An extra I did earlier this week, after Tom Hall sent me the video of a press conference by Attorney General Barr and FBI Director Wray, “arguing” for a legislative ban on Apple iPhone encryption technology. Watch the conference along with me, and let me know if you think their argument is any good. (Spoiler: I did not.)
Late yesterday, Judge Timothy J. Kelly of the United States District Court, D.C., issued a memorandum opinion in United States v. Facebook, granting the consent motion before him, and thereby giving legal effect to a settlement order proposed by the parties.
Those of you who have followed me or CLP know that we filed an amicus brief last October, objecting to the proposed settlement on the grounds that the order appears, in a few places, to grant the FTC and DOJ warrantless access to Facebook user data, and that this is unjustified both under the existing legal precedent (Carpenter v. United States), and according to proper legal principles governing data shared for a limited purpose in a business context.
Fast-forward to today, in the midst of the coronavirus crisis, and we see Kelly entering his memorandum opinion, upholding the proposed settlement order and, in doing so, ignoring entirely the Fourth Amendment concerns raised in the settlement order.
You can read the entire opinion for yourself, but in essence, Kelly says he is dissatisfied with the proposed settlement–but not because of the Fourth Amendment implications, not because the order appears to grant the government warrantless access to Facebook user data. Instead he expresses sympathy for EPIC’s and other amici’s position that, given the current state of the law, big bad Facebook gets off too easy. The answer, he implies? Government regulation:
“In the Court’s view, the unscrupulous way in which the United States alleges Facebook violated both the law and the administrative order is stunning. And these allegations, and the briefs of some amici, call into question the adequacy of laws governing how technology companies that collect and monetize Americans’ personal information must treat that information. But those concerns are largely for Congress; they are not relevant here. Mindful of its proper role, and especially considering the deference to which the Executive’s enforcement discretion is entitled, the Court will grant the consent motion and enter the order as proposed.”
Memorandum Opinion, pp. 1-2
CLP has never taken a position with respect to Facebook’s alleged misconduct. Our concern in this case is to ensure that, as a supposed remedy for Facebook misconduct, we are not given Big Brother! And yet that is exactly what the now-effective settlement order has gone a long way toward creating–not only because of possible government access to vast troves of personal data, but also because the order requires Facebook relinquish substantial supervisory authority and control over its company to government-approved board members and auditors. In other words, the order goes a long way toward uniting Facebook and Government, which pretty much tops the list of Orwellian worst nightmares.
In the opinion, Kelly recounts the allegations against Facebook, both before the previous 2012 settlement order–which I warned about on my podcast at the time, BTW–and since. He describes the terms of the stipulated order: what Facebook is required to do, what it receives in return, how long the order will be in effect (at least 20 years). He then quotes the highly deferential standard contained in the relevant legal precedent, finding “that the Stipulated Order passes muster….that the parties consented to the order, and that it is fair, reasonable, and in the public interest.” (p. 8)
In finding the order to be “reasonable” given the allegations against Facebook and what the order requires of Facebook as a remedy, Kelly makes a single glancing mention of the information to be shared with the government pursuant to the order. And it appears to be a wholly favorable one. On page 12 of his opinion he notes, “the order will empower both the Department of Justice and the FTC to demand extensive information from Facebook to evaluate its compliance for themselves.” Might that “extensive information” include Facebook user data? After all, it is the handling of that very data that the DOJ and the FTC will be “evaluating” for the next 20 years, at least, yes? Judge Kelly doesn’t say. And in analyzing whether the order is in the “public interest,” Kelly makes no mention of any concerns about government access to Facebook user data, only concerns as to whether Facebook is being unfairly absolved of liability.
In his conclusion, Kelly notes that the Court “retains jurisdiction over this matter, including to enforce its terms.” (p. 16) One might reasonably hope that Kelly will keep his eye on government conduct under the terms of the order, as well? But recall that the order specifies that the FTC and DOJ can request extensive data “without further leave of court.” And when Kelly, in his opinion, contemplates the parties returning to court, it is “because the United States alleges–once again–that Facebook has reneged on its promises and continued to violate the law or the terms of the amended administrative order.” (p. 16) He does not seem to anticipate supervising the FTC and DOJ in their “demand[ing] extensive information from Facebook” in order to ensure that such demands are consistent with Facebook users’ Fourth Amendment rights.
What are CLP’s next steps, and what can you do to help? First, you can help us spread the word that this order–in which the FTC and DOJ will potentially have warrantless access to Facebook user data for the next 20 years (at least!)–is now in effect. Please share this post! Facebook users may want to delete much or all of their data, or adjust their use of Facebook, according to their personal preferences and hierarchy of values. Moreover, Facebook should be held accountable for consenting to this order, instead of fighting it on behalf of its users’ privacy.
