The technological landscape has become increasingly conducive to sharing all kinds of information — personal or otherwise. But recent developments shed light on the possibility that the culture of sharing might come with unexpected risks for privacy and constitutional rights.
Documents recently obtained by the Electronic Frontier Foundation as the result of a Freedom of Information Act lawsuit suggest a shadowy relationship between the FBI and Best Buy’s electronics repair subsidiary Geek Squad. According to the documents, Geek Squad appears to have been cooperating with the government for several years in turning over child pornography found on customers’ computers and has received money for that information on at least one occasion.
The EFF is still trying to gain information that could clarify the relationship, according to staff attorney Aaron Mackey, such as whether Geek Squad employees have actively searched for illegal materials or merely turned over material they happened across while working on customers’ devices. The company’s cooperation with the FBI raises questions about whether the employees act as agents of the government and whether their actions amount to warrantless searches in violation of the Fourth Amendment.
More recently, Facebook became the focus of another scandal when it was reported last week that data analytics firm Cambridge Analytica accessed Facebook users’ data through an app via Facebook’s login feature. Although some users gave permission to have their data collected, Cambridge Analytica also harvested data on those users’ friends who had not given their permission. After Facebook changed its rules in 2014 to limit information gathered by third-party apps about users’ friends, Cambridge did not delete the data, despite its promises in 2015, and according to reports, Facebook knew the data had not been deleted. CNN reported Tuesday that the Federal Trade Commission has neither confirmed nor denied an investigation against the social media platform.
Although the privacy questions raised by the Cambridge Analytica revelation don’t deal with constitutional rights, they seem to throw into relief a gap between the knowledge of people living much of their lives online and the ability of current laws to fully protect those individuals’ privacy rights.
Mackey said the key difference between Geek Squad’s cooperation with the FBI and Cambridge Analytica’s actions. In the case of Geek Squad and the FBI, the core question about privacy rights under the Fourth Amendment is at what point a private party becomes a government agent.
At the crux of the Cambridge Analytica scandal, Mackey said, is the revelation that Facebook users don’t have meaningful control over their data, and Facebook doesn’t give them enough information to understand where their data actually goes.
“And then it’s clear that what we’ve learned about Facebook is it doesn’t meaningfully audit or scrutinize the third parties that it shares user data with, and it allows for these downstream uses,” he said.
But one facet of the Geek Squad circumstances might illuminate a common link between its cooperation with the FBI and Facebook’s Cambridge Analytica headache to the shifting privacy landscape in which both revelations exist.
According to the EFF, the FBI has been able to get around Fourth Amendment protections using the “third party doctrine.” The legal concept overrides a person’s reasonable expectation of privacy in evidence when the information is shared voluntarily with a third party.
Although the latest backlash caught by Facebook doesn’t implicate the Fourth Amendment, it might raise similar questions about whether the definition of “voluntary” is too broad in an age when companies and organizations can so easily obtain digital information.
“It raises questions about whether or not you can meaningfully understand and consent to sharing information,” Mackey said.
Geek Squad’s case begs the question of whether customers have a reasonable expectation to privacy under the Fourth Amendment when they voluntarily hand their devices over to Geek Squad employees.
The customers sign a form acknowledging that anything containing child pornography will be turned in to authorities.
While the government argued this amounts to customers waiving their Fourth Amendment rights, the EFF has taken the position that actively searching devices for such material goes outside the scope of permission given by the form. Mackey likened it to visiting a doctor to have a sore throat looked at and the doctor performing a full-body MRI.
Mackey said it’s not currently possible to know definitively the extent to which Geek Squad employees actively searched customers’ computers for illegal materials or simply turned over such materials they happened across.
But according to court records in one resulting criminal case for child pornography, it appears Geek Squad employees would search unallocated storage space on customers’ devices, where technological problems would not be found.
This seems to point to the company’s employees actively seeking illegal materials, Mackey said.
He said the case of Cambridge Analytica is tinged with the same gray area about the definition of “voluntary” and whether commonly employed user agreements are truly adequate disclaimers.
“If you read through Facebook’s terms of service and what they allow and how they allow the data sharing, there’s a question of whether you actually have enough information, and then there’s also a question of whether or not you can actually really consent to that sharing,” he said.
Mackey said the third-party doctrine, which also covers information given to parties such as banks or phone companies in addition to internet providers and servers, made more sense in a pre-digital age when sharing large quantities of personal data happened much less frequently.
“Just to live in the world we do now, we’re turning over all sorts of data and personal information to third parties,” he said. “And so you really begin to question whether or not that’s voluntary in the sense of … are we making affirmative choices to relinquish our privacy interests in this sorts of things.”
He said he hopes the recent revelations, which have shown how common collecting and disseminating personal data is, mark a turning point in a public demand for transparency about what companies do with that data.
“The asset that’s being transferred and transacted is user data,” Mackey said. “And so the more people are aware of this and are, quite frankly, shocked by what they’re learning, that’s good. And we hope those users put pressure on these platforms to take meaningful steps to provide more transparency about what they’re doing.”
—Julia Cardi