Privacy and Security: Outflanking the Third-Party Doctrine

October 20, 2014

Edward Snowden became famous last year for revealing US government surveillance programs and starting a conversation in America about the tradeoffs between privacy and security. More recently, Snowden has conducted interviews in which he has advised Americans to avoid certain online services, like Dropbox and Facebook, that do not provide adequate privacy protections for users and to instead use alternatives like SpiderOak that do. If Americans begin to take Snowden up on his advice, it could have profound impacts on criminal investigations. At this point it is reasonable to ask: Can’t we simply rely on enforcement of Fourth Amendment protections against unreasonable searches and seizures to protect online privacy? No. Thanks to the Supreme Court and its third-party doctrine.
The third-party doctrine is probably not something that most Americans are familiar with, but it is very important because of its implications regarding online privacy. If an American writes the most intimate details of his life in a journal and keeps it in a locked safe, that journal will be afforded the most robust privacy protections that the Fourth Amendment of the United States Constitution has to offer. However, if that same person writes that same information in a Word document and places it on Google Drive or Dropbox, not only will the privacy protections not be as robust, but the Fourth Amendment will not even be applied if the government orders Dropbox or Google to turn over the document.
This is a result of the third-party doctrine. The Supreme Court has ruled, in United States v. Miller among others, that if a person discloses information to another person or entity, that information is no longer subject to a “reasonable expectation of privacy.” The argument proceeds by taking as a premise that nobody reasonably expects information to be private from anyone that has been disclosed to anyone else because we all accept the risk that even our best friend might divulge our secrets to others. The implications for email and cloud storage are obvious. Anything you email using a Google account or place on Google Drive has been divulged to Google. Therefore, if the government asks Google to disclose the contents of your Google Drive account, the Fourth Amendment is not applicable because no search has been conducted. The Court considers the information to be in public.
There are laws that protect privacy online, but those laws generally require the government to show only reasonable suspicion that evidence of a crime will be found rather than the more difficult standard of probable cause that is usually required by the Fourth Amendment. However, services like SpiderOak, recommended by Edward Snowden, can remove the teeth from the third-party doctrine by creating know-nothing third parties.
SpiderOak and other services like it, offer a unique weapon to combat government searches. SpiderOak does not store password data, and its servers never are aware of the contents of stored files. Therefore, even if a law enforcement agency subpoenas a user’s files, SpiderOak is unable to comply with the subpoena because they do not have the data requested, nor can they provide the police with the encryption key to access the data themselves. So while it might be completely within the law for the police to gain access to a particular service’s data concerning one of its users, they are physically unable to do so. Furthermore, because of the Fifth Amendment protection against self-incrimination, the police will have no way to get the password because they cannot compel a suspect to give it up.

If third-party services in cyberspace continue to provide greater security for users as Apple recently announced it will do, it is possible that the third-party doctrine will become a nullity in cyberspace.

Issuing court orders obtained with a lower burden of suspicion will not mean anything if nobody on the receiving end of those orders (Google, Dropbox, SpiderOak, Apple, ect) knows anything useful to the authorities. The possibility also exists that people who are more tech-savvy will have greater privacy from the government than people who are not. Finally, although many people think it is a good thing to have more privacy, if it becomes possible to conduct all criminal activities through third-parties who will never actually know any useful information about what the criminal is doing, will it become nearly impossible to investigate intelligent criminals?
For example, a contract killer could pretty easily work through a system of encrypted third-party communications services and data storage companies to conduct his business.

It would be almost impossible for a police officer to compile enough evidence to allow for a criminal prosecution if almost every piece of evidence of the crime is encrypted in cyberspace. If we extrapolate that example to terrorist activity, Americans might find themselves in a position of having too much privacy and not enough security.