Language selection

Search

The Limits of Reasonableness: The Failures of the Conventional Search and Seizure Paradigm In Information-Rich Environments

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Craig Forcese
University of Ottawa

The paper was commissioned by the Office of the Privacy Commissioner of Canada as part of the Insights on Privacy Speaker Series

July 2011

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Related video: Insights on Privacy: David Murakami Wood and Craig Forcese


I start with a simple generalization: Law is reactive, responding to problems (real or imagined) that galvanize responses from legislators or courts. It is, therefore, almost always a lagging indicator, codifying historical responses to past problems and usually only accidentally anticipating or preempting new ones. Law does evolve, of course, in response to changing circumstances, usually by renovating existing precepts and not by radical rejection of core precepts. This legal gradualism can be a source of stability in times of social change. On the other hand, as an inherently conservative meme, law may prove an awkward and inept tool in times of social revolution.

The social revolution at issue in this essay concerns the conversion of modern societies from information-poor to information-rich environments, a development traced by James Glieck in his recent book, The Information.Footnote 1 My particular focus will be on law, surveillance and privacy during this period of social transformation.

I begin with an analysis of these issues in information-poor environments.

A. Surveillance and Privacy in Information-Poor Environments

As the term implies (and as Glieck describes), information-poor environments are those in which the quantum of information – measured in bytes – is modest. It may be no greater than the bytes retained in human memory, speech or (in literate societies) in laboriously reproduced manuscripts or other custom-crafted writings. The printing press, when invented in the 1400s, greatly facilitated the accurate, rapid and relatively inexpensive reproduction of bytes and thus high fidelity transmission and storage. For ease of reference, I shall call this first period the Gutenberg Era, in honour of the inventor of the printing press. In the Gutenberg Era, information can be obtained only through the spoken word (or in exceptional cases, other sounds) or from printed (or otherwise inscribed) media. As such, information collection requires either proximity to speakers or physical access to inscribed media.

1. Camden Paradigm

Without much exaggeration, the laws that govern surveillance and privacy in 2011 are laws designed, in the first instance, for the Guttenberg Era. I shall call them the “Camden paradigm” in acknowledgement of Lord Camden, the judge in the infamous cases of Wilkes v. WoodFootnote 2 and Entick v. Carrington.Footnote 3 In these two matters, the King’s officers ordered the forcible search of the homes of pamphleteers accused of seditious libel of the King’s government. The pamphleteers sued and in his celebrated judgments in their favour, Lord Camden concluded that “there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society; for papers are often the dearest property a man can have.”

Through assorted twists and turns, the precepts articulated in these cases (and more generally in the common law of the 18th century) were later codified in the Fourth Amendment of the U.S. Constitution, which promises: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” A similar protection against unreasonable search and seizure is also now found in the Canadian Charter of Rights and Freedoms, in section 8: “Everyone has the right to be secure against unreasonable search or seizure.”

The Camden paradigm remains the dominant privacy protection in the common law tradition (although it is poorly reflected in international human rights law). It is essential to appreciate, however, that the Camden model was first and foremost a response to physically intrusive state interventions. Lord Camden’s decisions cannot properly be read without an eye to an older common law tradition, codified by the expression that an “Englishman’s castle is his home”. Boiled to its essence, this colourful chestnut is a celebration of a personal sovereignty over physical property. The Camden paradigm protects property because it constrains state access to these zones of personal sovereignty.

Put another way, in its inception, the Camden model was about protecting geography and not about limiting access to information. In its defence of geography, Camden operated to protect information, but only incidentally and only in an information-poor world. In an information-poor world, in which bytes are found in determinant locations and access to these bytes requires a physical intrusion of the state into these locales, personal sovereignty over spaces equates to control over the information found in those zones.

2. The Olmstead Discord

All of this is to say that Camden protects informational privacy in a Gutenberg Era. It is a much more awkward approach as one climbs towards information-rich environments. By the early 19th century, bytes were still transmitted by voice or inscribed media. But by 1794, they were also transmitted by visual and then eventually electronic signal. The telegraph was a device initially invented by Claude Chappe that involved line of sight communication between stations communicating by way of flags, shutters and blades. Its more famous, electronic namesake was invented in fits and starts by a number of inventors, but its best-known contributor was Samuel Morse. I shall, therefore, describe the period of reliable and high-speed distance transmission of bytes the Morse Era, a period that begins by the middle of the 19th century.

