What the Stored Communications Act would look like after Rep. Lofgren's ECPA reform bill (H.R. 983)

I wrote previously about Rep. Lofgren (and others) proposing a modification to the Stored Communications Act (SCA) as well as an addition to the ECPA regarding disclosure of geolocation information; that post can be found, here: Quick details on H.R. 983, the ECPA reform bill announced today.

I decided to update the relevant portions of the SCA (18 U.S.C. 2701-2705) with the modifications in H.R. 983. You can see the bill and my markup, below (original from Cornell's LII):

18 USC § 2701 - Unlawful access to stored communications

(a) Offense.— Except as provided in subsection (c) of this section whoever—

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

(b) Punishment.— The punishment for an offense under subsection (a) of this section is—

(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State—

(A) a fine under this title or imprisonment for not more than 5 years, or both, in the case of a first offense under this subparagraph; and

(B) a fine under this title or imprisonment for not more than 10 years, or both, for any subsequent offense under this subparagraph; and

(2) in any other case—

(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and

(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.

(c) Exceptions.— Subsection (a) of this section does not apply with respect to conduct authorized—

(1) by the person or entity providing a wire or electronic communications service;

(2) by a user of that service with respect to a communication of or intended for that user; or

(3) in section 2703, 2704 or 2518 of this title.

18 USC § 2702 - Voluntary disclosure of customer communications or records

(a) Prohibitions.— Except as provided in subsection (b) or (c)—

(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;

(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and

(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge to any governmental entity the contents of communication covered by subsection (a) of section 2703 or any a record or other information pertaining to a subscriber to or customer or user of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

(b) Exceptions for disclosure of communications.— A provider described in subsection (a) may divulge the contents of a communication—

(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient;

(2) as otherwise authorized in section 2517, 2511 (2)(a), or 2703 of this title;

(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service;

(4) to a person employed or authorized or whose facilities are used to forward such communication to its destination;

(5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;

(6) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A;

(7) to a law enforcement agency—

(A) if the contents—

(i) were inadvertently obtained by the service provider; and

(ii) appear to pertain to the commission of a crime; or

[(B) Repealed. Pub. L. 108–21, title V, § 508(b)(1)(A),Apr. 30, 2003, 117 Stat. 684]

(8) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.

(c) Exceptions for Disclosure of Customer Records.— A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2))—

(1) as otherwise authorized in section 2703;

(2) with the lawful consent of the customer or subscriber;

(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;

(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;

(5) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A; or

(6) to any person other than a governmental entity.

(d) Reporting of Emergency Disclosures.— On an annual basis, the Attorney General shall submit to the Committee on the Judiciary of the House of Representatives and the Committee on the Judiciary of the Senate a report containing—

(1) the number of accounts from which the Department of Justice has received voluntary disclosures under subsection (b)(8); and

(2) a summary of the basis for disclosure in those instances where—

(A) voluntary disclosures under subsection (b)(8) were made to the Department of Justice; and

(B) the investigation pertaining to those disclosures was closed without the filing of criminal charges.

18 USC § 2703 - Required disclosure of customer communications or records

(a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service or remote computing service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, that is stored, held, or maintained by that service, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. Within three days after a governmental entity receives such contents from a service provider pursuant to this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail, or other means reasonably calculated to be effective as specified by the court issuing the warrant to the subscriber, customer, or user a copy of the warrant and a notice that includes the information referenced in section 2705(a)(4)(A) and (B)(i), except that delayed notice may be provided, pursuant to section 2705 of this title. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of Wire or Electronic Communications in a Remote Computing Service.—

(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(2) Paragraph (1) is applicable with respect to any wire or electronic communication that is held or maintained on that service—

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such remote computing service; and

(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.

(c) Records Concerning Electronic Communication Service or Remote Computing Service.—

(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction;

(B) obtains a court order for such disclosure under subsection (d) of this section;

(C) has the consent of the subscriber or customer to such disclosure;

(D) submits a formal written request relevant to a law enforcement investigation concerning telemarketing fraud for the name, address, and place of business of a subscriber or customer of such provider, which subscriber or customer is engaged in telemarketing (as such term is defined in section 2325 of this title); or

(E) seeks information under paragraph (2).

(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the—

(A) name;

(B) address;

(C) local and long distance telephone connection records, or records of session times and durations;

(D) length of service (including start date) and types of service utilized;

(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and

(F) means and source of payment for such service (including any credit card or bank account number),

of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).

(3) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer.

