Fourth Amendment Codification and Professor Kerr\u27s Misguided Call for Judicial Deference

This essay critiques Professor Orin Kerr\u27s provocative article, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 Mich. L. Rev. 801 (2004). Increasingly, Fourth Amendment protection is receding from a litany of law enforcement activities, and it is being replaced by federal statutes. Kerr notes these developments and argues that courts should place a thumb on the scale in favor of judicial caution when technology is in flux, and should consider allowing legislatures to provide the primary rules governing law enforcement investigations involving new technologies. Kerr\u27s key contentions are that (1) legislatures create rules that are more comprehensive, balanced, clear, and flexible; (2) legislatures are better able to keep up with technological change; and (3) legislatures are more adept at understanding complex new technologies. I take issue with each of these arguments. Regarding Kerr\u27s first contention, I argue that Congress has created an uneven fabric of protections that is riddled with holes and weak safeguards. Kerr\u27s second contention - that legislatures are better able to update rules quickly as technology shifts - is belied by the historical record, which suggests Congress is actually far worse than the courts in reacting to new technologies. As for Kerr\u27s third contention, shifting to a statutory regime will not eliminate Kerr\u27s concern with judges misunderstanding technology. In fact, many judicial misunderstandings stem from courts trying to fit new technologies into an old statutory regime that is built around old technologies. Therefore, while Kerr is right that our attention must focus more on the statutes, he is wrong in urging for a deferential judicial approach to the Fourth Amendment

Understanding Privacy (Chapter One)

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information increasingly available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible. In UNDERSTANDING PRIVACY (Harvard University Press, May 2008), Professor Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues, such as surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy

I\u27ve Got Nothing to Hide and Other Misunderstandings of Privacy

In this short Article, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: I\u27ve got nothing to hide. According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings

Data Is What Data Does: Regulating Use, Harm, and Risk Instead of Sensitive Data

Heightened protection for sensitive data is becoming quite trendy in privacy laws around the world. Originating in European Union (EU) data protection law and included in the EU’s General Data Protection Regulation (GDPR), sensitive data singles out certain categories of personal data for extra protection. Commonly recognized special categories of sensitive data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and sex life, biometric data, and genetic data. Although heightened protection for sensitive data appropriately recognizes that not all situations involving personal data should be protected uniformly, the sensitive data approach is a dead end. The sensitive data categories are arbitrary and lack any coherent theory for identifying them. The borderlines of many categories are so blurry that they are useless. Moreover, it is easy to use non-sensitive data as a proxy for certain types of sensitive data. Personal data is akin to a grand tapestry, with different types of data interwoven to a degree that makes it impossible to separate out the strands. With Big Data and powerful machine learning algorithms, most non-sensitive data can give rise to inferences about sensitive data. In many privacy laws, data that can give rise to inferences about sensitive data is also protected as sensitive data. Arguably, then, nearly all personal data can be sensitive, and the sensitive data categories can swallow up everything. As a result, most organizations are currently processing a vast amount of data in violation of the laws. This Article argues that the problems with the sensitive data approach make it unworkable and counterproductive — as well as expose a deeper flaw at the root of many privacy laws. These laws make a fundamental conceptual mistake — they embrace the idea that the nature of personal data is a sufficiently useful focal point for the law. But nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does. Personal data is harmful when its use causes harm or creates a risk of harm. It is not harmful if it is not used in a way to cause harm or risk of harm. To be effective, privacy law must focus on use, harm, and risk rather than on the nature of personal data. The implications of this point extend far beyond sensitive data provisions. In many elements of privacy laws, protections should be based on the use of personal data and proportionate to the harm and risk involved with those uses

A Taxonomy of Privacy

Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law

A Tale of Two Bloggers: Free Speech and Privacy in the Blogosphere

It is true that existing law lacks nimble ways to resolve disputes about speech and privacy on the Internet. Lawsuits are costly to litigate, and being sued can saddle a blogger with massive expenses. Bloggers often don’t have deep pockets, and therefore it might be difficult for plaintiffs to find lawyers willing to take their cases. Lawsuits can take years to resolve. People seeking to protect their privacy must risk further publicity in bringing suit. These are certainly serious problems, but the solution shouldn’t be to insulate bloggers from the law. The solution is to create a system for ensuring that bloggers blog responsibly without the law’s cumbersome costs. Perhaps systems of alternative dispute resolution could be used

Nothing to Hide: The False Tradeoff between Privacy and Security (Introduction)

If you\u27ve got nothing to hide, many people say, you shouldn\u27t worry about government surveillance. Others argue that we must sacrifice privacy for security. But as Daniel J. Solove argues in this book, these arguments and many others are flawed. They are based on mistaken views about what it means to protect privacy and the costs and benefits of doing so. In addition to attacking the Nothing-to Hide Argument, Solove exposes the fallacies of pro-security arguments that have often been used to justify government surveillance and data mining. These arguments - such as the Luddite Argument, the War-Powers Argument, the All-or-Nothing Argument, the Suspicionless-Searches Argument, the Deference Argument, and the Pendulum Argument - have skewed law and policy to favor security at the expense of privacy.The debate between privacy and security has been framed incorrectly as a zero-sum game in which we are forced to choose between one value and the other. But protecting privacy isn\u27t fatal to security measures; it merely involves adequate oversight and regulation. The primary focus of the book is on common pro-security arguments, but Solove also discusses concrete issues of law and technology, such as the Fourth Amendment Third Party Doctrine, the First Amendment, electronic surveillance statutes, the USA-Patriot Act, the NSA surveillance program, and government data mining

