 So it looks like a pretty good crowd, just out of curiosity. How many of you can you raise your hands if you're a practicing lawyer? Okay. How many of you are law students? All right. How many of you are from a non-legal field? Okay. Okay. Okay. The third-party doctrine before this event. Okay. And how many of you worked with a third-party doctrine? Okay. This will be a very interesting discussion. So to kick off the panel, I wanted to start with a statistic. The DC District Court released data that showed that the number of warrantless law enforcement requests for cell phone location and internet activity data grew sevenfold in the past three years. So tonight we'll be discussing the third-party doctrine, which is a legal theory that makes such requests constitutional. So we'll explore how the third-party doctrine affects law enforcement practices, tech company practices, and data privacy expectations. We'll also be discussing Carpenter v. United States, which is a third-party doctrine case that the Supreme Court will have agreed to hear later this year. So it'll be the first time that this Supreme Court will visit the third-party doctrine. Professor Stephen Ledeck, the founding member of Lawfare, called the case, quote, the most important Fourth Amendment and Privacy case that the Supreme Court has heard in a generation. So we've convened five excellent panelists to discuss the third-party doctrine and Carpenter. So starting from your my right, over here, Ahmed Gapour is an associate professor at Boston University School of Law, where he teaches cybersecurity law and national security law. His most recent article was a law enforcement jurisdiction in the dark web. Andrew Crocker is a staff attorney at the Electronic Frontier Foundation and works on their national security and privacy docket. He helped file an amicus brief that supported Carpenter's cert petition. Nicole Jones is a senior law enforcement and security counsel at Google and provides counsel related to cybercrimes, government requests for user data, information security and internal investigations. She also worked as an assistant U.S. attorney in the national security and cybercrime section. Gregory Varnum is a communications strategist at Wikimedia and also the non-lawyer in the panel. And he'll be substituting in for James Alexander, who could not make it today. So Greg has worked on the implementation of Wikimedia's access to non-public information policy and helped volunteers with signing the confidentiality agreement for non-public information. And lastly, Michael Leeming Wong is a partner at Gibson Dunning Crutcher and specializes in white collar investigations. He also assists clients with data privacy counseling litigation. He served as an assistant U.S. attorney for eight years. He also filed an amicus brief on behalf of the Constitution Project for United States v. Jones, a 2012 Supreme Court case that decided whether installing a GPS tracker on a vehicle and then tracking it constituted a search under the Fourth Amendment. Okay, so with all of that done, we can dive into the panel. So we'll first turn your attention to the third-party doctrine. So under the Fourth Amendment, the warrant requirement is usually triggered whenever the search intrudes on a reasonable expectation of privacy. The third-party doctrine holds that people who voluntarily disclose private information to third parties, like cell phone companies or information service providers, have no reasonable expectation of privacy. So this allows the government to obtain information from third parties without a legal warrant. So let's try to put the third party in some context. So presenting the first question to the panelists. What types of data do tech companies collect about consumers? And can you name a couple of types of information that come to mind, perhaps, in your current work? So kicking it off to anybody. I guess as the tech company representative, it might make sense for me to start with that one. We've recently revamped our privacy website at Google and have tried to explain some of this concept to users. And it's difficult when you're talking about so many different types of products and services that a company like Google may offer. But we categorize these types of data into three different buckets that hopefully are useful to lay people to conceptualize this. The first bucket on our site refers to it as the things that make you you. But really what we're talking about there are the things that you might provide while you're registering for a service. So your name and address and phone number, date of birth, gender, that type of information that in other contexts we might describe as subscriber information. Then there's a category of data, the things you do. And that can be transactional type of information. And when I use that term, I'm not making a content, non-content distinction. But rather as you are interacting with the service, the types of data and records that might be created as a result of that. So this might be the things that you search for, the things that you watch on YouTube, that type of data. And then the category of the things you create that if you're familiar with ECPA, that people might refer to as content, the content of your communications. So the emails that you send, the documents you create, the photos that you take and store, your calendar entries, your contacts. The information that you create while using the service. So I guess I'm the token suit here. I represent a lot of tech companies and I think what presents a challenge for both the companies and for consumers who have sensitivities or privacy is aggregation of data. You take one ride on a cab from point A to point B, no big deal. But then Uber has complete ride history stored. I go to a bookstore, buy a book, not a big deal. But I think about all my purchases on Amazon and one can look at that and come up with all sorts of conclusions that challenge the notion that this information is given voluntarily. And for companies that aggregate this data, the challenge is how to safeguard it responsibly, how to sort of mine it for marketing purposes. I think we've all become numb to the ads that pop up when we're surfing. They used to freak me out but now I'm sort of used to them. And Nicole, don't get me started on Google and searches. I think about, I think all of us think about our search histories and think that that's probably more private to a lot of us than the stupid texts we send. And then offering some thoughts on the non-commercial side from the Wikimedia Foundation in Wikipedia. We do still collect data. I think it's surprising to people that any website you go to, there's an automatic data exchange that happens. So we are not in the interest of collecting data. We don't mine data. We don't sell data. But we still wind up acquiring data. And so we have to be very responsible with what we do with that. And that can range from the IP address of where you're editing or pinging us from. It can be your email address if you've registered with an account. Even though we don't require an email address, people will voluntarily tie that to their account. And just another little thing, you know, what device you're using, what your ISP might be that sometimes gets transmitted, sometimes what cell network you're on. So as an organization where data is not really, you know, that type of data anyway, user data is not really our business or our industry, it becomes an interesting challenge that we are kind of forced to have this data. It's kind of thrust upon us and what we then do with it and how we manage it gets very tricky and gets very important. And that's why for an organization like Wikimedia, with a site the size of Wikipedia, where a lot of times, again, people don't even realize that data is being transmitted, how we store it and what we do with it becomes an interesting challenge for us. So one thing to add to when we're talking about the third party doctrine more generally, everyone else has talked about things like records and transactional information, as Nicole was saying. But one thing to keep in mind about the third party doctrine as it's been applied to the sort of digital age is even though the Supreme Court's cases that established it, Smith versus Maryland and United States versus Miller deal with business records, it's been argued to apply to any kind of information held by third parties, including the contents of communications. So things like emails that a third party email provider like Gmail holds. And this is an issue that we thought we had sort of settled back in 2010, the Sixth Circuit Court of Appeals ruled that the third party doctrine didn't apply to the contents of communications. That's the case called warshack. But it's never been definitively ruled on by the Supreme Court. And in fact, EFF is involved in a case right now where the SEC, the Securities and Exchange Commission, is seeking the contents of emails from Yahoo without a warrant. So though it's sort of an outgrowth of the cases from the Supreme Court that deal with business records, it's arguably in its broadest form applies to any kinds of data, including the contents of communications, sort of the most sensitive things as we think of them. And just to sort of introduce some more categories, because I don't think we've introduced enough. But the way