By Elizabeth Lee
Recent advancements in technology now allow for information to be very easily accessed and disseminated. Accordingly, it has become increasingly important for corporations to monitor the ways in which they collect and protect consumers’ data. However, this data has also proven to provide corporations with valuable insight into consumer activity. As a result, this type of data, which is integral in developing a strategy for effective consumer targeting, has become an increasingly valuable market commodity.
In this article, I will discuss the ways in which the intersection of technology and data privacy in the modern day has led to conflicts between corporations, the government, and consumers at large on moral, social, and political issues. First, I will discuss the history behind the All Writs Act in connection with my discussion on the need for a balance between individuals’ constitutional rights and companies’ data privacy policies. Second, I will discuss the balance between individual data privacy and public safety through Apple v. FBI, CM 16-10 (Court dismissed Mar. 28, 2016).[1] Third, I will explore the ways in which technology companies capitalize on the data that they collect through highly targeted marketing strategies and the sale of data to third-party companies. Lastly, I will discuss the current data privacy laws and issues as they relate to the United States, specifically in California, to outline the rights of American citizens regarding their data and privacy.
Through these various topics, I hope to challenge readers to think about the ways in which technological advancements have transformed society, and in return, what rights individuals should have to privacy and data. Because technology continues to be an important aspect of our society, I hope to encourage readers to consider what they feel comfortable with regarding the ways in which technology companies gather and sell data on our technology usage. In addition, I caution readers to be more cognizant of how data privacy can affect their lives and raise awareness towards the need to be intentional about the ways one interacts on digital media platforms.
The All Writs Act
In 1789, the Supreme Court passed the Judiciary Act of 1789, which aimed to establish the structure of the federal court system and outline the limitations of the judicial branch.[2] Within the Judiciary Act, the courts issued a broadly written statute, now commonly known as the “All Writs Act,” stating that “the Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”[3] Historically, the All Writs Act has given the federal government the authority to gain the cooperation of third parties in ongoing investigations or on other special matters.[4]
The Supreme Court set a strong precedent of supporting the government against third parties that were believed to be imperative to investigations. In United States v. New York Telephone Co., 434 U.S. 159, 161-63 (1977), the FBI requested a telephone company provide them with the facilities and technical assistance to install pen registers to telephone lines that were reasonably believed to be utilized in an illegal gambling scheme. [5] The Supreme Court ruled the requests conformed with the congressional intent of the All Writs Act and reaffirmed the flexibility the Act gave the federal government to administer writs for cases of public interest.[6] As such, the All Writs Act served as a safeguard for the federal government to rely on if it needed additional parties or resources to administer justice.
Apple v. FBI
For the first time in 2016, the federal government attempted to attain classified information from a technology company that could negatively impact consumers’ cyber security and data privacy under the All Writs Act of 1789. The issue arose in a case commonly referred to as Apple v. FBI, where the FBI came into possession of an iPhone presumed to belong to the deceased perpetrator of the San Bernadino terrorist attack on December 2, 2015.[7] The FBI believed the telephone was used to communicate with some of the victims of the massacre, as well as others who potentially helped organize the attack.[8] However, due to Apple’s unique and advanced software, the federal government could not decipher the code for the locked iPhone to access the data.[9] Thus, the government issued a court order for Apple to assist the FBI in its ongoing investigation, citing the All Writs Act to grant governmental authority over Apple to help as a third-party to the investigation.[10]
In response to the federal government’s request, Apple’s CEO, Tim Cook, released a customer letter on behalf of the company discussing the dangerous precedent that complying with the court order would set in allowing the government to breach the data privacy of individuals.[11] Cook explained the order required Apple to create a new version of the iPhone software that would be able to bypass some of the privacy features that make its cyber security system so strong.[12] By doing so, Cook argued Apple would have to create a product that is antithetical to its mission to protect and secure its consumers’ data, leaving the company susceptible to hackers and cybercriminals in an age where phones store such personal and sophisticated data.[13] He argued that if Apple was forced to comply with the court order in this case, it the government could “demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge” in the future.[14]
Apple refused to comply with the original court order, and the government moved to compel its compliance. In its motion, the government emphasized the urgent and important nature of the matter as a public safety issue relating to a terrorist attack.[15] It also disputed Apple’s arguments in the customer letter, stating Apple had options to retrieve the iPhone’s data apart from creating self-inflicting software. [16] The federal government also insinuated Apple was simply deploying a marketing scheme to showcase its advanced cybersecurity software while explicitly ignoring the urgency and sensitivity of the matter at hand. [17]
Though the case was ultimately dropped when the FBI discovered another way to unlock the suspect’s iPhone without Apple’s assistance,[18] Apple v. FBI marked the onset of ongoing and important discussions regarding how the courts should balance public policy and individuals’ rights to privacy. Particularly, Apple v. FBI considered how much control the federal government should have in requiring third parties to provide technological assistance considering the new methods for storing individuals’ data and information. The government’s access to consumer data could potentially stop criminal activity prematurely. But it could open the door to constant monitoring of citizens’ digital interactions and activity. As people become increasingly dependent on their technological devices, it is important to think about when, if any, there are situations in which the government should be able to access individuals’ information considering public safety concerns.
