Somewhat distressingly, this is the second blog post I’ve written on a legal topic following a call for same from the inimitable Balaji Srinivasan.
It’s not legal advice. See disclaimer.
My last post was on the topic of how to introduce anti-cancellation language into an employment agreement. This blog post will be on the subject of privacy, prompted by this tweet from Balaji:
“The Lives of Others” is a film about an agent of the East German secret police, the Ministerium für Staatsicherheit or the Stasi, which employed hundreds of thousands of East German citizens to spy on their fellow-citizens. As a result, one could never be sure whether one was speaking privately or not.
If you can’t speak privately, you can’t share thoughts.
If you can’t think, you can’t organize.
If you can’t organize, you can’t resist.
If you can’t resist, you’ll remain oppressed.
Per Wikipedia, an unreliable but nonetheless convenient source,
The Stasi had 90,000 full-time employees who were assisted by 170,000 full-time unofficial collaborators (Inoffizielle Mitarbeiter); together these made up 1 in 63 (nearly 2%) of the entire East German population. Together with these, a much larger number of occasional informers brought up the total to 1 per 6.5 persons.
For context, the U.S. FBI – a vast and powerful law enforcement agency with a far larger country, and indeed world, to patrol – has a mere 35,000 employees. That should give you some idea of how insidious and pervasive the East German apparatus was.
In the United States, things are different. Companies like Clubhouse or Facebook not only do not act as data firehoses for the government, they are legally prohibited from doing so.
To understand why nobody should ever record Clubhouse calls, and to contextualize it among a wider internet privacy picture, we first need an electronic privacy crash course.
Our story begins in 1791.
The Constitution: your rights vs the government
The U.S. has among some of the strongest procedural protections for criminal defendants in the entire world. These protections start with the Fourth Amendment to the U.S. Constitution, ratified shortly after the Constitution itself, which guarantees something like a right to privacy. It reads:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
There’s a lot going on here, so let’s break it down.
“The right of the people” is an individual right rather than a collective one.
“…to be secure in their persons, houses, papers and effects” is also specific. The threshold of the home, in particular, is where the Fourth Amendment’s power is at its apex; see e.g. Payton v. New York, 445 U.S. 573 (1980).
Few people know that you don’t actually have a Fourth Amendment right to prevent a police officer from searching the field outside of your house. Nor does the right prevent a search of your boat by the Coast Guard exercising “plenary authority… to stop and board vessels” (although ideally the Coast Guard is expected to show up to save you from the proverbial boating accident, not to search your vessel before you have it). Nor do you have many rights when crossing the border per the border search exception.
“…against unreasonable searches and seizures, shall not be violated” is also interesting language. The fact is that not all searches are unreasonable. The Fourth Amendment’s perimeter extends around anywhere that a “reasonable expectation of privacy” exists, and no further. Katz et seq. This means that while one may have a reasonable expectation of privacy on, say, a phone call in a two-party consent state, or in one’s own home, one does not have a reasonable expectation of privacy in, say, third party records held by your ISP, or in an open channel on a service like Clubhouse (with a notable exception of cell phone location records ever since Carpenter v. United States was decided in 2018).
You also don’t have a reasonable expectation of privacy on the blockchain. As I told Decrypt this morning, you have as reasonable an expectation of privacy regarding information you put on the Bitcoin blockchain as you would with information you spray paint on a wall of a downtown building,
“…and no Warrants shall issue, but upon probable cause, supported by Oath or Affirmation, and particularly describing the place to be searched, and the persons or things to be seized” is what we lawyers know as the warrant requirement. This was created as a response to the (English colonial) practice of issuing what were known as “general warrants” which authorized a sheriff or other Crown officer to basically do whatever the hell they wanted. “Seize that man,” “search that house.” No reason was required.
The Americans weren’t particularly fond of that practice. So in the Constitution we find a requirement that (a) there must be probable cause to issue the warrant and (b) that probable cause must be supported by oath or affirmation. This is why police officers set out statements of facts and swear it to a magistrate before arrest or search warrants are issued. Because back in the day, 300 years ago, this was not a requirement. Furthermore, warrants must describe with particularity “the place to be searched, and the persons or things to be seized.” If the warrant says “search the car,” it’s unreasonable to search the house. If the warrant says “search the house for a sixty-inch television and seize it,” it’s unreasonable to rifle through the sock drawers during the search. Et cetera.
This of course is the briefest summary of the Fourth Amendment. If you would like to learn more, head down to your local law school and enroll in criminal procedure.
Right to privacy on the Interweb
On the Internet you don’t have much if any Fourth Amendment rights because, let’s face it, we’re all doing this on someone else’s computer. The Fourth Amendment protects “persons, houses, papers and effects.” If Alice is the user of a service and Bob is the service operator, Alice’s files on Bob’s computer aren’t Alice’s records. They are Bob’s. Accordingly the Fourth Amendment privilege over those records is Bob’s, not Alice’s, to assert.
Recognizing this, the U.S. Congress actually did something productive and passed the Electronic Communications Privacy Act in 1986. Among the provisions is something known as the Stored Communications Act, 18 U.S. C. § 2701 – 2713.
