Fourth Amendment Codification and Professor Kerr\u27s Misguided Call for Judicial Deference

This essay critiques Professor Orin Kerr\u27s provocative article, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 Mich. L. Rev. 801 (2004). Increasingly, Fourth Amendment protection is receding from a litany of law enforcement activities, and it is being replaced by federal statutes. Kerr notes these developments and argues that courts should place a thumb on the scale in favor of judicial caution when technology is in flux, and should consider allowing legislatures to provide the primary rules governing law enforcement investigations involving new technologies. Kerr\u27s key contentions are that (1) legislatures create rules that are more comprehensive, balanced, clear, and flexible; (2) legislatures are better able to keep up with technological change; and (3) legislatures are more adept at understanding complex new technologies. I take issue with each of these arguments. Regarding Kerr\u27s first contention, I argue that Congress has created an uneven fabric of protections that is riddled with holes and weak safeguards. Kerr\u27s second contention - that legislatures are better able to update rules quickly as technology shifts - is belied by the historical record, which suggests Congress is actually far worse than the courts in reacting to new technologies. As for Kerr\u27s third contention, shifting to a statutory regime will not eliminate Kerr\u27s concern with judges misunderstanding technology. In fact, many judicial misunderstandings stem from courts trying to fit new technologies into an old statutory regime that is built around old technologies. Therefore, while Kerr is right that our attention must focus more on the statutes, he is wrong in urging for a deferential judicial approach to the Fourth Amendment

A Taxonomy of Privacy

Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law

Identity Theft, Privacy, and the Architecture of Vulnerability

This Article contrasts two models for understanding and protecting against privacy violations. Traditionally, privacy violations have been understood as invasive actions by particular wrongdoers who cause direct injury to victims. Victims experience embarrassment, mental distress, or harm to their reputations. Privacy is not infringed until these mental injuries materialize. Thus, the law responds when a person\u27s deepest secrets are exposed, reputation is tarnished, or home is invaded. Under the traditional view, privacy is an individual right, remedied at the initiative of the individual. In this Article, Professor Solove contends the traditional model does not adequately account for many of the privacy problems arising today. These privacy problems do not consist merely of a series of isolated and discrete invasions or harms, but are systemic in nature. They cannot adequately be remedied by individual rights and remedies alone. In contrast, Professor Solove proposes a different model for understanding and protecting against these privacy problems. Developing the notion of architecture as used by Joel Reidenberg and Lawrence Lessig, Solove contends that many privacy problems must be understood as the product of a broader structural system which shapes the collection, dissemination, and use of personal information. Lessig and Reidenberg focus on architectures of control, structures that function to exercise greater dominion over individuals. Solove argues that in addition to architectures of control, we are seeing the development of architectures of vulnerability, which create a world where people are vulnerable to significant harm and are helpless to do anything about it. Solove argues that protecting privacy must focus not merely on remedies and penalties but on shaping architectures. Professor Solove illustrates these points with the example of identity theft, one of the most rapidly growing types of criminal activity. Identity theft is often conceptualized under the traditional model as the product of disparate thieves and crafty criminals. The problem, however, has not been adequately conceptualized, and, as a result, enforcement efforts have been misdirected. The problem, as Solove contends, is one created by an architecture, one that creates a series of vulnerabilities. This architecture is not created by identity thieves; rather, it is exploited by them. It is an architecture of vulnerability, one where personal information is not protected with adequate security. The identity thief\u27s ability to so easily access and use our personal data stems from an architecture that does not provide adequate security to our personal information and that does not afford us with a sufficient degree of participation in the collection, dissemination, and use of that information. Understanding identity theft in terms of architecture reveals that it is part of a larger problem that the law has thus far ignored. Solove then discusses solutions to the identity theft problem. He engages in an extensive critique of Lynn LoPucki\u27s solution, which involves the creation of a public identification system. After pointing out the difficulties in LoPucki\u27s proposal, Solove develops an architecture that can more appropriately curtail identity theft, an architecture based on the Fair Information Practices

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact

This essay, written in a journalistic style, examines HIPAA over the past decade. The essay discusses the creation of HIPAA, the evolution of HHS enforcement, the impact of the HITECH Act, and the overall influence and effect of HIPAA on healthcare providers and organizations using medical data. Professor Solove combines analysis with interviews of key regulators and practitioners

