Utah Has Closed the Biggest Loophole in Digital Privacy Utah Has Closed the Biggest Loophole in Digital Privacy
04.22.2019

Utah’s governor has signed a bill, HB57, requiring police to get search warrants before accessing data held by third parties, including social media networks and cloud computing services. Though the bill was signed into law on March 28, it hasn’t attracted much attention nationally. But its implications are huge: The law is an effort to correct what some see as a fundamental flaw in the enforcement of the U.S. Bill of Rights.

The problems with existing legal precedent, and the new law’s potential impact, are nicely laid out by Nick Sibilla of the Institute for Justice, a libertarian public-interest law firm. A precedent known as the “third-party doctrine” has, since the 1970s, allowed law enforcement to access personal data including bank and phone records without a warrant. The Supreme Court’s logic in establishing the doctrine was that individuals had forfeited their expectation of privacy by giving information about their behavior to third parties.

Get the BREAKERMAG newsletter, a twice-weekly roundup of blockchain business and culture.

From where we stand today, that sounds patently insane—we entrust massive amounts of very personal data to third parties, down to the granular data about online behavior handled by our internet service providers. To a large degree, this means that the Fourth Amendment, which protects against “unreasonable search and seizure” when it comes to things like your house, car, or pockets, simply doesn’t apply to data compiled about you by digital services.

The same principle does apply to local digital devices—police need a warrant to open your phone storage without your consent, for instance. As Jay-Z once put it: “My glove compartment is locked, and so’s the trunk in the back. I know my rights, so you gon’ need a warrant for that.”

But for data stored by third parties, things are pretty close to a free-for-all.

Related: People Don’t Care About Financial Privacy As Much As You Think

Invasive digital surveillance has been normalized in part thanks to enduring post-9/11 fears about terrorism. But it has become increasingly clear that mass data collection by bodies including the National Security Agency provides little or no advantage over traditional, warrant-authorized investigative techniques. In 2012, for instance, a Senate investigation found that Department of Homeland Security “fusion centers,” which collate data including information obtained from warrantless digital surveillance, had “not yielded significant useful information to support federal counterterrorism intelligence efforts.” What such techniques did accomplish, according to Senator Tom Coburn in the same report, was “wast[ing] money and stepp[ing] on American’s civil liberties.”

Such findings don’t seem to have much impact on the government’s ghoulish hunger for more ways to surveil people. The CLOUD Act, passed last year, even allows foreign governments to access user data held by U.S. technology companies, without going through U.S. courts—and gives special privileges to the U.S. in requests for foreign data.

There is a growing awareness, however, that the third-party doctrine that allows this sort of behavior is flawed, especially when applied to contemporary technology. In June of 2018, the Supreme Court ruled that detailed cell-phone location data could not be freely accessed by law enforcement under the third-party doctrine, because that would essentially open the door to full-time, warrantless monitoring of people’s movements. The opinion also inevitably raised broader questions about the third-party doctrine in an era when we all depend on remote digital services to go about our daily lives.

Utah’s new law is another meaningful step towards redressing the encroachment of state power into the digital realm. There are major caveats: First, the new law doesn’t apply to financial data or health records. And it only applies to Utah’s own state-level law enforcement agencies, according to lawyer Peter Jaffe. That means the Provo Sheriff’s office or Salt Lake PD can’t peek at your Twitter DMs without a warrant, but your friends at the FBI still can.

 

Update 4/22/19: This story has been updated to reflect exceptions to Utah’s law for health and financial data.