How well-intentioned privacy laws can contribute to wrongful convictions

An inmate hangs his hands outside his cell as he chats with another prisoner in a nearby cell at the Taylor County Jail June 20, 2019. A proposition to add a new jail pod with 212 additional cells would address overcrowding at the facility, but might worsen another problem - a shortage of jailers.0707jail4

In 2019, an innocent man was jailed in New York City after the complaining witness showed police screenshots of harassing text messages and recordings of threatening voicemails that the man allegedly sent in violation of a protective order. The man’s Legal Aid Society defense attorney subpoenaed records from SpoofCard, a company that lets people send text messages and make calls that appear to originate from someone else’s phone number. After the records showed that the complaining witness had sent the messages and voicemails to herself, the district attorney’s office dismissed the case and the suspect was freed. Importantly, the exculpatory data was generated not by the suspect’s own use of digital services, but rather by the use of digital services by the complaining witness. If a data privacy law had blocked the attorney’s subpoena, the suspect might remain wrongfully incarcerated today.

In a troubling and almost certainly unintentional trend that one of us (Wexler) explores in depth in a forthcoming UCLA Law Review article,[1] some recently proposed data privacy laws risk making it more difficult for wrongly accused defendants to obtain exculpatory digital records. The growing volume of data gathered and stored by mobile network providers, social media companies, and location-based app providers has quite rightly spurred interest among consumers, advocacy groups, and policymakers in updating privacy laws. And legislators have correctly recognized that protecting privacy in an era when so much digital information is stored on the cloud requires limiting access to the massive amounts of data that we all generate but don’t fully control.

As a result, proposed privacy legislation generally heightens the obligations on the companies that control our data to strictly limit its dissemination. But some of these laws contain special exceptions that enable access by law enforcement—without similar exceptions for access by defense investigators. This creates a fundamental asymmetry. While law enforcement can compel the production of data that can help establish guilt, a defendant will have a much harder time compelling the production of data that establish innocence. To see why this is the case, it’s helpful to take a step back and briefly look at the criminal justice system more broadly.

Adversarial Investigations

In the U.S. adversarial system, prosecutors work to obtain evidence establishing guilt, while defense counsel investigates evidence of innocence. Of course, if prosecutors happen to encounter evidence of innocence, then due process requires them to tell the defense. But there is no requirement that prosecutors investigate a defendant’s theory of the case.

At first glance, this might seem to provide a modicum of balance. Prosecutors on one side gather information that they plan to present to a jury with the goal of securing a conviction, and defense attorneys on the other side present information aimed at convincing a jury of innocence. There are other symmetries as well. Both law enforcement and the defense have the right to call their own witnesses and to cross-examine those called by the other side. Both law enforcement and defense counsel have the right to subpoena information.

There are also significant asymmetries. To name just two among many, the government’s burden of proof is “beyond a reasonable doubt”—an asymmetry that favors defendants. Meanwhile—for an asymmetry that favors prosecutors—generally only law enforcement can obtain a warrant. As a result, it is often easier for prosecutors to deploy state power to search for and seize data than it is for defense attorneys to use subpoenas to access the same data.

Of course, there are legitimate concerns that rogue defense attorneys (like rogue law enforcement actors) might abuse their investigative powers to harass or intimidate witnesses. Those risks apply to criminal investigations generally; they are not limited to subpoenas (or warrants) for social media messages or other cloud data. As a result, subpoena and evidence rules already mitigate those risks through built-in safeguards against abuse by either defense attorneys or law enforcement—including the option to use protective orders that can strictly limit how counsel may use sensitive data and when they must return or destroy it.

Proposed Privacy Legislation

Unfortunately, language in some newly proposed privacy legislation risks exacerbating existing power imbalances in criminal investigations. For example, S.2637, the Mind Your Own Business Act sponsored by Sen. Ron Wyden (D-OR), would apply to data brokers, companies with information on large numbers of consumers or consumer devices, and companies with more than $50 million in average annual gross receipts. On request from a consumer, the bill would require those companies to reveal “the name and contact information of each person, partnership, or corporation with whom the personal information of that verified customer was shared,” along with a description of what information was shared, why, and when. This requirement does not apply to information shared with “governmental entities” pursuant to certain types of court orders. However, the lack of a parallel provision enabling defense counsel to obtain data without triggering this notice requirement is problematic, because defense attorneys may require access to the same types of data as law enforcement. This includes the ability to conduct confidential investigations in circumstances when notice could risk someone’s physical safety, or lead to destruction of or tampering with evidence.

