> "Judge Pauley said that protections under the Fourth Amendment do not apply to records held by third parties, like phone companies."
The thing I don't get is why the NSA is considered a third party here. It's not the phone companies keeping the records, it's the NSA, so I honestly do not understand this ruling.
I think he's saying the phone company is the 3rd party, and so searching and seizing from them is fine, because they're not searching you directly?
I guess a physical analogy would be if you held your belongings in a 3rd party storage unit, the judge is saying the cops should be allowed to search and take whatever they want, because they're doing it to you through a 3rd party.
I don't think you understand what "3rd party" means.
The storage unit is a 2nd party. You (the first party) have a contract with the storage unit (the second party) to store your things. There is no third party.
Compare that to the phone company, where you (the first party) talk with someone else (the second party) using the phone company (the third party) equipment.
Thanks, I didn't realize I made that mistake. Maybe a better analogy would be a broker who is facilitating the transfer of some property, and the cops unreasonably searching/seizing the property while it's in the broker's possession?
Here's the most apt analogy regarding "transfer of some property": The police aren't allowed to search a package without a warrant, but the USPS does photograph all U.S. mail (160 billion pieces), and sometimes provides that information to a police investigation.
After all, what's on the outside (the metadata) is public.
But in general, the owner of your apartment complex cannot give police permission to search your apartment, and the owner of a storage facility cannot give permission to search your items.
The lawyer is a second party, not a third party. In the telephone call situation, you are calling someone else, using the phone company's (the third party's) equipment.
In any case, there may be attorney–client privilege, but it only applies if the lawyer is acting primarily as an attorney for you. If you are using the lawyer just to store documents that you don't want to keep yourself, then there's no privilege.
I don't understand the question, sorry. Dropbox isn't a third party, and it isn't your attorney (or a handful of other fields with special legal status).
You should look to see the legal precedent for private courier service, or for storage facilities. Those are more likely to be comparable to dropbox, if only because consumer protection laws may be relevant.
(That is, you can't give it to your friend, to put into a safe, and expect that it has any status different that anything else that your friend had. For example, a warrant may require your friend to open the safe, because your friend might also store personal items along with your items. While for a storage facility, a warrant to search the business's records would not automatically imply searching the entire building.)
I don't get it... The Fourth Amendment Text reads:
The right of the people to be secure in their persons, houses,
papers, [and effects], against unreasonable searches and
seizures, shall not be violated, and no Warrants shall issue,
but upon probable cause, supported by Oath or affirmation,
and particularly describing the place to be searched, and the
persons or things to be seized.
And effects. They're washing this term of all its meaning.
That's like arguing that cops can search your apartment if it's being rented.
Effects in this sense is a synonym for movable goods, that is, physical property. The text of the fourth amendment protects your property. This and other rulings are saying that the records your phone company produces of what calls they've connected are not yours, but the phone company's property. If Verizon gives its own property to someone, government or otherwise, you have no standing to claim any violation of your rights.
A web analogy: the records of who called whom (i.e. "phone metadata") are just like web server access logs. You would like the court to say that the web server access logs you produce are the property of all the individual people that visit your website. The judge is saying those logs, produced and held by your server, are your property alone.
I still don't get it. There's equivocation with the verb to produce.
I'm going to play Socratic Advocate here. When a music producer produces a record of an artist, who owns it? How do we conceptualize this relationship of artist to market? Do we argue for record companies or for artists? What motivates the moral structure of this debate? Are we sympathizing with record companies or artists? It's a record of the artist's musical activity.
Now, a phone company is a producer of our records. We're its content producers. But if the record company re-uses its artist's work without that artist's permission...?
If I tell you I murdered someone, should the government have to get a warrant to get that information from you? What if they asked you if I visited your bookstore last week? What if you kept a journal indicating each time I visited your store, or bought a book? What if they asked Amazon for a list of when I visited their site, or bought a book? (Keep in mind Amazon has the right to refuse to give that information without a court order...the question is whether I can protest that subpoena, or only Amazon can).