Again speaking in very general terms, the Stored Communications Act sets out the conditions on which an electronic service provider e.g. Twitter is able to render voluntary disclosure of communications and customer records to third parties, and when it is not.
One of the principal prohibitions is against providing data to law enforcement without a warrant or other legal process. 2702(b)(6)-(7) and 8 set out when communications can be voluntarily disclosed to a law enforcement agency, including where there’s inadvertent discovery of a crime and discovery or existence of an emergency that poses danger of death or serious bodily injury that requires immediate disclosure. (Mind you, it’s possible for a law enforcement officer to say something is an emergency when it isn’t, and not really the place of an information content provider to inquire further with a request for operational information. In my experience U.S. law enforcement doesn’t make emergency requests for trivial matters.) Similar provisions exist for customer records e.g. IP addresses, user account information, login history, whatever.
Under any other circumstance, voluntary provision of this data to law enforcement is not allowed. Law enforcement must obtain a subpoena, 2703(d) order, or search warrant to obtain the relevant records (with subpoenas being limited to customer records only and not the content of communications). This requirement is not created by the Fourth Amendment; it is created by statute, and was created out of recognition that, without it, law enforcement may be able to obtain Americans’ records by applying inappropriate informal pressure on electronic service providers to disclose these third party records over which American citizens had no standing to assert a Fourth Amendment right (as it’s not Alice’s record – it’s Bob’s).
Right to privacy from intrusions by other people
We also have a right to be secure from other people snooping on us. Not in the Constitution, but in statute and common law.
This right includes a range of privacy torts (defamation, intrusion upon seclusion, false light, invasion of privacy).
It also involves federal and state wiretap laws. 18 U.S. C. § 2511 et seq., known as the Wiretap Act, criminalizes a range of eavesdropping behavior including e.g. anyone who “intentionally intercepts, endeavors to intercept,” where “intercept” means “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device,” or “procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication”.
This rule does not, however, apply where “one of the parties to the communication has given prior consent to such interception.” Assuming that Balaji’s Clubhouse hypothetical above involved a registered user of the app conducting the recording, I shouldn’t think there’s a federal issue here (subject to the discussion on how new apps and methods will interact with existing one-party consent rules, provided near the end of the post). There might also be a CFAA issue if the Clubhouse participant was not authorized to log in to the app; so e.g. Balaji and Felicia are talking, Alice logs in to listen, but it is not Alice but in fact Carol using Alice’s login credentials. Whether this is the case will depend on the outcome in Van Buren v. United States, which was argued before SCOTUS in April.
The question then turns to states. Those who would record a conversation need to be very careful when they do so as the question of whether the recording is lawful will depend on where all the participants are standing. State laws vary considerably on whether surreptitious recording of conversations is allowed.
In Connecticut, for example, my home state and the center of the known universe, the rule reads as follows:
(a) No person shall use any instrument, device or equipment to record an oral private telephonic communication unless the use of such instrument, device or equipment (1) is preceded by consent of all parties to the communication and such prior consent either is obtained in writing or is part of, and obtained at the start of, the recording, or (2) is preceded by verbal notification which is recorded at the beginning and is part of the communication by the recording party, or (3) is accompanied by an automatic tone warning device which automatically produces a distinct signal that is repeated at intervals of approximately fifteen seconds during the communication while such instrument, device or equipment is in use.
Conn. Gen. Stat. § 52-570d (2018)
Breaking this down, in contrast to the federal rule, this rule states that if there is an “oral private telephonic communication,” unless
- prior consent of all parties in writing or obtained at the start of the recording; or
- it is preceded by a verbal notification (“This call may be monitored and recorded for quality and training purposes.”); or
- it is accompanied by loud BEEP every fifteen seconds,
recording the conversation is a civil wrong, subject to a long list of specific exceptions. The aggrieved can sue for damages, costs and attorney’s fees.
But there’s more! Since we know
(a) A person is guilty of eavesdropping when he unlawfully engages in wiretapping or mechanical overhearing of a conversation.
(b) Eavesdropping is a class D felony.
C.G.S. § 53a-189 (2018)
…we know there’s a crime involved with eavesdropping, too. To understand how the crime is committed we need some definitions. And two sections above Section 189, we find them. “Wiretap” means
the intentional overhearing or recording of a telephonic or telegraphic communication or a communication made by cellular radio telephone by a person other than a sender or receiver thereof, without the consent of either the sender or receiver, by means of any instrument, device or equipment.
C.G.S. § 53a-187 (2018)
And also
“Mechanical overhearing of a conversation” means the intentional overhearing or recording of a conversation or discussion, without the consent of at least one party thereto, by a person not present thereat, by means of any instrument, device or equipment
Id.
and
“Unlawfully” means not specifically authorized by law.
Id.
