Data in the cloud: What’s private and what isn’t?

Christopher Slobogin (Daniel Dubois/Vanderbilt University)

A huge amount of information about Americans is stored in databases maintained by the government, internet service providers, credit card companies, and corporations like Netflix and Google. Clearer rules need to be put in place that specify when this wealth of data can be obtained for law enforcement and national security purposes, says a Vanderbilt University professor and expert on the Fourth Amendment.

New rules are necessary, says , holder of the Milton R. Underwood Chair in Law and director of the at , because digitization has made access, aggregation and analysis of our everyday activities easier than ever before.

The U.S. Supreme Court has been largely quiet on these issues. In fact, its primary rulings in the area hold that once information is surrendered to a third party, such as a bank, one loses all constitutional privacy protection.

In his new study , one of five papers in a National Constitution White Paper Series introduced May 10 at the under the banner ,” Slobogin disagrees with this stance, and suggests guidelines for access to five varieties of database searches.

“In each of these areas, the regulatory regime needs to be rethought,” he says. “A warrant may not be necessary in all of these situations, but in many a subpoena might not be enough.”

Slobogin calls the five varieties of database searches suspect-driven, profile-driven, event-driven, program-driven and volunteer-driven.

Suspect-driven searches are aimed at getting as much information as possible about individuals suspected of wrongdoing. Under current laws, a law enforcement officer can look at bank and phone records and other information without a warrant and sometimes not even a subpoena.

“This approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” Slobogin says. “Without justification, information gained from activities like communicating with friends, banking and shopping should be harder to get than it is now.”

Profile-driven searches begin with a profile of the characteristics of those who may have committed a particular sort of crime. Called “predictive policing,” it involves searching databases for individuals who have attributes that fit the profile of a criminal.

“Courts should be involved here as well, making sure both that there is justification for profile-driven identification and that the profiles are properly validated and do not rely on obviously biased risk factors,” Slobogin says.

Event-driven searches start with a crime and then use databases to identify who might have witnessed or committed it. They could involve accessing telephone and vehicle GPS records or feeds from closed-circuit or airborne cameras.

“These event-driven uses of the cloud could result in a large haul of people, among whom may be the perpetrator or a witness, but many of them will be neither,” he says. “At least when the scope of such searches is significant, police should have to seek authorization from a judge, who can take the number of people affected, the nature of the crime being investigated and other factors into deciding to what extent such searches may occur.”

Program-driven searches involve the routine collection of data, where they can be “combed” using software designed to detect criminal or terrorist activity through suspect-driven, profile-driven or event-driven techniques. As evidenced by the public outcry over Edward Snowden’s account of the National Security Administration’s collection of communications metadata, a significant proportion of the public is uncomfortable with these types of programs.

“Compilation of information from multiple sources in one ‘place’ raises a host of concerns,” Slobogin says. “It can lead to obvious abuses, ranging from illegitimate investigations of journalists, politicians, activists and ethnic groups to leaks based on personal vendettas. Regulation of program-driven cloud searches must come from the political process.”

Further, he argues, once authorized to set up a program, an agency must draft implementing rules, subject them to a notice and comment process that allows public input, and provide written rationales for the rules ultimately chosen, rules that are reviewable by a court to ensure the program meets a demonstrated need and is applied even-handedly, without irrational distinctions between groups or areas.

Volunteer-driven searches usually happen when third parties such as banks and hospitals offer information to the government that it wasn’t seeking.

Even here, Slobogin says, “restrictions should be placed on the extent to which third parties should be able to proffer to the government personal information they have acquired solely because citizens must surrender it to receive basic services.” Otherwise, government could simply subtly encourage third parties to “voluntarily” transfer personal information that normally would be subject to the other four types of access and collection limitations.