In United States v. Miller, the Supreme Court held that there is no reasonable expectation of privacy in financial records maintained by a bank, because the information was voluntarily conveyed by the defendant to a third party (the bank). With new legislation mandating more data retention in the works, this is an appropriate time to reexamine what the term “voluntary” means with respect to online third party services given the state of the world 33 years after Miller.
In Miller, Justice Brennan’s dissent stated that “‘the disclosure by individuals or business firms of their financial affairs to a bank is not entirely volitional, since it is impossible to participate in the economic life of contemporary society without maintaining a bank account.’” Today, evading third party services in everyday life is as untenable as living without a bank account. Additionally, more and more companies within the Internet industry are instating privacy policies which inform the user that information will be collected, may be transferred to other entities, and that the policy may be changed at any time. Few detail where any of that information actually goes or inform consumers when data transfers hands. In his dissent in Smith v. Maryland, Justice Marshall wrote that “whether privacy expectations are legitimate within the meaning of Katz depends not on the risks an individual can be presumed to accept when imparting information to third parties, but on the risks he should be forced to assume in a free and open society.” Reasonable expectations of privacy should be derived not from the status quo – a reflection of the moment’s level of technological advancement – but from a normative understanding of privacy.
In Miller the Court stated that “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” The court cited Hoffa, a case examining the admissibility of testimony by a paid informant, and Lopez, a case dealing with an IRS Agent that tape-recorded a bribe attempt. In both, the Court explained that “The risk of being overheard by an eavesdropper or betrayed by an informer or deceived as to the identity of one with whom one deals is probably inherent in the conditions of human society. It is the kind of risk we necessarily assume whenever we speak.”
Data Collection: By Whom?
The Court mistakenly compared the expectations one may have toward an acquaintance with those one has toward a business. Acquaintances may well betray or turn out to be informants, but companies are not acquaintances and it is more reasonable to have concrete expectations about companies, entities which exist by the grace of legal recognition, than it is about acquaintances. Society has, in fact, recognized many expectations of privacy towards businesses since 1976: doctors cannot disclose medical records, and neither video stores nor cable companies can disclose your viewing habits, even though their data is also gathered “voluntarily.”
Data Collection: For What?
The Court also did not distinguish data owned by the bank by virtue of the bank being a counterparty to the transaction from data owned by the bank where the bank was simply an intermediary. This distinction is key because in Smith, the Court found it dispositive that the defendant had to convey a phone number in order to make use of the phone company’s service, but in Katz, the Court held that there was a reasonable expectation of privacy in the contents of a telephone conversation. Contents are conveyed voluntarily to the person on the other end of the call, but not to the phone company. This is particularly poignant given what Stephen Henderson points out:
The distinction between content provided directly and content provided incidentally to a third party should play a greater role in the analysis of “voluntary” conveyance.
Paul Ohm makes a persuasive argument that copying information, henceforth maintained indefinitely, is a seizure because it violates one of the primary hallmarks of ownership: the right to alter or destroy (in this case, delete) property. The records required to be kept by the Bank Secrecy Act, which were the object of Miller, were available to any customer on request. If anything were amiss, the customer would be able to point it out and ask for a change in the records.
Trying to obtain the same sort of transparency from online third party services today would be extremely difficult: companies do not divulge precisely what records they keep, disclose to whom they sell data, or offer any process for fixing data errors. In Miller itself, Marshall declared that the bank’s copying and maintenance of records as mandated by federal law was a form of unconstitutional seizure. If the ability to edit those records weighed in favor of voluntariness in Miller, the scales should tip the other way today.
In reassessing the third party doctrine, courts should adopt the nuanced conception of “voluntary” disclosure presented in this essay. Courts should look at whether an individual can practically avoid using a technology that inherently requires data disclosure, keeping modern contractual and commercial practices in mind. Courts should also recognize that information is given consensually to a business on the condition that it is used appropriately. Further, although an individual volunteers some information in order for the service to function, does not mean that the person likewise volunteers incidental information. Lastly, courts should be aware that the data collected nowadays is unavailable for review or editing. Once considered, these new factors would distinctly change how courts approach the reasonable expectation of privacy.
By Kate Vershov