Some experts have estimated that technology grows so rapidly that it doubles every year. While this conclusion may be difficult to comprehend, there is little doubt that technology advances so rapidly that frequently the law is left panting trying to keep up with its pace. Jurisprudentially speaking, the problem is knotty.
On one hand, our body of law, to have the degree of predictability required to govern an ordered society, must develop slowly through legislation and court decisions. Abrupt, rapid changes in the law hardly allow for the predictability required for law to be an effective guidepost for our conduct. In The Nature of the Judicial Process, Benjamin Cardozo wrote, "[t]his work of modification is gradual. It goes on inch by inch. Its effects must be measured by decades and even centuries. Thus measured, they are seen to have behind them the power and the pressure of the moving glacier."
On the other hand, technology, such as that used in life sciences or nanotechnology, grows at a lightning pace. How then can our body of complex laws and regulations, which must evolve slowly, keep up with these technological changes? Legislatures and courts grapple with this challenge. A recent New Jersey criminal case is a simple example of this.
In State v. Reid, No. A-3424-05T5, 914 A.2d 310, 2007 N.J. Super. LEXIS 11 (App. Div. Jan. 22, 2007), Timothy Wilson, the owner of Jersey Diesel, filed a complaint with the local police alleging that someone had broken into the company's computer system and changed his shipping address and the password for all his suppliers. The shipping address was changed to a non-existent address. Wilson suggested that Shirley Reid, an employee out on disability leave, could have made changes to his account. She was the only employee with the company password and ID.
Wilson began an investigation and concluded the changes were made by someone with an email account with Comcast, an Internet Service Provider (ISP). He contacted Comcast and the company refused to divulge any information about the person holding that email account and screen name. The local police obtained a subpoena duces tecum which directed Comcast to divulge all information concerning the IP address in question. Comcast complied and provided information implicating Reid who was then charged with a computer-related theft in violation of the New Jersey criminal code.
The trial court held that Reid had a reasonable expectation of privacy and, thus, that the search was unreasonable. On appeal, the Appellate Division addressed the issue of whether Internet subscribers have a right of privacy under the Fourth Amendment with respect to identifying information on file with their ISPs. Here is an example of when changing technologies must be governed by laws that were born in a far different era. In 1789, the Internet did not exist and neither did Internet Service Providers. The Fourth Amendment was designed to prevent unreasonable searches and seizures by law enforcement entering one's quarters. How is the Fourth Amendment to be applied to the results of rapidly changing technology - the Web, ISP's and email?
The Appellate Division held that although Federal Courts have uniformly held that no such right of privacy exists because there is no reasonable expectation of privacy on the Internet, New Jersey, which has a strong tradition of safeguarding individual rights, recognizes a right of "informational privacy." This means the "ability to control the acquisition or release of information about oneself." According to the Court, this typically includes information such as social security numbers, addresses, financial and health information, and phone logs. Account information related to an Internet address was held to be covered by the right of "informational privacy." The Court wrote:
"Just as technological developments once made 'the telephone an essential instrument in carrying on our personal affairs' so have further developments made the personal computer an essential component of modern life, entitling individuals to at least the same degree of privacy with respect to use as accorded to other forms of personal communication."
Thus, when one uses an Internet address or screen name that does not reveal that person's actual name, there is an expectation of privacy that will be protected against warrantless searches. As a result, the evidence against Reid produced by Comcast in response to the police subpoena was suppressed.
The extension of the right of "informational privacy" to an anonymous Internet address is a fine example of how our courts struggle to adapt and apply venerated legal principles from another era to new technologies, and in these authors' views, the effort is commendable though a bit fanciful.
