Last fall, the Supreme Court of Colorado decided Colorado v. Seymour, a case involving an act of arson that killed a family. One of the defendants sought suppression of his incriminating Google search history. The case is full of weighty Fourth Amendment issues—like the lawfulness of local officers’ “reverse keyword warrant” compelling Google to sift through the search histories of hundreds of millions of its users and provide police a suspect list, whether Internet users have an expectation of privacy in their browsing histories, and the extent of the good-faith exception to the exclusionary rule. The many issues at play almost obscure the court’s most significant holding: that police had “seized” the defendant’s digital records under the Fourth Amendment when police copied his Google search history records during their investigation. This determination rendered the third party doctrine inapplicable and required the court to tread on new legal ground.
The case has already initiated an important legal debate as each of us—and the government—increasingly rely on digital and Internet service. For centuries, important records—banking and tax information, stock certificates, personal diaries, correspondence to business partners and family, love letters, political pamphlets, travel itineraries, and the like—were tangible and personal possessions. These were stored, if at all, in chests, under beds, in safe deposit boxes, and in attics and basements.
However, today these same intimate records of our lives are often stored digitally and online, a social transformation that occurred only over the past 30 years. An IT professionals’ aphorism—“there is no cloud, it’s just someone else’s computer”—suggests the reality: our digital lives are stored on nondescript server farms and office parks spread around the world. These databases are often owned and maintained by a small number of highly regulated companies, like Google, Facebook, banks, and Internet service providers.
Furthermore, service providers store new, tech-enabled categories of records we produce. These new records, including cryptocurrency transactions, Uber and Lyft rides, GPS location history, and search engine and ChatGPT queries, are often as sensitive as the old and reveal a tremendous amount about our families, habits, businesses, and even state of mind. These old and new types of digital records on digital databases are a goldmine for law enforcement. They are much easier to access than records stored under someone’s bed and, because many of these digital records are stored by the service providers, during regulatory or criminal investigations they can often be accessed without probable cause or a warrant.
The Seymour decision is notable because the court closely examined Google’s licensing agreement—the lengthy Terms of Service that we agree to when using a digital service—to determine whether the defendant had a possessory interest in his search history records. The court concluded Google “does not own its users’ content.” The court found, instead, that “users own their Google content” and, therefore, the police had seized Seymour’s records when they copied his search history information to build a case against him. As it concluded, “law enforcement conducted … a seizure of that information under both the Colorado Constitution and the Fourth Amendment.” The police, therefore, needed a warrant to copy and acquire Seymour’s records, just as they would require one to seize records stored in a closet or safe deposit box.
If other courts adopt the Colorado Supreme Court’s approach, there could be a sea change in regulatory efforts and criminal investigations. Decades ago, in U.S. v. Miller and Smith v. Maryland, the U.S. Supreme Court recognized a “third party” exception to the Fourth Amendment’s warrant requirement. That doctrine largely eviscerated privacy in the personal records and information that we send to a third party, like transmitting a phone number to a phone company to complete a call or personal information to a bank to complete a deposit or transaction. Under the third-party doctrine, law enforcement and regulators do not need a warrant to obtain such records.
So, Congress passed laws like Section 2703(d) of the Electronic Communications Privacy Act to allow law enforcement to obtain sensitive account records without a search warrant. With merely a court order, for instance, law enforcement can obtain subscriber’s name, device identity numbers, payment information, and other information from tech companies, telecom companies, and banks. Federal law enforcement officers must offer a judge only “specific and articulable facts” showing that there are reasonable grounds to believe that the records of a communication are “relevant and material to an ongoing criminal investigation” to obtain those records. This is a much easier standard to meet than a finding of probable cause. Even online records like email content, when stored for more than 180 days, can be obtained with less than probable cause.
Some laws, like the Bank Secrecy Act, and regulations, like the SEC’s new Consolidated Audit Trail scheme and the TSA’s Quiet Skies rules, go further. Rules like these exploit the third-party doctrine loophole and make regulated companies like banks, airlines, and stockbrokers de facto arms of the state who must transmit to regulators sensitive records about their customers, even in the absence of reasonable suspicion. These record-collection mandates are premised on the dystopian notion that the government needs years-worth of records about tens of millions of law-abiding people because someone, somewhere, perhaps in the distant future, might do something illegal or improper.
Supreme Court watchers will notice that the Seymour court seems to endorse the bailment framework Justice Gorsuch proposed in his dissent in Carpenter v. U.S., where he pointed out that “the fact that a third party has access to or possession of your papers and effects does not necessarily eliminate your interest in them.” The seizure analysis in Seymour resembles the trespass analysis in U.S. v. Jones and, like Jones, signals a possible obstacle for the increasing number of surveillance statutes and regulatory investigations applying to digital records. That’s because, to paraphrase Justice Gorsuch in Carpenter, the third-party exception to the Fourth Amendment does not apply to “papers” and “effects” that are yours.
If the approach of the Seymour court gains traction, a tech, financial, email, and any other service provider that stores digital records could enhance their customers’ privacy by stipulating in their terms of service that a customers’ records are owned by a customer—the service provider is a bailee, its servers functioning essentially as a safe deposit box for digital records.
That service providers’ terms of service shape our Fourth Amendment rights could be a mixed blessing. Professor Orin Kerr wrote in a recent law review article that it is “a troubling reality” that “our Fourth Amendment rights online hinge on the effect of Terms of Service.” Kerr may be right that it is hazardous to rely on “form contracts written by lawyers for multinational corporations” to protect our privacy and digital records. Governments, and especially the U.S. government, have coerced or pressured regulated entities to surveil their customers for decades.
However, on the flip side, companies could, out of principle or business necessity, add privacy-protecting terms of service that protect their customers against government dragnet surveillance. Protection of customers’ data is especially important as investigators and regulators increasingly rely on “reverse warrants” and production orders to require companies to comb through massive amounts of customer information, like GPS location or search histories, on the government’s behalf.
Courts have struggled with how to apply the terms of the Fourth Amendment rigorously and prevent the equivalent of general warrants for digital records. The issue may reach the U.S. Supreme Court soon as the Fourth and Fifth Circuit Courts of Appeal this year split over whether “reverse warrants” for digital records are Fourth Amendment searches. The Colorado Supreme Court has offered a novel and important approach by finding that, in some cases, we—not the companies—own our electronic records stored by digital service providers.