Data Marketability
As technological devices have created a digital marketplace that is becoming increasingly popular for daily activities, like shopping, banking, and teaching, technology companies have learned how to store data and utilize it towards advertising and creating their business models. Companies do so by using algorithms to create customer profiles based on the data collected to target and personalize advertisements for individuals using various social media platforms. [19] Thus, the ability to predict consumer interests and expectations has never been easier, which has facilitated the tech industry’s ability to capitalize on the vast amount of information provided by their users. [20]
However, not all tech companies sell the data that they collect to third parties. While some corporations outsource data collection to companies specialized in collecting digital data, others have their own data tracking and collecting systems within their company’s software. [21] Larger companies, like Google and Apple, generally do not sell their customers’ data, but rather they use the data themselves to personalize and target users on their own platforms. [22] This tactic is largely employed to ensure competing companies do not have access to the same data that may provide a competitive edge for businesses. [23]
As seen in Apple v. FBI, Apple has championed for data privacy amongst its consumers. However, Apple also utilizes a loophole to profit off its collected data by allowing third parties to contract with Apple to post advertisements through Apple sites. [24] In this way, Apple monetizes on its data as third parties can benefit from the data it has collected without having access to the algorithms that make ads so effective on the platforms. In this way, Apple also does not risk compromising any of its data being utilized by other competing companies.[25] However, Apple has recently strayed from its own business model of having a strict privacy policy, as it recently began allowing app developers to collect data from iPhone users.[26] In its recent policy shift, Apple started allowed companies like Snapchat and Facebook to gather data from Apple users so long as the data remains anonymous, meaning that the data isn’t linked to a specific user.[27] In time, the push and pull from Apple and its billions of customers will reveal the appropriate standards and limitations of data security expected in the growing digital world.
Selling Data Privacy
While the previous section discussed the business aspects of selling consumer data, this section will focus on the present state of privacy laws in the United States, particularly in California.[28] As previously mentioned, data collection is extremely valuable to companies because it allows for more targeted advertising for a pre-selected audience. As such, some companies sell their data for additional profits, leading to clashes with a company’s incentive to keep the data of their consumers private. Because technology has advanced much faster than the laws have evolved in the United States, there are still many unknown variables with respect to data privacy laws.
One of the primary challenges regarding data privacy is the lack of conformity in the laws themselves. While data can be collected from all over the world, there is no one set of laws governing data privacy in the United States or internationally.[29] To complicate matters, the United States has differing federal, state, and local regulations.[30] Currently, in the United States, companies can use, share, or sell an individual’s data without notice that they are doing so. Additionally, there is no national standard or federal regulation as to whether a company must notify an individual of a data breach or potential exposure to unauthorized parties.[31] Only California, Virginia, and Colorado have explicit consumer privacy laws protecting individuals living in those states[32], regardless of where a company is incorporated or physically located.[33]
California
California provides the most extensive regulations for citizens when it comes to data and privacy protection regulations. On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect, giving Californians the rights to: 1) know what personal information a business is collecting and how it is used and shared; 2) delete personal information collected (with some exceptions); 3) opt-out of the sale of their personal information; 4) non-discrimination in pricing and service for exercising their privacy right.[34] Californians also enjoy a limited “private right of action,” which allows them to sue companies against specific categories of data breaches.[35] This claim is meant to be used in instances where California consumers’ nonencrypted or nonredacted personal information is exposed to the public due to the failure of a company to put in reasonable safeguards for securing that their data.[36]
A couple years after the CCPA came into effect, California voters also approved of the California Privacy Rights Act (CPRA), which amended the former CCPA. One of the major additions to the CCPA under the CPRA is creation of the California Privacy Protection Agency, which serves as the division dedicated to enforcing CCPA and CPRA regulations.[37] While the CCPA was previously enforced by the California Office of the Attorney General, the newly established agency was granted full administrative power, authority, and jurisdiction to enforce the CCPA and CPRA.[38] The Agency was also given the authority to impose fines of $2,500 and the discretion to provide a business with a reasonable time period to cure a violation.[39] Another significant change the CPRA brought was the classification of personal information. This information encompasses an individual’s social security, driver’s license, state ID, passport, financial account information, race, precise geolocation, sex life or orientation, religious beliefs, etc.[40] It follows that this classification system affords additional protection for individuals’ personal information.[41]
While not all states have as detailed or strict regulations regarding data privacy as California, technology users around the world may still benefit from its laws.[42] This is largely because it is more difficult for companies to tailor their websites and products specifically to California.[43] Thus, to be compliant with California’s laws—a significant market—a company might change its entire model to incorporate the necessary tools for providing notice and asking for consent for data from all users.[44]
Conclusion
As society becomes increasingly reliant on advanced technology, it has become increasingly important for individuals and companies to consider how and to what extent customers’ data should be protected from third party sources. Readers should consider the extent to which the American government should be allowed to encroach on their data privacy and question whether there is ever a justification or exception to the boundaries set. As data privacy laws are relatively new in the United States, individuals should consider the ways in which these rules should be changed or shaped for the future.
