- Law & Policy
- Revitalizing American Institutions
Orin Kerr is a senior fellow at the Hoover Institution and a professor at Stanford Law School, where he teaches and writes on criminal law and criminal procedure. He helped found the field of computer crime law, which studies how traditional legal doctrines should adapt to digital crime and digital evidence, and is widely considered a leading authority on the Fourth Amendment. He spoke with Chris Herhalt about how the Fourth Amendment must adapt to the digital realm.
Chris Herhalt: Welcome to Hoover. What’s next for you, now that you’ve joined us? What do you think you’re going to explore?
Orin Kerr: I’m going to keep up what I’ve been doing, which is studying the shift to the world of digital crimes and digital evidence and digital evidence collection. My interest is this: how do you take a legal world that has been about physical crimes, physical evidence, and eyewitness testimony—like when the government comes into court with a gun or the drugs—and shift to a world where the government comes in with data? The crime itself may be an online crime, such as a computer intrusion or an online threat. What really interests me is how we translate the world of criminal law and criminal investigations to a digital realm—what institutions are a part of that, and what rules are a part of that. How do we adapt our very ancient criminal law system for the new technological world?
What attracts me to Hoover is it’s a great group of scholars with real-world impact and access to great minds that are thinking about these sorts of public policy questions. Because what interests me is not just the theory of these things, but how do we make this happen? How do we bring all the relevant players together in an open way and think through that shift?
Chris Herhalt: Here’s something I’ve thought about even before I started reading about your work: the plain-view exception. Is there a plain-view exception that extends to screened devices? If a member of law enforcement happens to “look over the shoulder” of a person in an investigation and see what’s on their screen, is that admissible? In that same vein, you’ve talked about the 2014 decision that held that police no longer had the automatic right to search devices upon arrest. If a device is left unlocked or if it is in law enforcement’s custody and a message comes in plain view that is tied to criminality, how are those sorts of things dealt with?
Orin Kerr: They can look at it.
Chris Herhalt: They can look at it.
Orin Kerr: This is relevant for lawyers who are working on materials out in public or people who have confidential documents for clients when they’re out in the world with laptops and cell phones. This also goes for speaking; some people are known to speak very loudly in crowded places and to talk about confidential issues. People should be very careful about that, lawyers and non-lawyers. But yes, basically they can access it.
Chris Herhalt: So, if a device has no countermeasures on it, they can look at it?
Orin Kerr: They can look at what is openly visible on the screen, but the government needs a search warrant to start looking through what is inside it. It’s just as protected as if it’s your postal mail or if it’s your home. It’s all protected by default. You have Fourth Amendment full rights in your digital devices. The real question with extra locks becomes what beyond the warrant requirement does the government have to do to bypass them.
Chris Herhalt: There have been national security cases where the device was so well protected that you almost never heard whether law enforcement succeeded in breaking it. Does the government need to seek additional judicial permissions to take more significant steps to break through?
Orin Kerr: It depends. There are a bunch of techniques the government uses to try to unlock locked devices. A lot of it is just technological means. There’s a vibrant market in unlocking tools. There are companies that sell unlocking tools to governments, and they try to bypass the encryption that locks the devices. So, the government might try that.
They sometimes also occasionally try—this is less common—getting the person to unlock the device for them under some sort of legal command. That’s where you get the legal question, the Fifth Amendment privilege. Can the government make you unlock your device? Can they put your thumb on the thumb reader or your face up to the face ID? That can raise some constitutional questions.
Chris Herhalt: Let’s focus on an essay you wrote for Hoover in 2021 [“Buying Data and the Fourth Amendment”], where you pointed out that with so much data for sale, there already are often situations where the government can buy certain information that it would otherwise obtain by seeking a warrant. You wrote that “a sea change in how often the government can buy records to conduct detailed surveillance might someday justify a more restrictive approach.” In your view, are we approaching that situation? And how often is the government able to buy what it’s looking for?
Orin Kerr: “Rarely” is the short version. I should say this is a chapter of my new book, The Digital Fourth Amendment. And I have a chapter where I go into more detail than I did in that 2021 essay.
This is talked about a lot and the subject of a lot of concern, but the kinds of records that are useful in an investigation are typically very specific to a very specific user. It’s not the kind of mass data that tends to be sold, or generic information useful in the advertising setting, which is usually where that market is. I may want to know a hundred thousand customers who have searched for something, whatever it might be. And that’s usually not of investigative use, but that might change. So, I leave open the possibility that the Fourth Amendment constitutional rule might need to shift for that, but I don’t think it has yet.
Chris Herhalt: In a webinar you co-led for Hoover’s Center for Revitalizing American Institutions, you talked about a case where the government sought metadata to show whether a suspect’s phone flashlight was on or off at a specific time. Are there cases emerging where the government is seeking data about the internet of things, such as devices in your home and what they’re doing or not doing at certain times?