As to the next legal steps that might be taken, make sure to subscribe to this blog so you can be notified of CLP’s activities. Soon I will consult with allies in the limited-government, public interest litigation space. (CLP is, to my knowledge, the ONLY limited-government, public-interest litigation organization focused on privacy.) And, if you can afford to support our efforts financially, please contribute whatever you can to our efforts.
I’ve recently started getting inquiries about how to set up regular monthly donations to CLP. If you are interested in doing this–and I explained why you should be, especially at this time, on yesterday’s show (below)–here’s an easy way to do so:
Those of you who have been following CLP’s involvement in United States v. Facebook know that, in our amicus brief submitted in October, I argued that the proposed settlement between the Federal Trade Commission and Facebook appeared to grant warrantless access to Facebook user data to both the FTC and the Department of Justice and, quoting the language of the settlement, that it did so “without further leave of court.” (CLP Amicus at 8)
Then, in December, Judge Timothy J. Kelley took the (I am told) unusual step of ordering both parties to respond to all the arguments presented by amici. Well, the responses came in last Friday, and the responses to CLP’s arguments were revealing. The government and Facebook apparently have conflicting views about what happens to your privacy under the terms of the proposed settlement order.
Facebook, for its part, spent only two short paragraphs responding to CLP. In its view, CLP’s concerns were unfounded because, first, “Any requests by the DOJ and FTC for user records or communications under the Stipulated Order would still be governed by the Stored Communications Act (the ‘SCA’).” (Facebook Response at 16) and, second, “Facebook does not need to produce personally identifiable information to satisfy the requirements of the Order.” (Id.) (Read Facebook’s entire response brief.)
Both the terms of the settlement order and the government’s response brief seem to contradict Facebook’s first contention. Again, note that the proposed settlement order specifies that the FTC (and the DOJ, which is given the power to stand in the shoes of the FTC for purposes of enforcement) is permitted to request more information from Facebook, “without further leave of court.” (Stipulated order at 28) The SCA, by contrast, even for “communications” stored over a longer period of time, requires at least some “leave of court,” even if only that required for a subpoena. (For those communications stored for a shorter period of time, the SCA requires a warrant.)
The government’s longer response to CLP, by contrast, makes no reference to the SCA or anything else that might prevent it from seeking warrantless access to Facebook user data. In fact, the brief unapologetically claims the right to access such data. After misconstruing CLP’s argument with respect to the applicable law (we argued that even the majority holding in Carpenter calls into question the status of Facebook user data under the Fourth Amendment), the government cites a 2018 D.C. Circuit case holding “that Facebook users lack a ‘reasonable expectation of privacy’ in the Facebook content they voluntarily post on Facebook.” (Government Response at 14) The government also tries to assure us that the “recordkeeping provisions” are not “some sort of Trojan horse through which the government intends to acquire and use Facebook user data for undisclosed purposes,” but are “familiar part of agency enforcement actions and are intended to ensure ongoing compliance with the order.” (Id.) One can’t help but be reminded of the NSA “intending” to monitor foreigners, and yet collecting conversations of innocent Americans.
Further, the government asserts, “there is nothing in the Amended FTC Order that requires Facebook to provide any information about any specific user to the government.” (Id. at 14-15) No, of course not, and CLP never argued this. What we argued is that the Order seems to permit this, especially when it allows the government to demand “other requested information”–quite a broad catch-all, “without further leave of court.” (See CLP Amicus at 8, citing Stipulated Order at 28)
And with respect to personally identifiable data (such as your telephone number), whereas Facebook seems to think it can comply with the Order without turning such data over to the government (see above), the government, citing Smith v. Maryland, proudly asserts the legality of requesting and obtaining warrantless access to it: “a Facebook user’s telephone number is not protected by the Fourth Amendment.” (Government Response at 15) Note that it’s unclear whether the holding in Smith v. Maryland is even applicable to a situation in which someone provides his phone number to a service provider other than the telephone company. More importantly, CLP argues that the Supreme Court’s 2018 holding in Carpenter v. United States–yes, even the majority opinion–calls into question the original holding in Smith!
Most troubling, perhaps, is what the government says in the second-to-last paragraph of its response to CLP:
[E]ven if the Amended FTC Order could incorrectly be read to require production of Fourth Amendment-protected information, the Supreme Court and the D.C. Circuit have for nearly three-quarters of a century repeatedly rejected Fourth Amendment challenges to agency orders requiring document productions–as long as the agency’s requests are reasonable and related to the agency’s investigatory and enforcement powers.
Government Response at 15, emphasis added
So there you have it: the government contends that it is entitled to obtain whatever Facebook user data it wants, so long as the request for such data is “reasonable and related” to its investigation of and enforcement against Facebook with respect to Facebook’s privacy practices. How often is any government request for any sort of data not held to be “reasonable and related” to some power of our ever-expanding government? As I wrote in our amicus brief, if George Orwell were to be reading this today, he’d think he was reading The Onion.