The principal challenge presented by the Morse Era to the Camden paradigm lies in the newly-attenuated geography of personal communication. Now communications whispered within the confines of a home are audible to another in some far distant locale, transmitted through a network. The existence of conversation is not obvious and the bytes that constitute its content are entirely inaccessible to those positioned along the network of transmission wires, without special equipment.

At issue, by the 1920s, is what relevance Camden had for the Morse Era. In Olmstead v. United States,Footnote 4 a majority of the U.S. Supreme Court answered “none”. At issue was a conspiracy in prohibition-era America to sell liquor, engineered via telephone communications intercepted by law enforcement wiretaps. The specific question before the Court was whether these warrantless intercepts were inconsistent with the Fourth Amendment. In deciding that they were not, the majority observed that

[t]he Amendment itself shows that the search is to be of material things -- the person, the house, his papers, or his effects. … The Amendment does not forbid what was done here. There was no searching. There was no seizure. The evidence was secured by the use of the sense of hearing, and that only. There was no entry of the houses or offices of the defendants. … By the invention of the telephone fifty years ago and its application for the purpose of extending communications, one can talk with another at a far distant place. The language of the Amendment cannot be extended and expanded to include telephone wires reaching to the whole world from the defendant's house or office. The intervening wires are not part of his house or office any more than are the highways along which they are stretched.Footnote 5

Put another way, the personal sovereignty protected by Camden does not extend to the bytes themselves, but at best to the places where they might be found. And if those places are not themselves protected by the Fourth Amendment, it has no application.

This position was met by a forceful dissent by Justice Brandeis – one of the first notable purveyors of a self-standing concept of privacy. Brandeis warned of an unduly narrow construction of the Fourth Amendment that hinged on geography and the physical nature of the intrusion and not on the very fact of government interruption of the right to be left alone – that is, of privacy.

3. The Katz Response

Brandeis’s position, if not his precise approach, was adopted decades later by the U.S. Supreme Court in Katz v. United States,Footnote 6 a decision that latter heavily influenced the Canadian Supreme Court’s approach to section 8 of the Charter in the pivotal Hunter v. SouthamFootnote 7decision.

Another wiretap case, Katz (and specifically, Justice Harlan’s concurring decision) is the origin of the “reasonable expectation of privacy” doctrine – that is, the protections of the Amendment require “first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable’.”Footnote 8

The concept of reasonable expectations of privacy guides application of constitutional search and seizure protections to this day in the American and Canadian jurisprudence. Yet, while Katz abandoned a preoccupation with physical intrusion in a constitutionally protected geographic place, it still concerned itself with zones; that is, instances where a person can be said to enjoy personal sovereignty. It did not convert the Camden paradigm into a self-standing protection of bytes themselves. Refinements ever since have focused on circumscribing the scope of the zone. In the Canadian jurisprudence, privacy interests protected by section 8 can now be divided into several categories:

  1. “personal privacy, involving bodily integrity and the right not to have our bodies touched or explored;
  2. territorial privacy, involving varying expectations of privacy in the places we occupy, with privacy in the home attracting heightened protection because of the intimate and private activities taking place there; and
  3. informational privacy, involving ‘the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others’.”Footnote 9

The category that comes closest to protecting bytes per se is informational privacy. Here, however, it is not all types of bytes that are protected: “s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.”Footnote 10 Exactly what this category includes is a matter of judgment. Thus, for a plurality of the Supreme Court, “[d]isclosing information about electricity consumption is not invasive nor revelatory of the respondent's private life.” A dissenting minority came to the exact inverse position.Footnote 11 Frontier issues raising similar questions are, for example, whether an individual has a reasonable expectation in relation to digital trails they may leave on the internet. These may be close questions, but they are not categorically different from the problems presented by new technologies in Olmstead and its ilk.

As told, therefore, the Camden paradigm has evolved in response to new information richness and has proven a remarkably robust approach even as it tried to adjust (in the Morse Era) from geographic model to one that protects more inchoate forms of personal sovereignty. The Morse Era does not break the system. The point I make below, however, is that in truly information-rich environments, Camden may be increasingly irrelevant.

B. Surveillance and Privacy in Information-Rich Environments

We now live in an information-rich era. In terms of sheer quantum, bytes in this information-rich period dwarf what has come before. More than that, bytes are accessible, transmissible and retainable in manners hardly envisaged a decade ago, let alone by Lord Camden. For sake of simplification, I shall call the current period the Turing Era, in acknowledgment of Alan Turing and his foundational contributions to computer science.

