Objects, Places and Cyber-Spaces Post-Carpenter: Extending The Third-Party Doctrine Beyond CSLI: A Consideration of IoT and DNA

Eunice Park
21 Yale J.L. & Tech. 1

At the November 2017 oral arguments in the case Carpenter v. United States, Justice Sotomayor commented that many individuals even carry their cell phones into their beds and public restrooms: “It’s an appendage now for some people.” On June 22, 2018, in a 5-4 opinion written by Chief Justice Roberts and joined by Justices Ginsberg, Breyer, Sotomayor, and Kagan, the Supreme Court held that the government will generally need a warrant to access cell-site location information (CSLI). Ostensibly, Carpenter is only about CSLI, and the language of the decision carefully limits its application. However, the Court’s reasoning behind why the third-party doctrine should not apply is broadly applicable:  the information was involuntarily exposed, incidental to merely having a cell phone, which is an item necessary for functioning in modern society. Indeed, technology’s constant forward march leads one to wonder, what privacy issue awaits around the next corner? What technological innovation will pose yet another Fourth Amendment challenge? Our cell phones commonly have health apps that monitor our activity, sleep, mindfulness, and nutrition. Internet of Things (IoT) devices, which have the ability to connect to and interface with a network, include “smart” light bulbs, refrigerators, and even a mattress cover that starts your Bluetooth or WiFi-enabled coffee maker when you wake up in the morning. The private genomic testing industry, too, in which intimate genealogical and genetic health information is sent to third-party laboratories, medical researchers, and even sold to pharmaceutical companies for profit, has seen tremendous growth recently.

IoT devices and private DNA testing seem vastly different from each other and from cell phones, and yet both are increasingly popular consumer technologies whose functioning, by design, necessitates a third party. Like CSLI, the data sent to third parties by smart devices and genomic testing services involves no voluntary act, let alone affirmative sharing. This lack of voluntariness was a significant part of the Carpenter Court’s basis for holding—in a decision lauded by privacy advocates—that the cell phone owner has an expectation of privacy in CSLI, despite the fact that the data is owned by a third party. Thus, notwithstanding its limiting language, Carpenter opens the door to a slew of questions about consumers’ privacy expectations in multitudes of other burgeoning technologies that, like cell phones and the location data they produce, also necessitate a third party. This Article, therefore, proposes extending the third-party doctrine in Carpenter’s wake to reflect the realities of the digital age, both to protect privacy and provide some limits to the third-party doctrine. Given that a third party has control over a consumer’s personal data, a meaningful test for whether an expectation of privacy remains or has been forfeited should include two inquiries: first, whether the consumer understands that the technology’s very design necessitates a third party; and second, whether the consumer has a meaningful opportunity to opt out of sharing data with that third party.

This Article begins by describing the common law background that prefaced Carpenter, explains why the Carpenter analysis is incomplete, and offers the new, extended test for the third-party doctrine as one that balances decisional analysis with technological reality and provides a principled framework to encompass technologies beyond CSLI. Next, this Article offers normative explanations for why digital data is a square peg in the round hole of the third-party doctrine but explains that privacy in the digital era should nonetheless survive the disconnect. Finally, this Article applies the newly extended third-party doctrine test to two specific examples of increasingly popular technologies in which private data is necessarily shared with third parties: IoT devices and private DNA testing. This Article illustrates the inability of smart devices and private genomic testing services to pass the two inquiries of the proposed extended test, and affirms the consumer’s expectation of privacy in the absence of any voluntary act.