Objects, Places and Cyber-Spaces Post-Carpenter: Extending The Third-Party Doctrine Beyond CSLI: A Consideration of IoT and DNA.

Author: Park, Eunice
Position: Cell-site location information, Internet of Things
  I. INTRODUCTION
  II. TRADITIONAL TENSIONS, CARPENTER DECONSTRUCTED, AND THE CALL FOR A NEW EXTENSION OF THE THIRD-PARTY DOCTRINE IN THE DIGITAL AGE
      A. The Fourth Amendment: Property or Privacy?
      B. Carpenter Deconstructed: A Direct Strike at the Third-Party Doctrine
      C. The Call for a New Extension of the Third-Party Doctrine: A Proposal for a Retrospective Test
  III. FITTING THE SQUARE PEG OF DIGITAL DATA IN THE ROUND HOLE OF THE THIRD-PARTY DOCTRINE
      A. Why Privacy Should Survive the Disconnect with Traditional Decisional Analysis: "We're Not in Kansas Anymore"
      B. Consumers' Contradictory Behavior: An Explanation
          1. Dissociative appeal dilutes apprehension
          2. Social mandate contributes to an illusion of indifference
  IV. THE NEW TEST APPLIED: PERSONAL DATA OF SMART DEVICES AND DNA TESTING
      C. Smart Technology: Wearable and Voice-Activated
          1. IoT devices necessitate a third party, but not necessarily consumer awareness
          2. IoT devices lack meaningful ability to opt out
      D. Private DNA and Genetic Testing Companies
          1. Private DNA testing services necessitate a third party, but not necessarily consumer awareness
          2. Testing services lack meaningful ability to opt out
  V. CONCLUSION

  I. INTRODUCTION

    On June 22, 2018, the Supreme Court held that the Government will generally need a warrant to access historical cell-site location information ("CSLI"). (7) In arriving at its decision, Carpenter held that CSLI was not subject to the "third-party doctrine"--the general rule that an individual lacks a reasonable expectation of privacy in information he or she has voluntarily disclosed to a third party, and that "the Government is typically free to obtain such information from [the third party] without triggering Fourth Amendment protections." (8) Ostensibly, Carpenter is only about CSLI, and the language of the Court's decision is careful to limit its application. (9) However, the constant forward march of technology leads one to wonder, what privacy issue awaits around the next corner? What technological innovation will pose yet another Fourth Amendment challenge? Our cell phones commonly have health apps that monitor our activity, sleep, mindfulness, and nutrition. (10) "Smart" devices, with the ability to connect and interface with a network, (11) include light bulbs, refrigerators, even a smart mattress cover that starts your Bluetooth or WiFi-enabled coffee maker when you wake up in the morning. (12) Private genomic testing, too, with intimate genealogical and genetic health information sent to third-party laboratories, medical researchers, and even sold to pharmaceutical companies for profit, has seen tremendous recent growth.

    IoT devices and private DNA testing seem vastly different from each other and from cell phones, yet both are increasingly popular consumer technologies whose functioning, by design, necessitates a third party. Like CSLI, the data sent to third parties by smart devices and DNA requires no voluntary act, let alone an act of affirmative sharing. This lack of voluntariness was a significant part of the Carpenter Court's basis for holding that the cell phone owner has an expectation of privacy in CSLI, despite the fact that the data is owned by a third party. Thus, notwithstanding its limiting language, Carpenter opens the door to a slew of questions about consumers' privacy expectations in multitudes of other burgeoning technologies that, like cell phones and the location data they produce, also necessitate a third party.

    This Article, therefore, proposes extending the third-party doctrine in Carpenter's wake to reflect the realities of the digital age, both to protect privacy and provide some boundaries to the third-party doctrine. Given that third parties control consumer data, a meaningful test for whether an expectation of privacy remains or has been forfeited must include two inquiries: first, whether the consumer understands that the technology's very design necessitates a third party; and second, whether the consumer has a meaningful opportunity to opt out of sharing data with that third party. This Article examines smart devices and private genomic testing services as examples of technologies in which private data necessarily is shared with third parties, illustrates their inability to pass these two inquiries, and affirms the consumer's expectation of privacy in the absence of any voluntary act under such circumstances.

