The Privacy of 'Things': How the Stored Communications Act Has Been Outsmarted by Smart Technology.

• Author: Crowell, Donald L.
• Position: Annual Symposium Issue

TABLE OF CONTENTS I. INTRODUCTION 213 II. FOURTH AMENDMENT JURISPRUDENCE RELATING TO DIGITAL COMMUNICATIONS 216 A. Katz v. United States Establishes the Foundation for Modern Privacy Expectations 216 B. Miller and Smith Evolve Katz into the "Third-Party Disclosure Doctrine" 217 C. Courts are Conflicted as to Whether a Reasonable Expectation of Privacy Exists in Electronic Communications 219 III. THE STORED COMMUNICATIONS ACT 221 A. Applicability of the Required Disclosure Section of the SCA is Broad as to the Entities and Records It Governs 222 IV. THE FOURTH AMENDMENT OFFERS PROTECTION FOR INFORMATION STORED IN THE CLOUD--FEDERAL LAW MUST REPRESENT THIS 224 A. Classifying Cloud Document Storage Services under the SCA 225 B. Classifying Mobile Applications Under the SCA 226 C. Classifying Security and Smart Home Services under the SCA 227 D. A General Analysis of Cloud Service Providers Under the Fourth Amendment Framework 228 V. A THREE-PRONGED SOLUTION TO ESTABLISH CLEAR CONSTITUTIONAL PROTECTIONS FOR INFORMATION STORED IN THE CLOUD 230 A. The Supreme Court Should Expand Riley v. California to Require Warrants for Any Government Access of User Data Held in the Cloud 230 B. Legislating to Replace or Amend the SCA 233 C. An Industry Effort to Promote Privacy Rights 234 VI. CONCLUSION 235 INTRODUCTION

Meet Barbara, a modern business professional who is one of three managing partners at a well-known investment firm. Working from home, she prepares for a meeting with a client by connecting to her firm's Cloud-based remote desktop application on Amazon's S3 platform. The application replicates her work computer's desktop and allows her to access all her files just the same as if she was at the office. At the same time, her firm enjoys the benefit of having all its documents maintained in a secure backup location. Barbara finishes reviewing her client's documents and gets into her car--a BMW 3 Series. She opens Google Maps on her iPhone to get directions to her client's office, and, meanwhile, her phone has automatically connected via Bluetooth to her car's infotainment system and has begun synchronizing her contacts list, emails, and text messages. As she pulls out of the driveway--just far enough to disconnect from her home Wi-Fi network--her Nest smart-home system notes that she has left. Immediately, the thermostat adjusts to save energy, and the camera system turns on its motion sensors.

Meanwhile, unbeknownst to Barbara, one of the other partners at her investment firm has just made some illegal investments based on inside information. The partner's trades automatically triggered alarms at the Securities and Exchange Commission ("SEC"), Enforcement Division, based on his position at the investment firm. The SEC does a routine investigation into the trades over the next 90 days, ultimately finding a high probability that Barbara's partner made trades using inside information. However, their investigation thus far has only produced enough to muster "reasonable suspicion" that a crime has been committed; further information would be necessary to meet the standard of "probable cause" required to issue a search warrant against Barbara and her firm. The enforcement team, through their counsel, learns of the ability to issue an administrative subpoena under the Stored Communications Act ("SCA"). While it does not allow them to request any digital content newer than 180 days without having probable cause, they are able to request content from service providers for content that has been in storage for 180 days or longer.

The enforcement team first issues a subpoena to the Cloud service provider for Barbara's firm, Amazon, requesting all the electronic documents held in storage by the provider that are older than 180 days. They also make two other requests under the statute: (1) that the firm not be notified of the subpoena request for a minimum of 90 days, and (2) that the provider preserve the entirety of the firm's electronic documents, also for a period of 90 days.