I would look at third party data is for communications at least. So we all communicate using digital communications, whether it's on the phone, the computer, Fitbit, et cetera. So you can look at data kept with a third party of the company that you're dealing with as first data that they need to conduct the transaction. What data does Google need to take an email from you and deliver it to the recipient in virtual space? Or what data does AT&T need for you to dial a set of numbers and have the person on the other end of the line actually have their phone ring? And then there's data that a company might be compelled to store. So there's data for purely facilitative purposes. That's the dial-up information, for example. And then data that might be required either by statute or ordinance or country's laws, et cetera, that a company must store for whatever reason. And we'll get into that. And then there's data that the company stores for performance, for example. Let's store everybody's emails and mine them to deliver them ads, for example. Or let's track your cursor as it goes over different ads to see which ones you like best. Let's try to figure out different routing mechanisms to improve our performance and deliver a better product, et cetera. And the reasons might be tenfold. They don't all have to be for the purpose of consumer experience. But this is all data that I would consider sort of extra data that we might want them to store for certain reasons, but we can't or we don't have to have them store for that particular transaction that you're trying to get through. And I'll be referring back to that, I think, along the way. And I think it relates a lot to a lot of the precedent that both Andrew has mentioned and I think that we'll be getting into as the conversation progresses. Yeah, so it seems like there are quite a lot of different categories of data. And so I wanted to ask, how does the third party doctrine affect tech companies and their business practices? How does it affect the way that they do their products and services? How does it affect how they interact with government? And how does it affect your day-to-day work? Again. So I guess starting at a bit of a lower level and maybe putting the third party doctrine into some broader context, it sometimes surprises people, non-lawyers, when I talk to them about requests for records to hear that for the most part, sort of in general, when law enforcement wants the production of documents from a company, they issue a subpoena, an administrative subpoena that is set forth in some statute that says they have the power to do this, a grand jury subpoena, a trial subpoena, that it's generally essentially a piece of paper asking for the production of documents. And that grows from, so the cases that Andrew's already mentioned are cases where this has gone up to challenge. So Miller, USB Miller, is about bank records. And so today, people sometimes are surprised to hear this, all you need is a subpoena to get basically all of your credit card history, all of your banking history from the financial institutions that you do business with. And then there can be gloss on some of this with statute. So ECPA is a really good example of that, where Congress was trying to do a good thing, recognizing that the privacy concerns, as when technology and communications over email was really nascent in the 80s, saying, you know, this is different, this is somehow different, and we should maybe have a different approach to it. And ECPA made some mistakes, some things that didn't age well. But the idea was to classify data by varying levels of sensitivity in the construct of that time and say, okay, you know, a subpoena is okay to get the less sensitive data. For the most sensitive data, and there's a lot of complexity here we can't get into, you're going to need a warrant. And then this middle sort of category of data, non-content that's also not subscriber information, this new type of corridor that was created sort of bespoke in the statute. So that is the framework that a lot of companies, tech companies have been operating under for a really long time, until, as Andrew mentioned, Warshack came along in 2010. And so we had been dealing with the ECPA construct, but then when Warshack came out said no, to the extent ECPA says that there are situations where you don't need a search warrant to get the content of private communications data, that's unconstitutional. And that was a different approach than what had been in place since US v. Miller and State v. Maryland that had said no, once you have conveyed information voluntarily to a third party, you no longer have reasonable expectations of privacy in it. And so the Sixth Circuit, which is the same circuit that Carpenters are rising out of, it's interesting, took a different approach with that. And so far, the Department of Justice has actually not fought that. There haven't in most cases, I mean, and now the SEC, which is different, is actually bringing it to the fore. And I think that arises out of some debates that have come up in the context of actually amending ECPA. Since nothing has happened since 2010 with the Supreme Court actually affirming that the Warshack court was correct, the companies have been working really hard to say, well, at least statutorily, we want a clear warrant for content standard. The SEC has been one of the sticking points in that. Because they can't get warrants. Right, because they can't get warrants. Has been one of the sticking points in getting that legislation across. So in terms of the third party doctrine, I don't think that's, until recently, until really Carpenter has finally brought it up, the fact that the Department of Justice wasn't really pushing back on the concept of needing a warrant, the third party doctrine per se hasn't been a daily thing, but especially now at the Internet of Things and Smart Homes and different kinds of data that aren't so clearly communications that the court can say, oh, this is just like a letter going through the post office. This is just like a telephone call that has to go through an operator. It gets much more complicated and brings it to the point where you really need to be talking about it every day and you're counseling your clients about the type of service they're going to provide, the type of data they're going to store and for how long. So we were worried that there was going to be violent agreement on the panel. I'm going to gently disagree with you about something you said, which is, I think from the civil liberties perspective, the third party doctrine has actually been had a really daily importance. The question being, you know, how does it affect tech companies? I think it affects them greatly because they in this day and age hold so much data, all this data that we've been talking about, and so it puts an immense responsibility on companies because they hold this data. They are intermediaries between the third party, between the government and the people whose data it is or about whom the data pertains, and so they have had to be in the middle of that. They've been forced to respond to government requests like the subpoenas that you were talking about and so on. And that, you know, I think that has grown immensely in the internet age and just largely didn't exist in that way when the Supreme Court cases were decided and then just continues to grow more and more as, and you've probably been on the other side of this, investigations start online or are about online activity. And so the decisions that tech companies make about how to respond to these requests and, you know, whether to challenge them the way the banks tried to do in the case that gave rise to Miller and so on is a really important decision that tech companies make every day. And so pushing for a warrant for content is something that is now a standard in the industry and, again, how companies view these requests and whether they say, oh, it's third party records and so we can just turn them over with a subpoena or we are questioning this, that decision is a very important one and actually, I mean, I don't know how you feel about this, but it actually puts too much responsibility on the tech companies more than they should have to some extent. All right. So I guess pulling back a little and examining third party doctrine and the idea that we do not have reasonable expectation of privacy, I wanted to ask you, do consumers really care about privacy? And what do they consider when they decide to sacrifice their privacy for certain services? And lastly, do companies tend to care about privacy as much as the consumers do more or less? Consumer here. I care about privacy, but I really like the cool features, too, to be honest, so I'm sort of on the fence. What do you think, Andrew? Well, I would direct you to the amicus brief that we filed in the Carpenter case where we have some lovely social science research showing that people do care about privacy and about their location in particular. And I think we'll talk about this maybe in the context of Carpenter specifically, but it may be that people don't have a lot of control over their privacy or their locational privacy. You don't have a lot of control over whether your cell phone generates location information. That doesn't mean that you don't care about it. And when you ask people, they