(d) Requirements for Court Order.— A court order for disclosure under subsection (b) or (c) may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation. In the case of a State governmental authority, such a court order shall not issue if prohibited by the law of such State. A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider.

(e) No Cause of Action Against a Provider Disclosing Information Under This Chapter.— No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter.

(f) Requirement To Preserve Evidence.—

(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

(g) Presence of Officer Not Required.— Notwithstanding section 3105 of this title, the presence of an officer shall not be required for service or execution of a search warrant issued in accordance with this chapter requiring disclosure by a provider of electronic communications service or remote computing service of the contents of communications or records or other information pertaining to a subscriber to or customer of such service.

18 USC § 2704 - Backup preservation

(a) Backup Preservation.—

(1) A governmental entity acting under section 2703 (b)(2) may include in its subpoena or court order a requirement that the service provider to whom the request is directed create a backup copy of the contents of the electronic communications sought in order to preserve those communications. Without notifying the subscriber or customer of such subpoena or court order, such service provider shall create such backup copy as soon as practicable consistent with its regular business practices and shall confirm to the governmental entity that such backup copy has been made. Such backup copy shall be created within two business days after receipt by the service provider of the subpoena or court order.

(2) Notice to the subscriber or customer shall be made by the governmental entity within three days after receipt of such confirmation, unless such notice is delayed pursuant to section 2705 (a).

(3) The service provider shall not destroy such backup copy until the later of—

(A) the delivery of the information; or

(B) the resolution of any proceedings (including appeals of any proceeding) concerning the government’s subpoena or court order.

(4) The service provider shall release such backup copy to the requesting governmental entity no sooner than fourteen days after the governmental entity’s notice to the subscriber or customer if such service provider—

(A) has not received notice from the subscriber or customer that the subscriber or customer has challenged the governmental entity’s request; and

(B) has not initiated proceedings to challenge the request of the governmental entity.

(5) A governmental entity may seek to require the creation of a backup copy under subsection (a)(1) of this section if in its sole discretion such entity determines that there is reason to believe that notification under section 2703 of this title of the existence of the subpoena or court order may result in destruction of or tampering with evidence. This determination is not subject to challenge by the subscriber or customer or service provider.

(b) Customer Challenges.—

(1) Within fourteen days after notice by the governmental entity to the subscriber or customer under subsection (a)(2) of this section, such subscriber or customer may file a motion to quash such subpoena or vacate such court order, with copies served upon the governmental entity and with written notice of such challenge to the service provider. A motion to vacate a court order shall be filed in the court which issued such order. A motion to quash a subpoena shall be filed in the appropriate United States district court or State court. Such motion or application shall contain an affidavit or sworn statement—

(A) stating that the applicant is a customer or subscriber to the service from which the contents of electronic communications maintained for him have been sought; and

(B) stating the applicant’s reasons for believing that the records sought are not relevant to a legitimate law enforcement inquiry or that there has not been substantial compliance with the provisions of this chapter in some other respect.

(2) Service shall be made under this section upon a governmental entity by delivering or mailing by registered or certified mail a copy of the papers to the person, office, or department specified in the notice which the customer has received pursuant to this chapter. For the purposes of this section, the term “delivery” has the meaning given that term in the Federal Rules of Civil Procedure.

(3) If the court finds that the customer has complied with paragraphs (1) and (2) of this subsection, the court shall order the governmental entity to file a sworn response, which may be filed in camera if the governmental entity includes in its response the reasons which make in camera review appropriate. If the court is unable to determine the motion or application on the basis of the parties’ initial allegations and response, the court may conduct such additional proceedings as it deems appropriate. All such proceedings shall be completed and the motion or application decided as soon as practicable after the filing of the governmental entity’s response.

(4) If the court finds that the applicant is not the subscriber or customer for whom the communications sought by the governmental entity are maintained, or that there is a reason to believe that the law enforcement inquiry is legitimate and that the communications sought are relevant to that inquiry, it shall deny the motion or application and order such process enforced. If the court finds that the applicant is the subscriber or customer for whom the communications sought by the governmental entity are maintained, and that there is not a reason to believe that the communications sought are relevant to a legitimate law enforcement inquiry, or that there has not been substantial compliance with the provisions of this chapter, it shall order the process quashed.

(5) A court order denying a motion or application under this section shall not be deemed a final order and no interlocutory appeal may be taken therefrom by the customer.