So if we break that apart:
A person who
- unlawfully (i.e. not specifically authorized by law, in particular by invoking any of the exceptions such as prior written consent etc. under C.G.S. § 52-570d)
- wiretaps (i.e. overhears OR records communications without the consent of either the sender or the receiver in the conversation)
- or mechanically overhears (in the case where someone is not a party to the conversation, without the consent of any party)
commits a felony in the State of Connecticut.
Where does this leave us? Well, you are operating in a federal union of 50 states, a federal district and a number of territories, each of which are governed by different rules. Violating the wiretap laws in any of them is a very bad idea. You don’t know where particular Clubhouse participants are and you don’t have a means of procuring their consent (I’m assuming this as I don’t know how the app works… with an invite I could of course be more specific. *doe eyes*).
California law (which presumably would have been applicable to many of the participants on that call) appears to have a requirement that the communications be “confidential” in order to charge for illegal wiretapping, raising the question of whether, when a new invitee to the room wiretaps the communication, absent any agreement with that invitee that the communication should remain confidential, the communication remains confidential (perhaps not, but speak to a California lawyer – which I am not – if you need advice). This may be able to be resolved with a quick update to the service’s terms and conditions.
In Connecticut’s case, whether you’re invited to the room or not is irrelevant for the civil cause of action. All that matters is that you didn’t avail the safe harbors (consent, verbal notification, or loud beeping noise) or have some other lawful excuse. If a Clubhouse user were spied on in Connecticut without their consent they could sue for damages, attorney’s fees and costs. If you don’t know who did it, file a John Doe lawsuit, hit Clubhouse with a third party subpoena, get the dox of everyone in the room and then work your way through them one by one.
As for the crime, it depends on whether someone who is in the Clubhouse room is considered a “receiver” or “party to the conversation.”
When I first wrote this blog post, which took 90 minutes, it didn’t appear to me that a third party was a “receiver,” but now I’m not so sure. Let’s suppose that Balaji and Felicia are talking to each other on a cell phone, and as such are “sender and receiver” in a particular conversation. If someone who is not participating in the conversation records it, does the eavesdropper fall foul of the rule? In the old world, yes, they do; they are not a sender of information or a recipient of information, and the consent of either sender or receiver is required (one-party) to stay on the right side of the law.
But this is not the old world. So we need to ask whether, simply by dint of being on the app, the third party itself becomes a “receiver” or a participant. If indeed it is found that Felicia and Balaji were having a bilateral conversation and the third party eavesdropper is not a “receiver” or “party” we could be looking at felony charges. In the alternative we could see the third party argue that their mere use of the app meant that they were a “receiver,” simply acting within the scope of their permissions within the app, and therefore capable of granting the required consent to recording. The idea of a telephone call which is open for the world to join is a fairly new one. A review of Connecticut case law (which I don’t propose to conduct at this juncture) would likely let us know which position was the more likely one for a court to take.
There’s also the issue of “mechanical overhearing”, which is distinct from wiretapping but also capable of forming the actus reus of the eavesdropping offense. This could be committed, e.g., if Balaji and Felicia are talking, Alice is a party to the conversation, Alice gets up to go make a pot of coffee, and Carol then surreptitiously turns on a tape recorder in the background. Whether Alice is in fact a party by being a passive listener in the app is, once again, a matter for case law that I don’t propose to dig into at this juncture.
We don’t know enough about how the Vice Clubhouse recording was made to really come down concretely on any of these points. What we know for certain is that a surreptitious recorder has 50 states – and their conflicts of law rules – to worry about. Accordingly someone conducting a surreptitious recording, even from a perch in a one-party consent state, runs the risk of falling foul of some other two party consent state’s rules where the conduct is unambiguously banned no matter what technology is involved. See e.g. the law codes applicable to a Clubhouse user physically present in that commonwealth of the barbarian tribes of the far northern wasteland, Massachusetts:
Except as otherwise specifically provided in this section any person who— willfully commits an interception, attempts to commit an interception, or procures any other person to commit an interception or to attempt to commit an interception of any wire or oral communication shall be fined not more than ten thousand dollars, or imprisoned in the state prison for not more than five years, or imprisoned in a jail or house of correction for not more than two and one half years, or both so fined and given one such imprisonment.
The term ”interception” means to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication; provided that it shall not constitute an interception for an investigative or law enforcement officer, as defined in this section, to record or transmit a wire or oral communication if the officer is a party to such communication or has been given prior authorization to record or transmit the communication by such a party and if recorded or transmitted in the course of an investigation of a designated offense as defined herein.
Mass. Gen. Laws ch. 272 § 99
These are all matters I wouldn’t want to have to answer for in front of a judge. Doubly so when we’re talking about a judge in Suffolk County.
These laws exist to promote free thought. They punish those who seek to pry into our most private spaces and turn America into a place like East Germany.
So. Don’t record Clubhouse calls unless you have everyone’s prior consent. Preferably in writing.
Or unless Clubhouse creates a “record” feature which makes it blindingly obvious that a conversation is in fact being recorded. Which if they were smart, they won’t do, because it will be a compliance pain in the ass.
Also if anyone has a spare Clubhouse invite lying around there is a contact form on the front page of my website. Holla.
