Last year, I wrote a blog about the Supreme Court’s decision in Carpenter v. United States. In what might be considered a strained analysis, the Supreme Court ruled that an individual maintains a legitimate expectation of privacy in the records of his/her physical movements as captured through cell-site location information (CSLI). CSLI is how wireless companies can track your smart phone location.
To recap the analysis, the Fourth Amendment protects “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” The Supreme Court previously ruled that a person has no legitimate expectation of privacy in information that is voluntarily turned over to third parties. Because of the third-party principle, the government is typically free to obtain the information you voluntarily provide to companies, such as banks, retail companies, websites, etc.
In Carpenter, the Supreme Court held that the government needs a warrant before obtaining CSLI information because an individual maintains a legitimate expectation of privacy in the record of his physical movements, even though it is kept by a third-party (e.g., wireless companies).
Why... because mobile phones contain very sensitive information about our personal thoughts, motivations, and secrets that people would reasonably expect to be kept private. I still have doubts about this analysis and how it will be applied in the future, but it is the law of the land.
Justice Gorsuch wrote a dissent to the Court’s majority opinion. Because he was the lone dissenter, many scholars have brushed off the reasoning as meaningless.
The reason for Gorsuch dissent is interesting. He does not subscribe to "privacy rights" under the Fourth Amendment. Instead he believes the Fourth Amendment hinges on property rights. Just think – the Fourth Amendment does not say anything about privacy. In fact, the right to be secure in your person, house, paper and effects sounds like a safety issue or property rights.
Data is Property
My interpretation of Gorsuch’s dissent is that data is property worthy of protection. As a certified privacy professional, I understand the privacy argument. The property argument, however, is intriguing because it is easier to apply in an age where data is king.
For example, the reason Google does not charge for a Gmail account is because Google wants your data. The same holds true for Facebook, Instagram or any other social media platform. It’s also the reason why certain companies will provide a free e-book, or a free product in exchange for you creating an account and providing your contact information. Your data has value to the company.
Another example is found in data-breach class actions.
One of the major challenges that plaintiffs face in a data-breach class action is the question of harm. The plaintiffs have to prove that disclosure of their personal information such as social-security numbers, credit card information, and email addresses, resulted in actual harm. The common argument by defendants (such as Equifax, Target, Sony, etc.) is:
Yes, a data-breach can result in identity theft, and credit card fraud, but if a plaintiff hasn’t been the victim of theft or fraud, then there is no harm. No harm, no case.
To be honest, the contention that social-security numbers, credit card information, and email addresses are private has always puzzled me because we share this information with others on a daily basis. This information is not really “private” or a “secret.” This information, however, has value.
Borrowing from intellectual property jurisprudence (such as copyright statutory law): if a person’s data is valuable property (however small), and we trust companies to protect our valuable property, the inadvertent disclosure of the property infringes on a legal right that automatically causes harm. In other words, someone has my valuable property without my permission.
There is a glaring problem under this property theory, however. How do we value data? What is a social-security number worth? Is the value tied to the price of this information on the dark-web?
Defendants in data-breach lawsuits can still argue that the victims whose information was disclosed have not suffered harm because they have not suffered out-of-pocket losses.
Unless, the legislature creates law, like the copyright statute, that identifies statutory damages and strict liability for a data-breach, victims of a data-breach will always have to prove how they have been harmed.
Yes, I know, this theory upends years of legal philosophy and jurisprudence, and is not the current law of the land. But, as crazy as it may sound, Justice Gorsuch has a point:
Data = Value = Property
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP