Better AI Starts with Better Privacy
Protecting personal data in the digital age
I have recently written about “The Right to Privacy in the Digital Age” and how privacy remains a moral imperative in our data-driven economy. The United States’ current legal doctrine establishes a limited expectation of privacy for most Internet content and, therefore, the discussion centered around the importance of Digital Literacy and other mitigations. There is an opportunity and need to revisit the interpretation of the Fourth Amendment and extend its protection against unreasonable searches and seizures to protect privacy in our digital age. Underlying the debate about Ethical and Responsible Artificial Intelligence there is still an open question about data privacy in the United States.
Technological advancements such as the change from circuit-based communication networks to the Internet, the pervasive adoption of smartphones, and the increasing amount of data stored in the cloud are driving this need. Today’s communications, based on the Internet Protocol with phones acting as gateways to Internet-based services, require a broader interpretation of the law extending the concept of a reasonable expectation of privacy beyond the traditional wire-tapping scenario last evaluated by the Supreme Court. Furthermore, the Third-Party Doctrine, which pertains to information shared with third-party service providers through phones, must be reinterpreted to ensure it aligns with contemporary expectations of privacy in a world where we are surrounded by Internet of Things devices constantly capturing data (did anyone say Alexa?).
In 1967 the United States Supreme Court, in its Katz decision, introduced the concept of reasonable expectation of privacy indicating that listening to phone conversations represents a violation of privacy and, therefore, requires a warrant issued by a judge with the assumption of probable cause. This Supreme Court opinion made what was law into a constitutional right based on the Fourth Amendment. Before that the 1934 Federal Communications Act had created a statutory right for privacy revising the 1928 Olmstead decision which permitted wiretapping without a warrant. These court and legislative decisions were informed by the prevailing communications technology of the time, including circuit-based networks.
Unlike circuit-based networks which establish a dedicated end-to-end connection, today’s Internet Protocol is packet-based. The information being transmitted over the network is broken into smaller chunks (the packets) that include routing information (the source and destination of the packet). These packets are transmitted from computer to computer using specialized intermediaries called routers. The network transmits the content of different message streams over the same infrastructure and the concept of the dedicated circuit no longer exists. Packets travel through different routes in an adaptive process which, together with the ability to retry and resend after failed attempts, makes the Internet fault tolerant. The packets are then reassembled at the destination. Given this construct, observation of what goes on inside the network is difficult and fundamentally different than installing a tap on a dedicated circuit. The decision on where to tap moves to the point of connection into the network or to the end-point devices. Given the role that current phones have as gateways to a plethora of internet services, surveillance at the endpoint becomes extremely invasive.
More recently, in 2018, the Supreme Court Carpenter decision recognized the role of contemporary consumer communications devices (cell phones) as an integral part of modern life generating a wealth of sensitive information about their users. The decision expanded the court’s view of constitutional privacy rights to include protections for cell site location information. Those can now only be obtained by law enforcement via a warrant. However, the Court emphasized that the Carpenter ruling was narrowly restricted to the precise types of information and search procedures that were relevant to Carpenter's complaint and more work needs to be done to address other types of digital data.
The Carpenter decision has implications for other types of digital data as well. For example, courts are now evaluating whether individuals have a reasonable expectation of privacy in their internet search history, social media activity, and other forms of digital communication. The Supreme Court has not yet ruled on these issues, but lower courts have begun to apply the Carpenter decision to other types of digital data.
Before Carpenter, the Supreme Court consistently held that a person had no reasonable expectation of privacy regarding information voluntarily turned over to third parties such as telephone companies, and therefore a search warrant is not required when government officials seek this information. This legal theory is known as the third-party doctrine. It is also due for re-examination, as it is no longer appropriate given the vast amounts of personal data that are now stored on third-party servers. This doctrine has been challenged by the rise of cloud computing and other technologies that store vast amounts of personal data on third-party servers.
In summary, the Fourth Amendment’s protection against unreasonable searches and seizures must be re-evaluated taking into consideration the technological advancements discussed above. The Carpenter decision is an important step forward in protecting individuals’ privacy rights in the digital age. Still, more work needs to be done to address other types of digital data and revise the third-party doctrine considering the vast amounts of personal data now in the hands of third parties.