The Turing Era continues the progress of geographically diffuse communication characteristic of the Morse period. But more radically, it gives that communication – and all sorts of other bytes – a ready permanence and ease of transmission that changes enormously the privacy dynamic. Not only have the means of viewing and intercepting bytes changed – upgrades on the primitive wiretaps of Olmstead – but now those bytes are recorded, not by stenographers, but at high levels of fidelity by electronic means. And once recorded, they may be stored indefinitely and transmitted with ease.

This is not to say that recording and storage did not exist in past eras. Magnetic recording has been around for the better part of a century, and archiving of bytes was a specialty of the East German Stazi and many others before and since. What has changed is scale and ease. And the cumulative impact of these developments amount to a qualitative change in the relationship between surveillance and privacy.

In the following part, I highlight disconnects between the information rich Turing Era and the Camden paradigm of privacy protection. It is not that these disconnects are new, rather it is that in an information-rich environment, they risk swamping the protections offered by the Camden model, giving it an almost quaint quality.

1. Camden and the Mosaic Problem

The concept of a “mosaic” will resonate with anyone familiar with government justifications for secrecy in the area of national security. Put simply, the mosaic effect posits that the release of even innocuous information can jeopardize national security if a knowledgeable reader can piece that information together with other data. The result is a mosaic of little pieces of benign information that cumulatively discloses matters of true national security significance. In the result, the composite pieces of the mosaic must be protected as much as any single, truly sensitive piece of data.

The mosaic concept has a privacy analogue that can be described as follows. In one’s everyday life, one produces a mosaic of bytes that each individually are benign and do not implicate “a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state”. However, cumulatively, if compiled and analyzed by a knowledgeable observer, they could betray a privacy interest as profound as any protected by the conventional Camden paradigm.

In an information-poor environment, the transient nature of the data produced as one navigates life, along with their disparate and uncoordinated nature, makes the mosaic effect an unlikely source of concern – by reason of limited resources alone, a mosaic could be developed by the state only against a small number of state surveillance targets.

In an information-rich environment, in which data are amalgamated in interlaced databanks, held permanently, and capable of sophisticated, prompt and relatively inexpensive mining by powerful computer logarithms, the mosaic pattern is now fodder for any modern intelligence service. Jane Mayer, reporting on the U.S. National Security Agency’s intercept capacities in the New Yorker,Footnote 12 reports that by the late 1990s, the Agency had the technical wherewithal to “correlate data from financial transactions, travel records, Web searches, G.P.S. equipment, and any other ‘attributes’ that an analyst might find useful in pinpointing ‘the bad guys’ [and] that could chart relationships among people in real time.” That specific project – labeled ThinThread – included privacy protections: “all American communications would be encrypted until a warrant was issued. The system would indicate when a pattern looked suspicious enough to justify a warrant”. It was killed in the pre-9/11 period, but then reportedly replaced after the terrorist attacks by “a bastardized version, stripped of privacy controls.” Controversy over this Bush administration’s warrantless NSA intercept program is well-documented and need not be repeated here.

However, it is worth asking whether even the pre-9/11, sanitized ThinThread model constitutes much of an improvement. It complies with the Camden model only insofar as the bytes themselves are inaccessible to the government, absent a warrant. Yet, the algorithm has already pieced together the mosaic of personal information and behaviour that generates the suspicion – or more technically the reasonable and probable cause – to justify the warrant. Few judges are then likely to stand in the way of the warrant, and the Camden process becomes a legal formalism rather than meaningful protection.

Only if Camden is pushed back to protect the ingredient elements of the mosaic does it serve the same purpose as envisaged by Katz decision and its Canadian counterpart, Southam. If the mosaic elements are themselves unprotected bytes – that is, they individually do not raise expectations of privacy – a court would need to be persuaded to cumulate impact. While government may readily invoke the mosaic theory in refusing disclosure of its own sensitive information, I am not aware of any application of Charter section 8 that applies a similar concept to the protection of informational privacy.

However, a recent appellate decision in the United States illustrates application of the mosaic concept to the Fourth Amendment’s protections. In United States v. Maynard,Footnote 13 the Court of Appeals for the Federal District of Columbia concluded that data compiled by police through long-term GPS tracking of a suspect’s movements did transgress a reasonable expectation of privacy, despite the fact that the suspect operated the motor vehicle in question on public roadways:

Two considerations persuade us the information the police discovered in this case -- the totality of Jones's movements over the course of a month -- was not exposed to the public: First, unlike one's movements during a single journey, the whole of one's movements over the course of a month is not actually exposed to the public because the likelihood anyone will observe all those movements is effectively nil. Second, the whole of one's movements is not exposed constructively even though each individual movement is exposed, because that whole reveals more -- sometimes a great deal more -- than does the sum of its parts. … As with the “mosaic theory” often invoked by the Government in cases involving national security information, “What may seem trivial to the uninformed, may appear of great moment to one who has a broad view of the scene.” …. Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation.Footnote 14

2. Camden and the Problem of Persistence

Maynard suggests that the Camden paradigm may prove itself sufficiently pliable to deal with the mosaic effect of information-rich environments, when approached with enough imagination. More challenging may be a second attribute of the Turing Era: the permanence of bytes.

