THE THIRD-PARTY DOCTRINE AND THE FUTURE OF THE CLOUD.

• Author: Richards, Neil
• Position: Washington University School of Law 150th Anniversary Commemorative Issue

ABSTRACT

When the government seeks electronic documents held in the cloud, what legal standard should apply? This simple question raises fundamental questions about the future of our civil liberties in the digital world. In a series of cases, government lawyers have argued that information shared with digital intermediaries--including emails and cloud-stored documents--can be seized without a warrant. Their argument rests upon a controversial Fourth Amendment principle known as the "Third-Party Doctrine," which maintains that information shared even with trusted "third parties" loses a reasonable expectation of privacy under the Fourth Amendment, and with it, the protection of the warrant requirement. Criminal defendants and civil libertarians have argued the opposite, and as the issue has not reached the Supreme Court, the two sides have fought to a messy standstill. This article puts the debate over the Third-Party Doctrine in historical, jurisprudential, and technological context, and offers a normative and civil-liberties-protective way forward for Fourth Amendment law in the age of the cloud. My claim is not only that we must reconsider the way we think about the Third-Party Doctrine, but that this shift in thinking will have important ramifications for the ways in which we think about technology and law (particularly constitutional law) more generally.

This argument proceeds in three steps. Part One develops a concept I call the "the lag problem" of the Fourth Amendment. Offering a bird's-eye historical view of the Fourth Amendment's relationship with new technologies, I show how the Fourth Amendment has been a bulwark of civil liberties against ever-encroaching state surveillance, but that our legal understandings of Fourth Amendment privacy have always lagged somewhat behind our advancing technologies. Part Two focuses on the Third-Party Doctrine in particular, and makes two claims. The descriptive claim is that when its origins and assumptions are looked at more closely, the Third-Party Doctrine is really much smaller and more limited than most observers have assumed. The second normative claim is that the best way to understand the Third-Party Doctrine in the context of new technologies is in the limited, exceptional way in which it was adopted, rather than as a general rule that would swallow the essential principle that the Fourth Amendment guarantees a general protection of privacy for people against their government. Part Three argues that when we put the Third-Party Doctrine in its proper place as a limited exception rather than one that would swallow the rule of privacy, we need a new set of legal principles to govern Fourth Amendment privacy in the cloud.

I offer four such principles. First, I argue that the broad view of the Third-Party Doctrine is manifestly unsuited to the protection of our digital civil liberties. Second, I compare my approach to Orin Kerr's "Equilibrium- Adjustment Theory" of the Fourth Amendment, and contend that in contrast to Kerr's approach, when it comes to the question of closing lags in the civil liberties context, we should focus on those questions of civil liberties rather than on questions of state access to data. Third, I explain that the process of interpretation of the Fourth Amendment is inescapably normative, and I argue that principles of intellectual privacy offer a useful guide to the normative project of translating Fourth Amendment values in a way that closes the technological lag. Fourth, I explain that no matter how we interpret the Fourth Amendment, any approach to the protection of digital civil liberties will need to account for the important role that intermediaries play in the practices of data processing and protection. In a digital world, trusted intermediaries are very different from merely being "third parties," and whichever path our law takes, it must take this fact into account.

There are, of course, multiple paths that Fourth Amendment law could take in the future to grapple with these problems. My purpose is not so much to call for a particular solution as to highlight the considerations I believe should apply as we translate the Fourth Amendment's text into workable doctrine for the cloud age in a way that is practical but also protects the traditions and normative commitments of our hard-won civil liberties.