    Part II of this Article first describes the Fourth Amendment expectation of privacy and the traditional tension between the property and privacy analytical approaches. Section II.B then deconstructs Carpenter's reasoning for finding a privacy interest in CSLI. Section II.C proposes a new extension of the third-party doctrine that rejects the first part of the Court's test (pervasiveness) and urges instead that the second part of the test is pivotal: the absence of an affirmative act of sharing. Given the absence of an affirmative act of sharing with a third party, two inquiries should follow: first, whether the consumer understood that the technology necessitated a third party; second, whether a meaningful opportunity to opt out existed. This extended two-part test maintains focus on the decisionmaker, yet recognizes that the landscape upon which the doctrine is predicated has become altered in the digital era. By operating retrospectively, the new test provides a principled framework to encompass technologies beyond Carpenter's cell phones and the CSLI they produce.

    Part III offers normative explanations for why digital data is a square peg in the round hole of the third-party doctrine. Section III.A discusses why privacy in the digital era should nonetheless survive the disconnect with traditional decisional analysis, and why both the majority and dissenting opinions of Carpenter are incomplete. Section III.B then offers explanations for consumers' seemingly contradictory behavior as to privacy concerns that are, nonetheless, consistent with a privacy expectation.

    Part IV applies the newly extended third-party doctrine test to two examples of increasingly popular technologies: IoT devices and DNA testing. Both technologies, by design, necessitate a third party and even create opportunities for secondary third parties. Moreover, even if the consumer is aware that personal data will be shared with a third party, no meaningful opportunities are available to opt out of the arrangement, since the choice presented is either use with these conditions or no use at all.

    Part V concludes with some thoughts about the urgent need for the Court to extend the third-party doctrine for the growing assembly of technologies whose designs necessitate a third party, if the expectation of privacy is to have any continued resonance.


    1. The Fourth Amendment: Property or Privacy? (13)

      The Fourth Amendment protects the "right of the people to be secure in their persons, houses, papers and effects" and mandates that a search or seizure conducted by a government agent must be "reasonable." (14) Although no general constitutional right to privacy exists, and it is not expressly written into the amendment's language, (15) Fourth Amendment jurisprudence encompasses an expectation of privacy. (16) The Fourth Amendment originally "was understood to embody a particular concern for government trespass," (17) but, since Katz v. United States was decided in 1967, has also been held to implicate a reasonable expectation of privacy. (18) To invoke Fourth Amendment protection against unreasonable or warrantless searches based on a "Katz invasion of privacy," (19) the area searched must be one in which there is a "constitutionally protected reasonable expectation of privacy." (20) This consists of both a subjective and objective requirement: "first[,] that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as 'reasonable.'" (21) Once a reasonable expectation of privacy has been established, the burden is on the government to justify a warrantless search. (22) "[T]he Constitution requires 'that the deliberate, impartial judgment of a judicial officer ... be interposed between the citizen and the police.'" (23) A warrantless search is per se unreasonable, "subject only to a few specifically established and well-delineated exceptions." (24) Under the exceptions, certain types of searches and seizures are per se valid even in the absence of probable cause or a warrant. (25)

      Against this backdrop, a tension has developed between two different approaches to Fourth Amendment privacy issues, with one approach invoking theories of physical trespass, and another emphasizing privacy rights of a more intangible nature. (26)

      For example, in the 2012 case United States v. Jones, the Supreme Court held that a Global Positioning System (GPS) attached to the undercarriage of a vehicle to track its movements constituted a search. (27) In his majority opinion, Justice Scalia reasoned that attaching the tracking device to the vehicle was a physical trespass, and said the Court did not need to address whether the defendant had a reasonable expectation of privacy, since that test added to, but did not substitute for, the common law trespassory test. (28) The end result, nonetheless, is that a warrant is now required if the government wants to attach a GPS to an individual's vehicle.

      In contrast to Jones, which viewed the privacy issue as secondary to the property rationale, Riley v. California focused on the immense privacy implications of warrantless cell phone searches. (29) In holding that a warrant is required to search a cell phone, even in a search incident to arrest, Chief Justice Roberts explained, "Cell phones differ in both a quantitative and a qualitative sense from other objects that might...
