Professors, Privacy and Preparing Law Students for a Digital World

An editorial essay this morning in The Washington Post gave attention to a case argued last week before the United States Supreme Court, Jones v. United States. As Jonathan Turley, a law professor at George Washington University, reviewed the case here, the issue under review is one of privacy under the U.S. Constitution. Prof. Turley’s analysis followed an earlier Washington Post essay by David Cole, a Georgetown law professor, concluding that the U.S. government’s actions under review confirmed “Big Brother has arrived, and we have invited him in.”

Both professors are scholars I respect. They have accurately reported the issues presented as ones arising under the U.S. Constitution and its limits on the power of the state to conduct surveillance. But I submit both the professors, and perhaps the advocates before the Court, have presented the issues far too narrowly. In doing so, they have provoked me to use this posting to call out a more fundamental failure in how to navigate our way through the collisions of a digital world with the prevailing principles of a legal system, and our current failure to consistently prepare law students to be effective custodians of the rule of law in a digital world.

The facts are straightforward. Pursuant to a warrant, police secretly installed a GPS device on Antoine Jones’ car to monitor his movements. The warrant expired, the GPS data continued to be collected, and the data enabled the police to locate a cache of cocaine, resulting in a conviction. On appeal, the United States government argues no warrant was even required in the first instance to track the movement of citizens, arguing that today’s always-on technologies are already monitoring each of us to such an extent that we have no “reasonable expectation of privacy” for which a warrant application must be prepared. That application allows a court to evaluate whether the suitable cause exists to nevertheless approve the government’s surveillance.

Both professors highlight the prevalence of surveillance and monitoring technologies. Both also acknowledge the degree to which each of us live our lives in acquiescence to the presence of these technologies, and express no objection to the constant observations being recorded. “We are evolving into the perfect cellophane citizens for a new transparent society,” observes Prof. Turley. Nevertheless, the authors seem to believe that the protection of privacy extracted from a Constitution that went into effect nearly 300 years ago is being eroded, and that a favorable ruling for the government is the basis, again in Prof. Turley’s words, to “mourn . . . privacy’s passing”.

In 1999, Scott McNealy, the founder of Sun Microsystems famously observed, “There is no such thing as privacy. Get over it.” Both of the professors need to get with the program. What is at issue is not the power of the state to conduct surveillance, nor any natural or legal right of a person, automobile, or company to be observed as they live their lives. We are living “cellophane” lives, and if we are connected, both corporations and government have nearly unfettered access to any digital activity (or digital recordings). What is important, and what should be the driving issue, is to recharacterize the conversation to focus on the ownership, control and use of the collective record of our lives stored within the Net.

On nearly any current detective show on television, we see abundant examples of how law enforcement is requesting and accessing recorded data created and held by private entities to investigate and discover social misconduct—call records, casino video tapes, parking lot video tapes, hotel room magnetic key records, credit card transaction data. Of course, none of us going about our routine lives think much about the presence, or use of, these monitoring technologies. I don’t believe any of us choose a beat-down corner grocery versus a national brand convenience store because we know the grocery has no monitoring devices, takes only cash, and does not decorate the interior edges of their front door with measuring tapes against which to calculate our height.

Nor does the collection of the resulting monitoring data seem to offend any of us—by virtue of our use of the devices (such as a credit card) or our access onto premises with recording devices, we are consenting to the recordation of our conduct as a condition to use or access. Banking and real estate lawyers would say that we have given that consent either by express contract or by the voluntary decision to enter onto a specific property.

No one seems particularly upset when commercially collected data is used to catch the bad actor (except, of course, the bad actor). For myself, despite a lifetime liberal value system, I cannot get upset when technology can be employed to detect, and document, conduct that violates the law. The use of commercially collected monitoring data, and re-purposing of that data toward law enforcement, just does not make me uncomfortable.

So, do we have a different level of comfort or discomfort when a) the monitoring data is collected originally by the government, and b) the target has no knowledge of, or consent to, the installation and use of the monitoring technologies? Put aside the constitutional analysis for a moment: does that conduct by the government make us have a different sense of discomfort than any commercial collection activity? In Jones v. United States, what was being monitored was the travel and passage activity of a vehicle on public infrastructure facilities.

Ironically, also in this morning’s New York Times, coverage reported on the “wary” decision of the Chicago City Council to approve the installation of hundreds of speed-detection cameras. Really?!? In opposing or expressing skepticism, several arguments were made: “taxation without representation” of non-resident drivers violating the speed limit; constituents anger that the legislator would support the use of technology that actually worked to enforce the law, etc.