Constitutionally speaking, Comcast's actions constituted a completely defensible handing over of Reid's personal information. Federal Courts have uniformly held that the Fourth Amendment's protections with regard to unlawful search and seizure do not apply. In fact, the United States Supreme Court has held that a person has no expectation of privacy of information - such as one's name - that he or she voluntarily provides to third parties. See, e.g., United States v. Payner, 447 U.S. 727, 731-32 (1980); Smith v. Maryland, 442 U.S. 735, 743-44 (1979). And, while the Court has acknowledged that it is "not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks[,]" it has stopped just short of action. Whalen v. Roe, 429 U.S. 589, 605 (1977). However, the pervasiveness of the Internet as a mega-database holding billions of pieces of voluntarily-provided personal information stands as a challenge to such passivity. As one astute commentator has noted: "by creeping into the lives of all but the most radical techno-phobes, the Internet has elevated informational privacy to a generalized concern." Elbert Lin, Prioritizing Privacy: A Constitutional Response to the Internet, 17 Berkeley Tech. L.J. 1085, 1153 (2002) [hereinafter Prioritizing Privacy].
In the absence of Federal action, state constitutional law has led the charge in trumpeting the importance of informational privacy, which has been typically defined as the ability of an individual "to control the acquisition or release of information about oneself." Reid, at *10 (internal citations omitted). In doing so, these states offer protection more comprehensive than those of the Federal government. However, change has been slow to come. Only ten states - Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington - include any express reference to informational privacy in their constitutions. Prioritizing Privacy, 17 Berkeley Tech. L.J. at 1130-31. Of these ten states, only California has developed its constitution with an eye towards computerized databases including personal information such as might be stored within an ISP's files. And, of the forty states that make no explicit mention of this right, only New Jersey seems to recognize a powerful implied right that its state case law has applied to Internet usage. Id. at 1130.
Although its state constitutional law was not drafted with informational privacy rights in mind, New Jersey, with California, has led its sister states in recognizing and enforcing an informational privacy right in relation to the Internet, holding that the "personal computer[, as] an essential component of modern life, entitling individuals to at least the same degree of privacy with respect to its use as accorded to other forms of personal communication." Reid, at *21 (internal citations). The New Jersey Supreme Court has shown its willingness to extend informational privacy protections beyond those offered by federal law since at least 1982, when it wrote that, "where the equities so strongly favor protection of a person's privacy interest . . . we should apply our own standard rather than defer to the federal provision." State v. Hunt, 91 N.J. 338, 345 (1982).
The Appellate Division's decision in the Reid matter - 25 years after Hunt was decided - illustrates New Jersey's continuing commitment to the informational integrity of its citizens. In deciding Reid's fate, the New Jersey Appellate Division, like the New Jersey Supreme Court, asserted a state constitutional right to privacy more inclusive than that recognized by the Federal Constitution. Finding that Reid did in fact have a reasonable expectation of privacy with regard to her subscriber information, the court found that her use of an anonymous ISP address and "screen name" indicated the defendant's intention to keep her identity "publicly anonymous," revealing her true identity only to Comcast. Reid, at *20. Further, the court found that Reid's interest in anonymity was "both legitimate and substantial" such that her name on file with Comcast fell within the concept of informational privacy. Id. at *20-21. In light of these holdings, the court held that Reid's personal information provided by Comcast was properly suppressed by the court below.
On one level, Reid is interesting because of its application of the right of informational privacy to the use of anonymous Internet addresses in criminal actions. This is very different from civil actions where there is no "state action" and where, in appropriate circumstances a private party can discover such personal information. See Dendrite Int'l, Inc. v. Doe, 775 A.2d 756 (N.J. App. Div. 2001) and Immunomedics, Inc. v. Jean Doe, 775 A.2d 773 (N.J. App. Div. 2001). The law in civil actions is discussed in Unmasking The Masked Man: Pulling The Mask Off Your Email Intruder, Metro. Corp. Counsel, Mar. 1, 2006, by Marc S. Friedman and John Carlson.
On a deeper level, Reid is significant for it exemplifies the manner in which courts are trying to solve new technologically-based disputes and issues with old laws. As the life sciences, information technology, nanotechnology and other technologies are born and develop, our courts, such as the Appellate Division in Reid, and our legislatures will continue to struggle to make rulings and legislate changes that address the ever expanding technologies in a fair and rational manner.
Marc S. Friedman is the Chair of the Intellectual Property Group at Sills Cummis Epstein & Gross P.C. and practices in the Firm's New York City Office. Monique Cofer works with the Firm's Litigation Practice Group. The views and opinions expressed in this article are those of the authors and do not necessarily reflect those of Sills Cummis Epstein & Gross.