For years, the National Security Agency (NSA) has stockpiled data about nearly every telephone call in the U.S. — not the contents of the conversations, but so-called “metadata” such as date and time, duration and numbers dialed. The NSA claimed the authority to seize this metadata under Section 215 of the Patriot Act, which Congress passed shortly after the Sept. 11 attacks and has renewed several times since.
Earlier this month, a federal appeals court ruled that the NSA’s activities went beyond what Section 215 allowed. And the whole provision expires again on June 1. The combination of the court decision, the approaching deadline and changing attitudes has spurred a bipartisan coalition, including Sen. Al Franken, D-Minn., to advocate a rewrite of the law.
The details are still hotly contested, but proposals passed in the House and debated in the Senate share the same main focus. Instead of allowing dragnets of everyone’s metadata, they would require that the NSA get approval from a special foreign intelligence court to collect a particular suspect’s records.
That solution restores a long-standing balance in our justice system. In general, under the Fourth Amendment to the Constitution, the government needs judicial permission based on particularized suspicion before it can intrude on the “reasonable expectation of privacy.” Courts act as “detached and neutral magistrates” to review search-warrant requests and make sure they have a sufficient basis.
Section 215 is just one example of new technology putting pressure on that historic balance. After all, the founders wrote the Fourth Amendment well before the advent of cloud computing.
Under a once-narrow exception to the warrant requirement called the third-party doctrine, there is no reasonable expectation of privacy in information that has already been disclosed to someone else. In the early days, that simply allowed police to, say, question a member of a gang about its leader without needing a warrant.
Gradually, however, courts expanded the exception, allowing warrantless searches of telephone metadata, financial records held by banks and even trash bags left on the curb for collection. Now, digital technology moves vast amounts of information from locked desk drawers in our homes to countless third parties. Dropbox, Google and Flickr hold our papers, correspondence and photos. Apps, GPS devices and shopping loyalty cards track our movements, purchases and thoughts.
Today, our expectations of privacy aren’t limited to the things in our possession, but the law often continues to act as if they were. This approach confuses privacy with secrecy. It assumes that disclosing information in one context surrenders all control over it in every context. And it ignores the fact that it has become impossible to function without letting lots of intermediaries handle our personal information — many of them faceless companies, not trusted confederates.
Slowly, the law is beginning to readjust. Reform of Section 215 is one example. Two recent Supreme Court opinions also expressed doubts about the fit between old doctrine and new technology. In one, the court found a warrant necessary to track a suspect’s car with a GPS device for a month. The vehicle was in public, so theoretically police could have tailed it constantly. But the court reasoned that GPS monitoring is different because the technology eliminates practical obstacles that prevent that degree of surveillance. In another decision, the court determined that police need a warrant to look at the contents of a person’s smartphone, because the quantity and nature of the information stored there were greater than you would find in most searches of a house. Both decisions were unanimous.
We have been down this road before. When the Supreme Court first considered telephone wiretapping in 1928, it found no warrant necessary, because people who projected their voice out into the world along wires surrendered their privacy rights. Forty years later, once phones had become ubiquitous (although not yet in our pockets), the court reversed itself and held warrantless wiretapping unconstitutional.
This time, Congress and the courts don’t need to wait 40 years to get it right. Our expectations of privacy extend to content stored on the cloud. So should our legal protections. The warrant requirement, based on individualized and articulable suspicion, has always served us well. We should apply it to metadata and other third-party records to make privacy law fit technological reality.
William McGeveran is a professor at the University of Minnesota Law School.