Table of Contents Introduction I. The Fourth Amendment Lag Problem A. Origins & Methods B. The Mails C. The Telegraph D. Telephones E. Data II. Our Tiny Third-Party Doctrine A. Origins of the Doctrine B. Miller and Smith C. The Roberts Court's Third-Party Doctrine III. Privacy in the Cloud A. Third-Party Doctrine Balance B. Lags and Equilibria C. Fourth Amendment Normativity D. Intermediaries and the Future of Civil Liberties Conclusion INTRODUCTION

When the government seeks electronic documents held in the cloud, (1) what legal standard should apply? This simple question masks a surprising complexity. It also raises fundamental questions about the future of our civil liberties in the digital world. In a series of cases, government lawyers have argued that information shared with digital intermediaries--including emails and cloud-stored documents--can be seized without a warrant. Their argument rests upon a controversial Fourth Amendment principle known as the "Third-Party Doctrine," which maintains that information shared even with trusted "third parties" loses a reasonable expectation of privacy under the Fourth Amendment, and with it, the protection of the warrant requirement. Criminal defendants and civil libertarians have argued the opposite, and as the issue has not reached the Supreme Court, the two sides have fought to a messy standstill.

Yet issues of digital civil liberties and intermediaries refuse to stop coming. Beyond the high-profile case of smartphone security that pitted Apple Computer against the FBI over the contents of the San Bernardino Shooter's iPhone, (2) Microsoft is engaged in two separate lawsuits with the U.S. government over whether warrants issued by United States courts apply to electronic communications stored in other countries, (3) and the First and Fourth Amendment standards that should govern government orders that seek to secretly obtain the contents of its customers' emails stored in the cloud. (4)

At stake in these and other disputes is not only the privacy of users of electronic platforms, but the future of the cloud itself. As more of our lives are lived with the assistance and mediation of digital platforms, litigation testing the privacy of stored documents will in a very real sense determine the privacy of our digital society as a whole, and the extent to which we can trust the intermediaries that enable our participation in that society. (5) Cloud privacy thus implicates not only our newest technologies, but some of our most ancient and cherished civil liberties. Given the enormity of this question, courts resolving questions of cloud privacy must consider both the technological and constitutional contexts in which cloud providers are operating. While scholars have almost universally condemned the Third-Party Doctrine in the digital context, (6) courts remain confused about what legal regime should replace it. In this respect, the issue presents a thorny problem of line-drawing: a broad view of the Third-Party Doctrine might woefully underprotect civil liberties, but at least it has the perceived virtues of clarity and allowing law enforcement to obtain incriminating evidence.

This article puts the debate over the Third-Party Doctrine in historical, jurisprudential, and technological context, and offers a normative and civil- liberties-protective way forward for Fourth Amendment law in the age of the cloud. My claim is not only that we must reconsider the way we think about the Third-Party Doctrine, but that this shift in thinking will have important ramifications for the ways in which we think about technology and law (particularly constitutional law) more generally. This argument proceeds in three steps. Part One develops a concept I call the "the lag problem" of the Fourth Amendment. I offer a bird's-eye view of the Fourth Amendment's relationship with new technologies from its inception, and show not only that the Fourth Amendment has been a bulwark of civil liberties against ever-encroaching state surveillance, but that our legal understandings of Fourth Amendment privacy have always lagged somewhat behind our advancing technologies, from postal mail to the telegraph, and from telephones to the Internet. I argue not only that this is a common pattern from which we can learn, but that a certain kind of moderation in the development of legal doctrine can sometimes be a good thing, at least as long as the law catches up eventually rather than remaining ossified by the technological and social assumptions of the past. I conclude by suggesting that we are in the midst of another lag with respect to the constitutional protection afforded cloud data, and note that the development of the law is at an important crossroads, with broad readings of the Third-Party Doctrine threatening to substantially diminish the Fourth Amendment.

Part Two focuses on the Third-Party Doctrine in particular, and makes two claims. The first is a descriptive observation: when its origins and assumptions are looked at more closely, the Third-Party Doctrine is really much smaller and more limited than most observers have assumed. The second claim is normative. Applying the insights of the lag problem to the Third-Party Doctrine, I argue that the best way to understand the Third-Party Doctrine in the context of new technologies is in the limited, exceptional way in which it was adopted, rather than as a general rule that would swallow the essential principle that the Fourth Amendment guarantees a general protection of privacy for people against their government.

Part Three argues that when we put...