As the team reviews the documents, including sifting through client lists, business strategies, and emails between the firm and its attorney, among other things, it discovers two sets of emails that it finds particularly interesting, although unrelated to their initial investigation against Barbara's partner. The first is a conversation between Barbara and her attorney. The discussion included questions about what constituted insider trading, and whether Barbara could be liable for trading on information that she receives from a client. The second email is a message that Barbara had forwarded herself from her personal e-mail. While the substance of the second e-mail is irrelevant, the team now had the domain of Barbara's personal email account.

The investigators issue a subpoena to Barbara's personal email provider, Google, identical to the one sent to Amazon. What they receive from Google in return is far more than just her e-mail communications. Because of Google's multifaceted list of services, they receive her e-mails, GPS navigation history, web search history, photographs, and personal documents in her Google Drive storage. Her navigation history shows the specific dates and times she navigated to her client's office, in addition to regular visits to a nearby mosque, the local Democratic National Committee offices, her psychiatrist, a hotel, and an abortion clinic. Her photograph backups included those with family, friends, and on vacation trips, but also deeply private, fully-nude photos of Barbara. Similarly, her Google Drive records contained seemingly harmless collections of internet pages and random web-musings, but among them was a collection of scanned purchase receipts, tax records, private contracts, and her personal diary.

The investigation team thoroughly reviewed all the documents before issuing a final administrative subpoena to Barbara's smart-home system provider, Nest. The electronic records they received from Nest included a history of every single time, to the second, when Barbara either left or arrived home. More importantly, provided to the SEC were video recordings of Barbara's home beginning from when the system was installed 6 years ago, essentially capturing every person that has ever been inside her home, and all activities that have taken place inside of it.

They continued reviewing Barbara's personal electronic records until just before the 90-day delay notice and preservation request expired, after which they issued a 90-day extension for both requests, as allowed by the statute. A few days later, just after the 181-day mark since the start of their investigation, the SEC re-issues subpoenas to each of the original providers, this time capturing all electronic records leading to the incident. Reviewing the new navigation history production from Google Maps, as well as the calendar records stored in Amazon's Cloud, they see that Barbara had a meeting with her client on the day of the incident. Audio and video security camera footage from the night before the incident revealed that a client of Barbara's had been over at her home for dinner, during which highly confidential information was discussed regarding her client's expected product release. None of this information was enough to bring formal charges against Barbara, although her partner was ultimately prosecuted. However, Barbara's very intimate and confidential information was now in the public's hand because of her tangential relationship to someone under investigation.

This illustration with Barbara is just one very possible example of the shortcomings that digital privacy law faces under an outdated Stored Communications Act ("SCA"). This Note argues a three-pronged solution to resolvetheseshortcomingsthroughacase-studyanalysisofdifferent technologies: (1) extending a broader application of Riley v. California, (1) (2) legislative amendments to the SCA, (2) and (3) private-sector data encryption advancements. Part II will consider the current jurisprudence of privacy in electronic records and communications by first exploring the foundational elements of modern privacy law, before diving into the more field-specific cases and circuit splits relating to expectations of privacy in digital information. Part III will look at the Electronic Communications Privacy Act ("ECPA") and SCA, examining both their legislative history and amendments, as well as the contradictions and flaws that are revealed when considering their applicability to modern Cloud-based technologies. Part IV will analyze three different Cloud technologies, specifically ones that have the capability of holding the most confidential information of individuals, and demonstrate how the use of administrative subpoenas under the SCA, as well as the delay and preservation notice provisions, directly violate Fourth Amendment protections and are in conflict with prior court rulings that have prohibited the same type of information gathering by other means.

Part V will lay out the three-pronged federal solution to establish new standards for businesses and the government to follow. The first prong will argue why it is necessary to extend the Riley Court's decision (finding constitutional protections in information stored in the Cloud) (3) to situations beyond arrests. The second prong will propose an amendment or replacement to the ECPA and SCA that limits the ability of law enforcement to perform warrantless searches of individuals who are not under investigation, as well as eliminating the time restriction requirements of the acts. Further, the proposed amendments enable National Telecommunications & Information Administration ("NTIA") to regulate electronic communications service providers ("ECSPs") and remote computing service providers ("RCSPs"). This will include a more technical determination of their definitions, as well as requiring those categories of providers to register with...