The topic of privacy keeping pace with new technologies is far from new and we can find articles on the issue almost weekly, each one suggesting that it is time for U.S. Supreme Court adjudication (See article posted on Law.com, Questions in the Search and Seizure of Digital Evidence Are Ripe for Answers). Samuel Warren and Louis Brandeis first argued for a right to privacy in 1890, largely fueled by new printing technologies that allowed for the unprecedented dissemination of newspapers and photos. Sound familiar?
Since the 9th Circuit’s original Quon opinion hit the news in 2008 – invalidating the City of Ontario’s audit of text message content on its own police department-issued pagers – the legal community reignited the debate over privacy issues presented by modern technologies. In both the civil and criminal realms, employers, law enforcement agencies and litigants feel the tug-of-war between data collection mandates (now commonplace) and a virtual sliding scale of privacy concerns. For any practitioner not specializing in privacy law, the plethora of decisions emerging from various state and federal jurisdictions, in addition to international variations and the differing treatment of certain data types, the possibilities – and risks – seem endless. When is it appropriate to preserve or subpoena a social networking page? An employee’s personal email? Cell phone or “smart phone” data? What can be captured? How does the reasonable expectation of privacy differ for the public and private employee? What about the target of a criminal investigation?
Recent rulings offer some guidance. Gibson Dunn’s “2010 Mid-Year Electronic Discovery and Information Law Update” reports a “substantial increase” in cases analyzing the 4th Amendment’s application to electronic data and what circumstances constitute a reasonable expectation of privacy. Specifically, the Supreme Court of New Jersey upheld the attorney-client privilege for emails sent by an employee on a work-issued laptop, reasoning that (1) the employee used a personal, password-protected email account, (2) she took reasonable steps to preserve confidentiality by not saving her password to the work computer, and (3) the company’s technology usage policy left some ambiguity. We can’t assume, however, that an adequate usage policy will negate privacy rights: the decision goes on to suggest that any usage policy would be hard-pressed to outweigh the public policy importance of attorney-client privilege.
So what about privacy where privilege is not involved? Postings made to social networking sites seem fair game, as even “private” messages are proactively published through these sites to at least one other person. No trend exists without exception, however, with some American courts acknowledging a higher degree of privacy in MySpace person-to-person email (See Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 [C.D. Cal. 2010]), for example, while others show a willingness to review potentially embarrassing social networking content in camera. (See Romano v Steelecase Inc., No 2006-2233, September 21, 2010).
Unlike the strict application of electronic discovery rules to most forms of stored data, courts have not yet obligated parties to identify and preserve social networking sites. Email and cell phone data, on the other hand, fall easily within the scope of the Federal Rules of Civil Procedure and its state equivalents, which begs the question: does the current state of privacy law comport with the capabilities of modern search and collection tools? Yes, according to the latest holding of the 6th Circuit on the issue, published just last month. The court in U.S. v. Warshak held that even though email content can be viewed by a third-party provider – the ISP – subscribers maintain a reasonable expectation of privacy as to the contents of their email under the 4th Amendment. The court invalidated wording in the federal Stored Communications Act, permitting federal agents to secure email content with a subpoena, applying instead the same requirement for a warrant that would apply to a phone tap or the interception of mail from the post office.
The California Supreme Court opened the new year with an entirely different tack. Addressing privacy in the context of smart phones, the court in People v. Diaz held that arresting officers may search the text messages of a cell phone taken from a suspect. The court’s 5-2 decision relies on U.S. Supreme Court precedent permitting the search of personal property “immediately associated” with the person arrested, analogizing cell phone data to the search of a cigarette pack found in a suspect’s pocket. The defense in Diaz argued that a cell phone better resembles the example of searching a foot locker acquired during arrest, as neither item is necessarily worn on the suspect’s person. Foot lockers found with a suspect, according to U.S. v. Chadwick, require a warrant prior to searching.
Courts and commentators alike will no doubt use the coming year to debate whether today’s mobile electronic data is more analogous to the protected content of a traditional letter or phone call, or to the unprotected pack of cigarettes stashed in a suspect’s pocket. But let’s reframe the question: isn’t it more notable that the last few months of jurisprudence still compares today’s mobile technologies – powerful enough to carry volumes of personal information and publish almost anything instantaneously to the world – to a handwritten note, foot locker or pack of cigarettes?
Case law makes clear that the government and private litigants will continue to use powerful mobile device forensics software, such as AccessData’s MPE+ to retrieve forensically sound and legally defensible collections. But even the most recent decisions skim over, or ignore completely, the nuances that define data today and the privacy concerns they implicate.
Justice Ming Chin in Diaz notes that if precedent warrants revisiting, in light of modern technology, “then that reevaluation must be undertaken by the high court itself.” (dis. opn. of Werdegar, J., post, at p. 1). Meanwhile, the U.S. Supreme Court expressly declined to address privacy expectations of employees using employer-provided communication devices, citing “implications for future cases that cannot be predicted.” It appears that the decision as to whether we should even address the expectation of privacy in light of modern technologies is itself still up for debate.