Some bytes have – since the advent of literacy – had a semi-permanent existence. Books are a relatively inert and permanent storage medium. But books contain a fraction of the bytes now amenable to permanent storage because of technological developments. For instance, so much of the everyday data detritus at issue in the mosaic effect is now capable of archiving, as is whatever analytical workproduct is developed in assessing this mosaic. The permanent data trail gives surveillance a fourth dimension: that of time. It is now possible to unearth past behaviour, associations and views with an ease unfathomable to prior generations. Data mining can also be data archeology.

At some level, the Camden paradigm might approach the problem of data archeology with the same creativity as might be applied to the mosaic dilemma: that is, the electronic detritus itself is benign, but if you intend to cumulate it, you require a warrant. The chronological dimension adds a level of difficulty to this approach however. It may be difficult to persuade a court of the privacy threats posed by a highly speculative, harmful mosaic. This is especially true as, with time, data are collected that only years before were unimaginable.

Perhaps even more pernicious is simply the question of control: if the information exists, it is available for use and even if all agree that its use must be controlled in the interest of privacy, ensuring enduring control over (sometimes literally) intangible bytes may be close to impossible. Data collectors morph and change, information moves between subsidiaries and parents, and across borders, and legal regimes governing privacy evolve and devolve. The bytes themselves are theoretically eternal. Camden is absolutely hamstrung in dealing with this problem of long-term control.

3. Camden and Transnational Information Flows

Camden is also geography-centric while bytes in an information-rich era are not. Privacy protections are offered by states in varying degrees. Bytes in the Turing Era are footloose and dispatched between jurisdictions with the click of a mouse. I have written about the problem of national security information sharing and warrants in other contexts.Footnote 15 To summarize one key concern: much communication between non-U.S. locales is now routed through the United States. This communication is indisputably subject to surveillance governed by now quite accommodating U.S. laws (that is, rules less robust than for internal U.S.-only communications). In the result, a purely domestic Canadian call (and almost certainly an international call or internet call through U.S.-based servers) may be routed through U.S. systems, depending on traffic loads. Canadian security services could then receive intelligence from the U.S. government processed from transiting Canadian communications. This would not occur through the ongoing process of exchange of intelligence between allied agencies.

Whether and how the Camden paradigm might be adjusted to regulate this information sharing is unclear. Once the foreign agency processes its intercepts and discerns in them matters of importance to Canadian national security, imposing a system of judicial approval on Canadian receipt of that information would be a largely meaningless, pro forma action. A judge is unlikely to bar a Canadian agency from relying on information with already established, demonstrable relevance to Canadian national security.

4. Beyond Camden

In sum, Camden is at best an imperfect approach to privacy in information-rich environments. While it need not be abandoned – it will always have a place to deal with conventional searches and seizures – its evolution as the cardinal guarantor of privacy in the common law tradition has likely reached its natural limit.

The alternative model is of specialized, data-protection regimes that focus less on close regulation of collection of bytes (although they may have rules on this as well) and more on governing their use and distribution. This is not to say that such systems, articulated in the Privacy Act for instance, currently answer all the problems of information-rich environments. The breadth of exceptions allowing information flows (now greatly facilitated by technology) may render many of the protections that these laws promise largely illusionary.

The data protection model does, however, have a management potential that the simple Camden approach lacks. I conclude this essay with observations on the elements of a data protection model responsive to surveillance in information-rich environments:

a) Disaggregation and Firewall Warrants

First, it seems unlikely that privacy can be preserved in any real way if bytes are cumulated in a single, master database, or chain of linked databases. In a master database, information collected legitimately for one purpose can be mined for innumerable other purposes, with the only protection against such probing being internal, bureaucratic buffers. The latter come and go, and little confidence can and should be placed on them.

