Harvard Law Review Harvard Law Review Harvard Law Review

Evidentiary Privileges

Privacy as Privilege: The Stored Communications Act and Internet Evidence

This Article exposes a profound and growing injustice that major technology companies have propagated through every level of the judiciary under the guise of protecting data privacy. The Supreme Court has repeatedly proclaimed: “In our judicial system, the public has a right to every [person’s] evidence.” Yet, for over a decade, Facebook, GitHub, Google, Instagram, Microsoft, and Twitter have leveraged the Stored Communications Act (SCA) — a key data privacy law for the internet — to bar criminal defendants from subpoenaing the contents of another’s online communications, even when those communications could exonerate the wrongfully accused. Every appellate court to rule on this issue to date has agreed with the companies.

This Article argues that all of these decisions are wrong as a matter of binding Supreme Court doctrine and just policy. The Article makes two novel doctrinal claims and then evaluates the policy consequences of those claims. First, when courts read the SCA to block criminal defense subpoenas, they construe the statute as creating an evidentiary privilege. Second, this construction violates a binding rule of privilege law: courts must not construe ambiguous silence in statutory text as impliedly creating a privilege because privileges are “in derogation of the search for truth.” This Article is the first to read the SCA through the lens of evidentiary privilege law. Overturning the conventional wisdom and correcting the erroneous case law on this issue will enhance truth-seeking and fairness in the criminal justice system with minimal cost to privacy.

Introduction

A homicide defendant in California was blocked from arguing self-defense because he was denied access to the records of harassing online messages and death threats that had kept him “in constant fear for his life.”1×1. Opposition to Non-party Instagram Motion to Quash Subpoena Duces Tecum at 5, People v.[Redacted], No. [Redacted] (Cal. Super. Ct. Nov. 13, 2018) (on file with the Harvard Law School Library)[hereinafter Opp’n to Instagram Motion]; see also id. at 1 & n.1, 4–6, 8; id. at 14 Exhibit A (subpoena duces tecum to Facebook, Inc. (Instagram)). A murder defendant in the District of Columbia was denied access to impeachment material from a key prosecution witness’s social media accounts, despite the trial judge’s finding that the evidence was relevant, material, and necessary to vindicate his “fundamental constitutional rights.”2×2. Brief for the United States at 3, Facebook, Inc. v. Wint, 199 A.3d 625 (D.C. 2019) (No. 18-SS-958) (on file with the Harvard Law School Library) (describing the trial court’s order denying Facebook’s motion to quash); see also Wint, 199 A.3d. at 628; Brief for the United States, supra, at 4. A death row inmate in Texas was denied access to the source code for a forensic software program used to analyze the evidence against him, despite a judge’s finding that the code was “material and necessary for the administration of justice.”3×3. Order and Certificate, Ex parte Colone, No. 10-10213 (Tex. Dist. Ct. Jan. 3, 2020) (on file with the Harvard Law School Library); see Protective Order, Ex parte Colone, No. 10-10213 (Tex. Dist. Ct. Nov. 21, 2019) (on file with the Harvard Law School Library); Order Denying Petitioner Joseph Colone’s Amended Notice of Motion and Motion to Compel Production of Records Pursuant to Cal. Penal Code 1334.2, In re Colone, No. 20-517083 (Cal. Super. Ct. July 28, 2020) (on file with the Harvard Law School Library) [hereinafter Order Denying Colone’s Motion]. An Iraqi refugee, accused of terrorism and facing extradition, torture, and “almost certain death,”4×4. Ben Taub, The Fight to Save an Innocent Refugee from Almost Certain Death, New Yorker (Jan. 20, 2020), https://www.newyorker.com/magazine/2020/01/27/the-fight-to-save-an-innocent-refugee-from-almost-certain-death [https://perma.cc/53Y7-WVHN]. was denied access to Facebook and Twitter posts that might have helped exonerate him.5×5. Audrey McNamara, Facebook, Twitter Withheld Data that Could Prove Refugee’s Innocence in Murder Case, Attorneys Say, CBS News (Jan. 23, 2020, 11:19 AM), https://www.cbsnews.com/news/omar-ameen-facebook-twitter-withheld-data-that-could-prove-refugees-innocence-in-murder-case-attorneys-say-2020-01-22 [https://perma.cc/J7NN-YUFK] (documenting Facebook’s and Twitter’s reliance on the Stored Communications Act (SCA), 18 U.S.C. §§ 2701–2712, to refuse to comply with a criminal defense subpoena seeking posts from suspended ISIS social media accounts).