(The government goes on to criticize CLP for not citing this standard, but CLP’s position was made clear in our brief: if the goal is to protect users from Facebook’s bad practices with respect to user privacy, the answer is not to further encroach on user privacy by making their data accessible, without a warrant, to the FTC and the DOJ! The standard quoted by the government, above, does not reference investigation of and enforcement against Facebook users, only against Facebook itself.)
While the Government and Facebook seem to have very different ideas about what happens to your privacy under the terms of the proposed settlement, both agree that Judge Kelley should “enter the Proposed Stipulated Order without delay” (Government Response at 16). CLP urges Judge Kelley to continue to take seriously his duty to ensure the Proposed Order’s “consistency with the public interest.” Until a Constitutional amendment such as the one currently being considered in New Hampshire becomes effective nationally, only judges can further clarify the scope of the “third-party doctrine” post-Carpenter and thereby protect our rights (and interests). The government should not be handed warrantless access to Facebook data, simply because of Facebook’s alleged misconduct.
Yesterday I had the opportunity to testify before the New Hampshire House Judiciary Committee in favor of CACR15, a proposed constitutional amendment I wrote along with Rep. Josh Yokela. The amendment would restore crucial Constitutional protections for individuals while, at the same time, preserving government’s ability to engage in legitimate criminal investigations. It does this by precisely restricting the scope of the “third-party doctrine” to that it originally enjoyed: government obtaining information shared as part of a criminal scheme. Under CACR15, information shared, for a limited purpose, as part of a legally enforceable contract, would once again enjoy the protection of a warrant requirement.
Watch my full testimony (about 20 minutes) below. Thank you to Rep. Josh Yokela for having the vision to propose this amendment, and for inviting me out to discuss it. Many people care about privacy, but think nothing can be done about it. We’re trying to change that.
A couple irons I’ve had in the fire for some time are heating up this month. First, on January 22 I will be speaking before the New Hampshire House Judiciary Committee in support of a proposed Constitutional amendment that I drafted with Representative Josh Yokela.
You can read the full text here, but in essence the amendment would ensure that the warrant requirement–the requirement that law enforcement show probable cause and particularized suspicion before an impartial judge, in advance of a search or seizure–applies to data shared as part of a legally enforceable contract.
In so doing, the amendment implements, in concise language, my solution to the problem created by the U.S. Supreme Court’s unjustified expansion of the so-called “third-party doctrine.” Those of you who have followed my work are familiar with this doctrine and my critique of it, but for the benefit of those who are new to me or my work:
The third-party doctrine says: once an individual shares information with a “third party” (phone company, bank, social media platform, etc.), the warrant requirement no longer applies to that information. In other words, government need not obtain a warrant before obtaining the information from the third party. Why does the doctrine allow this? The primary rationale offered is that, once an individual shares information with a third party, he no longer retains a “reasonable expectation of privacy” in it. Even if you happen to think you’re sharing information for only a limited purpose, and you expect it to remain private otherwise, the Supreme Court decided, back in the 1970’s, that your expectation is not “reasonable.”
My critique: Contrary to what some Supreme Court justices wrote in Carpenter,this doctrine did not originate in the 1970’s. It grew out of a series of earlier cases called the “secret agent cases.” You can imagine Tony Soprano, in his basement, noisy appliances running to defeat any attempts at bugging, making plans with one of his colleagues/confidants to carry out criminal conspiracies. In those early cases the doctrine provided that, were the colleague/confidant later to rat on Soprano, this would not constitute a search for purposes of the Fourth Amendment. No warrant was required.
This is the sort of context in which the doctrine was applied for decades, until the 1970’s, when the Supreme Court transported it into an ordinary–i.e., non-criminal–business context. Suddenly, with little explanation, the doctrine was held to apply not only to the information shared by the Tony Sopranos of the world, but also to you and me when we share information daily, simply to obtain the goods and services that enrich our lives.
These holdings from the 1970’s were, in my view, unjustified. To see why, we need only apply common law doctrine explaining the difference between the lack of “reasonable expectation of privacy” that naturally exists in the criminal context, and the reasonable, legitimate expectation that you and I retain when we share information with a third party for a limited purpose. That distinction lies in the sort of agreement that exists in each context, and the enforceability of that agreement at common law. In the Tony Soprano scenario, he and his colleague are engaged in an illegal contract, a contract the primary purpose of which is to achieve an illegal (rights-violating) end. Such contracts are unenforceable at common law–including any provisions of such contracts requiring secrecy. In other words, in the secret agent cases, there was no legally enforceable agreement in place protecting the privacy of the information.