actually find it pretty creepy that you can be tracked using your cell phone all the time. So it may be that there's a bigger disconnect between what we can all do about that versus whether we care. And I think, you know, for Wikimedia when we've had these discussions, first off I should point that our community is a very passionate community, so there's rarely a topic that they are not caring about. When these conversations have come up, I think what is often interesting and what I often see is on the surface, particularly younger people in the United States, not to get too generalized, but kind of the initial reaction is, oh, I haven't really had privacy. I'm a millennial, I've never really had privacy. I don't really care about privacy. But then when you sort of get into the actionable things, so like when we've had discussions about privacy policies and we will ask, well, how long would you like us to retain your IP address when you visited an article? You know, they will immediately say, well, I don't care at all. And it's okay that clearly you do care about privacy because you are very concerned about us keeping information on what articles you're visiting. So I think on the surface, the notion of privacy to a lot of consumers, just because it seems so kind of confusing and it seems so abstract, they don't necessarily care, but they do really care about the application of it. And I think that's what we often see at the foundation is the response that we hear from our community members about when data requests come in, we interact with them and we get a data request. And if we can give them 30 days notice and say, hey, this data request is coming for your user data, to my knowledge, they're almost always very aggressive in saying, please fight this. Please do not allow this entity to get my data, regardless of what the details are or how they really feel about that organization. So I think when you're really faced with the challenge of having your data taken from you or having your data used in a way that you do not give permission to knowingly, you do get a little aggressive about it. And I do think that's where, you know, speaking as a foundation, we care a lot about it because we see the impact and because we hear those stories from people and also because we're a global organization, we wind up experiencing so many different ways that privacy is used against people in other countries and so there's a bit of a fear concern of we don't want to see that trickle into our own country into the country that we're based out of. So for the foundation, it's a very, very high priority and it's a very serious concern, as informed in part by our consumers, our volunteers and readers aggressively pushing that too. Yeah, I think that's right, but I think there is a sort of education that happens in a surrendering and then a numbness that ensues. I remember I was shocked the first time I got to notice that my data had been breached, horrified, like it's my data, I'm going to pursue those SOBs to the end of the earth. Now I feel like I get in the mail like every week some notification that my data may have been breached and at this point I'm like, okay, it's out there. There's only so much control that we have and there's only so much outrage, we can muster. I used to always check no when I'm asked, can this program remember your location for one day? Now I'm like, okay, fine, here's my location and as I said earlier, these ads that pop up reflecting the sites I just visited, the products I looked at that I didn't buy, they're like popping up in my face for the next week. That used to really creep me out and now I'm sort of numb to it. So I wonder whether in talking about expectations, whether the sort of pervasiveness of tracking, of insecurity of information, whether we all sort of become numb to that a little bit and how that affects the courts, the jurisprudence and on the one hand, what exactly reasonable expectations are on the one hand, but on the other hand, how much can disclosure be voluntary if you can't buy things, you can't communicate and if you're single you can't even meet people without going on the internet and entrusting very sensitive information to third parties and big companies. This is a quick question. How many people actually read the iTunes service agreement when you clicked accept? Right, yeah, see this is what he's talking about. We're not paying attention to that stuff. I guess a few things to add. I think that of course consumers care about privacy and companies care about privacy too, but if you go back to Smith v. Maryland again and this is a third party doctrine panel so I think we must. It actually would be, I think if you haven't read Justice Marshall's Descent, it's really enlightening and one of the things that he recognized back then and I'll destroy the quote, something like it's idle to talk about consent when there's no realistic alternative. In the context of Smith v. Maryland that was like the numbers that you're dialing to make a phone call, like there's really, there's no alternative choice there except to not make the phone call. Could you quickly just explain what Smith v. Maryland was about? So Smith v. Maryland was about, there's actually a pin register trap and trace case that involved a situation where the government had obtained a pin register on a phone number and what that means is to be able to, it prospectively, like in real time, capture the numbers that somebody is dialing basically. And so the question was whether that was a Fourth Amendment search that should have required a warrant and unfortunately the answer to that was no. And part of what that stemmed from, because in that case was post-cats which was another Fourth Amendment case in a different context but also related to telephones that had sort of created this idea of reasonable expectations of probably outside the context of the home, which was the traditional realm of where you would need search warrants is when you were going to be going into the sanctity of someone's home. And so, but what kind of I think has gotten lost and I'm sure we'll talk about this a bit with US v. Miller which was the bank records case and then Smith v. Maryland which is the phone type of records case is that cats did set forth a new test this reasonable expectation of privacy tests that included this a prong of what sorts of privacy expectations society is willing to accept and society changes over time and technology is one of the big things that changes society. And so I think what sort of happened after Smith v. Maryland is a focus on one line in Smith v. Maryland of the voluntary conveyance to a third party. And the belief I think by some courts that that was a dispositive, that that was the fact, the main fact. And really I think you could argue that Smith v. Maryland was more contextual than that. There was a discussion of the sensitivity of the data and the determination in that context that it really wasn't that sensitive. You might argue with that but it's different than saying that all Smith v. Maryland said was as soon as a third party is involved game over. So I don't think that's really what was said but sort of moving past that to what we can do in the context of where we are today which is very difficult legal scenario and Andrew called me out correctly. I wasn't intending to say that we don't think about third party doctrine. I just really don't necessarily think of it in those terms because there are so many other legislative and legal issues that sort of play into that. So the approach that I think we're taking and focusing on is what Andrew was saying is providing choice as much as possible where it's possible because privacy means something different to different people in different contexts much like security does. I'm really not a privacy lawyer. I don't think I do more on the security side and we've struggled with the same things when we're dealing with security. How much burden really needs to be placed on the consumer to do all the right things all the time, keep everything patched, have a good password, remember it. I think companies are now starting to say we need to take as much of that burden away from the user and make products that are really secure out of the box and keep secure as you're using them the way normal people do. I think you need to have that approach as a company with privacy as well. There's different types of services for different people. We need to have a lot of options. Some services really tied on privacy for the people that need that in that context. Others, there might be situations where the benefit and the utility you get out of sharing some of your information with a company like Google might be worth it to you in that context. But it's having choice, meaningful choice, informed choice, so that's really the direction that I think a lot of companies are going is to try to make that transparent, try to make users understand what the trade-offs might be and give them the option to go in and be like, oh my gosh, my search history, I'm going to do it. Just to underscore something that Nicole just said, the problem with the third-party doctrine as it's been applied by courts is that it totally annihilates all of those choices and annihilates any kind of nuance in how we share data. So it's an on-off switch. If you convey it