The Supreme Court has repeatedly declared: “In our judicial system, the public has a right to every [person’s] evidence.”6×6. For the latest in a long line of cases repeating this maxim, see Trump v. Vance, 140 S. Ct. 2412, 2420 (2020) (internal citation and quotation marks omitted). Yet, in each of these cases, and many more like them,7×7. Petition for a Writ of Certiorari at 11–14, Facebook, Inc. v. Superior Ct., 140 S. Ct. 2761 (2020) (No. 19-1006), 2020 WL 70352 (collecting cases); Memorandum of Law in Support of Non-party Microsoft Corporation’s Motion to Quash Defendant Saldarriaga’s Subpoena at 6–11, United States v. Mejia-Saldarriaga, No. 11-cr-987 (S.D.N.Y. Dec. 17, 2013). technology companies, including Facebook, GitHub, Google, Instagram, Microsoft, and Twitter, have argued that the Stored Communications Act8×8. 18 U.S.C. §§ 2701–2712. (SCA) — a key data privacy law for the internet — gives the companies special entitlements to not comply with judicially ordered compulsory process, and that those entitlements are more important than the life and liberty of the criminally accused. Indeed, Facebook and Twitter recently argued to the Supreme Court that it is wrong to “prioritize[] a criminal defendant’s desire to obtain” relevant, exculpatory evidence over “trust in the privacy of electronic communications,” because doing so “threatens to discourage the use and development of innovative technologies.”9×9. Petition for a Writ of Certiorari, supra note 7, at 10. To date, the courts have agreed.

For over a decade, federal and state courts across the country have construed the SCA to bar criminal defendants from subpoenaing technology companies for the contents of another’s electronic communications.10×10. See generally Marc J. Zwillinger & Christian S. Genetski, Criminal Discovery of Internet Communications Under the Stored Communications Act: It’s Not a Level Playing Field, 97 J. Crim. L. & Criminology 569 (2007) (describing the issue of a purported SCA block on criminal defense subpoenas). Section 2702(a) of the SCA mandates that electronic communication service providers “shall not knowingly divulge to any person or entity the contents of a communication.”11×11. 18 U.S.C. § 2702(a)(1). Service providers treat the “contents” of a communication to include not merely the bodies of emails and text messages but also documents, photographs, videos, and voice messages. See United States National Security Requests for User Information, Google Transparency Rep., https://transparencyreport.google.com/user-data/us-national-security [https://perma.cc/9EY5-CW8E] (listing examples of content). GitHub treats computer source code stored in private repositories as contents for purposes of responding to legal process. See Guidelines for Legal Requests of User Data, GitHub (2021), https://docs.github.com/en/github/site-policy/guidelines-for-legal-requests-of-user-data [https://perma.cc/W3JQ-JSLJ]; see also GitHub, 2019 Transparency Report (2020), https://github.blog/2020-02-20-2019-transparency-report [https://perma.cc/8ENF-9BWY]. In some circumstances, URLs may constitute communications contents. See In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 135–39 (3d Cir. 2015); see also Joel Reidenberg, Norman I. Silber, Peter Drew Kennedy & Ronald Abramson, Panel III: The Privacy Debate: To What Extent Should Traditionally “Private” Communications Remain Private on the Internet?, 5 Fordham Intell. Prop. Media & Ent. L.J. 329, 373–75 (1995) (addressing protections for content versus noncontent information in early drafts of the SCA). Section 2702(b) then lists nine express exceptions for permissible disclosures of communications contents, including disclosures to an intended recipient of the communication, disclosures necessary to the rendition of the service, and disclosures to governmental entities pursuant to certain forms of legal process.12×12. 18 U.S.C. § 2702(b)(1)–(9). The Fourth Amendment likely also requires a warrant. See United States v. Warshak, 631 F.3d 266, 274 (6th Cir. 2010). The text is silent on criminal defense subpoenas,13×13. See 18 U.S.C. § 2702(b)(1)–(9). as is the legislative record.14×14. Reviewing thousands of pages of legislative history revealed just two witnesses with clarifying questions on nongovernmental subpoenas and one passing mention — in one individual’s testimony at a congressional hearing that took place in 1984, two years prior to the enactment of the law — of a subpoena that, based on the fact pattern described, might have been issued by a criminal defendant, though it was not expressly identified as such. See infra pp. 2776–78. Nonetheless, courts and commentators alike have concluded that the SCA bars disclosures pursuant to such subpoenas without qualification. When communications are unavailable from other sources, such as when subpoenaing an account holder directly would be dangerous or impossible or would risk destruction of evidence, the current SCA case law can completely suppress relevant, exculpatory evidence.

