Who owns your data?

A Supreme Court case about a bank robbery could redefine your digital rights.

A note before we begin: I’m not a lawyer, and you shouldn’t consider anything I write or say to be legal advice. As always, this post is solely my own, and does not necessarily represent anyone I’ve worked for or with, or any community I’ve been a part of in any capacity. Okay? Okay.

To catch a thief, the police turn to Google

It’s May 20, 2019, a year before the pandemic. Midlothian is an old, unincorporated coal-mining town outside Richmond, VA that now serves as one of its suburbs. A man enters the Call Federal Credit Union, forces a worker to open the safe using a threatening note that implied he had taken hostages, and walks out with $195,000.

A few weeks after the robbery, the police have no strong leads. Finally, they go back and examine the security footage, and notice that in the minutes before the robbery, the perpetrator holds a smartphone to his ear — which gives them an idea.

When Android smartphones have Location History turned on, they save detailed location information on Google’s servers. Because it’s centralized and indexed by Google, it can be searched by the company, as well as subpoenaed by third parties — and obtained by law enforcement.

The police in the Midlothian case get a warrant for Google’s location data for every cellphone in the area of the Credit Union — a so-called geofence warrant — for an hour around the time of the robbery. Each of the 19 cellphone owners returned to them by Google becomes a suspect; they investigate each one in turn, having conversations and methodically ruling them out. And that’s how they find Okello Chatrie.


Chatrie entered a conditional guilty plea in 2019. It wasn’t cut and dried. The Fourth Amendment protects people from arbitrary searches and seizures. His lawyers argued that a blanket geofence warrant that revealed everyone who happened to be within the vicinity of the Credit Union was a violation of those rights. The judge presiding over his case acknowledged that the warrant did likely violate his rights, but allowed the evidence to be included anyway. Chatrie was ultimately sentenced to twelve years in prison.

His legal team brought the Fourth Amendment complaint to an appeals court — and lost. Contesting that result, they petitioned the Supreme Court, which has now agreed to hear the case.

Surveillance capitalism is just surveillance

The implications of the Supreme Court’s eventual decision will go far beyond Chatrie’s freedom.

Google is issued tens of thousands of these geofence warrants every year, and hands over detailed information about cellphone users without them ever knowing.

Google isn’t the only potential recipient for such a warrant. Much of the internet economy depends on gathering data and selling characteristics about individual people to others; Google is just one of many companies that store and trade on this data. Without protections, all of it can be used to target and identify individuals.

Data brokers buy information from third-party apps across device types (including iPhones) and sell bulk access to it. Those apps are sometimes surprising: weather apps, for example, need to understand your location to give you a useful forecast, but they often then sell that location data through brokers.

As well as advertising networks and sales teams, customers include the police, ICE, and intelligence services around the world. This data is often “anonymized” or “de-identified”, but in practice can be made identifiable again relatively easily when datasets are combined. Brokers sell this information even without a warrant, and many security services buy subscriptions in order to circumvent legal restrictions that would ordinarily require them to get one.

This information — whether retrieved via warrant or otherwise — is often specific and directly identifiable. Anyone with the ability to access it about a person gains the ability to track their activities at a highly granular level. That’s made possible by massive, centralized data collection at scale, and an assumption that users don’t have significant rights over it.

The implication of Chatrie’s petition to the Supreme Court is that it must answer the question: when you consent to share location data with a cloud provider like Google, do you forfeit constitutional protection against government searches of that information? But there’s another question that should be asked alongside it: given that this information can often just be bought on the open market, what might protect people from having their personal and identifying information searched without their permission?

The court surfaced an email from a Google employee that said Google’s interface “feels like it is designed to make things possible, yet difficult enough that people won't figure out” how to disable tracking. This implies a third question: if a service uses dark patterns to bury the implications of a consent decision, as Google and many other internet services arguably do, is it informed consent at all?

Is personal data property?

Two cases in the late 1970s (Smith v. Maryland and United States v. Miller) established something called the third-party doctrine, which holds that people have no reasonable expectation of privacy over information they have voluntarily shared with third parties.

These cases were decided decades before the cloud, smart devices, and ubiquitous mobile computing: specifically, they determined that bank slips and records of outgoing calls could be accessed without a warrant. In both cases, the argument was that the person involved knows that they’re giving this information to the bank and phone company respectively. That doesn’t apply cleanly to how data is created and collected in the internet era, where data is often created and collected seamlessly, without our direct involvement. Regardless, the doctrine has long been used to argue that Fourth Amendment protections don’t apply when retrieving cloud data about a person.

Those differences do matter. Much more recently, in 2018, the Supreme Court found (in Carpenter v. United States) that location information drawn from cell tower records was protected under the Fourth Amendment, recognizing that the “detailed, encyclopedic, and effortlessly compiled” nature of this data was different to that considered under the third-party doctrine.