to a third party, then it's fair game for the government. And, you know, I wasn't really trying to call you out, but I think that's been the problem with anything that a company has is fair game. And so whether we are privacy nihilists and we think, you know, we don't care what companies collect about us or not, or whether we like cool features and so we agree to some amount of, you know, sharing of data for a specific purpose, all of that is fair game under the third-party doctrine. That's really why it is as Justice Sotomayor said in the Jones case, ill suited to the digital age. I would just nuance that fair game so far as the company retains the data in a form that can be conveyed to the authorities. So, I mean, there's a whole field of trying to develop technologies that would make it impossible to, for example, convey or transport your encrypted data that's stored on a cloud server to the government. Problem is, it's really tough to conduct big data analytics on encrypted data. So almost any company doesn't want to store their data in a encrypted form because they can't do all this cool artificial intelligence analysis on it and come up with all their cool sort of analytics, right? Of course, there are technologies that are being developed both in the academic sphere and in commercial sphere. The question is, how much incentive does a company have to kind of tread in that direction? I think Google is sort of a leader when it comes to stuff like that in many ways. But at the end of the day, companies are companies and there is a convergence of interests, right? I would sort of default on saying you love privacy so that whatever company you're using kind of has some incentive to develop technology to at least help one way or the other or to actually have data retention policies that are not super easy for the government or other entities to sort of suck up data and obtain data. And keep in mind that this isn't just the United States government. It's every government in the world that might have some sort of intersection or contacts with this particular company that might then compel them to provide data at risk of sort of sanction for non-compliance. Some of the panelists have talked rightly about sort of on-off switches or the binary nature of some of the legal doctrines. And the one that I find really interesting and maybe outdated and the one, the carpenter, not to jump ahead to carpenter, but some of the things Nicole said called to mind the struggling the courts have between sort of fourth amendment jurisprudence based on what is content and not content. And even within the same company like when I was a prosecutor even though e-mails go entirely through a third party, like Gmail for example, I couldn't get content of an e-mail even though it was entirely within the hands of a third party without a search warrant and that's provided for by statute. But the law does call for a bright line distinction between content and what isn't. And so Nicole brought up Smith versus Maryland and all the law students here know this but the sort of dichotomy between Smith and on the one hand Katz on the other is that if you're talking the contents of a conversation are enjoy the highest level fourth amendment protection, got to get a warrant for that but just a list of the numbers you dial that according to the majority in Smith, rightly or wrongly is not content and those other analogs like when I'm a prosecutor I can have the postal service photocopy the outside of letters so I can see the address but I can't look inside it e-mail, I can easily get the e-mail metadata but not e-mail content and then there's debates about the two from line and whether that is content or not and I think in Carpenter and in cases like Jones you start talking about data that doesn't seem to be content but because of the aggregation of data it tells an awful lot about somebody and I think that's the challenge and I think that's what Carpenter was struggling with and my guess is that is what the Supreme Court is going to be looking at this fall and some of you we can talk about more of this later but some of you have talked about Justice Sotomayor where she may be headed and clearly this is sort of content, non-content you know black, white, bright line rule is something that technology and aggregation of data has put a lot of pressure on and it remains to be seen whether it's going to stand the test of time. Alright so it looks like everyone's first to talk about Carpenter so let's jump to Carpenter just to catch you up for those who are not familiar with the case Carpenter is about the use of historical cell-site records to prosecute two men that were ironically suspected of robbing cell phone stores Radio Shack and T-Mobile and Detroit so those two men were Timothy Sanders and Timothy Carpenter and that is why it is Carpenter of the United States and so I wanted to go back to that point that actually most of the panels have made about that on and off switch when it comes to reasonable expectations of privacy so it seems like a lot of you are in agreement that there should be a gradation, what sort of gradation? Can I just clarify that in Carpenter I think that issue was the records reflecting the movement of someone for 127 days so basically the data that is stored with the phone company that basically gives an approximation of where you are located through some sort of triangulation with the cell-site towers that your phone is communicating with but for the duration of 127 days so just so the audience can have an idea and then I will pass it along So is your question what kind of gradation? Should the court draw? Should the court draw I think that if we go down that road it is actually very hard to draw lines because and this is something that emerged out of the Jones case is how long is too long for tracking someone with GPS in that case or tracking their movements with their cell phone how long is too long you know is short-term monitoring somehow less invasive than 28 days in Jones or 127 days for one of the defendants in Carpenter I think the better answer is the second you start tracking someone's movements you should get a warrant because tracking someone's movements as at least five justices seem to think in Jones is very revealing for the reasons that we've said so far you know where they've gone it wasn't in the Carpenter case but in the companion case that came out of the fourth circuit there was very similar robberies and tracking the defendants over a long period of time the ACLU made a map of all the data points that the government got and they said you know of course showed what the prosecution wanted to show which is that the defendants seemed to be near the sites of the robberies it also showed that they went to church every week you know you can start to think about all the things that you could know about someone just based on where they go every day and you know by tracking me here you know at the Wikimedia Foundation automatically makes some inferences about what that means and other kinds of things abortion clinics so on and so forth are very telling just in the very fact of being there so for that reason I think it makes sense to just say a warrant should be required for any kind of location tracking and I think you know it's interesting to think about the laws that this case is largely arguing are based on were written in 1986 right it was 86 I think communications storage act and the electronic privacy and I don't want to get into age because it will just depress me but not everyone even here was born in 1986 so think about all the things that have changed in those devices during that time that you know your phone in 1986 unless you were Zach on Save by the Bell was probably in your house right they were just those gigantuan portable phones so the idea of what like communications and what all of those entities were and what was being stored and the idea cellphone didn't even have the GPS tracker in it in 1986 and the idea in your home was so different than what it is today I was talking to a colleague earlier we were talking about you know the importance of the home part of it and a lot of people particularly younger people today talk about how their home is where their wifi is or their home is where their smart phone is so they travel with their entire life their whole life is on their body at all times in their phone in their pocket and this expectation of privacy or this expectation of being willing to give the information over has certainly changed that the information that was on my cellphone in the 90s did not include my dating profile it didn't include my sexual orientation it didn't include what kinds of people I like to date it's a lot of information that's on our phones now that just wasn't there when these were written and I think it's important that where the courts are trying to figure out how these new technologies adapt to it because so far you know we're seeing that this gives huge cases for abuse so I think my answer would be that it should definitely default to a subpoena based system based on the fact that this is where our lives are today and in any other instance when you're trying to invade my life you need a warrant. So Greg talks about going all the way back to 1986 and I want to take this back further to 1967 and bring up a case that Nicole