This Article argues that all of these decisions are wrong — as a matter of binding Supreme Court doctrine and just policy. It makes two novel doctrinal claims and then evaluates the policy implications of those claims. First, courts have construed the SCA as creating an evidentiary privilege. Second, this construction violates a binding rule of privilege law: courts must not construe ambiguous silence in statutory text as impliedly creating a privilege because privileges are “in derogation of the search for truth.”15×15. United States v. Nixon, 418 U.S. 683, 710 (1974). While existing legal authorities are admittedly vague in defining what constitutes a privilege, this Article shows that the central function of a privilege is to exempt an ex ante category of information from compulsory process. Construing the SCA as a bar on criminal defense subpoenas does just that. This Article is the first to examine the SCA through the lens of evidentiary privilege law. The cases comprising the current consensus view of the SCA never considered and do not address the arguments presented here.

At first glance, the current consensus view appears to cede judicial control by abrogating the compulsory process powers of the courts, along with those of the litigants before them. But, on closer examination, the view is a stealth overreach in the guise of judicial restraint. Judges perpetuating the consensus reading of the SCA have impermissibly expanded their authority by facilely concluding that Congress dictated the recognition of a novel privilege for the internet through ambiguous silence in the SCA’s text, while shirking the careful balancing of competing interests that would be required before courts could create an analogous privilege via their common law authority.16×16. See Jaffee v. Redmond, 518 U.S. 1, 9–10 (1996); Trammel v. United States, 445 U.S. 40, 50–51 (1980). Courts are not deferring to Congress when they construe the SCA as creating a privilege; they are subsidizing technology companies by exempting them from the burdens of complying with judicial process that other companies and private persons all must bear. The result obscures the origins of privilege rules and masks responsibility for controversial policy choices.