Clearly, data automatically saved from geolocation on a smartphone is much more comparable to this cell tower information. This data, too, is detailed and encyclopedic, and is gathered without any input from the user. Both are buried deep in the terms and conditions of their respective underlying services, where users are probably unaware they’ve consented to them; they only really differ in the mechanical details of how they’re gathered. If cell tower location information maintains Fourth Amendment protections, there is no reason why Google’s (or anyone else’s) geolocation data should not.

But the implications of the case may be larger. My attention was drawn to a dissent in Carpenter by Justice Gorsuch, who agreed with the conclusion (that cell site data was protected) but disagreed with how the Court got there. He said:

He did not invoke the law of property or any analogies to the common law, either there or in his petition for certiorari. Even in his merits brief before this Court, Mr. Carpenter’s discussion of his positive law rights in cell-site data was cursory. […] In these circumstances, I cannot help but conclude—reluctantly—that Mr. Carpenter forfeited perhaps his most promising line of argument.

In other words, he was disappointed that Carpenter’s lawyers chose to argue that he had a reasonable expectation of privacy, and not that his personal data was his property. Gorsuch’s opinion in the Carpenter case was, in a way, an invitation for plaintiffs to use this property argument in future cases: a signal letting them know that he would be receptive to it.

That’s exactly what the Chatrie team has done: Gorsuch’s property argument is a core part of their petition.

Google the bailee

The Chatrie team argued that Google’s custody over a person’s personal data is a bailment, and that because Google users can control their location data (including deleting it), it’s their property, not Google’s.

Unlike the [Cell Site Location Information] at issue in Carpenter, Location History is in no sense a business record: users (not Google) have control over whether it is stored and can unilaterally delete it. Although the records were stored on Google’s servers, Google was acting as a bailee rather than an owner.

A bailment is when you give your property to someone else for safekeeping or a specific purpose, but you retain ownership and agency over it. The best analogy is a coat check or valet parking. The bailee takes possession of your stuff, but it never becomes their stuff. You get your coat back from the coat check; the valet returns your car. There’s an assumption that they’ve treated them well in the meantime; their owners retain Fourth Amendment rights over them throughout.

Google itself filed an amicus brief in the original Chatrie case, indicating that those rights were also preserved for location data under its custody. As Lawfare summarized it last year:

Google ultimately asserted in its Chatrie amicus brief that its users retain Fourth Amendment rights in their Location History data. Moreover, four days after the oral arguments in the Chatrie case, Google issued this announcement that after a year or so it would no longer store Location History data except on users’ own devices, essentially ending Google’s participation in geofence warrants.

Being seen as a source of ubiquitous surveillance is bad for business; it stands to reason that Google would want to halt the practice.

But of course, data is a little bit more complicated than a coat or a car. Unlike a paper record — or any other sort of property — data is infinitely replicable. Google might hold a copy of your data, but that doesn’t necessarily preclude anyone else from having a copy, too. That essential characteristic has powered the entire internet revolution: the core concept of scalability doesn’t work without infinite replication.

This infinite replicability also has the potential to be a complication for that bailee argument. In a data universe, there may be multiple custodians for different copies of the same piece of information. It’s not what’s called rivalrous: while my possession of my coat or my car means that nobody else can have them, if I give Google my data, I’m not necessarily withholding it from anyone else. In a data world, the same coat can be stored in infinite coat checks.

Property rights evolved around rivalrous goods; for something to be considered property, it usually needs to have scarcity. The exception is intellectual property, which is something you create: IP covers creations that can be infinitely replicable. The thing is, intellectual property hinges on a copyrightable work being created; sometimes data is this (this article is data and also a copyrightable work), but sometimes it’s just a set of facts. Facts aren’t copyrightable; IP doesn’t cleanly cover them. A set of facts of the form “Ben was in this location at this time” is therefore not covered by IP.

For us to consider data as being property, then, we probably have to consider it as something new. At the very least, we need to expand how we think about property to incorporate the concept of infinite replication.

What is property?

If something is your property, you typically have certain rights:

  • The right to use (“enjoy”) it
  • The right to exclude others from using it
  • The right to transfer it
  • The right to destroy it

These all make sense in a data context too — they just don’t cover everything you can do with data. I would add:

  • The right to copy it
  • The right to transform it
  • The right to examine it

For data to be property, the owner needs to have these rights over it. Whether a user really does have each of these rights over the location information stored by Location History is up for debate. Do they have true title to this information, which would mean they have sole power to exercise these rights? Or have they just been granted some control over it?

What is personal data?

It’s worth considering who generates personal data, and how.

Take this analogy: in the famous scene in Titanic, Jack (Leonardo DiCaprio’s character) draws a still life of Rose (Kate Winslet’s character). Jack has recorded an observation of Rose. It contains Rose’s personal information: her face, her whereabouts, what she’s wearing. But who owns that drawing? Is it Jack’s or Rose’s?

Jack has made the drawing: while Rose modeled for it, it’s his work. The drawing is intrinsically his. Rose probably has some moral rights over it — for example, over her likeness — but the piece of paper with the drawing on it is not her property.