brought up the cats case because it all starts with cats and I was thinking about a little bit recently I was in Europe with my family to celebrate my parents 50th wedding anniversary so I want to give my shout out to my parents here happy 50th mom and dad so we're in so we're there with my parents three kids and they're eight grandkids and six of the eight grandkids are under the age of 10 and we're in Oslo, Norway and they see this red box and they're like what is that and they go over to it and it's the coolest thing they ever saw I mean they literally see a dinosaur and I look like this is a phone booth what's a phone booth and they look at the phone and so that in front is my niece Alexa and my son Jake and then his cousin Kayla and they've never seen a phone booth before and this is the generation whose expectations of privacy will shape the law for this century and you think back and next slide and you think back to cats back in 1967 these phone booths that was cutting edge technology and I actually these are the actual three phone booths that were in cats they're not around now but there's pictures of it they're not that clear the cats opinion talks about three phone booths the FBI talked the phone company into decommissioning one of them and then putting a bug on the other two and then Clever Mr. Cats was using these phone booths to transmit illegal gambling wagers from Los Angeles to bookies in Miami and Boston and the Clever FBI was one step ahead of him and this implicated as all the law students know this led to a sea change in the law where Fourth Amendment doctrine went from just being trespass based intrusion based to based on one's reasonable expectation of privacy and the interesting thing is that the Fourth Amendment talks about persons, houses, papers and effects and that's it doesn't say anything about phones there weren't any cars there weren't any or smartphones and the cats court talks about the pervasiveness of technology the importance of phone booths in people's lives and now there's a generation that thinks of a phone booth as something completely antiquated that you discover while you're on vacation and their reality is that everywhere you go you've got one of these and anyone who has kids knows how intuitive it is for kids to be swiping and pecking and and that I think calls to mind one of the challenges for Fourth Amendment courts looking at cases today which is is not content versus non-content but where you are like this geolocation tracking and I think in the Jones case where the police are actually taking a device and sticking it to a car and tampering with the car that involves police action and that's I think that's a little bit easier when you're just issuing a court order that does not require probable cause showing does not require warrant on a third party like in Carpenter cell phone companies I think that presents a uniquely 21st century challenge that could not have been contemplated at the time of the Fourth Amendment or even by the CATS Court in 1967 or 1986 so a phone booth is where you charge your phone right okay that was a joke come on guys okay just you got it right just to kind of back up a little bit and correct me if I'm wrong but what I'm hearing here is there's at least two ways to look at privacy in the context of Fourth Amendment privacy is sort of like a trespass property device centric way of looking at privacy where for example if you break into my house and somehow unlock my phone and then go through my dialed calls and get all the numbers I've just dialed that's sort of problematic because you broke into my house then you unlock my phone then you did all this stuff but the information that you got might not be the type of information by which I have a reasonable expectation of privacy if I were to voluntarily hand it off to the phone company because you did all these things if you're the government that are very invasive the other way to look at it is sort of an information centric perspective where the question is what is the sort of degree of intrusion that occurs when we get this information from a third party or even from the first party but if you get somebody's dialed digits for example from the phone company the court has at least held in Smith that you don't have a reasonable expectation of privacy because you're voluntarily conveying those numbers to a third party it might not even be a person it actually I'm pretty sure given the year that Smith was decided it was all automated anyway so no human actually looked at those numbers and so the idea that you were voluntarily conveying those numbers to a third party and therefore relinquishing any sort of privacy right is kind of tenuous at best I would say even then we look at the information and see whether or not you have an expectation of privacy over that information the court at least six circuit later decided in Warshack that well emails are special so emails deserve a heightened sort of scrutiny and you have to get a warrant in order to collect any emails even if it is from a third party so one way is like am I breaking into your house or how is the government exactly obtaining that information how are they collecting it directly if they're collecting it indirectly look at the information right the internet kind of muddles all that up and so in the third party doctrine all of a sudden you have you know historical cell site data from a third party so you're getting all this information from a third party that's been voluntarily conveyed let's say but when you aggregate it all of a sudden the information that you can derive from like 300 days of your locations is huge right and so it's causing a lot of concern from a normative perspective even if you agree with that Smith case and Miller hold that if you voluntarily convey this information even if you agree that okay well you've consented to give away this information by virtue of using a phone and blah blah right at some point though like 300 days of your location could be a huge problem when combined with other sort of public information like where the adult sex video story is it might be right behind the church who knows right so and so on that was supposed to be another joke dead audience what is that going on I'm trying here okay well but the point being that all of a sudden we have a whole sort of set of values and norms that are often conflated when we talk about privacy and so I think they're getting back to the question is like how would we decide how would anybody decide or how would you all decide or how would you all suggest that the court decide this case in terms of third party doctrine at some point you walk outside and you're wearing a baseball cap and it says something on it you voluntarily conveyed it to the world you can't just say you know well you can't use that information because you're the government because I'm outside and I'm wearing a baseball cap and it says something on it and now I'm in jail really bad analogy but not illegal to wear baseball I woke up in Boston this morning damn it okay anyone well sorry partially I think you know we can still go back to to cats on on some of this because I think it was cats where there is the statement that the fourth amendment protects persons and not places and I think that's an important thing to keep in mind through the strain of cases that start to try to expand on what a reasonable expectation of privacy is but then when you go back to the innovation in cats about how it's you have you have your subjective you need to have a subjective expectation of privacy and that can kind of get to you know did you walk out in public with you know your confession on your hat or not were you doing other things that that made it seem like you had a subjective expectation of privacy like you went into the phone but then you closed the door and then again getting back to the portion of it that is and what is society willing to accept in terms of these expectations of privacy and that can and should evolve and having these binary on off switches that are sort of carved out of cases that were always fact specific and then you take away the context and just have them be a yes or no answer to get to whether or not there's REP that's just you know it's not it's not helpful so we've got the content non-content sort of on off and that's that might work pretty well in the context of traditional communications and I very much want the Supreme Court to say something in the carpenter opinion that ratifies Warshak and you know accepts that yes we have found that there's society is accepting that reasonable expectation of privacy as a result of that and that's not enough as we've been talking about the non-content data is different but it's not enough to just say content non-content and move on from that just like it's not enough to say there's a third party involved or there wasn't a third party involved because there's a lot of just like there's a lot of different types of data there's a lot of different types of third parties like the misapplied or misjudged trust sorts of cases that started with government informants and whether whether that was an invasion of privacy and the decision not that's very different from a third party intermediary so there's questions you can ask right was the third party a conduit where they are recipient that's very different