In many ways, it is unsurprising that an erroneous view of the SCA as barring judicially ordered criminal defense subpoenas has proliferated through the courts. On the one hand, this view has been advanced by multinational companies with power and privilege, backed by Gibson, Dunn & Crutcher,17×17. See Petition for a Writ of Certiorari, supra note 7, at 22 (representing Facebook and Twitter). Covington & Burling,18×18. See Order Denying Colone’s Motion, supra note 3 (representing GitHub). Perkins Coie,19×19. See Petition for a Writ of Certiorari, supra note 7, at 22 (representing Facebook and Twitter). Mayer Brown,20×20. See Facebook, Inc. v. Superior Ct. (Hunter), 417 P.3d 725, 727 (Cal. 2018) (representing Google). Orrick, Herrington & Sutcliffe,21×21. See Memorandum of Law in Support of Non-party Microsoft Corporation’s Motion to Quash Defendant Saldarriaga’s Subpoena, supra note 7, at 12 (representing Microsoft). and other major law firms acting as repeat litigators on the issue.22×22. Cf. Ari Ezra Waldman, Privacy Law’s False Promise, 97 Wash. U. L. Rev. 773, 791–824 (2020) (theorizing “legal endogeneity” in privacy law, id. at 791, whereby legal institutions defer to corporate symbolic compliance with ambiguous elements of law until, through a process of “managerialization,” id. at 808, corporate interpretations of law “become embedded in institutional interpretations of law,” id. at 791). Silence in section 2702 as to defense subpoenas may create ambiguity and thus predictable legal institutional deference, or institutional deference to corporate interpretations of the law. See Ryan Calo, Privacy Law’s Indeterminacy, 20 Theoretical Inquiries L. 33, 42 (2019) (observing that the need to balance privacy with other values, such as security, “is a systemic source of indeterminacy in privacy law”); Olivier Sylvain, Recovering Tech’s Humanity, 119 Colum. L. Rev. F. 252, 253 (2019) (arguing that “courts have abjured their constitutional authority to impose legal duties” on tech companies). On the other hand, this view has been marshaled against underresourced, decentralized public defenders managing full felony dockets and representing poor, disproportionately Black, and marginalized clients. In the words of one federal defender: “Do I think that the content would be really helpful? Yes. Do I think that we could beat Facebook and Twitter in court? Probably not.”23×23. McNamara, supra note 5. Meanwhile, experts commenting on this issue in Wired magazine,24×24. Gilad Edelman, Facebook and Twitter Want to Keep the Justice System Stacked Against Defendants, Wired (June 19, 2020, 7:00 AM), https://www.wired.com/story/facebook-twitter-criminal-justice-stored-communications-act [https://perma.cc/G3JM-FSRT]. The New York Times,25×25. Kashmir Hill, Imagine Being on Trial. With Exonerating Evidence Trapped on Your Phone, N.Y. Times (Nov. 22, 2019), https://www.nytimes.com/2019/11/22/business/law-enforcement-public-defender-technology-gap.html [https://perma.cc/LC52-VHC4]. The Washington Post,26×26. Jeffrey D. Stein, Opinion, Why Evidence Exonerating the Wrongly Accused Can Stay Locked Up on Instagram, Wash. Post (Sept. 10, 2019, 4:52 PM), https://www.washingtonpost.com/opinions/2019/09/10/why-evidence-exonerating-wrongly-accused-can-stay-locked-up-instagram [https://perma.cc/ZU2L-2BX5]. the Los Angeles Times,27×27. Rebecca Wexler, Opinion, How Data Privacy Laws Could Make the Criminal Justice System Even More Unfair, L.A. Times (July 31, 2019, 3:00 AM), https://www.latimes.com/opinion/story/2019-07-30/consumer-data-privacy-laws-crime-defendants-police-instagram [https://perma.cc/LNN5-GVWK]. CBS News,28×28. McNamara, supra note 5. and the San Francisco Chronicle29×29. Megan Cassidy, Facebook, Twitter Hold Evidence that Could Save People from Prison. And They’re Not Giving It Up, S.F. Chron. (Jan. 23, 2020, 2:06 PM), https://www.sfchronicle.com/crime/article/Facebook-Twitter-hold-evidence-that-could-save-14990176.php [https://perma.cc/X56X-B8NN]. have often bolstered the companies’ position — for instance, normalizing the denial of defense access to evidence by analogizing to home searches and seizures;30×30. Id. (quoting a professor analogizing a criminal defense subpoena seeking a third party’s communications from a technology company to a criminal defendant breaking into a third party’s home to search for evidence). asserting that this construction of the SCA “prevents defense lawyers from using subpoenas to harass witnesses, victims or police officers”;31×31. Hill, supra note 25. and predicting that “a ruling in favor of . . . defendants could flood companies with subpoenas.”32×32. Trisha Thadani, Defenders May Use Public Social Media Posts in Trial, Court Says, S.F. Chron. (May 24, 2018, 4:42 PM), https://www.sfchronicle.com/business/article/Defenders-may-use-public-social-media-posts-in-12941962.php [https://perma.cc/M5VF-XHV8].

