Clouded computing: the foggy application of the Fourth Amendment in technology.

Author:Giordano, Joseph A.
Position:II. Establishing a Framework for "Content" Information under the Fourth Amendment A. Intentionally Provided, Unorganized "Content" through IV. Conclusion, with footnotes, p. 168-193

    When a user signs up for an Internet service like Facebook, or any other service providing digital communications, they usually have to provide some basic information. (136) Most often this includes data such as: name, address or geographic location, and an e-mail address. (137) This information is intentionally provided, meaning the user is knowingly disclosing it to a third party. (138) Each service provider requires different amounts of information for registration purposes; Facebook requires "name, email, gender, and birth date" but also allows users to add other information to their profile. (139) Facebook also explicitly notifies new registrants that certain information, like a user's name and profile picture, will be publicly available on the Internet. (140) Certain "required" information may be made private, and therefore curated. (141) Facebook puts users on notice that certain information can be hidden and protected via user settings on Facebook, giving users control over which information is public and what will remain private. (142) There is no way to make a profile picture or name private, aside from creating a pseudonym or alias along with a misleading picture. (143)

    As a matter of policy, if society confers the benefit of privacy protection on Internet users for their digital information, it would not be too onerous to require users to also bear some of the burden in maintaining that privacy. However, even if users take certain privacy precautions, individual bits of information will not always warrant significant privacy protection. Based on the holding in Dwyer, individual bits of generic information are of insufficient value to individuals or companies to necessitate privacy protections. (144) The information is not aggregated in a way that makes it too revealing or intrusive; seeing a name attached to a photo reveals no "bigger picture." (145) Were such information to be paired with other bits of information, such as the unique device ID (UDID) of a cell phone or other personal information that, when combined, clearly identify the individual, there are sufficient justifications for providing enhanced protection. (146) The problem then becomes where to draw the line in determining the minimum threshold of aggregation that triggers certain privacy protections, namely, whether that information can be accessed by use of subpoena, warrant, or wiretap. No matter the level of protection, however, any bit of information behind a password screen, no matter how banal, should at the very least require the level of privacy afforded that requires a subpoena to retrieve that information.


    Once a specific threshold of "aggregation" is crossed, the next step is to determine how the information was shared with, or received by, the aggregator to determine the level of privacy protection inherent therein. First, however, it is essential to establish the aggregation threshold.

    Because there are so many different types of information and digital content that people can share online, the minimum threshold cannot be too specific as to the type or quantity of information necessary to trigger heightened privacy protection. Nevertheless, there should be certain types of information that, when combined with other information, automatically trigger a heightened "aggregate" protection. These specific types of information serve as bellwethers of protected information, such as "name-plus-social security number" or "name-plus-credit card number." In the digital world, a common example of this is frequently encountered by law enforcement dealing with IP Addresses. (147) If a detective encounters an IP address during an investigation, whether it originates from a basic investigation or pursuant to a court order, they still must obtain a subpoena to match that IP address to a private citizen. (148)

    On Facebook, a new factor comes into play when dealing with information that is generated by machine and not the user directly. (149) Facebook provides privacy controls to limit access to user information. (150) Names and profile pictures have no privacy settings. (151) The rest of the information a user puts in their profile can be organized through the privacy settings to limit access. (152) These privacy settings act as fences, limiting the visibility of information a Facebook user's friends and third parties are able to access and share. In Facebook's Privacy Policy, Facebook acknowledges and respects these limitations, but notifies users that "[r]emoved and deleted information may persist in backup copies for up to 90 days, but will not be available to others." (153) Accordingly, when a user chooses to employ privacy controls, their action reflects a reasonable expectation of privacy similar to locking a door or building a fence around the perimeter of property. (154)

    Conversely, when a user chooses not to employ any privacy controls, or employs them in a haphazard manner, it should be viewed as an abandonment of their expectation of privacy, or at the very least reducing it. At a minimum, failure to employ privacy controls manifests a lack of knowledge of the privacy settings or a disregard for one's privacy, either of which can make an expectation of privacy unreasonable. Leaving information in the public purview where it can be accessed through basic information-gathering measures, such as leaving the information so that it can simply be googled, is the same as physical objects in plain view under Fourth Amendment jurisprudence. This information is no more protected than the criminal who walks around brandishing a weapon or the drug user getting high in public. On the opposite side, information that has been deleted by the user but is still retained as a backup on Facebook's server retains the user's expectation of privacy. If the information was deleted and private, it should still require a warrant, however, deleted public information should merely require a subpoena. (155)


    The last part of a user's Facebook profile that can be filled out is their general interests. Here, a user is free to enter whatever information he or she wishes to convey to the public to reflect his or her personality, using basic guidelines such as favorite activities, interests, and music. There are few restraints on the scope of information here, and users are free to be as creative or basic as they choose. For example, an enterprising law student may choose to only list those activities that make her seem like a legal scholar, such as reading only books by Supreme Court Justices and listing her hero as Hugo Black. An art enthusiast may list her favorite art galleries to visit, artists or artistic styles, and even favorite paintings. All of this information is subject to the same privacy controls as every other section of user profiles, with the exception of name and profile picture. (156)

    Similarly, other information on Facebook fulfills a similar role as e-mail. Posts to a user's wall by others, or on others' walls by the user, are subject to the same privacy controls previously mentioned. (157) Users may also engage in private, one-on-one communications either latently through messaging or in real time through chat, utilizing a computer or a cell phone. Information under this tier is what is already subject to a warrant requirement. The policy goal in creating this tier is to unambiguously address this requirement.

    The issue that is most likely to arise is whether a post made so that more than just one person can read it is truly private. This is where the "organized" aspect comes in to play. The information is intentional in that the user is consciously aware of their conveyance of it. Being "organized" implies the use of privacy controls. The only factor that may weaken this requirement would be a user who is connected to an incredibly large number of people. A way to address this issue is proposed in the final section.


    Before moving on to a remedy, it is important to briefly review how these tiers of information may apply outside of Facebook, and how they may be abused. As mentioned earlier, anyone can use a search engine such as Google, or Microsoft's Bing specifically for Facebook, to search any social network to find information about users. The results will generally be limited to what a user may choose to share via privacy controls. Facebook boasts over 680,000,000 users accessing the site via mobile devices, devices that may or may not be using secure networks and technologies to share information. (158) Since the information exists on Facebook's servers, every time a user accesses Facebook remotely, user data is susceptible to third party interception and observation. However, simply because the user never physically possesses the "content" of their Facebook account does not mean the user does not have an expectation of privacy in such information. (159)

    Law enforcement needs to keep the location of information in mind when executing warrants. Obtaining a warrant for a cell phone will not necessarily mean they can search a Facebook account, even if that information is freely accessible through Facebook. To hold otherwise is the equivalent of saying that having a warrant to search a car permits officers to search a garage. However, this application need not be overly strict. For example, once law enforcement has lawful permission to seize a device and while in possession of the officer, the device receives a "push notification" (160) indicating there is a new message. The plain view doctrine would likely apply to whatever portion of that single communication was visible. Should that visible portion give indication that rises to suspicion of criminal activity or evidence thereof, it would amount to an exigent circumstance allowing for the...

To continue reading