and there's different types of consent like what what was the consent there and what were the terms of that different relationship between a business and a consumer for a service and if I just happen to share something with you personally I think everyone accepts that if I send you an email I have sort of given up the expectation of privacy and that if you decide to publish that in the New York Times that's my bad but it's very different when it was just that happened to be a conduit that has to be involved in order for the communications to happen so I would I would hate to have Carpenter end up with another on off switch or another bright line rule that then is going to be sorely misapplied for years and years and years until it can get fixed again I mean cell phones have been pretty common now for almost 20 years at least and we're only just now talking about historical cell site I mean that's not good for the evolution of the law so I'm really hopeful that what the court's planning on doing is really kind of going back to cats and not trying to create more bright line rules that are not going to apply and already don't apply to new technology especially sort of the internet of things world that we're getting into now one thing really interesting about cats is that this test Nicole's talking about which has subjective and objective components subjective subjective expectation privacy and then objectively reasonable that that came from just as Harlins concurrence that was not the majority opinion but that's been sort of the test that has has survived the test of time and was picked up by the Smith versus Maryland majority and and with respect to Carpenter we look at the Jones case and you've got sort of the property sort of the property trespass analysis but that was Justice Scalia who was sort of very old school and trying to find a an approach that he and Justice Thomas and some of the more textualist justices could live with obviously Scalia is is not around and you have at least four justices that were wrestling with the idea of aggregation and had a sense that that tracking somebody maybe if you and just for the record professor I think your jokes are hilarious but I think I'm dating myself you know but the analysis was okay so you walk outside your hat with your you walk outside with your baseball hat so technically this is a crime in Boston where I just moved so I walk out like this we didn't plan this it'll be our secret it'll be our secret yeah so please say you they can follow you around they can follow you across town all over the place but you get technology involved technology can follow you in a way human beings cannot do and then it really strains the notion that you give up your privacy everywhere you go because technology can follow you everywhere and I think at least four justices in Jones were really wrestling with that and then the question is well how do you draw the line when does a cop following you because of the hat you're wearing when does that shade into impermissible aggregation and I think that is going to be a challenge for the carbon record and I agree completely with Nicole that it doesn't really lend itself to sort of a bright line analysis especially in a situation where the police the FBI aren't affirmatively doing anything they're just looking for records and the six-circuit was looking at it as a business records case but I think again we all have this notion and Judge Strange in her in her concurrence went into this in more detail that this is not this is not just about business records this is not like the bank records in what was it the Miller in the Miller case not just like flat business records but something more alive where you are for 127 days even though you're voluntarily carrying your cell phone you're presumably beaming your signal to cell towers all over the place I think the notion that the government can just look at that without some sort of heightened showing I think gives a lot of us as consumers quite a bit of discomfort there's a big difference to what this data was once upon a time the warrantless information that you could get I looked at a photo just randomly of a police department getting their warrantless information it was like big boxes it was printed out it was on old dot matrix paper it would have been a nightmare to sort through it would have taken 15 detectives two days to go through all the information they got through this warrantless data today and there wasn't much there to be honest it was just a bunch of phone numbers the prevalence of data I'm carrying on me three or four devices I have four devices on my person that have more information it's collecting every second than they completely got in total in 1988 and that photo was taken so not only are they getting so much more data today warrantlessly but their ability to aggregate it and process it is insane they can do with that data in one second what took 15 detectives three weeks when this law was passed and if you've ever been and anyone who's ever been involved in politics or seen any of these databases and to see what knowledge databases can do with our data I worked on campaigns that we take very basic data we're buying and they with very extreme accuracy will come up with things like how you're going to vote if you like a lawn sign if you edit Wikipedia all that stuff gets aggregated into these databases based on the data that's out there we've learned so much about data aggregation and the idea that it's just oh well it's just not content data so it can't be that harmful I think it's kind of silly to be honest I think if you don't believe that the non-content data that there's the prevalence of it and the ability of what they can get from it isn't a threat I think you're kind of dismissing how much of it is out there and how much technology has improved over the last 30 years and I think from my perspective that is why the warrant really needs to be there because just what you can do with that data today is it's way more dramatically different way more dangerous and goes way beyond just a possible is this person reasonably a suspect you can solve the crime frankly with the warrantless data these days and that's a problem so going back to this issue of bright line rules versus tests I mean I think we would all of us admit that it's easier to say that the third party doctrine shouldn't apply or is problematic here than suggest an alternative nevertheless I think I might slightly disagree on this on the idea that we should just go back to Katz and kind of stick with reasonable expectation of privacy in a more ad hoc kind of way you know, people on both sides and the court has been pretty clear about this that bright line rules are preferred when it comes to the Fourth Amendment largely because of the problem of adjudicating these things after the fact that you really only get to do that when there's a suppression motion and this is where it actually goes to trial and all that and you know it's much better for court ruling in advance than the sort of preference for having magistrates to sign off on warrants in advance is sort of reflected in the Fourth Amendment I think it's difficult to future proof a rule like that you know, it took talk about Katz, it took 40 years for them to even say that conversations were protected they had said 40 years before that that they weren't and so there was this long period where a warrant wasn't required I think if we look at what the court did in the Riley case of three years ago that Supreme Court ruled that a warrant is required to search a cell phone when the police arrest someone if you're carrying it on you and prior to that it had been treated like other things on your person they didn't need a warrant they could have done something different they could have said well if it's a smart phone and there's lots and lots of data on the smart phone will require a warrant but if it's an old fashioned flip phone maybe not and in fact it was two cases adjoined at the same time the Riley versus California and then a case called Worry and in one of those cases there was a flip phone and one of them there was a smart phone and there was actually suggested that maybe they should bifurcate the rule in that way and that was not the approach that the Supreme Court took they actually ruled unanimously that no matter what a warrant was required and I tend to think maybe I'm hopelessly naive in this case which is rare for me that in the case of location tracking we're starting to see the same thing that it makes more sense to just require a warrant in all cases because it's so hard to make these choices and sort of look at it from a standpoint of gradation I don't know what test gets you there and I don't a colleague of mine at the Brennan Center Michael Price has said we should call these things papers so we should look at anything that's a paper under the meaning of the Fourth Amendment should be protected I don't know if that's what they're going to do I sort of doubt that they're going to create an entire new test out of whole cloth but I think we have to get to a place where something like a Breitren rule that lasts us for 40 years bringing up Riley is somewhat interesting because that was already a case that was about an exception to the warrant requirement so is the third party doctor in some sense right