18 USC § 2705 - Delayed notice

(a) Delay of Notification.—

(1) A governmental entity acting under section 2703 (b) 2703(a) of this title may—

(A) where a court order warrant is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) 2703(a) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order warrant may have an adverse result described in paragraph (2) of this subsection; or

(B) where an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena is obtained, delay the notification required under section 2703 (b) of this title for a period not to exceed ninety days upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result described in paragraph (2) of this subsection.

(2) An adverse result for the purposes of paragraph (1) of this subsection is—

(A) endangering the life or physical safety of an individual;

(B) flight from prosecution;

(C) destruction of or tampering with evidence;

(D) intimidation of potential witnesses; or

(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

(3) The governmental entity shall maintain a true copy of certification under paragraph (1)(B).

(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.

(5) Upon expiration of the period of delay of notification under paragraph (1) or (4) of this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail or other means reasonably calculated to be effective as specified by the court issuing the warrant to, the customer or subscriber a copy of the process or request warrant together with notice that—

(A) states with reasonable specificity the nature of the law enforcement inquiry; and

(B) informs such customer or subscriber—

(i) that information maintained for such customer or subscriber by the service provider named in such process or request was supplied to or requested by that governmental authority and the date on which the supplying or request took place;

(ii) that notification of such customer or subscriber was delayed;

(iii) what governmental entity or court made the certification or determination pursuant to which that delay was made; and

(iv) which provision of this chapter allowed such delay.

(6) As used in this subsection, the term “supervisory official” means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency’s headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney’s headquarters or regional office.

(b) Preclusion of Notice to Subject of Governmental Access.— A governmental entity acting under section 2703, when it is not required to notify the subscriber or customer under section 2703 (b)(1), or to the extent that it may delay such notice pursuant to subsection (a) of this section, may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in—

(1) endangering the life or physical safety of an individual;

(2) flight from prosecution;

(3) destruction of or tampering with evidence;

(4) intimidation of potential witnesses; or

(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

Read More

WSJ releases study of website user data sharing with third parties

The Wall Street Journal has compiled a list of 70 popular American websites that require registration and analyzed them based on how they share user data. For each entry, they report whether the user's e-mail address, name, username, age, and zip code are shared and to which website(s) that information is given. Each entry also contains a response from the website as well as the recipient websites if they company responded to the WSJ's inquiry.

In the study, they learned that the Wall Street Journal itself was sharing e-mail addresses and names with four companies, and users' ages or birth years with nine. In response to the investigation, the newspaper noted that many of these transmissions were done in error, and the company "is working to close that hole."

Two years ago, the Journal released a similar study related to data shared by mobile apps.

Read More

When does one start to have a legitimate privacy interest in one’s phone records?

In McGreal v. AT & T Corp., 2012 WL 4356683 (N.D. Ill. Sept. 24, 2012), a federal district court held that a phone owner did not have standing to bring a Fourth Amendment unreasonable search and seizure violation as she did not have a legitimate expectation of privacy in the previous owner’s usage records of the phone.

The plaintiff alleged a Fourth Amendment unreasonable search and seizure violation against the Village of Orland Park and some of its employees (The Village defendants). In October 2010, the Village of Orlando Park requested a subpoena for the phone records at issue during the arbitration of the plaintiff’s son’s termination as an Orland Park police officer. The subpoena was issued for the months of February and March of 2010. The phone number for which the subpoena was issued belonged to the plaintiff’s son from May 2009 through March 26, 2010. When the plaintiff’s son was ordered to produce his phone records for February and March 2010, he was unable to provide them because he closed the phone account on March 26, 2010 and transferred it to the plaintiff.

At trial, the plaintiff argued that her status as owner of the cell phone number when the subpoena was issued gave her ownership of the entire record associated with the number.

The District Court dismissed the defendant’s argument and noted that the subpoena mostly sought after “records that were created . . .  before her ownership of the number.” The court stated that for one to have a legitimate privacy interest as to confer standing to object to a search and seizure, one must have some amount of possession and control over the “object” of the search. The court frowned against the transfer of ownership by the plaintiff’s son to the plaintiff and deemed it a bad faith attempt to evade production of the records.

It is not exactly clear how much weight the court gave to the factual circumstances that surrounded the termination and transfer of the phone account. In the absence of bad faith, one may wonder if the holding would be the same.

While the court held that the plaintiff did not have standing to bring a search and seizure violation in regards to the entire phone record, the court held that the plaintiff did have standing pertaining to the phone records of March 26, 2010 through March 31, 2010. This was a period where she had ownership and complete dominion of the phone record. Thus, the Village defendants’ motion to dismiss the Fourth Amendment violation claim for lack of standing was granted in part and denied in part. 

