Why does it matter whether governments can access personal data stored on third-party servers? In part, because there’s so much of it — and there isn’t always the nexus to a crime.
The expansion of data collection has happened in parallel with mobile device manufacturers’ and app developers’ efforts, ironically, to protect user privacy by shipping devices or building apps with built-in encryption.
That’s hampered investigators’ efforts to extract data directly from devices. In response, law enforcement increasingly seeks evidence stored on app companies’ servers “in the cloud.”
This isn’t just for the sake of obtaining data. It’s also considered investigative best practice: a way to get a more complete picture of the account and to assist in corroborating other data sources — including data extracted from mobile devices.
Data inputted via mobile device isn’t the only third-party data of interest. Some of the cases that have captured the most media attention involve related or unrelated services:
- The Golden State Killer, who was captured after police used a third-party DNA service to identify potential leads.
- Data captured from IoT devices like home assistants, smart doorbells, and smart wearables.
- Several “geofence” cases in federal district courts in Illinois and Virginia.
Recent years have additionally seen challenges to data requests made to Google, AT&T, and Amazon, as well as the purchase of tools designed to harvest geolocation data from apps — or purchase of data from breached websites.
Historically, most U.S. courts have ruled that by voluntarily entering into contracts with service providers like banks and telecommunications companies, customers give up their reasonable expectation of privacy. (1) (Some state courts, such as in New Jersey (2) and Colorado (3), have interpreted their respective constitutions to recognize an expectation of privacy in these records.
However, courts are increasingly scrutinizing “third party doctrine” in light of advancements in data storage and retrieval. This technology means that government collection of “pattern of life” data is no longer prohibitively costly and time-consuming.
As 5G and its associated devices gain ground, it’s worth asking: what other data sources could end up being subject to search — and how might courts, companies, and legislators balance investigative value with privacy needs?