Identity Theft, Privacy, and the Architecture of Vulnerability

This Article contrasts two models for understanding and protecting against privacy violations. Traditionally, privacy violations have been understood as invasive actions by particular wrongdoers who cause direct injury to victims. Victims experience embarrassment, mental distress, or harm to their reputations. Privacy is not infringed until these mental injuries materialize. Thus, the law responds when a person\u27s deepest secrets are exposed, reputation is tarnished, or home is invaded. Under the traditional view, privacy is an individual right, remedied at the initiative of the individual. In this Article, Professor Solove contends the traditional model does not adequately account for many of the privacy problems arising today. These privacy problems do not consist merely of a series of isolated and discrete invasions or harms, but are systemic in nature. They cannot adequately be remedied by individual rights and remedies alone. In contrast, Professor Solove proposes a different model for understanding and protecting against these privacy problems. Developing the notion of architecture as used by Joel Reidenberg and Lawrence Lessig, Solove contends that many privacy problems must be understood as the product of a broader structural system which shapes the collection, dissemination, and use of personal information. Lessig and Reidenberg focus on architectures of control, structures that function to exercise greater dominion over individuals. Solove argues that in addition to architectures of control, we are seeing the development of architectures of vulnerability, which create a world where people are vulnerable to significant harm and are helpless to do anything about it. Solove argues that protecting privacy must focus not merely on remedies and penalties but on shaping architectures. Professor Solove illustrates these points with the example of identity theft, one of the most rapidly growing types of criminal activity. Identity theft is often conceptualized under the traditional model as the product of disparate thieves and crafty criminals. The problem, however, has not been adequately conceptualized, and, as a result, enforcement efforts have been misdirected. The problem, as Solove contends, is one created by an architecture, one that creates a series of vulnerabilities. This architecture is not created by identity thieves; rather, it is exploited by them. It is an architecture of vulnerability, one where personal information is not protected with adequate security. The identity thief\u27s ability to so easily access and use our personal data stems from an architecture that does not provide adequate security to our personal information and that does not afford us with a sufficient degree of participation in the collection, dissemination, and use of that information. Understanding identity theft in terms of architecture reveals that it is part of a larger problem that the law has thus far ignored. Solove then discusses solutions to the identity theft problem. He engages in an extensive critique of Lynn LoPucki\u27s solution, which involves the creation of a public identification system. After pointing out the difficulties in LoPucki\u27s proposal, Solove develops an architecture that can more appropriately curtail identity theft, an architecture based on the Fair Information Practices

Digital Dossiers and the Dissipation of Fourth Amendment Privacy

In this article, Professor Solove examines the increasing information flow from the private sector to the government, especially in light of the response to September 11, 2001. In today\u27s Information Age, private sector entities are gathering an unprecedented amount of personal information about individuals, and the data is increasingly being accessed by government law enforcement officials. This government information gathering takes place outside the bounds of the Fourth Amendment, since the Supreme Court held in Smith v. Maryland and United States v. Miller that the Fourth Amendment does not apply to records held by third parties. Law enforcement officials can, with little restriction or judicial oversight, assemble what amounts to a digital dossier about a person by obtaining the personal details aggregated by various banks, businesses, websites, employers, ISPs, and other entities. On the other hand, access to information held by third parties is often critical to effective law enforcement. In light of the growing amount of personal data held by the private sector in the Information Age, to what extent should the government be restricted in its gathering of personal data from the private sector? In the void left by the Fourth Amendment, a series of statutes regulate government access to third party records, but this regime is woefully inadequate and ineffective. Reversing Smith and Miller will not work; the problem is far too complicated. Professor Solove explains why these solutions fail, and he proposes a new and far-reaching solution

Reconstructing Electronic Surveillance Law

After the September 11th attacks in 2001, Congress hastily passed the USA-Patriot Act which made several changes to electronic surveillance law. The Act has sparked a fierce debate. However, the pros and cons of the USA-Patriot Act are only one part of a much larger issue: How effective is the law that regulates electronic surveillance? The USA-Patriot Act made a number of changes in electronic surveillance law, but the most fundamental problems with the law did not begin with the USA-Patriot Act. In this article, Professor Solove argues that electronic surveillance law suffers from significant problems that predate the USA-Patriot Act. The USA-Patriot Act indeed worsened some of these problems, but surveillance law had lost its way long before. Surveillance law is thus in need of a radical reconstruction. After exploring specific difficulties with the scope, standards, and enforcement mechanisms of the statutes, Solove turns to examine the more deeply-rooted and systematic problems. Solove contends that electronic surveillance law is overly intricate and complex, that it has failed to keep pace in adapting to new technologies, and that it provides for insufficient judicial and legislative oversight. He proposes ways in which surveillance law should be reconstructed to address these problems. Solove recommends a rather radical solution: Warrants supported by probable cause should be required for most uses of electronic surveillance. Finally, Solove suggests that Congress draft a charter regulating the FBI