Utah steps forward to protect digital privacy

The following op-ed was published today in the Washington Examiner.

Nearly every American regularly uses a pocket-sized supercomputer to store sensitive information, one that tracks our every movement. Some have suggested that the conveniences of cellphones come with an inevitable trade-off of less privacy, but one state has profoundly disagreed, passing a new data privacy law that sets an example for other states to follow.

Timothy Carpenter’s story demonstrates why elected officials need to step forward to protect privacy. In 2011, the FBI obtained several months’ worth of his cellphone location records, without a warrant, after suspecting that he was involved in criminal activity. These records revealed nearly 13,000 locations he had visited, providing them with sensitive information Carpenter considered private.

Law enforcement had the benefit of U.S. Supreme Court precedent on its side in suggesting that no warrant was needed. The “third party doctrine,” as it’s called, was created in the 1970s, when the court previously determined that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”

This bad case law applied to Mr. Carpenter. With the legal assistance of the American Civil Liberties Union, he brought his case to the nation’s highest court and prevailed. In a 5-4 ruling, the majority of justices held this past summer that Fourth Amendment protections apply to cellphone location records. With this new precedent in place, police must obtain a warrant before obtaining the whereabouts of your mobile device. This is a great victory, albeit a small one.

What about the rest of our data, which lacks similar protection? Every day, we transfer private information to third parties (the “cloud”) — financial documents, photos, calendar appointments, video chats, and more. In addition, these companies generate and store all sorts of information about our interaction with their services, revealing our private behavior. The “third party doctrine” might have made some sense before the digital era, but our inherent reliance on numerous third parties to facilitate any digital interaction makes it clear that the case law needs a major overhaul.

Sure, the Supreme Court should be praised for taking a small step in the right direction, one that would have been far more praiseworthy 10 or 20 years ago when cellphones began to proliferate. But in 2018, the court should have gone further.

Its narrow ruling leaves a glaring omission that privacy advocates should not wait decades more to resolve. Indeed, Justice Samuel Alito once wrote that “It would be very unfortunate if privacy protection in the 21st century were left primarily to the federal courts using the blunt instrument of the Fourth Amendment. Legislatures, elected by the people, are in a better position than we are to assess and respond to the changes that have already occurred and those that almost certainly will take place in the future.”

This is why Utah has recently stepped forward to become the first state in the country to require law enforcement to get a warrant before accessing anybody’s data that’s on a third party server, taking the recent Carpenter case and putting it on steroids. It’s great that the court has protected our cellphone location data from warrantless access, but each of us generates a wide range of content that deserves the same protections. Utah’s new law sets a model policy for other states to follow.

The law broadly states that law enforcement has to obtain a warrant to “obtain, use, copy, or disclose … any record or information” about the person whose data they want. In short, Utah’s law treats your digital data the same whether it’s stored on your device or uploaded somewhere in the cloud. And the law even locks down the data created about us by the companies we interact with. If Carpenter was widely celebrated despite its narrow application, this new model law should be shouted from the digital rooftops across the country.

Edward Snowden’s National Security Agency leaks started an important conversation about surveillance and privacy, but elected officials appear to have fallen asleep on the job. Some 76 percent of Americans are concerned about the government gaining access to our data. But lawmakers have done little to address it. Where are the campaign speeches about online privacy and protecting our data? Which 2020 presidential candidate is talking about it at town hall meetings?

As Carpenter’s case has shown, many politicians are deferring to the courts to slowly figure it out. But states can disregard this deference and, like Utah, move forward ambitiously to fill the void. After all, the U.S. Supreme Court only sets a floor below which law enforcement may not descend. State legislatures can and should rise above that limit to provide greater protections for their citizens.

Utah has done so with a bill that passed unanimously. Other states should quickly follow suit.