Read More

Another post-Jones GPS case on the calendar this week

This week, on September 6th, the Wisconsin Supreme Court is faced with a GPS tracking case - State v. Brereton. The issues are unique, and include a pre-textual stop to install the GPS tracking, seizure of the car, lies by law enforcement to conceal the process of installing the GPS tracker, and the interaction of GPS tracking with the holding of the United States Supreme Court in United States v. Jones.

I encourage you to read the case briefs. I am cited in the AG's response brief for a point that I noted as relevant but was certainly not the crux of my piece. As a personal note - I would side with the defendant in this case, but the reference to my piece is germane, nonetheless.  The AG cites me for the concept that it should not matter whether the GPS tracking is real-time or the GPS information must be downloaded with human intervention. In footnote 145 I state: "Judge Bell in United States v. Walker forecloses this GPS technology distinction in a notable way: 'That the officers here chose to use a specifically engineered GPS tracking device rather than merely duct-taping an iPhone to Defendant's bumper is of little moment. The technology in this case is in general use….' 771 F. Supp. 2d 803, 811 (W.D. Mich. 2011)." Clearly a reference to Kyllo, although I find it unconvincing.

The Defendant's Brief can be found here.

The Wisconsin Attorney General's Response Brief can be found here. (I am cited on pg. 33).

The Defendant's Reply Brief can be found here.

My law review article can be found in its entirety, here: Car-ving Out Notions of Privacy: The Impact of GPS Tracking and Why Maynard is a Move in the Right Direction

Read More

Five security tips IT personnel wish students knew

Security News Daily interviewed me for a piece on what I wished students knew about IT security, and I think it has great advice not just for students, but for anyone accessing the internet in general. It can be found here: 5 Security Tips IT personnel wish students knew.

The easiest way to stop cyber crime is to reduce the number of targets.

Read More

Hotels present concerns for guests' security, technology

For many of us, hotels often become a second home. And relying on technology like we do, we carry all of our important devices with us. However, it's not always feasible to take your laptop with you to dinner or your cell phone to the pool. But to what extent should you worry about it?

Spying on the staff
Several months ago, I met Canadian privacy scholar Christopher Parsons at the Privacy Law Scholars Conference in D.C. He does a lot of interesting work in the privacy and surveillance area and also writes a blog on those interests.

I've never been a terribly paranoid person - that is until I met Christopher. I wouldn't define him as being paranoid, either. Rather, he is just smart and inquisitive. He travels a great deal and stays in many hotels. Over time, he has developed a survey of sorts concerning hotel security, testing the housekeeping staff. By carefully placing cell phones, laptops, and other items around the room, he is able to see where the staff checks for such things and what they do with them. One interesting bit of information he has learned is that a do not disturb sign often acts as an invitation to search the room.

"Most hotel staff are, of course, excellent and trustworthy. This said, having heard stories from family members who have worked in hotels - such as how their colleagues would routinely violate room occupants' privacy when rooms were unattended - and others who are well versed in contemporary fraud techniques, I try to take precautions to ensure that my data, and the data of others, is as safe and secure as it can be," said Christopher. "Just one of those precautions involves testing staff in hotels to ascertain - typically with 'dummy' or wiped equipment - whether they are activating devices, trying to log in to them, and so forth."

Since Christopher and I met, I have only stayed in one hotel, but I had no luck with his methods unfortunately. Do not disturb signs were honored, and none of my personal belongings were touched. Do any of you have similar approaches? Have you learned anything interesting? Please share in the comments.

Hotel employees not the only fear
Certainly one fear is that hotel employees will take our items or for some reason attempt to get our data. They can easily get key card access to our rooms. Another concern, as recently demonstrated by a hacker, is the ease in which others can obtain access to your room.

At the recent Black Hat conference, a software developer demonstrated how $50 of materials and a little programming make it possible to obtain access to over four million hotel rooms. He has since released how the hack works.

Unfortunately, the only way to fix the problem is to change each lock, and Onity, the developer, insists that the hotels foot the bill for the replacement.

Creating a workaround
The fact that your home-away-from-home is not quite as secure as you'd like can be terrifying. And certainly there are many issues beyond securing your technology at issue here. However, since this is a technology blog, let's address that issue. What ways do you use to secure your technology when traveling? Share your tips for our other readers.