At some point, there needs to be a line drawn. The 4th amendment has been interpreted to protect "reasonable expectations of privacy" in order to draw that line. If I tell you I murdered someone, or if you tell the police when I visited your store, that's over that side of the line. I have no reasonable expectation of privacy. I freely gave up this information to a third party.
The copyright law has an entirely different history, text, and history of interpretation.
I agree that the third party doctrine is no longer workable in the digital age (people probably have just as much of an expectation of privacy in their DropBox as their C: drive), but I don't think the other viewpoint is entirely unreasonable, especially during the pre-digital age.
I think this ruling, and others it foreshadows, points to a need to amend the Constitution to ensure protections for personal property held by third parties on behalf of private citizens. At the time the 4th amendment was created, it was reasonable to assume that anything a person wanted to keep private would be safely secured by them in their own home. Times have changed. Now I keep my private financial "papers" in a system administered by a third party bank, my private medical "papers" in a system administered by a third party insurance company, and a lot of my other private effects in databases administered by third parties google, dropbox, etc.
Luckily the Framers foresaw that future changes would necessitate changes to our fundamental law so there is a process for the People to make such issues much less open to broad interpretation by the judicial branch.
In legal philosophy there is the notion of "proximate cause" — this needs to be re-purposed for "effects" such that we define the notion of "proximate effects" w/r/t to content producers.
If a music artist has some legal clout regarding that which is produced, and can seek renumeration through certain provisions, we as content producers of phone companies (and obviously ISPs, because clearly that's the next phase in this legal narrative) should have provisions which scope and define joint ownership of our recorded activities insofar as a "chain of events" is scoped around our assigned IP addresses and telephone numbers.
A schema can follow http://schema.org/Person. Block any transaction between third-parties and government that involves these properties. Metadata becomes what is left over — raw information about what is essential to describe the service itself.
We are content producers just like music artists are content producers. Phone companies are just like record labels.
Well, yeah. But what are we going to do about it since it's clear past due to update such laws. Now we're in the thick of an infrastructure that has just busted any practical sense of minimal right to self-governance.
That's true. But both sides of the political spectrum regularly do these sorts of linguistic end-runs around the Constitution in the name of the ends justifying the mean. The right does it to the fourth amendment, the left does it to the second. So neither side can legitimately call out the other for hypocrisy because nearly everyone is willing to jettison at least part of the Constitution when the stakes get high enough.
There's a different argument here. Some buildings keep a visitor log. That will say when I arrived, perhaps who I'm visiting, and likely when I left. I do not own that data, and it is not part of my papers.
Nor is this information part of the papers of the person I'm visiting. It's part of the business records of the building owner.
There's no promise that this information is private. Indeed, in some buildings it's often semi-public information, in that successive visitors can likely see the log when signing in or out, and it's left on the main desk all day.
The argument is that this information isn't under 4th amendment protection because it not not part of your private or personal information.
The recent court opinion by Judge Leon against the NSA points out - rightly, in my opinion - that when there is a lot of information about who you communicate with, then that in turn reveals information about you and your thoughts. You should read the opinion.
Such an Decision actually wholly deprives us of all self-governance what-so-ever since technically we do not own the fax machines and systems of all the companies we interact with.
This is totally disingenuous. It penalizes us for not only being born here but also for aligning ourselves with the American Dream.
Corporations are not people. Corporations do not have effects — we, the People, do. What kind of justice is this?
Yes, and they are not, which is precisely why we have separate laws that explicitly assure us of the privacy of these documents.
As for sibling comments that exclaim that this doctrine contradicts the meaning of the Fourth Amendment, consider that very intelligent people (Supreme Court Justices) who are explicitly trained in interpreting laws and especially the Constitution, and who are selected partly for this precise talent, have thought otherwise. In light of this circumstance, it may at least be reasonable that it is you who are not properly interpreting the meaning of the fourth Amendment.
Yes, put complete trust in the same judicial system that moves judges off of cases when they don't like the rulings. Especially when those rulings are centered around the exact handwavy unjust fourth amendment violations that justify the program in question here.