The full scale of harm to the truth-seeking process of the courts is difficult to grasp. It is impossible to determine with certainty how many cases are affected by the current consensus view of the SCA because criminal defense subpoenas may be quashed in unpublished opinions, denied in letter traffic between counsel without reaching a judge, or chilled from service in the first place. But the issue is likely substantial. As some indication, the issue reached the California Supreme Court in two different criminal cases in 2020 (both as a matter of first impression)33×33. See Joyce E. Cutler, Court to Scrutinize Social Media Posts in California Murder Case, Bloomberg L. (June 10, 2020, 9:02 PM), https://news.bloomberglaw.com/us-law-week/court-to-scrutinize-social-media-posts-in-california-murder-case [https://perma.cc/LXS2-5MKD]; see also Facebook, Inc. v. Superior Ct. (Hunter), 417 P.3d 725, 753 (Cal. 2018). The California Supreme Court issued a ruling in one case, see Facebook, Inc. v. Superior Ct. (Touchstone), 471 P.3d 383 (Cal. 2020), but remanded the second case for reconsideration in light of that opinion, see Facebook, Inc. v. S.C. (Hunter), 474 P.3d 635 (Cal. 2020). and the United States Supreme Court in a petition for certiorari that same year;34×34. Petition for a Writ of Certiorari, supra note 7, at ii. The cert petition was denied. Facebook, Inc. v. Superior Ct., 140 S. Ct. 2761 (2020). it has triggered rulings by the Second Circuit,35×35. United States v. Pierce, 785 F.3d 832, 842 (2d Cir. 2015). the District of Columbia Court of Appeals,36×36. Facebook, Inc. v. Wint, 199 A.3d 625, 632 (D.C. 2019). and the Supreme Court of Oregon,37×37. State v. Bray, 422 P.3d 250, 256 (Or. 2018). among other courts throughout the nation.38×38. See United States v. Nix, 251 F. Supp. 3d 555, 559 (W.D.N.Y. 2017); United States v. Wenk, 319 F. Supp. 3d 828, 829 (E.D. Va. 2017); State v. Johnson, 538 S.W.3d 32, 70 (Tenn. Crim. App. 2017). As another indication of scale, law enforcement and other government entities within the United States served Facebook with 35,856 unique search warrants implicating 55,002 accounts, and Google with 19,783 unique search warrants implicating 28,865 accounts, in just the period from January to June 2020.39×39. See Overview, Facebook: Transparency, https://transparency.facebook.com/government-data-requests/country/US [https://perma.cc/NT57-KZVU]; Global Requests for User Information, Google: Transparency Rep., https://transparencyreport.google.com/user-data/overview [https://perma.cc/NML2-QQ5G]. If criminal defense subpoenas, when properly enforced, were to amount to even a fraction of these numbers, the impact for defendants could be profound. For reference, the total number of criminal cases pending as of March 31, 2019, in all federal district courts combined was 82,443.40×40. Table D Cases — U.S. District Courts — Criminal Federal Judicial Caseload Statistics (March 31, 2019), U.S. Cts., https://www.uscourts.gov/statistics/table/d-cases/federal-judicial-caseload-statistics/2019/03/31“>https://www.uscourts.gov/statistics/table/d-cases/federal-judicial-caseload-statistics/2019/03/31”>https://www.uscourts.gov/statistics/table/d-cases/federal-judicial-caseload-statistics/2019/03/31 [https://perma.cc/QT6N-TLPD]. Of course, most criminal prosecutions occur in state courts, but the number of pending federal criminal cases is a helpful comparator for understanding the scope of this issue.

