Other Relevant Categories of Data

Electronic communications records are the most obvious analogue to the kind of data that could be stored in our datatrust. There are other categories of data and information that receive special privacy protections under U.S. law that may not be directly applicable to data in the datatrust, but could be useful in helping us understand what kind of protections we should be advocating for.

Financial Records: The Right to Financial Privacy Act

The Right to Financial Privacy Act of 1978 carved out a statutory Fourth Amendment right around financial information, so that federal government agencies cannot obtain an individual’s financial records without an appropriate warrant or subpoena.

Research and Statistical Data

Medical research participants are protected from having their identifying information disclosed to law enforcement officials in several ways.

When federal agencies, such as the Centers for Disease Control, collect personal data, they are authorized to do so by the Public Health Service Act (42 USC 242k). Section 308(d) of the Act (42 USC 242m), the Privacy Act of 1974 (5 USC 552A), and the Confidential Information Protection and Statistical Efficiency Act (PL 107-347) prohibit the disclosure of that information without the individual’s consent. (Technically, the Privacy Act permits disclosure to law enforcement officials in certain situations, but the Confidential Information Protection and Statistical Efficiency Act states that data that is collected exclusively for statistical purposes must be used only for statistical purposes.)

Other researchers, who are not affiliated with federal agencies, can apply to the CDC for a Certificate of Confidentiality. Such certificates “protect against compulsory legal demands, such as court orders and subpoenas, for identifying information or identifying characteristics of a research participant.” Any project that collects personally identifiable sensitive information, and that has been approved by an Institutional Review Board, is eligible for a Certificate. Federal funding is not required. The information that is protected includes “name, address, social security or other identifying number, fingerprints, voiceprints, photographs, genetic information or tissue samples, or any other item or combination of data about a research participant which could reasonably lead, directly or indirectly by reference to other information, to identification of that research subject.”