Instead, bytes should be archived in separate, firewalled databases. The firewall becomes the cyber equivalent on the Englishman’s castle; it is the barrier subject to being breached only with approval by a sufficiently detached official. I believe that the Camden model might be adopted to allow for what I shall call “Firewall Warrants” – instances where on reasonable and probable grounds, an independent judicial officer is persuaded that hermetically-sealed databases should be conjoined to allow data searches.

I believe that Firewall Warrants are probably already a constitutional necessity, where law enforcement is inclined to search databases cumulating bytes collected for other purposes. This is true even if this search is otherwise permissible under the Privacy Act. The Privacy Act does not vitiate the Charter’s section 8 search and seizure provisions. Information sharing may not be employed by state agencies to circumvent constitutional privacy protections. Law enforcement agencies, for example, may not avoid constitutional search and seizure obligations by receiving otherwise protected information from administrative or other bodies not subject to the same constitutional strictures.Footnote 16 Where law enforcement agencies propose obtaining private information from other bodies that is protected by a reasonable expectation of privacy, warrants must be obtained, even in circumstances where disclosure of personal information is permissible under the Privacy Act.Footnote 17

The shortcomings of the current Camden paradigm, however, make existing section 8 protections inadequate. To date, courts seem to have focused myopically on whether the information housed in the database in question itself is of a sort that gives rise to a reasonable expectation of privacy.Footnote 18 The better approach is to apply the mosaic concept to the cumulated masses of bytes housed in government databanks. It is not the nature of the individual bytes that matters – whether each triggers a reasonable expectation. Rather, it is the scale of the data collection – and the capacity of the government to conjoin innocuous tidbits into an invasive portrait – that should trigger constitutional protections.

b) Logarithm Warrants

Second, just as regular search warrants prescribe in detail the nature of authorized searches, Firewall Warrants must limit the sorts of data mining to be conducted pursuant to the warrant. A Firewall Warrant must not be a carte blanche to troll linked databases at will. Instead, the specific searches to be conducted and logarithms to be used in mining the databases must be approved in advance.

c) Minimization

Third, even with the most carefully constructed logarithms, any data-mining exercise will likely reveal extraneous information unrelated to the approved search. The state should be obliged to minimize the product of the authorized search. That is, material unrelated to the search’s authorized objective should be excised from the search results and expunged. This is especially true in relation to third party information captured by the search results.

Without minimization, the results of approved searches could themselves be archived and constitute a substantial parallel data network to be mined in subsequent investigations.

It will not always be clear at the outset what information is material to the investigation prompting the search. The obligation to expunge extraneous data should, therefore, follow the completion of an investigation, or barring that, become obligatory after the passage of a modest period of time, subject to renewal by a judicial officer.

d) Oversight

As noted, judges continue to play a Camden-like role in the data protection regime proposed above. However, judges do not suffice. In a classic search and seizure, the bytes in question are located outside of the control of government, in the hands (often) of someone whose interests do not always align with the government. In this system, asking a judge to serve as intermediary weighing the state’s interest against that of the person in possession of the information may suffice.

In an information-rich environment where government itself hosts vast quantities of information, there is a less pronounced adversarial relationship between information-seeker and information-possessor. The prospect of leakage between firewalls established between different wings of the same institution must be regarded as real. Accordingly, the existence and maintenance of the firewalls must be audited periodically by an arm’s length official – a natural role for a data protection officer.

e) Compensation

Last, conventional privacy law is built on the notion that privacy is best protected by interposing a traffic regulator to determine the legitimacy of any violation before it occurs. The reality in the Turing Era is that this system is insufficient; there is too much leakage, movement and cross-border trafficking of bytes. Accordingly, a modern privacy regime must include additional deterrent mechanisms, not least a system of compensation for the violation of a privacy right. Compensation would, of course, be a poor proxy – the right can never be fully restored once violated. But financial penalties imposed on the violator him- or herself, in his or her personal capacity, may generate a caution that forestalls excess in the future.

Conclusion

In sum, information-rich environments have the potential to gut conventional privacy protections; protections that depend in large measure on the historic logistical difficulties associated with collecting, storing and transmitting information. Those hurdles are overcome in the modern period, with the result that conventional Camden-style privacy rules no longer adequately defend liberty. By necessity, therefore, privacy law doctrine must evolve to recognize that scale and quantity of data collection create a qualitative (and not just quantitative) shift. Courts must recognize new concepts, such as the mosaic effect of privacy erosion. More generally, institutional rules must be developed to manage information once collected.

A failure to take this steps risks maintaining an illusion of privacy protection without honouring the underlying right at issue; the right to be left alone.

Date modified: