Research News

Data in the cloud: What’s private and what isn’t?

Christopher Slobogin (Daniel Dubois/Vanderbilt University)

A huge amount of information about Americans is stored in databases maintained by the government, internet service providers, credit card companies, and corporations like Netflix and Google. Clearer rules need to be put in place that specify when this wealth of data can be obtained for law enforcement and national security purposes, says a Vanderbilt University professor and expert on the Fourth Amendment.

New rules are necessary, says Chris Slobogin, holder of the Milton R. Underwood Chair in Law and director of the Criminal Justice Program at Vanderbilt Law School, because digitization has made access, aggregation and analysis of our everyday activities easier than ever before.

The U.S. Supreme Court has been largely quiet on these issues. In fact, its primary rulings in the area hold that once information is surrendered to a third party, such as a bank, one loses all constitutional privacy protection.

In his new study Policing and the Cloud, one of five papers in a National Constitution White Paper Series introduced May 10 at the National Constitution Center under the banner “A Twenty-First Century Framework for Digital Privacy,” Slobogin disagrees with this stance, and suggests guidelines for access to five varieties of database searches.

“In each of these areas, the regulatory regime needs to be rethought,” he says. “A warrant may not be necessary in all of these situations, but in many a subpoena might not be enough.”

Slobogin calls the five varieties of database searches suspect-driven, profile-driven, event-driven, program-driven and volunteer-driven.

Suspect-driven searches are aimed at getting as much information as possible about individuals suspected of wrongdoing. Under current laws, a law enforcement officer can look at bank and phone records and other information without a warrant and sometimes not even a subpoena.

“This approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” Slobogin says. “[lquote]Without justification, information gained from activities like communicating with friends, banking and shopping should be harder to get than it is now.”[/lquote]

Profile-driven searches begin with a profile of the characteristics of those who may have committed a particular sort of crime. Called “predictive policing,” it involves searching databases for individuals who have attributes that fit the profile of a criminal.

“Courts should be involved here as well, making sure both that there is justification for profile-driven identification and that the profiles are properly validated and do not rely on obviously biased risk factors,” Slobogin says.

Event-driven searches start with a crime and then use databases to identify who might have witnessed or committed it. They could involve accessing telephone and vehicle GPS records or feeds from closed-circuit or airborne cameras.

“These event-driven uses of the cloud could result in a large haul of people, among whom may be the perpetrator or a witness, but many of them will be neither,” he says. “At least when the scope of such searches is significant, police should have to seek authorization from a judge, who can take the number of people affected, the nature of the crime being investigated and other factors into deciding to what extent such searches may occur.”

Program-driven searches involve the routine collection of data, where they can be “combed” using software designed to detect criminal or terrorist activity through suspect-driven, profile-driven or event-driven techniques. As evidenced by the public outcry over Edward Snowden’s account of the National Security Administration’s collection of communications metadata, a significant proportion of the public is uncomfortable with these types of programs.

“Compilation of information from multiple sources in one ‘place’ raises a host of concerns,” Slobogin says. “[rquote]It can lead to obvious abuses, ranging from illegitimate investigations of journalists, politicians, activists and ethnic groups to leaks based on personal vendettas.[/rquote] Regulation of program-driven cloud searches must come from the political process.”

Further, he argues, once authorized to set up a program, an agency must draft implementing rules, subject them to a notice and comment process that allows public input, and provide written rationales for the rules ultimately chosen, rules that are reviewable by a court to ensure the program meets a demonstrated need and is applied even-handedly, without irrational distinctions between groups or areas.

Volunteer-driven searches usually happen when third parties such as banks and hospitals offer information to the government that it wasn’t seeking.

Even here, Slobogin says, “restrictions should be placed on the extent to which third parties should be able to proffer to the government personal information they have acquired solely because citizens must surrender it to receive basic services.” Otherwise, government could simply subtly encourage third parties to “voluntarily” transfer personal information that normally would be subject to the other four types of access and collection limitations.