Hit & Run

Revisiting Smith v. Maryland


Since I'd been focusing on a variety of other things, I never did say anything about the NSA's call-pattern data mining program, which USA Today disclosed earlier this month. So here's one belated thought about Smith v. Maryland, the 1979 Supreme Court case establishing that pen registers and trap-and-trace devices (which record the numbers dialed from a particular phone and the numbers calling in, respectively) were not Fourth Amendment "searches." The case is being routinely invoked as a kind of stainless steel shut-up rejoinder to anyone who raises questions about the constitutional propriety of the program. (See, e.g., Stephen Spruiell in the latest National Review. [subsc.])

The decision in Smith rests on two main pillars. The first is the argument that pen registers differ markedly from the sorts of wiretaps that were ruled to require a warrant in Katz v. United States (1967) because the information they provided to police was so limited. (Let's be really creative and call this the "limited information argument.") Citing an earlier decision, the court wrote:

Indeed, a law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed - a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.

The second argument is what I'll call the "disclosure argument," which rests on the notion that you don't have an expectation of privacy in information you've disclosed to a third party:

Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes. Although subjective expectations cannot be scientifically gauged, it is too much to believe that telephone subscribers, under these circumstances, harbor any general expectation that the numbers they dial will remain secret.

Let's take these in reverse order.

The disclosure argument I've always had some issues with. In fact, it was the topic of one of the first Web columns I wrote for Reason. The problem with it is that it imagines this unrealistically (if conveniently, for legal line-drawing purposes) simple binary concept of privacy, where information is either known only to me (and maybe my family), or else has been shared with someone else, at which point it is fully public. One big problem with this, as I noted in that column, has been pointed out by Richard Posner: It allows the government to evade Fourth Amendment scrutiny by a kind of two step. First, in the guise of economic regulation, the government can require all companies of a certain sort (say banks and phone companies, which it's enormously difficult for most Americans to avoid dealing with entirely) to collect some particular information from their customers. Then if the government wants to require the company to turn over the information, it can avoid scrutiny because there's no expectation of privacy once some third party institution is in on the secret.

Problems of that sort aside, I think this is a pretty obviously unrealistic picture of how people form expectations of privacy. If I send a snarky e-mail around to a dozen friends, I may well be taking the risk that one of them will indiscreetly forward it to the target of my snark (or to someone who forwards it to someone who…). But that's just wholly different, it seems, from the risk that the government will force one of my friends to fork over the e-mail. And it's different yet again from the situation where I've shared the information with some company that may well have a binding contractual obligation to use it only in some specified ways.

Part of the problem here is that since the late '70s, we've gone a long way toward a world in which a huge amount of our most private information is held by third parties. A huge chunk of my e-mails from the last couple years are stored on some server owned by Google, where ad-generating software sifts through my private communications looking for keywords that will allow the company to display personally-tailored advertisements for me. Now, maybe I'm naive to have any expectation of privacy in the e-mails sitting on that server, but I do pretty much expect that nobody at Google is actually looking through my correspondence and passing it around to their friends. And I at least didn't expect until recently that some government program would be sifting through those e-mails to see whether I used the word "jihad" some suspicious number of times in letters to people in Saudi Arabia.

So much for third party disclosure. What about the limited information argument? Here, again, we've got a case where the ruling decision hails from a very different technological context. First, it's worth observing that just in terms of the information the NSA program actually collects, there's more information gathered than was at issue in Smith, since the NSA is apparently also taking note of how long particular calls lasted. More important, though, is how much other information is, so to speak, implicitly contained in some datum like a phone number.

It is now, for instance, incredibly easy to run a reverse phone number lookup using public databases to put names and addresses with those numbers. Has hubby been racking up hours on the gay singles chat line? Has the missus been on the horn to a divorce lawyer? All things one might want to keep private. Now, the NSA says it's not connecting its numbers to names and identities, just doing pattern analysis. But it seems as though the point has got to be to make that kind of connection, eventually, when your computers decide some pattern or another is suspicious. And if the collection of the numbers themselves doesn't count as a search, it's very difficult to imagine the legal argument that would make it a search if investigators later decided to run those legitimately-obtained numbers through a public database (hell, you can do it with Google) and get a list of names. What court is going to rule that getting the number wasn't a search, but punching it into Google is?

Someone like Spruiell is going to say (does, in fact, say) this is all moot unless we can point to some specific case in which information gathered by this top-secret program has been abused. Oddly enough, I think it might be a while, given the NSA's reluctance to advertise such things. But even leaving that aside, that's just not the way the Fourth Amendment is supposed to work. We don't operate on the presumption that the government can just gather all this information, and that we'll wag our fingers at them if we discover they've gone ahead and misused it in some invasive way. (If it were, we could make things a lot easier by letting the government record all our calls and hoping they'd only be listened to with proper authorization.) We recognize there's a huge asymmetry in power and information between the NSA and the average American, and prevent them from getting the information in the first place.

I'm not actually sure just yet what I think about this program—what level of judicial scrutiny should be applied, what kind of restrictions might be placed on how data is used. But I'm pretty sure that just invoking Smith v. Maryland doesn't do anything to deal with the core concerns people have about programs like these.

[Cross-posted @ NftL]