The First Amendment as Criminal Procedure

This Article explores the relationship between the First Amendment and criminal procedure. These two domains of constitutional law have long existed as separate worlds, rarely interacting with each other despite the fact that many instances of government information gathering can implicate First Amendment freedoms of speech, association, and religion. The Fourth and Fifth Amendments used to provide considerable protection for First Amendment interests, as in the famous 1886 case Boyd v. United States, in which the Supreme Court held that the government was prohibited from seizing a person\u27s private papers. Over time, however, Fourth and Fifth Amendment protection has shifted, and countless searches and seizures involving people\u27s private papers, the books they read, the websites they surf, and the pen names they use when writing anonymously now fall completely outside the protection of constitutional criminal procedure. Professor Solove argues that the First Amendment should protect against government information gathering that implicates First Amendment interests. He contends that there are doctrinal, historical, and normative justifications for developing what he calls First Amendment criminal procedure. Solove sets forth an approach for determining when certain instances of government information gathering fall within the regulatory domain of the First Amendment and what level of protection the First Amendment should provide

A Tale of Two Bloggers: Free Speech and Privacy in the Blogosphere

It is true that existing law lacks nimble ways to resolve disputes about speech and privacy on the Internet. Lawsuits are costly to litigate, and being sued can saddle a blogger with massive expenses. Bloggers often don’t have deep pockets, and therefore it might be difficult for plaintiffs to find lawyers willing to take their cases. Lawsuits can take years to resolve. People seeking to protect their privacy must risk further publicity in bringing suit. These are certainly serious problems, but the solution shouldn’t be to insulate bloggers from the law. The solution is to create a system for ensuring that bloggers blog responsibly without the law’s cumbersome costs. Perhaps systems of alternative dispute resolution could be used

Nothing to Hide: The False Tradeoff between Privacy and Security (Introduction)

If you\u27ve got nothing to hide, many people say, you shouldn\u27t worry about government surveillance. Others argue that we must sacrifice privacy for security. But as Daniel J. Solove argues in this book, these arguments and many others are flawed. They are based on mistaken views about what it means to protect privacy and the costs and benefits of doing so. In addition to attacking the Nothing-to Hide Argument, Solove exposes the fallacies of pro-security arguments that have often been used to justify government surveillance and data mining. These arguments - such as the Luddite Argument, the War-Powers Argument, the All-or-Nothing Argument, the Suspicionless-Searches Argument, the Deference Argument, and the Pendulum Argument - have skewed law and policy to favor security at the expense of privacy.The debate between privacy and security has been framed incorrectly as a zero-sum game in which we are forced to choose between one value and the other. But protecting privacy isn\u27t fatal to security measures; it merely involves adequate oversight and regulation. The primary focus of the book is on common pro-security arguments, but Solove also discusses concrete issues of law and technology, such as the Fourth Amendment Third Party Doctrine, the First Amendment, electronic surveillance statutes, the USA-Patriot Act, the NSA surveillance program, and government data mining

A Taxonomy of Privacy

Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law

The Myth of the Privacy Paradox

In this article, Professor Daniel Solove deconstructs and critiques the privacy paradox and the arguments made about it. The “privacy paradox” is the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy. Commentators typically make one of two types of arguments about the privacy paradox. On one side, the “behavior valuation argument” contends behavior is the best metric to evaluate how people actually value privacy. Behavior reveals that people ascribe a low value to privacy or readily trade it away for goods or services. The argument often goes on to contend that privacy regulation should be reduced. On the other side, the “behavior distortion argument” argues that people’s behavior isn’t an accurate metric of preferences because behavior is distorted by biases and heuristics, manipulation and skewing, and other factors. In contrast to both of these camps, Professor Solove argues that the privacy paradox is a myth created by faulty logic. The behavior involved in privacy paradox studies involves people making decisions about risk in very specific contexts. In contrast, people’s attitudes about their privacy concerns or how much they value privacy are much more general in nature. It is a leap in logic to generalize from people’s risk decisions involving specific personal data in specific contexts to reach broader conclusions about how people value their own privacy. The behavior in the privacy paradox studies doesn’t lead to a conclusion for less regulation. On the other hand, minimizing behavioral distortion will not cure people’s failure to protect their own privacy. It is perfectly rational for people — even without any undue influences on behavior — to fail to make good assessments of privacy risks and to fail to manage their privacy effectively. Managing one’s privacy is a vast, complex, and never-ending project that does not scale; it becomes virtually impossible to do comprehensively. Privacy regulation often seeks to give people more privacy self-management, such as the recent California Consumer Privacy Act. Professor Solove argues that giving individuals more tasks for managing their privacy will not provide effective privacy protection. Instead, regulation should employ a different strategy — focus on regulating the architecture that structures the way information is used, maintained, and transferred