and when you well and yes but if talking about Riley and how that came out to be a Breitren is a little bit different in that it was already an exception and the analysis of the cases that had resulted the reason for that exception didn't really apply as strongly to that type of container as it did to like the person and it was like the safety issues so I think that might have been a bit of an easier situation to make a rule about a specific thing that comes up all the time in cases in the current day and age now almost everybody is going to have one on them when you conduct a search I think the interesting thing and I don't have the solution to this at all but one with Jones and some of the courts that have tried to read the tea leaves of what some of those concurrences were saying and the mosaic theory of the Fourth Amendment that gets hard is that it's something that doesn't lend itself very well to a supreme court ruling about the rules because there's been some cases since then that are like okay GPS is really specific so we're very concerned about GPS but for three days only maybe it's not as concerning and then there's courts in Carpenter saying well the cell site, the historical cell site data it's not as accurate in some cases it's really broad in some cities it's going to be narrower but it's not precise but then like Judge Stranch and her concurrence was like yeah but it was for a really long time and so how do you weigh those things and like you were saying we want right line rules because we want certainty and the mosaic theory I think one of the problems with it is that it's going to inherently lack certainty because you're never because it's more of a what are all of the things that law enforcement did in the context of this particular surveillance and did those things added together across the line and that's difficult but I do think it's possible to say for a category of data if we're going if Carpenter if the reason the court took up Carpenter was to draw a bright line about location I think that's good and would be fine I just hope that it doesn't go so far as to draw a bright line that while good for location then doesn't apply as well into the other context that are going to arise last comment yeah and I'm not going to quibble with our argument about whether the third party doctrine is an exception except to say that the reason that you get Smith versus Maryland is because you have cats and you have the reasonable expectation of privacy test and so the government and to some extent the court found themselves in the quandary of well what do we do with these kinds of records assuming that there's a reasonable expectation of privacy or at least a subjective one and I think that that kind of approach actually is a good one if we assume that things are private and protected and therefore a warrant is required then we might have exceptions and to that extent the third party doctrine is an exception to the presumption of an expectation of privacy just as after Jones after Riley the exigent circumstances exception of the warrant requirement always applies and the urgency and the government really needs the information because someone's going to die or evidence is going to be destroyed they can go get that information without a warrant that is an exception of the warrant requirement that most people I think agree is a sensible one but it is based on the assumption that a warrant is required and any warrantless searches per say unreasonable subject to those kinds of exceptions and I think that's the kind of rule that we all hope that they will be in Carpenter and will at least I think account for some of the future of this kind of technology all right thank you so I have many questions left but I'd like to open up to the audience so I think there are mics lined up so if you have any questions please go to the mic so people can hear you properly it's over there I'm not a lawyer I appreciate the discussion I learned quite a bit so far but I feel like there's a couple of big elephants in the room and I wanted to ask a couple of questions one is we live in an era now for the last six months of a government that is more and more showing contempt for the law contempt for some of the courts that has demonized and discriminated against whole classes of people like Muslim people with the Muslim ban all these things are being contested I realize but my first question has to do with make a comment in a context like this where if you're like an undocumented immigrant in this country right now it's not just some kind of consumer choice about you giving up your data there's ICE agents that are sitting scooping people up and when you think about the implications of the location data now you're talking about carrying a phone around without the risk of being rounded up so you know things are getting a little real and I'd like to ask the first question is about what do you all think are the implications of that the second and I'm not so clear on this so maybe you can help me clear this up we're in a post Snowden revelation era as well and that didn't just coincide with Trump in many cases is my understanding you know agents of the government the NSA have scooped up huge amounts of data without worrying about warrants or any other legal process and much of that data contains some of the same terms if I understand your legal terms correctly AT&T scoop up all their data I believe that probably might include location data so what is what's your response to that are these cases where the question of whether or not to get a warrant or a subpoena or data how relevant are they when this data is apparently already being scooped up in massive ways so those are the two questions I don't want to dominate the panel but as your first question one thing that we've seen in the last six months is that the judicial branch is doing its job it has struck down some of the things you're talking about and all of us I think as lawyers maybe have a tendency to put faith in the judicial branch but it is supposed to be a check on the executive and that's true no matter who's in power I think why this is so important to all of us is that we put these checks on the executive's power to get this kind of information that's supposed to be how our constitution is structured that's the purpose of the Bill of Rights the purpose of the Fourth Amendment is to put some checks on the government's ability to access this information so I think that is part of why we all do what we do in the judiciary there are certainly technical measures that people can take and I think Ahmed was mentioning them before and we can talk about those more on this question of the NSA and the sort of national security state I think that's right there are certain programs where they're not worrying about warrants and they are sort of scooping up information on mass this is something that EFF cares a lot about so we've been suing the NSA and we do that in the courts and also in Congress so there's a major surveillance law that's expiring at the end of this year it's called Section 702 and so this is a something that we all can call our representatives about it's actually gotten I would say to be more interesting as a debate about a law than you might have expected at the beginning of this year there's a lot of talk about unmasking and other kinds of surveillance but there's a real question about the NSA's powers to collect data warrantlessly and whether they should be allowed to continue to be allowed to do that and I think it's a really interesting time there's a lot going on it's really interesting and speaking to the NSA thing just in case folks don't know the Wikimedia Foundation is working with ACLU and others to sue the NSA in part on these issues that you were talking about but I think my response or my thought on this is that I increasingly feel like everything that's going on is actually putting more of a necessity on consumers to take on more responsibility than businesses I think we were talking earlier about how things are kind of forced on us there's the iTunes agreement if you want to have music today or you're going to click that if you want to use Facebook if you want to use almost any app you're going to have to turn location on on your phone whether you want to or not frankly the companies that are trying very hard to accommodate is best they can with the extremeness of what's going on we can't wait for them to be honest I think that's where it behooves organizations like Wikimedia when we are trying to we look at our data retention policies and we try to make sure they are keeping in mind all of this stuff we take a look at using unique IDs but I think consumers need to be keeping those things in mind too and the story I'll share is I just got a different backup phone the other day I won't say what OS it was or anything like that I was just turning the phone on and by just turning my phone on so much data was put on to it that I was really creeped out to be honest I don't remember clicking yes to any of this data getting put on to my phone this was just a backup phone I just needed it to have a phone number anything else it did was completely useless to me at that point so as a consumer if I had just kind of been lazy I would have just said okay well setting up the phone meant half of my life is now also on this backup