[1] Apple v. FBI, CM 16-10 (Court dismissed Mar. 28, 2016), https://archive.epic.org/amicus/crypto/apple/In-re-Apple-FBI-Motion-to-Compel.pdf
[2] Dimitri D. Portnoi, Resorting to Extraordinary Writs: How the All Writs Act Rises to Fill the Gaps in the Rights of Enemy Combatants, 83 N.Y.U.L. Rev. 293, 293 (2008).
[3] Id. at 296-97.
[4] Matt Kristoffersen, Reporters Committee Attorneys Seek to Unseal All Writs Act Orders in Three Federal Courts, REPORTERS COMMITTEE FOR FREEDOM OF THE PRESS, (Feb. 3, 2021), https://www.rcfp.org/forbes-all-writs-act-order-unseal/.
[5] United States v. New York Telephone Co., 434 U.S. 159, 161-63, (1977).
[6] Id. at 174-75.
[7] Apple v. FBI, CM 16-10 (Court dismissed Mar. 28, 2016), https://archive.epic.org/amicus/crypto/apple/In-re-Apple-FBI-Motion-to-Compel.pdf
[8] Id.
[9] Id.
[10] Id.
[11] A Message to Our Customers, Apple (Feb. 16, 2016), https://www.apple.com/customer-letter/
[12] Id.
[13] Id.
[14] Id.
[15] Apple v. FBI, CM 16-10 (Court dismissed Mar. 28, 2016), https://archive.epic.org/amicus/crypto/apple/In-re-Apple-FBI-Motion-to-Compel.pdf
[16] Id.
[17] Id.
[18] Katie Benner, Eric Lichtblau, U.S. Says It Has Unlocked iPhone Without Apple, THE NEW YORK TIMES, (Mar. 28, 2016), https://www.nytimes.com/2016/03/29/technology/apple-iphone-fbi-justice-department-case.html
[19] Swiss Goswami, What Does Big Tech Actually Do With Your Data?, FORBES, (Feb. 16, 2022), https://www.forbes.com/sites/forbestechcouncil/2022/02/16/what-does-big-tech-actually-do-with-your-data/
[20] Id.
[21] Manik Berry, Does Apple Sell Your Data? Everything You Need To Know, FOSSBYTES, (Mar. 31, 2021), https://fossbytes.com/apple-data-collection-explained/
[22] Id.
[23] Id.
[24] Evan Schuman, Apple is Sneaking Around its Own Privacy Policy – and Will Regret It, COMPUTERWORLD, (Jan. 7, 2022), https://www.computerworld.com/article/3646190/apple-is-sneaking-around-its-own-privacy-policy-and-will-regret-it.html
[25] Id.
[26] Id.
[27] Id.
[28] Knowledge at Wharton Staff, Your Data Is Shared and Sold…What’s Being Done About It?, KNOWLEDGE AT WHARTON, (Oct. 28, 2019), https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/
[29] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), WIRECUTTER, (Sept. 6, 2021) https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
[30] Id.
[31] Id.
[32] Id.
[33] Id.
[34] Office of the Attorney General, California Consumer Privacy Act (CCPA), State of California Department of Justice, https://www.oag.ca.gov/system/files/attachments/press_releases/CCPA
[35] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), WIRECUTTER, (Sept. 6, 2021) https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
[36] Brittney E. Justice, Matthew G. Nielsen, Lucy Tyson, CPRA Countdown: It’s Time to Brush Up On California’s Latest Data Privacy Law, XI Nat’l L. Rev. 352 (2021), https://www.natlawreview.com/article/cpra-countdown-it-s-time-to-brush-california-s-latest-data-privacy-law
[37] Id.
[38] Id.
[39] Id.
[40] Id.
[41] Id.
[42] Sara Morrison, California’s New Privacy Law, Explained, VOX, (Dec. 30, 2019), https://www.vox.com/recode/2019/12/30/21030754/ccpa-2020-california-privacy-law-rights-explained
[43] Id.
[44] Id.
