Much of the debate over modern surveillance—including the NSA mass spying controversy—has centered around whether people can reasonably expect that records about their telephone and Internet activity can remain private when those records belong to someone else: the service providers. Courts have disagreed on whether the 1979 Supreme Court case Smith v. Maryland, which ruled people have no expectation of privacy in the phone numbers they dial, should be extended to cover newer, more invasive forms of technology. But a decision released on December 24th by the Ninth Circuit Court of Appeals looks at the issue from the point of view of businesses, providing a glimpse into how service providers and technology companies could challenge the government's unconstitutional surveillance.
In Patel v. City of Los Angeles, the Ninth Circuit found a city ordinance that required hotels and motels to turn over guest records without any judicial process violated the Fourth Amendment. The ordinance mandated hotels and motels keep a record for 90 days containing things like a guest's name and address, the make, model and license plate number of the guest's car, and the room number assigned and rate charged. The ordinance allowed police to inspect guest records without a search warrant or the hotel's consent at any time. The city believed that collecting the records would deter drug dealing and prostitution, as people would be less inclined to rent a room if police could get access to guest information at any time. Failure to turn the records over was a misdemeanor crime.
The court found that the hotels and motels had an expectation of privacy in their business records, even if those records didn't contain anything of great personal value to the hotel. This was true even if the users themselves didn't have an expectation of privacy in the records. Because the ordinance didn't have a mechanism to allow the hotels and motels to obtain judicial review of whether the demand was reasonable before applying criminal penalties for non-compliance, the Ninth Circuit ruled the ordinance violated the Fourth Amendment. This procedural requirement—obtaining judicial review—is important, so that companies aren't at the mercy of the "unbridled discretion" of officers in the field, who would be free to arbitrarily choose when, whom, and how frequently to inspect a particular business.
This decision provides ammunition for companies to challenge receipt of other forms of surveillance requests, including National Security Letters which are issued without any oversight or judicial review and require the recipient to remain silent about the fact it even received a request.
More broadly, Patel shows yet again that the Fourth Amendment doesn't die once you turn information over to a business. If courts are going to reject user challenges to government demands for their data, then it's up to the companies to step up to safeguard not only the data entrusted to them by their users, but the data that presumably belong to the companies themselves. As major tech companies have called for NSA reform and have taken steps to implement technological protections to safeguard their users' data, this decision shows that they can also make legal challenges in court. While Yahoo! unsuccessfully challenged an order requiring it turn over data to the NSA under the PRISM program, the phone companies themselves have made no legal challenges to the NSA's bulk collection of phone records, which at least one judge has found to be unconstitutional. This must change so that the public can take advantage of the conveniences of new technologies without having to sacrifice privacy.