phone and that's how it was presented I really go aggressively look for it I think that's what as consumers we have to start doing and I think what will happen what I hope will happen is we get angry about the fact that there's no on and off switch when I turn on my new phone companies will respond to that but they're not going to respond to that those things if we don't push back they want the tools to be easy they want it to make our lives lazier that's kind of what we've adopted with technology technology allows us to be lazier I don't want to tell my phone I don't want to tell my company we have to start changing that mindset and I think particularly what's going on the executive branch forces us to do that it's unfortunate it sucks but I think that's what we have to do and I think that's where conversations like this are so important understanding that your data can be used it can be mined it can be acquired warrantlessly most people in this country don't realize that so they're just haphazardly walking around with their cell phone no clue that that data could theoretically be warrantlessly acquired from them and talking to each other I think what Google has done on making their privacy policies easier to understand that was I'm sure partly because consumers were demanding it of them and the company's values insisted they respond to that that's the role that we now have to play we can't wait for the companies to catch up for us they frankly are corporations they're people apparently in this country they have their own interests you have to protect your interests too so that would be my response too so how do you react to the last six months the consumer advocate is more important today than ever before as much as I love the companies we can't wait for them to respond to our privacy needs or it'll be too late any other questions and I think we might have time for just one more hi my name is Alex I'm a Wikimedia legal fellow here and I want to thank you all for coming so I had a question we went over this a little bit earlier but I was wondering how the third party doctrine affects the type of products that companies are willing to release so you sort of went over how consumers need to push companies and sort of be the incentive for them to respond and I guess the question is if we assume that there are strong legal protections out there would we see different products out there today from tech companies or maybe different philosophies on how they approach that sort of thing my mic broke I think when you were counting devices if this was a smart mic it would be five apparently I have a dumb mic but I was just going to say that was a terrific question I think so for example there's blockchain technology there is various different types of zero knowledge proof technology where you can validate users without knowing anything about them applications galore right and we can talk about it afterwards as well I have the same exact question and the question is how do we mainstream these products and how do we put a lot of money behind them in research and the sort of underlying question for me which isn't addressed to anyone on the panel but when such technologies become mainstream can we expect the government then to push back and say well actually this is unlawful now you're not allowed to use this type of technology or technologies that exist currently something like signal I mean I wouldn't be surprised if it was outlawed tomorrow just because staffers in the White House are using it to evade surveillance by the president so I think the first question is obviously hopefully we can get some sort of discussion about the first question but the second question is something that at least creatively when you think about sort of legal strategies on how to fight back when and if that kind of initiative from the government happens I think that's a really interesting question so essentially can the government tell you how to retain data and what are the sort of limiting principles in that and the same thing with technology too so privacy preserving technologies and so on I used to be a criminal defense attorney and I get calls all the time from folks who well for example hey I invented this really cool encryption technology that is like encrypted bitcoin but for real and it is for real we're worried about criminal liability just because we invented a technology that could be used by criminals help us right and I mean at BU we actually have a legal clinic that supports MIT and you'd be amazed at the questions that folks at MIT have for law students and lawyers on that note passing it along yeah it really is sort of an awkward waltz between tech companies and government agents with the courts sort of lagging behind a little bit and I think when I think about it I think about sort of the story of the story of the Fourth Amendment through the ages and it really is a struggle to search for what is reasonable and that changes over the years it changes through the generations as I said earlier the Fourth Amendment says that the right of the people to be secure in their persons, houses, papers and effects and again a lot of what we're talking about are none of those things like who uses paper these days what exactly are effects and that was a time when you contemplated that everything could be stored in your home and now as Greg is telling us in an era of big data there's so much data that you couldn't possibly store it in your home even if you wanted to you've got to use Google Drive or other offsite storage locations but I think the key word is the next part of the Fourth Amendment which is against unreasonable searches and seizures and so maybe 250 years ago what was unreasonable was a red coat kicking down your door going through your papers in 1967 it's FBI or police putting a bugging device on a payphone of a bookie that's trying to transmit illegal wagers in 2012 it's agents putting a GPS device on a car and tracking movement suspects movement for 28 days and so and I think we talked about how each generation has its own idea of what is reasonable and I think for that reason I think I would push back just very gently against something Andrew said and sort of I'm with Nicole and I think I think cats I think the cats formulation or Justice Harlan's formulation of what is how you define reasonable and how it has subjective and objective components that permit each generation to decide for itself what reasonable means I think is and even if it weren't I think we're sort of stuck with it I don't see I don't see the Supreme Court doing away with it and I think that if you are looking at the core question of what is reasonable in light of what technology is what people's expectations are and how they actually live their lives I think the cats two-pronged test or Justice Harlan's two-pronged test is the best thing I've seen maybe just for the sake of time this being the last comment so if you could wrap the panel up as well okay so I'll answer very very quick so the thought that I was going to add to that is I don't think companies can wait for policy there were laws we tried to get past that 75% of the country supported the books today these laws we're talking about houses in a way frankly if I had a choice between the government going into my house or taking my smartphone I'd let them into my house there's nothing of excitement in my house let me on my smartphone I'm a little concerned about so I don't think that we can wait I don't think companies and consumers can wait in a utopia world I would love as a political scientist to believe that government can always keep on top of laws that things keep us protected but it's just not the world we live in so I think in the example that Apple ran into recently I think is another good example of where frankly the technology is moving much faster than the policies certainly do today and probably ever could have I'm not entirely convinced if we rewritten the government we still could have written in a way to keep up with technology so I do think when it comes to things like privacy and technology unfortunately it's not so much a relationship between the government and the companies I think it's the relationship between companies and the consumer that winds up having to set and dictate the terms if we wait for the government to do it or if we hope the government does it A. I think they're going to screw it up to be honest and B. I think it will take forever it will be half dead by then okay great so thank you please give a hand to the panelists so many things are in order and then I'll let you have some more of the food first of all I'd like to thank my fellow legal fellows for organizing this event so Aleksha Arstani, Dina Lysperik and Diana Li and together we'd all like to thank the legal staff at Wikimedia for helping put this together especially Jacob Rogers Eileen Hirshinov, Zozo Kitty Francis and Stephen LaPorte thank you we'd also like to thank IT for taking time out of work hours to help us including Robert Miller Brevin Campbell and the communications team here also Zachary McCoon Blanca Flores Melody Kramer Thank you so much and please applause for them so we hope that you stay and ask your panelists more questions and special thanks to Cooley and Jones Day for sponsoring that and for attending and have a wonderful rest of your evening