Despite an overdue national reckoning with criminal justice reform, the increasing quantity of relevant digital evidence in the hands of technology companies, and a robust, longstanding scholarly debate on other aspects of the SCA,41×41. See, e.g., Ryan Calo, Response, Communications Privacy for and by Whom?, 162 U. Pa. L. Rev. Online 231, 233 & n.15 (2014) (response to Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373 (2014)) (arguing that Professor Orin Kerr inadequately considered “nongovernmental access to contents of communications,” id. at 233 n.15 (quoting Kerr, supra, at 400)); Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 Geo. Wash. L. Rev. 1208 (2004) [hereinafter Kerr, User’s Guide]; Deirdre K. Mulligan, Reasonable Expectations in Electronic Communications: A Critical Perspective on the Electronic Communications Privacy Act, 72 Geo. Wash. L. Rev. 1557 (2004). the legal literature has almost entirely overlooked the SCA’s treatment of criminal defense subpoenas.42×42. There are two welcome exceptions to this general oversight in the literature. Marc Zwillinger and Christian Genetski introduced the issue in a 2007 article, drawing on their own litigation experience in the U.S. Department of Justice to observe, even at that early date, “how frequently public defender’s offices, private criminal counsel, and even pro se defendants” attempted to serve subpoenas that were blocked by the SCA. Zwillinger & Genetski, supra note 10, at 571. Professors Joshua Fairfield and Erik Luna also discussed the issue in significant depth in a 2014 article, arguing to expand defendants’ access to exculpatory evidence through court-ordered consent to disclosures and by narrowly construing the types of companies to which the SCA applies. Joshua A.T. Fairfield & Erik Luna, Digital Innocence, 99 Cornell L. Rev. 981, 1057–64 (2014). This Article is indebted to the thoughtful commentary in both of these prior works. See also Brendan Sasso, Digital Due Process: The Government’s Unfair Advantage Under the Stored Communications Act, 8 Va. J. Crim. L. 35 (2020).
For practitioners writing on this issue, see Colin Fieman & Alan Zarky, When Acquittal Is Just a Tweet Away: Obtaining Historical Social Media Evidence from Service Providers that Use the SCA as a Shield, The Champion, Nov. 2015, at 26; Donald E. Landis, Jr., MySpace.com: Discovery Issues in the 21st Century, Cal. Def., Winter 2008–2009, at 37; Joshua Lipshutz & Michael Holecek, Opinion, The Criminal Defense Bar Wants Access to Your Emails, Nat’l L.J. (Feb. 27, 2019, 1:54 PM), https://www.law.com/nationallawjournal/2019/02/27/the-criminal-defense-bar-wants-access-to-your-emails [https://perma.cc/77HL-SXED]; and Stephanie Lacambra, A Constitutional Conundrum that’s Not Going Away — Unequal Access to Social Media Posts, Elec. Frontier Found.: Deeplinks Blog (May 31, 2018), https://www.eff.org/deeplinks/2018/05/ca-supreme-court-leaves-scales-tipped-prosecutions-favor-defense-gets-access [https://perma.cc/4FAH-6AS8].
Those scholars who have addressed the issue have generally agreed with the current case law, concluding that the text of the SCA creates an “unequivocal”43×43. Zwillinger & Genetski, supra note 10, at 593. bar on criminal defense subpoenas “under any circumstances,”44×44. Id. at 572. and that defendants’ prospects for a successful statutory interpretation challenge are “minimal at best.”45×45. Id. at 593; see also Fairfield & Luna, supra note 42, at 1056–64 (offering alternate readings of section 2702(b)’s enumerated exceptions to cover some criminal defense subpoenas, and reiterating the consensus view that “the statute does not inherently permit an exception for response to a court subpoena,” id. at 1058).

This Article takes a different approach. The discussion begins in Part I with a puzzle: twenty-first-century courts evaluating the SCA internet privacy law have construed it to block subpoena power, but nineteenth-century courts evaluating similar telegraph privacy laws construed similar statutory texts to yield to subpoenas. The Article argues that nineteenth-century courts reached the correct result because they understood a key point that twenty-first-century courts have overlooked: construing a statute to block subpoena power creates an evidentiary privilege. Part II plays out that point in current doctrine. It explains how federal privacy laws interact with the Federal Rules of Evidence (FRE) to produce privileges and presents a novel doctrinal analysis of the special rules of statutory interpretation that control such interactions. In the process, it identifies a previously unrecognized federal circuit split on a question that is ripe for Supreme Court review: What type of statutory language is required before courts should presume that Congress intended a statute to abrogate its legislatively crafted subpoena and discovery rules, and undermine the truth-seeking process of the courts? This Article argues that, regardless of how the current federal circuit split is ultimately resolved, the statutory interpretation rules for privileges should prohibit courts from construing the SCA to block criminal defense subpoenas.

Part III considers the policy implications of these doctrinal claims. It argues that correcting the erroneous case law on the SCA privilege would impose minimal costs to privacy while eliminating an apparently unjustified subsidy that courts have supplied to technology companies and their data-mining markets. The result would serve the shared interest of prosecutors, defendants, the courts, and the public in safeguarding the truth-seeking process of the judiciary. Meanwhile, the current consensus view of the SCA creates a vastly overbroad, outlier privilege for an entire medium of communication. Suppressing evidence from the truth-seeking process of the judiciary solely because of its means of transmission, without regard to the sensitivity of the subject matter or the communicants’ expectations of confidentiality, is both unprecedented and unwise.