I don't know if you're seeing what i'm seeing, but there appears to be a war going on over this issue. Why should i trust the very capable people on this side of the fence, and not the very capable people on the other? Because you said so?
I'm not telling you your position is wrong; I'm telling you to doubt your position.
I myself share, I think, your opinion: this sort of collection ought not to be allowed. However, I am also aware that I have reasons to doubt my position.
Oh. Ok. Yes, it's worth going to the trouble of reading into exactly why this is the ruling. I am in fact playing armchair judge. I wish i didn't have to, but i've lost faith in my judicial branch on these matters.
No Supreme Court justices have ruled on this. There have been two federal judges to issue a ruling so far, and if you'll recall the last ruling was the exact opposite. This debate is very much not decided.
Regardless of the 4th amendment, we have separate laws that protect our communications, much in the same way we protect our medical records. The only imaginable argument in favor of these transgressions are that "it's not illegal when the government does it"
> Regardless of the 4th amendment, we have separate laws that protect our communications, much in the same way we protect our medical records.
The ACLU raised some of those separate laws in this case, but those claims were dismissed for procedural reasons, including that Congress had only waived soveriegn immunity with regard to Section 215 orders to allow the recipients of the orders to challenge them, not the subjects of the orders.
There's no need to defend the transgression when no one with the interest in challenging them is permitted to challenge them.
The big problem here is that the entire idea of sovereign immunity -- the embodiment of the idea that the King is above the law, adapted to circumstances where there is no King -- is directly contrary to the concept of government bound by the rule of law.
Of course, there is growing chorus of voices that believe the 3rd party doctrine needs to change, including comments by Justice Sotomayor in the recent US v. Jones case, which I've quoted elsewhere in this thread and are worth reading to get a sense of how some members of the current Supreme Court may vote if and when the Court decides to hear these NSA cases.
You are correct, both in interpreting me and in providing valuable context to the discussion.
My only point was that people who I would a priori believe to be intelligent, reasonable, and competent have found the 3rd-party doctrine valid. They may not have been "right", in whatever sense I mean that, but they are not a priori wrong, which many of our ancestor comments seem to be assuming.
I assume all of those records were already being obtained but here is the legal cover they need to do it officially.
The only records that are safe are those encrypted and on your person. Just don't write down the key. Information in your head is still (mostly) protected.
Correct me if I'm wrong, but isn't this essentially ruling that everything that you own and store in the 'cloud' doesn't belong to you in the sense that it is not subject to the same protections as other property you own?
I can see this having huge negative consequences for all US 'cloud' business.
Not really: the stipulations in the agreement you make with the cloud provider explicitly cover data rights. Rights to subpoena data is completely different.
You are right about the implications, but this is old news. This is what is known as the "third-party doctrine" and it goes back decades. It is not an entirely unreasonable doctrine, based on the history and text of the 4th amendment. More importantly, Judge Pauley is obligated to follow Supreme Court precedent on this issue. Our system of law is based heavily on "stare decisis", or the idea that we should follow precedent and not keep re-interpreting the law or changing the settled expectations of society.
That said, at least some members of the Supreme Court have expressed concern about how much the 3rd party doctrine guts our privacy rights in the modern age. In a recent case (Jones), the Supreme Court held that attaching a GPS receiver to a car violated the defendant's rights because there was a warrantless intrusion when the device was physically placed on his car. For now, they side-stepped the issue of what would happen if, for example, the police collected all of your movements from a 3rd party like OnStar, which uses your car's built-in GPS. Judge Sotomayer, in a concurring opinion, discussed how the 3rd party doctrine may have to be changed:
"More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as JUSTICE ALITO notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. See Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected”).
Resolution of these difficult questions in this case is unnecessary, however, because the Government’s physical intrusion on Jones’ Jeep supplies a narrower basis for decision. I therefore join the majority’s opinion."
Even further: We don't possess the copyright to the algoritms of non-plaintext. So effectively we don't own anything we codify in a proprietary format...
This ruling is incorrect. Protections under the fourth amendment must apply. Companies must be able to guarantee your data is safe, or you end up with thermostats and laptops in your home that can watch you without your ever knowing. You must know when you are being searched.