Of course, a point of location data isn’t a drawing. It’s not a copyrightable work. It’s a set of facts that list where we were at a particular time. If I sit across from you and notice that you’re wearing a red sweater, you don’t own that observation or have any rights over it, even if it’s about you. I can tell anyone I want, including the police, that you were wearing it.

But there are key differences. In that scenario, I’m independent of you; Google, on the other hand, is tracking your location through your phone, which is your property. You’re a key actor: you’ve set up the phone, kept it charged, bought cell service, and so on. And you’ve chosen to use the services that capture your location. Google is acting on your behalf, recording data that you create by moving around with it in your pocket.

The originator of the action — the instigator — seems to matter. Is Google akin to Jack, observing us and drawing us in its database? Or are location records things we make ourselves by moving around with a phone in our pocket?

Is location data something Google creates by observing us, or something we create by living? Is personal data the result of something we do or something that’s done about us?

In a world where personal data is property, we gain the property rights I listed above by default, and in turn, we gain much more power and control over the information that’s stored about us. This would change our rights online, and every organization — software companies, ad networks, publishers, governments — that captures first-party data about a person would need to adapt. In a world where it isn’t, we either make some gains through the lens of a reasonable expectation of privacy, or we’re left with fewer rights. The status quo would remain largely intact.

Whether Chatrie finds that there was a Fourth Amendment violation is important, because privacy is important. How it finds it has the potential to change the internet forever.

Because it’s not clear that the surveillance data that is stored about us is ours, and because of the serious ramifications, I would be very surprised if the Supreme Court ruled that location data stored about us was personal property.

There’s also a danger: if location data was personal property, there’s a real chance that Fourth Amendment rights would actually be restricted overall. If the Fourth Amendment can only apply to things that look a lot like property, that may prevent it from being applied to technology and data that diverge from that standard. To put it another way, it sounds protective, but it could ultimately narrow Fourth Amendment coverage by requiring plaintiffs to establish property interests that may not exist in modern data arrangements.

That’s not at all to say that the Court won’t find there is a reasonable expectation of privacy, or that location records aren’t protected by the Fourth Amendment. If your face is caught on CCTV, nobody would argue that you own that footage, but there are reasonable protections on how you can be recorded and what can be done with it. If your phone is wiretapped, you probably don’t own the audio, but there are reasonable protections on whether someone can record it in the first place.

Legislation is needed

This is a thorny discussion — in the US. Strong data protection rights are here; they’re just not evenly distributed yet.

In most of the US, rights over data are largely still up for debate. The third-party doctrine has acted as a shield for service providers, who consequently don’t need to build the extra features and protections that would be necessary if data was property. The CLOUD Act works against privacy rights by requiring American service providers to relinquish data to the authorities.

But privacy should be a human right. Even if the legal arrangements are under debate, the moral right to privacy exists and is clear.

In the EU, the General Data Protection Regulation (GDPR) makes your rights around data much clearer. It establishes a bundle of data rights that include:

  • The right to understand which data is being collected about you and how it’s processed
  • The right to correct inaccurate data about you
  • The right to delete data about you — but only when it has outlived its usefulness for the purpose it was collected
  • The right to limit how data about you is processed — in some circumstances — and object to it being processed
  • The right to download your data
  • The right to share your downloaded data with another provider
  • The right to not be subject to decisions solely made using automatic systems using your data

There’s no right to prevent processing altogether, and there’s no right to sell your data. These rights stop short of full property rights — in fact, they’re explicitly defined as rights that relate to personhood, not property — but there’s significant overlap. Most importantly, they remove ambiguity about what rights a user has over data that is stored about them. The GDPR covers both my Titanic and my sweater examples by directly encoding rights.

This has inspired other legislation. For example, California’s privacy laws, the California Consumer Privacy Act (CCPA), are an enormous step forward in the US — but with significant limits. They treat data rights as consumer protection legislation, but only for data captured by certain organizations: non-profits and companies under certain revenue limits are exempt. They also have an explicit carveout for legal processes, leaving users relatively unprotected against government access. Unlike the GDPR, the CCPA doesn’t provide universal rights over data.

As I mentioned, I find it unlikely that the Supreme Court will find that data is property as part of its Chatrie decision. But that doesn’t mean data as property is a bad or undesirable outcome (except for the stakeholders who would need to comply with it). To get there, we need lawmakers to create new legislation that encodes those rights.

In his Carpenter dissent, Justice Gorsuch pointed out that the third-party doctrine effectively means that nobody ever has a reasonable expectation of privacy. In a world where we all carry a smartphone in our pockets that stores all kinds of information about us, it condemns us to living with ubiquitous surveillance. Property rights — or something that approximates the bundle of rights normally associated with property — would free us of that.

In order to prevent ongoing arguments about what rights we have over the data that is stored about us, we need clarity — and that’s what legislation is for. For now, all we can really do is hope that the Court decides, in some limited situations, that we have a reasonable expectation of privacy. But we need to push for more.