Read More

N.J. appellate court finds no reasonable expectation of privacy in cell phone number; distinguishes between "generated" and "assigned" information to reach result

In State v. DeFranco, 2012 N.J. Super. LEXIS 92 (App. Div. Jun. 8, 2012), a New Jersey appellate court held that under the New Jersey Constitution, an individual does not have a reasonable expectation of privacy in their cell phone number. This might not be head turning (at least it wasn't for me), but I was fascinated by how the court reached such a result - by distinguishing between "assigned" information (i.e. your cell phone provider assigns you a number), and "generated" information (i.e. ISP records, bank records, and other records that would be generated by a third party). I don't think I am convinced by this dichotomy, but first, let's get to the facts.

The defendant pled guilty to first and second degree assault, as well as endangering the welfare of a child, arising out of an incident that had happened years beforehand. The majority of the evidence was obtained by having the victim call the defendant on his cell phone (a number that was obtained by a school resource officer (SRO) and provided to a separate law enforcement agency), and essentially have him allocute on the phone to his previous transgressions.

The defendant's major assertion is that his cell phone number was private, and for the SRO to hand this over to law enforcement was a violation of his privacy. Unfortunately for the defendant, he had provided that number previously for a school directory and for a school trip. The directory noted that the numbers within it were private, especially those unlisted, but the defendant never corrected an error which failed to mark his number as unlisted. Based on this disclosure, the court found that even if it were to find a privacy interest in the cell phone number, the defendant would have waived such an interest. But, on to the merits.

The defendant asserted that a cell phone number was similar to bank records, ISP records, and other information that New Jersey courts had found a privacy interest in. The defendant tried to assert that New Jersey ascribed to an "informational privacy" model, a mode adopted by a New Jersey appellate court, but never explicitly adopted by the New Jersey Supreme Court:

In this regard, we note that in the Appellate Division's opinion in Reid, the panel stated that "New Jersey appears to have recognized a right to what has been called 'informational privacy.'" The panel described informational privacy in the following terms:

 Informational privacy has been variously defined as "shorthand for the ability to control                        the acquisition or release of information about oneself," or "an individual's claim to control the terms under which personal information . . . is acquired, disclosed, and used." In general, informational privacy "encompasses any information that is identifiable to an individual. This includes both assigned information, such as a name, address, or social security number, and generated information, such as financial or credit card records, medical records, and phone logs. . . . [P]ersonal information will be defined as any information, no matter how trivial, that can be traced or linked to an identifiable individual." 

 We adopt this formulation.

But, the Supreme Court did not adopt this "informational privacy" formulation when they heard Reid on appeal, stating that "[t]he contours and breadth of the standard are not entirely clear, and we need not address those issues in resolving the narrower constitutional question before us."

Because the Supreme Court rejected this approach, the court, here, rejected the defendant's attempt to squeeze cell phone numbers into such a privacy regime:

We perceive a significant difference between the "generated information" afforded protection by the New Jersey Supreme Court in its privacy decisions and the "assigned information" that defendant seeks to protect in this case. The ISP records, the long-distance billing information, the banking records, and the utility usage records of Reid, Hunt, McAllister, and Domicz, respectively, constituted the keys to the details of the lives of those to which the seemingly innocuous initial information pertained. While in some circumstances, knowledge of a telephone number might be equally revelatory, here it was not. The number was simply a number. In the circumstances of this case, we do not find that defendant's professed subjective expectation of privacy is one that society would be willing to recognize as reasonable.

Fascinating, but ultimately problematic. On the surface, this seems like a very good attempt to make a true distinction between information types, and the amount of privacy that they should receive. But, there are many "assigned" pieces of information that one would argue should receive privacy protection, such as your social security number, your IP address (I would argue that this case muddles Reid because can you really make a distinction between the assigned IP address and the generated information it could reveal), and your credit card number. State statutes protecting the information previously stated are an attestation to protection of "assigned" information, and make this distinction unconvincing. Another example would be a private encryption key assigned by an internet company. I'm sure readers can think of many more examples.  While the N.J. Supreme Court did not adopt the "informational privacy" approach, I don't think they meant to throw all "assigned" information noted above out the window.

Instead of attempting to make arbitrary distinctions that will ultimately fail to be the catch-all the court would like, this case should have been resolved on third-party doctrine alone, due to the defendant handing over the information previously. While New Jersey has tightened privacy in the third-party sphere, a little judicial restraint here to not make a sweeping judgment would have been a better approach. Is the public really unwilling to accept this privacy interest as objectively unreasonable? I'm not so sure, especially if you only disclose that number to a tight knit circle of friends/relatives.

Read More