Of course 3-hop data imports FROM the phone company databases into NSA databases will still also exist, and have not been limited.
Private storage has been acting as an abused workaround for constitutional law this entire time. That is actually the exact problem with these programs. The "corporate store" is a fake third party, the third party being designed specifically to store the data once pulled from real third parties.
But it was a strange thing to begin with. Why would anybody trust a cloud provider with sensitive information? Another way to look at the NSA -- they are hardening our security.
Companies who've moved to the cloud have already weighed their risk vs. reward of handing their data to a 3rd party, vs. the cost of standing up their own datacenter and servers etc. This NSA business won't change any of that thinking for most IMO.
They've already ruled by moving to the cloud the cost savings is greater than the risk of a 3rd party accessing their data.
The cloud providers told their customers that this information was secure from government interference, and that the government had to obtain search warrants in order to even inspect the data. This turned out not to be true, as Snowden demonstrated. This changes the level of risk, and apparently at least some companies are rethinking their cloud commitments. Also, as Target's 40 million customer credit card breaches demonstrate, there is a real cost of not providing your own (good) security and keeping data safe. And that cost may get higher. See http://finance.yahoo.com/news/senator-calls-accountability-t...
The government does need to subpoena AWS etc if they want access to my s3 bucket, or ec2 instances. The NSA siphoning off unencrypted data in transit via backbone providers en masse is entirely different.
You wrote: "The government does need to subpoena AWS etc if they want access to my s3 bucket, or ec2 instances"
Do they? Evidently, the NSA, a US government agency, feels that portions of the Patriot Act and related laws (including secret interpretations of such laws) do grant it legal right to collect information that is on any server of any company in the world (including servers physically located in the United States), in order to fight terrorism and other threats to national security, without the need for a subpoena or a warrant. Furthermore, if the NSA if legally allowed to do so, are not the CIA, the Department of Defense, other Homeland Security Agencies and any other information-collecting agencies, whether or not such collection is overt or covert, and whether or not the subject of such collection is aware of such collection or not, also able to make the same argument that such activities would be legal under the same legal justification used by the NSA?
If if this is so, then the statement you made: "The government does need to subpoena AWS etc if they want access to my s3 bucket, or ec2 instances" must be incorrect, or untruthful.
If it is untruthful, then the negation must be truthful, which means the government does not need to subpoena AWS etc if they want access to your s3 bucket or ec2 instance.
The judge in this case essentially confirmed the case of Smith V. Maryland (1979) < http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&in... > (see page 2 of the article we are commenting on) that one does not have expectation of privacy for information provided to a third party. You logged in to amazon systems, and you conveyed information (data) from your system to their system. I see this as no different than providing a phone number to a telephone carrier in order for them to connect the call. You are putting software, data, instructing them to serve it to other parties, as in the case of s3 buckets, or instructing them to run virtual machines to perform computational operations on their computers, as in the case of ec2 instances.
While, as the article mentioned, there are now people in the justice system who may think the 1979 case no longer reflects the realities of electronic communications, it is still the law and will remain so until the lawyers decide it isn't.
To quote from the article:
[begin quote]
In one of the concurrences, Justice Sonia Sotomayor wrote that "it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties."
[end quote]
So, while the Fourth Amendment is clear about "papers and effects", it is not so clear on data provided to third parties (no matter the purpose, no matter the level of protection of the data the company promised--company promises cannot supercede state or federal law) isn't wide open for government access, in light of what the article states, and in light of the judge's decision in this case.
It seems to me that while sentiments and opinions may lean toward granting more privacy protections to data stored online, the law today isn't there yet.
They do need a subpoena to access your data on AWS, they do not when they are just sniffing it off the wire en masse as it passes thru a third party system. Kind of like you not having privacy when you mail a postcard and expecting that no one should read it.
Also the NSA wouldn't be subpoenaing data from amazon anyway it would be someone like the FBI in this case.
The thing I don't get is why the NSA is considered a third party here. It's not the phone companies keeping the records, it's the NSA, so I honestly do not understand this ruling.