The same is not true, however, in the ordinary business context. When you and I make agreements with banks, telephone service providers, internet service providers, retailers, etc., etc., the agreements often, if not always, include promises to use the information collected for only limited purposes. And because these are overall valid, enforceable contracts, provisions like these should be enforced. Consequently, any expectation of privacy we do retain when engaging in such contracts should be deemed “reasonable.” In other words: government, if you want that information, get a warrant. Don’t treat us all like criminals.
Now that I have explained the distinction, let’s look at the text of the proposed amendment. It adds a mere 25 words to Article 19 of the New Hampshire Constitution, to include, among the things in which “[e]very subject hath a right to be secure from all unreasonable searches and seizures…information provided as a part of a legally enforceable contract that is to be used only for a limited purpose and otherwise kept confidential.”
The amendment, if adopted, would literally legalize privacy in the state of New Hampshire, by making it possible for citizens of New Hampshire to make valid, enforceable contracts in which they share information for a limited purpose, and thereby retaining the most privacy possible while obtaining the various goods and services that enrich their lives.
I thank representative Josh Yokela for having the vision to propose this, and for allowing me the opportunity to explain and promote the amendment to the committee. I’m looking forward to it!
Just two days after that hearing, on January 24, a round of briefs are due in United States v. Facebook. In that case, Judge Timothy J. Kelly has ordered both Facebook and the Government to respond “to all the arguments presented by all amici curiae.” That includes the arguments presented by CLP in its brief back in October.
I’m excited about the progress that we’ve made over the last several months! If you want CLP to continue to Legalize Privacy in 2020, donate here. We simply cannot continue to do it without your support. Thank you!
Law360, a legal news site for professionals, published an article about three amicus briefs filed in United States v. Facebook. CLP’s brief was featured in the headline, “$5B Facebook Deal Lets Gov’t Grab User Data, Court Told.” A second amicus brief was filed by “a coalition of four consumer advocacy groups,” and they, like EPIC, were concerned that the proposed settlement wasn’t hard enough on Facebook, “letting the social media giant off the hook for ‘innumerable practices’–including its handling of children’s and health data–that extend far beyond the allegations of the FTC’s action.” EPIC also filed a brief, but has not given up on its motion to intervene in the case.
CLP has not taken a position on Facebook’s alleged wrongdoing. Instead, we’ve argued in the brief that, regardless of any of that, an appropriate remedy does not consist in granting to the FTC and DOJ warrantless access to Facebook user data. If you haven’t yet read our brief yet, you can find it here.
Support for this work is very much appreciated. Donate here.
Should an individual lose the protection of our Fourth Amendment’s warrant requirement simply because he or she shares information, for a limited purpose, on Facebook?
Today the Center for the Legalization of Privacy filed its first amicus brief, in United States v. Facebook, currently pending before Federal District Court in the District of Columbia. The case concerns whether the Court should approve a settlement reached between Facebook and the Federal Trade Commission, embodied in this stipulated order.
In its brief, CLP argues that:
(1) The Stipulated Order, as written, can reasonably be interpreted to grant the FTC and the DOJ warrantless access to Facebook user data.
(2) The order, insofar as it does this, relies upon an unjustified assumption about the validity and scope of the so-called “third-party doctrine.”
(3) That assumption is particularly unjustified in light of Carpenter v. United States
From the brief’s conclusion:
CLP’s mission is to “legalize privacy” generally: to allow individuals, once again, to use the tools the Common Law put at their disposal to create and protect states of privacy for themselves, according to their own tastes and preferences. An individual should not lose the protection of our Fourth Amendment’s warrant requirement simply because he or she shares information, for a limited purpose, in order to enjoy any number of life-enhancing technologies now made available to us.
Full legalization of privacy will require, as argued above, that the third-party doctrine either be eliminated or narrowed to its original scope. CLP is aware that such a ruling by this Court would likely be overbroad given the narrow scope of the decision it’s been asked to make. CLP urges, at least, that any final order approved by this court specify that no identifiable Facebook user data be given to any government agent or agency—including the Commission, the Department of Justice, and anyone appointed at their pleasure (who are arguably de facto government agents)—without a warrant based on probable cause and particularized suspicion regarding that individual user. “Relevance” to the question of whether Facebook is or has been violating its contractual obligation to protect user privacy in a way that runs afoul of any number of FTC regulations, consent decrees, stipulated orders, etc., does not justify warrantless access to personal information about the individual citizens who are its customers. Not in a free country.
If you would like to read the entire brief, you can do so here. It’s not long as briefs go, and I think it’s quite readable. Let me know what you think in the comments, below.
Today the Center for the Legalization of Privacy was granted leave to file an amicus brief in United States v. Facebook. The Center will use its novel theory of the third-party doctrine to argue that it’s not a good idea, as a remedy for alleged misuse of data by Facebook, to grant warrantless access to that data to two government agencies for twenty years (maybe more).
You can read the motion below. If you’d like to donate to support this effort, there are currently three ways: