Big data and predictive reasonable suspicion.

Author: Ferguson, Andrew Guthrie
Position: II. The Rise of Big Data Policing D. Unprotected Data through Conclusion, with footnotes, p. 373-410
  1. Unprotected Data

    Big data remains largely under-regulated. This Section reviews the constitutional, statutory, and commercial restrictions imposed on the collection and use of information underlying big data.

    As a constitutional matter, few limits exist on accessing and collecting personal data. The controlling Fourth Amendment standard, derived from Katz v. United States, asks whether an individual has an expectation of privacy that society would consider objectively reasonable. (239) This expectation of privacy test has little application to the information police collect about individuals who enter the criminal justice system (including convictions, arrests, or biographical information provided pursuant to the criminal process). It also has little application to information individuals knowingly expose to the public, as the Supreme Court has reasoned that this information does not deserve Fourth Amendment protection. (240) In addition, information given to private individuals who later turn it over to law enforcement is not protected under the theory that the risk of disclosure was assumed by revealing the information to another person. (241) Similarly, data given to commercial third parties, including banking records, (242) telephone call lists, (243) cell phone locations, (244) or Internet search or subscriber information (245) have not been protected by the third-party doctrine. (246) Some scholars have critiqued this policy, and Justice Sotomayor has expressed some inclination to reconsider the third-party doctrine. (247) By and large, however, Fourth Amendment protection is currently unavailable for this type of information.

    Unlike these constitutionally unprotected categories of information, there exists a patchwork of statutes that limit the disclosure of health information, financial information, and some online communication. (248) To be clear, these statutes cover direct access to third-party information. For example, the Health Insurance Portability and Accountability Act of 1996 (249) (HIPAA) protects access to medical records, although it allows law enforcement to access the records through an administrative, trial, or grand jury subpoena. (250) Likewise, laws such as the Gramm-Leach-Bliley Act, (251) the Bank Secrecy Act, (252) the Right to Financial Privacy Act of 1978, (253) and the Fair Credit Reporting Act, (254) provide some measure of protection from unauthorized access to financial records, although these protections can be surmounted by a subpoena or court order.

    Similarly, the content of electronic communications is statutorily protected by the Electronic Communications Privacy Act of 1986 (255) (ECPA) and the Stored Communications Act, (256) but the protection lapses quickly. (257) Finally, telephone records are subject to protection through the Telephone Records and Privacy Protection Act of 2006, (258) but they too can be accessed by police if the evidence is relevant based on "specific and articulable" facts. (259)

    In addition to constitutional and statutory protections, certain consumer guidelines established by companies promise to keep information private. (260) Yet most major commercial entities--including Internet search companies, online retailers, and social media platforms--collect data to monetize it. (261) In fact, many businesses, including big-name companies like Google, Microsoft, Yahoo!, and Facebook, are financially successful, in part, because of their ability to sell targeted advertising using user data. (262) These economic incentives, combined with a willingness to assist law enforcement as good corporate citizens, mean that most third-party information is not well-protected from government access.


    What happens when a doctrine built on small data becomes overwhelmed by big data? What happens when previously unknown suspects can become known with a few quick search queries? Police and courts will soon confront this new reality as officers come to use existing facial recognition or biometric technology and networked databases to obtain individualized and particularized information about a suspect. Courts will confront additional questions as these technologies become more sophisticated, mobile, and reliant on predictive analytics.

    This Part studies this intersection of technology and doctrine through three different lenses--observation, investigation, and prediction--mirroring the most common types of police work. Police officers regularly observe ongoing criminal activity, investigate past criminal activity, and predict future criminal activity. The impact of "big data suspicion" will be different depending on the type of police activity at issue.

  2. Observation of Ongoing or Imminent Crimes

    Consider a modern day Terry v. Ohio situation. Detective McFadden is patrolling the street. He observes John Terry and, using facial recognition technology, identifies him and begins to investigate using big data. Detective McFadden learns through a database search that Terry has a prior criminal record, including a couple of convictions and a number of arrests. (263) McFadden learns, through pattern-matching links, that Terry is an associate (a "hanger on") of a notorious, violent local gangster--Billy Cox--who had been charged with several murders. (264) McFadden also learns that Terry has a substance abuse problem and is addicted to drugs. (265) These factors--all true, but unknown to the real Detective McFadden--are individualized and particularized to Terry. Alone, they may not constitute reasonable suspicion that Terry is committing or about to commit a particular crime. But in conjunction with Terry's observed actions of pacing outside a store with two associates, the information makes the reasonable suspicion finding easier and, likely, more reliable.

    In observation cases, by using mobile facial recognition to identify the suspect, the officer now can turn any unknown suspect into a known suspect and can search for information that might justify reasonable suspicion. This change allows the officer to review traditional data sources known to law enforcement, including prior criminal history, arrests, addresses, gang associations, known associates, and even concealed weapons permits. Perhaps this individual is on a local "most wanted" list or a watch list as someone who has already been identified as being trouble in the neighborhood. (266) Perhaps his height, weight, race, hairstyle, facial hair, or other distinguishing marks match a robbery suspect. This traditional law enforcement information might also now include data from automatic license plate readers, digitally archived surveillance video, and intelligence reports created and maintained by police. Even this limited information may be--as a constitutional matter--enough for an officer to stop the suspect. If, for example, the suspect had an extensive history of commercial robberies, or if license plate data connected him to prior robberies in the area, this information might well constitute reasonable suspicion that the suspect was going to commit a robbery.

    Additional big data innovations may also assist the police. For example, the New York Police Department (NYPD) has unveiled the Domain Awareness System (DAS) in partnership with Microsoft. (267) This technology allows an officer to observe, through video surveillance or automated license plate readers, the location of a suspect prior to the initial observation:

    DAS is capable of rapidly blending and analyzing realtime data gathered from roughly 3,000 civic closed-circuit cameras, 911 call recordings, and license plate readers ... as well as historical crime reports. Now the NYPD can do things like track a vehicle and instantly determine nearly everywhere it's been for the past few days or weeks; instantly access a suspect's arrest record, and all the 911 calls related to a particular crime; [and] map criminal history to geospatially and chronologically reveal crime patterns.... (268)

    Thus, the officer could determine whether the suspect had just arrived with a getaway driver, had been casing the store, or had merely been doing noncriminal errands all morning. (269) These patterns may well affect whether an officer has reasonable suspicion that a suspect is about to commit a crime.

    For a second level of inquiry, imagine the police officer uses networked databases owned by third parties to discover personal information about a suspect. This data might include credit information, financial records, credit card activity, employment, past addresses and telephone numbers, names and addresses of family members, neighbors' addresses and telephone numbers, business associates, make, model, and color of registered vehicles, social security numbers, dates of birth, bankruptcies, liens and judgments, and GPS locational data. While access to some of these data would usually require particular legal authorization, law enforcement can circumvent statutes restricting direct access by instead using "fourth-party" commercial aggregators. (270) Such personalized information will allow an officer to develop a more individualized picture of a suspect. While unemployment, credit card debt, and bankruptcy are generally not indicia of criminal activity, when viewed in conjunction with suspicious action in front of an expensive jewelry store, a personal financial crisis might be relevant to the totality of circumstances. Further, accurate GPS data tying the suspect to a prior robbery or to a pawnshop might lead to reasonable suspicion. Even the otherwise innocent purchase of a wool cap or ski mask at Walmart might tip a seasonal purchase into reasonable suspicion.

    Finally, imagine if law enforcement could access the suspect's social media data. (271) Search queries, Facebook and Twitter posts, YouTube videos, emails, texts, and similar communications are all available to third-party providers--if not...