Orin Kerr: That has not come up, I think because that is usually not of investigative importance. But in that example of whether the flashlight app was on, what’s so interesting is that it points to this possibility that there’s data about all these things going on in the world.
Chris Herhalt: I’ve been thinking about Alexa, all those little smart speakers, when law enforcement comes upon a terrible domestic violence situation, possibly with fatalities. Do any of those smart speakers pick up something relevant?
Orin Kerr: There was a case involving a warrant for Alexa records a few years ago. The broader picture is, of course, that any of these devices that keep records in a known location are potentially of interest to investigators when it reveals evidence of a crime. And when you have these big companies storing the data, if you’re an investigator, you think, “Hey, wait a minute, I’m going to go to this big provider and get data.” What’s particularly useful is something like Facebook because Facebook’s rules are that you’re supposed to use a real name. So, it’s easy for the government to know if a particular person has a Facebook account, and they can get data from that account. But someone’s e-mail account, who knows? They might have an e-mail account where their name is 4S-B-359 or something like that. So, it’s not as useful, but it’s all potentially out there. What limits a lot of this is that when you have a court order requirement, either by statute or by the Constitution, the government needs to say, why is this likely to be evidence of crime?
Chris Herhalt: I was a young newspaper reporter during the Snowden period, and we got to know way too much about metadata. You’d have these self-evaluations of what you did digitally in the course of your job. What could some individual piece together about me from what I did? How does the Fourth Amendment treat metadata?
Orin Kerr: Traditionally, metadata is treated kind of like your appearance in public. You can learn a lot about somebody by following them and seeing where they go. Where do they leave in the morning? Where do they spend their day? The government can get a lot of information about someone’s life from just observing them out in public, but the traditional answer is that that’s not protected by the Fourth Amendment. Fourth Amendment rights are basically about breaking into private spaces, not observing somebody in public, so the courts have traditionally drawn that same line for metadata and contents of communications. You have Fourth Amendment rights in your phone calls, or we have Fourth Amendment rights in this Zoom call that we’re making, but not the metadata about it. It’s sort of like the information about where you went on the internet, as compared to what you actually said when you were there.
At the same time, the Supreme Court has started, and lower courts have started, to expand Fourth Amendment protection into the metadata category. Some kinds of metadata are new and different and are really invasive. That’s what the Supreme Court did in 2018 with Carpenter v. United States, the case on cell-site location information that the government wants to track people. And they basically said this is a new kind of record, and we’re not going to follow our old metadata rules. We’re going to treat this as a new category and say this has to be protected under the Fourth Amendment, or else we’ve shifted the level of government power too much by technology. We need the law to come in and rebalance things.
After Carpenter, lower courts are still figuring out how to interpret it. For example, take the issue of whether there is some sort of a short-term exception to this rule. What if it’s only a little bit of metadata? Is it then not covered? Let’s say the government just wants to know whether someone’s phone was in California at a particular date and time; is that different from tracking someone for a whole month? There had been a suggestion in earlier cases of a short-term/long-term distinction that the Supreme Court didn’t resolve in the Carpenter case. Lower courts are currently divided on it.
Chris Herhalt: What else are you working on?
Orin Kerr: I have a few articles in the works. Let me talk about just one, “Data Scanning and the Fourth Amendment,” forthcoming in the Boston College Law Review. Here’s the question: when the government is ordering the search of a massive database, how broad is the search that occurs, if any? That has started to be a really important question.
Here’s where it comes up. The government might order Google to search the stored search terms of a billion users to find a match for a search query related to some known crime. For example, there was an arson in which the government had reason to think that the arsonist Googled the address. Why might they do that? It might just be to get directions, or to do online surveillance. You can use Google Maps and see what the building looks like. In this particular case, someone burned down a house, killing a few people in it, and the government had reason to suspect it was arson. The government got a warrant to order Google to search its records for anyone who had Googled the address in a particular window of time—and they actually found the arsonist that way. Lower courts are divided on how the law applies. Is that a search of a billion houses, the kind of overbroad search that the Fourth Amendment doesn’t traditionally allow? Alternatively, from a constitutional standpoint, is that a Fourth Amendment search at all?
One court, the Fifth Circuit Court of Appeals, has said that a search that’s through too big a database is unconstitutional. You can’t do it even with a warrant. Then other courts say, no, you can, as long as the filter setting is sufficiently narrow.
This is another example of something that comes up often in digital Fourth Amendment cases. We have this physical rule, which is that government can only get a warrant to search one house. They can’t get a warrant to search a city. Well, how do apply that rule to a query through a database of a billion people’s data? What’s the right analogy? Google determines that all the data is put in a single database. They could break it into lots of different databases. Are they required to? Does it make a difference? And how big is too big?
This interview was edited for length and clarity.
