Note: the big social media news of the week was that Meta was found guilty of harming young people by juries in New Mexico and California (which found YouTube guilty, too). There will be no newsletter next week due to my kids’ spring break, but I plan to write more about child safety and youth social media bans when I return on April 10.
The case: can the government search your location history without a warrant?
This spring, a major US Supreme Court privacy case could help establish the principle that we, not platforms, own our social media accounts, and an amicus brief from a group of legal and technical heavy hitters could be the key.
Chatrie v. United States is a case about geofence warrants (see the Brookings Institute for a full summary). A geofence warrant is a legal fishing expedition. If the government wants to identify possible suspects in a crime, they force a platform with location data to turn over anonymous information about every device that was in a given area at a certain date and time. The government can then identify which device patterns look suspicious, and go back to the platform to identify those users for subsequent investigation or arrest.
Okello Chatrie was convicted of armed robbery in Virginia in 2022, based in part on the results of a geofence warrant issued to Google. He appealed on the grounds of the Fourth Amendment, which bans unreasonable searches and seizures, and requires probable cause to issue a warrant.
On January 16, the Supreme Court agreed to hear the case, hopefully addressing directly whether geofence warrants are over-broad violations of privacy.
The case hinges on whether location data is information shared with the service provider for business purposes, or if it is each user’s private data. The third party doctrine, established in the 1970s, holds that information that you voluntarily share with a provider, like the address you write on an envelope or a list of phone numbers you are calling, can be shared with the government without a warrant. Opening your mail, or tapping your phones, crosses that line and requires a warrant.
Our modern, connected world is challenging this model. A 2018 case, Carpenter v. United States, found that in certain cases, detailed historical information about cell phone location derived from cell towers requires a warrant. That data is not considered voluntary in the same way because the system doesn’t work without it. It is also so granular that it crosses the line from business purposes to something private.
The amicus brief: searching inside an account is like going through someone’s hotel room
On March 9, an amicus brief in the case was filed by Christopher Bavitz and a team from Harvard Law School’s Cyberlaw Clinic, along with Princeton professor and former government bigwig Jonathan Mayer and former Google leader Richard Salgado. I was lucky to work briefly with both Chris (while I was at the Berkman Klein Center), and with Richard, when he was Google’s Director of Law Enforcement and Information Security.
As if that weren’t impressive enough, the 17 amici curiae on the brief are all distinguished themselves, including Vint Cerf (one of the fathers of the Internet) and Alex Stamos (former Chief Security Officer at Facebook, and founder of the Stanford Internet Observatory).
The amicus brief proposes that each Google user’s granular location data should be considered part of their account, not just data on a server operated by Google:
Today, the concept of an online account is a familiar part of our world. In the context of this case, it is the appropriate unit of Fourth Amendment analysis, scoping the virtual places or areas that the government could (and did) search. In modern online services, user content is stored, segregated, and accessed through account-defined spaces enforced by identity, permissions, and privileged access controls. Alternate abstractions, urged by others in this case, do not match how the technology works or the way it appears to ordinary users. Describing the place to be searched in terms of Google’s “computer servers” obscures the architecture that matters. Likewise, characterizing the information as “business records” and Google as a “custodian of records” is contrary to how systems are structured and how users interact with services like Location History. An account, on the other hand, is both technically and socially cognizable as a discrete unit for Fourth Amendment analysis.
The brief goes on to point out a comparable situation from the real world. Supreme Court precedents have established that the government can’t get a blanket warrant to search every room in a hotel without probable cause, so they should not be allowed to make platforms go into everyone’s accounts on a digital fishing expedition.
People in hotel rooms are entitled to the same Fourth Amendment protection as a house or apartment, even though it’s a shared space (in time) and even if hotel employees have permission to enter it:
Under this analogy, the system infrastructure is the hotel and the provider is the innkeeper. The account is the hotel room and the account holder is the guest. The stable account identifier is the room number that ties a particular space to that guest. The protocols and permissions that define and confine ordinary access are the walls of the room. The verification and credentialing processes are the closed door and the key that controls entry. The account access logs are the hotel registry and related business records. Finally, the contents of the account are the items brought by the guest or supplied by the hotel.
From guest to owner
I hope that this case goes Chatrie’s way. If the Supreme Court enshrines accounts as something with constitutional meaning and protections, it will advance the fight toward ownership and portability of our online lives.
If you make something new while staying in a hotel room, it is still yours. Even if you do something crazy like write a novel on the fancy towels with the hotel-provided free pen, they can charge you for replacements, but they don’t get intellectual property rights or editorial control over your terry-cloth epic just because you used their stuff to do it.
You should have the same unquestioned ownership, and freedom to exit, over everything you create in your online accounts. You created your social graph with likes and follows. Platforms should not be able to lock it down just because they provided the software to do it.
Even ownership over your content is not as clear as you might think. For example, thanks to the Applied Social Media Lab’s Transparency Hub, you can see that YouTube’s terms of service let them keep a copy of your videos even after you leave: “You understand and agree, however, that YouTube may retain, but not display, distribute, or perform, server copies of your videos that have been removed or deleted.” To me, that suggests YouTube could still use your “deleted” videos for their own purposes, such as, say, training Gemini’s video generation models.
Stay tuned in months to come to see how Chatrie turns out.
Ideas? Feedback? Criticism? I want to hear it, because I am sure that I am going to get a lot of things wrong along the way. I will share what I learn with the community as we go. Reach out any time at [email protected].