But what seems really at issue is the notion that a citizen has a discretionary “legal” right to disobey the law, based on the likelihood they will not be caught. Too few officers on patrol. A dark and stormy night. No traffic (or officers) in sight, despite a “No Turn on Red” sign. What annoys those opposing speed-detection cameras is that their “right” to roll the dice and violate the law is being compromised by technology. Of course, it is especially ironic the Times reports that, where speed-detection cameras have been installed, drivers are not getting caught as much—in other words, aware they are being observed (and likely to face certain punishment based on the digital record of their conduct), the drivers are complying with the law. What is possibly wrong with that outcome of the use of technology? Is not the government acting no differently, as the owner and operator of the street system, as the convenience store management team?

Imagine, instead of collecting data from an installed GPS underneath Jones’ car, the government turned to a private company that operates orbiting satellites that keep “eyes on the ground”. From the time-lapse video images, specific movement data on a vehicle can be extracted, once a starting date and location of that vehicle are established. Same results: a pattern of conduct, repeated visits to a known “hot spot” providing probable cause. In those circumstances, did Jones have any type of right—much less a constitutional right—to escape prosecution?

The simple reality is that the right of privacy, such as it may exist in the US Constitution (or be expressed in Article 8 of the European Convention of Human Rights, will be an ineffective shield to the use of collected monitoring data by government to enforce the law. Privacy, as a notion of the discretion with which we live our lives, does not entitle us to be immune from prosecution merely because we did not consent to the collection or use of digital evidence of the record of our misconduct.

Instead, where we must focus—and this will be a titantic, enduring, global struggle that will endure beyond my lifetime–is on building a legal rule of law that aligns to the digital age. That rule of law must include global, functional means, including enforcement resources, to define the uses—and impermissible uses—that may be made with collected data. We see uncomfortable innovations every day—family medical histories used to deny insurance; open source analysis of web-based data to verify employment suitability; “evidence-based” medical care—but our legal community is not responding to the real issues.

Data exists, will exist, will increase, and be more comprehensive in its monitoring of our lives. More and more “secondary” uses of data will emerge, many of which have valuable social returns (such as law enforcement), some of which will have harmful impacts (such as online corporate espionage). What is critical is that we re-frame the dialogue from reliance upon national or regional legal principles (which are, themselves, fairly attenuated) and develop coherent mechanisms, embedded in the Net, which express the limits of our comfort on what represents both acceptable and impermissible uses.

In its essence, the solution is found in the basics of contract—forming a contract through offer and acceptance, and making payment to the proper “owner” for the secondary uses which occur. But the application of those basics will be an immense effort—European privacy law has the essential concept already—the notion of informed consent by the data subject, and the opportunity to condition that consent on payment (or other consideration).

In Jones v. United States, I have no problem with the principle that a driver on a public road, as a condition to the privilege of doing so, agrees to the monitoring of their conduct, whether by satellite, speed-detection cameras, motorcycle cops waiting behind a billboard, or the good Samaritan who observes a “hit-and-run” and captures the license with their cell phone camera. None of us believes our legal right to use the public roadways is expressed as “I can do what I want as long as I am not seen violating the law.” Indeed, it is the essential moral principle that citizens voluntarily adhere to the law that keeps society civil. We see in daily life the opposite occurring, particularly when government’s monitoring resources are more limited.

Whether scarce public funds should be invested in GPS devices—or the law should prevent the “trespass” of a vehicle to attach a GPS device—are properly addressed legislatively. But the real shame that is that today’s law students are continuing to be prepared to enter the legal profession without a committed resolve among the academic community to prepare their students to help shape a digital rule of law.

Courses that teach the rules for managing digital information as evidence are electives or seminars, if they are even offered; courses that expose law students to the basics of electronic commerce, and the functionality of the technologies in commerce, have similar status. Only a handful of law schools offer courses on the law of information security (notably the curriculum at Indiana University)—that is, the legal and technology rules by which digital theft, trespass, and mischief can be controlled.

Law is still taught by jurisdiction, without a realistic recognition that the Net, and our systems, are global, as are the bad actors. Those being educated as the next generation entrusted to preserve and advance the rule of law must be offered a foundation that enables them to be zealous advocates in the world that exists. Even the law students understand the problem—I was amazed a few weeks ago attending a New York City Bar event to find law students seeking out supplemental training on electronic discovery, beyond the exhausting workload they already carry in law school, because they felt they would need the training to be effective in their careers. To my knowledge, not a single bar examination that determines the fitness of a law graduate to practice law routinely examines their mastery of the basic building blocks of electronic commerce, digital rights, or privacy.

In this context, then, how would I suggest the Supreme Court rule in Jones v. United States? I do not believe they need to reach the issue of privacy. Under the rules of engagement, i.e., the warrant, the time had expired during which the collection activity had been sanctioned. In effect, the warrant was the contract between the judiciary and the police that defined the boundaries of acceptable data collection. How the case fits with precedents becomes a fairly easy analysis in that light.

The Court need not evaluate this as a principle of privacy—instead, the contract had expired. So has reliance on privacy as a defense against the use of collected monitoring data. Its time to get over it, and begin teaching our law students how to build and maintain a digital rule of law. Precedents, including the Constitution, have their place, but the new law requires new rules.