Another example is S.2885, the SMARTWATCH Data Act, sponsored by Sen. Bill Cassidy (R-LA), which would prohibit the sale or transfer to information brokers of individually identifiable consumer health information, defined as “any information about the health status, personal biometric information, or personal kinesthetic information about a specific individual that is created or collected by a personal consumer device, whether detected from sensors or input manually.” However, the bill contains an exception for disclosures provided to law enforcement. There is no parallel provision in the bill for data access by defendants.

The Stored Communications Act

Why do we believe that these sorts of imbalances will be harmful? Because past privacy legislation has inadvertently interfered with defense attorneys’ duty to investigate and has threatened accuracy and fairness in criminal investigations. A prominent example is the Stored Communications Act of 1986, which permits law enforcement to compel technology companies to disclose the contents of a broad array of online communications, including social media postings and e-mail messages. No such access is granted to defendants, who find themselves without sufficient legal authority to obtain the digital records that could help exonerate them.

Under the SCA, defense investigations are constrained by 18 U.S.C. § 2702, which addresses “[v]oluntary disclosure of customer communications or records.” More specifically, 2702(a) prohibits certain companies from disclosing the “contents of a communication” to “any person or entity.” The law has an exception for disclosures to government entities, but no exception for disclosures to criminal defense investigators. Companies—supported by near uniform appellate law across the country—say the law bars companies from complying with criminal defendants’ subpoenas for communications contents. In short, the law imposes an affirmative duty on companies to comply with disclosure orders initiated by law enforcement and an obligation not to comply with disclosure orders from defendants.

The Stored Communications Act is widely recognized as a badly outdated statute. But criticism of the SCA rarely focuses on the way it tilts the scales against criminal defendants. Instead, critics usually point to the fact that it was drafted in an era characterized by assumptions—e.g., that content stored for more than six months deserves less protection than recently stored content—that no longer make sense given how we use digital devices and services.

This reflects an unfortunate but common aspect of the policy dialogue regarding privacy: We are generally good at recognizing when technology advances have undermined the efficacy of an ostensibly privacy-protecting statute, but bad at recognizing the collateral damage that statute has inflicted on criminal justice. As a result, new proposals for data privacy legislation sometimes repeat the same mistakes, for what can potentially be vastly more types of data.

Don’t Make Imbalances Worse

Even if we can’t provide full symmetry between prosecutors and defendants in relation to accessing digital data, that doesn’t justify enacting laws that make the imbalances against defendants more severe. That’s why it’s critical when drafting new privacy legislation not to erect new barriers that make it even harder for defendants to prove their innocence.

Some new privacy bills contain language enabling access pursuant to legal process that is not limited only to law enforcement. For instance, S.2577, the Data Broker Accountability and Transparency Act of 2019, sponsored by Sen. Edward Markey (D-MA), would protect privacy in personal information held by data brokers. It has special safeguards against disclosure of biometric information, but those safeguards include an exception for dissemination “required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.” S.583, the DATA Privacy Act, sponsored by Sen. Cortez Masto (D-NY), would apply to “any entity that collects, processes, stores, or discloses covered data” for at least “3,000 individuals and devices during any 12-month period.” Those entities would be subject to limits on disclosure. The bill also states that the limitations would not apply in circumstances where they would “prevent compliance with an applicable law (including regulations) or legal process.”

As the examples in the above paragraph illustrate, it is possible to draft privacy-protecting bill language that accommodates the legitimate needs of both law enforcement and defense investigations. As policymakers go about the vitally important task of improving data privacy protections, our hope is that they will include bill language recognizing that, pursuant to proper legal process, access to data can be vitally important not only to law enforcement but also to defendants.


The authors thank Leyla Karimzadeh and Ping Liu for research assistance.

[1] Rebecca Wexler, Privacy Asymmetries: Access to Data in Criminal Investigations, 67 U.C.L.A. L. Rev. __ (forthcoming 2020), draft available at