Broadly, this Article seeks to contribute to theorizing the relationship between information privacy law, confidentiality law, and privilege law. It joins recent privacy law scholarship focusing on the law of confidentiality46×46. This Article is especially indebted to Professors Neil Richards and Daniel Solove. See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123, 144–45 (2007); see also Principles of the L.: Data Privacy § 1 (Am. L. Inst. 2019) (incorporating the law of confidentiality into data privacy principles). and recent evidence law scholarship focusing on evidence rules outside the four corners of the FRE.47×47. See, e.g., Bennett Capers, Evidence Without Rules, 94 Notre Dame L. Rev. 867, 869 (2018) (identifying dress, courtroom occupancy, and race as evidence that is unregulated — and unacknowledged — by the Rules of Evidence); John Leubsdorf, Fringes: Evidence Law Beyond the Federal Rules, 51 Ind. L. Rev. 613, 615 (2018) (arguing for increased scholarly and pedagogical attention to evidence rules not codified in the FRE). The Article also aims to contribute to privacy, criminal procedure, and surveillance studies scholarship by adding consideration of criminal defense investigations to these fields’ more traditional focus on law enforcement investigations.48×48. See, e.g., Julie E. Cohen, Studying Law Studying Surveillance, 13 Surveillance & Soc’y 91 (2015), https://ojs.library.queensu.ca/index.php/surveillance-and-society/article/view/law/lawsurv [https://perma.cc/FV2T-C9UP].


* Assistant Professor, University of California, Berkeley School of Law. This Article received the 2020 Privacy Law Scholars Conference Reidenberg-Kerr Award for “overall excellence of a paper submitted by a pre-tenure scholar.”

This Article benefited from workshops at Berkeley School of Law, Fordham University School of Law, The Ohio State University Moritz College of Law, UCLA School of Law, University of California, Irvine School of Law, University of Chicago Law School, Stanford Law School, Yale Law School, the Center for Advanced Study in the Behavioral Sciences at Stanford University, the Privacy Law Scholars Conference, the Privacy Law Forum, the Internet Law Works-in-Progress Conference, and the Evidence Summer Workshop. For detailed comments on prior drafts, the author thanks Dan Burk, Simon Cole, Vikas Didwania, Mark Gergen, Aziz Huq, Edward Imwinkelried, Orin Kerr, Paul Ohm, Andrea Peterson, Andrea Roth, Pam Samuelson, Paul Schwartz, and Ari Waldman. The author thanks Ron Allen, Jack Balkin, Ken Bamberger, Bicka Barlow, Franziska Boehm, Kiel Brennan-Marquez, Ryan Calo, Linc Caplan, Erwin Chemerinsky, Bryan Choi, Danielle Citron, Julie Cohen, Catherine Crump, Ellen Deason, Jim Dempsey, Deven Desai, Niva Elkin-Koren, Hanni Fakhoury, Peter Galison, Brandon Garrett, Jonah Gelbach, Albert Gidari, Jonathan Gould, Megan Graham, Jerome Greco, Woodrow Hartzog, Chris Hoofnagle, Kirsty Hughes, Pam Karlan, Don Landis, Mark Lemley, Karen Levy, William McGeveran, Priscilla Regan, David Sklansky, Tyler Slay, Chris Soghoian, Jeff Stein, Steven Sugarman, Olivier Sylvain, Kate Tesch, Maggie Wittlin, and Diego Zambrano. This Article benefited immensely from reference support from Doug Avila, Marci Hoffman, Dean Rowan, and I-Wei Wang, and from research assistance from Kristina Chamorro, Robert Fairbanks, Chelsea Hanlock, Joon Hwang, Joseph Kroon, David Murdter, Shreya Santhanam, Cheyenne Smith, Nivedita Soni, Tyler Takemoto, and Daniela Wertheimer. The editors of the Harvard Law Review provided invaluable editorial assistance.