With so much of our lives lived online, people have often assumed that the pictures, financial documents, and other sensitive information we store on our password-protected phones and computers are kept private. But every day, it seems there’s a new data breach, or another story about our information being passed around in ways we couldn’t imagine.
>
As a result, there’s been an emerging public distrust in the platforms that hold so much of this information, and increased interest by federal and state legislators on how to protect the public’s privacy. So far, government focus has primarily been on protecting consumer information from intrusive collection by private companies. California passed sweeping legislation in 2018 to protect consumer privacy. That same year, the Vermont legislature passed a law to regulate data brokers. Both Washington and Massachusetts are considering consumer data privacy bills.
While these measures are certainly important, protecting private information from law enforcement invasion—not just private industry—also merits urgency. And with pressure from Libertas Institute and the ACLU of Utah, the Utah Legislature is taking steps toward that very thing. On March 12, Utah legislators voted unanimously to pass landmark legislation in support of a new privacy law that will protect private electronic data stored with third parties like Google or Facebook from free-range government access. The bill stipulates that law enforcement will be required to obtain a warrant before accessing “certain electronic information or data.” (Unlike consumer privacy laws, the bill does not give individuals the ability to see the information that companies collect on them, and doesn’t regulate how personal data is used internally.) The bipartisan bill is expected to go to Governor Gary Herbert’s desk for final approval next week. If he signs the bill, Utah will be the first state in the nation to lawfully protect the electronic information that individuals entrust to third parties.
On the federal level, and in every state aside from Utah, law enforcement can access your information through third-party channels, with no real standard of accountability. This is because of the "third party doctrine" which is a legal theory created when the Supreme Court held that individuals have no reasonable expectation of privacy when they share their data with a third party. This means the government can access anything from innocent photographs to important medical or financial documents one might store on an app. They can access a person’s information so long as the company is willing to share—a loose practice that could easily be abused.
In the courts, third-party data protections have made some progress. Last summer, the Supreme Court narrowly ruled in Carpenter v United States to uphold third-party data privacy. The five-to-four decision said that law enforcement could no longer access a person’s cell phone location data from a third-party phone provider like Verizon or AT&T without first obtaining a warrant. This ruling was significant, but it didn’t do much beyond protecting location data. Banking information, texts, emails, and all other phone data is still up for grabs. That’s why Chief Justice John Roberts, who authored the majority opinion, encouraged state legislatures to pass their own legal protections. In his words, “legislation is much preferable to the development of an entirely new body of Fourth Amendment case law.” Utah took his advice and did just that.
And they did it right, too.
Rather than wait for court action, Utah legislators passed this latest privacy law, which requires law enforcement to obtain a warrant with probable cause in order to access any electronic data held by a third party, at least in most cases. There are legal exceptions to the warrant requirement in the bill—emergency situations or data which appear to be involved with committing a felony or a misdemeanors involving physical violence, sexual abuse, or dishonesty. Even with these potentially problematic exceptions, the bill is certainly better than no protections at all.
Prosecutors and law enforcement may argue they need the power of data collection to protect the public from potential criminals. But individual liberty protections are far more important than perceived safety risks. If there is a legitimate safety concern requiring access to a person's data, law enforcement will still be able to obtain a warrant. Without that warrant requirement in place, private data is left vulnerable to fishing expeditions that are rife for abuse.
Unfortunately, the rest of America is lagging behind Utah’s progress. Without specific laws to address new technology, courts are left to make loose constitutional interpretations. But as Chief Justice Roberts implied in Carpenter, we can’t wait for the courts to decide the fate of our rights. Because privacy laws pertaining to third-party data don’t yet exist outside of Utah, this new legislation should encourage other states to take action, and stop government from prying into the private lives of their people.
WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here. Submit an op-ed at opinion@wired.com