How Congress should proceed on the Kelsey Smith Act
In June 2007, 18-year-old Kelsey Smith was tragically abducted and murdered in Kansas. For various reasons, it took four days for law enforcement to access the location coordinates of her cellphone, delaying the recovery of her body and extending an excruciatingly terrible experience for her family.
What happened to Kelsey Smith is a horrific tragedy. It’s completely understandable that her parents and other advocates would want to make legislative changes so that no one else has to go through limbo that they did.
Early last week, the U.S. House of Representatives failed to pass H.R. 4889, the Kelsey Smith Act. Though it was certainly a well-intentioned piece of legislation, congressional members made the right choice not to pass it in its current form. I was happy to find that a sufficient number of Republicans and Democrats joined together to stall the bill, allowing cooler heads to work together to craft a reform that finds the right balance between privacy and emergency expediency.
To date, 21 states already have passed their own versions of the Kelsey Smith Act, which compels cellphone companies to hand geolocation data over to law enforcement in the event of an emergency. In developing a federal standard, legislators should have taken the time to follow the lead of states like California, Colorado and Indiana, all of which inserted key provisions that balanced the need for safety with the promise of a right to privacy.
In fact, an earlier version of the bill introduced during the last Congress did include such safeguards. Unfortunately, in the name of expediency, this year’s version had none of these essential privacy protections. It was rushed through the House Energy and Commerce Committee and then fast-tracked to the floor under a suspension of the rules.
Any government-led effort to compel technology companies to undermine customer trust in the name of security ought to sound eerily similar to the recent kerfuffle between the FBI and Apple. Because the bill was changed so subtly from the previous version, it caught both privacy advocates and tech companies off guard, and they initially failed to notice the measure’s assault on the Bill of Rights. No doubt contributing to this oversight was the fact that it was authored by Kevin Yoder, R-Kan., the well-respected lead sponsor of the Email Privacy Act, a measure that actually restores Fourth Amendment protections to email and that passed the House unanimously.
In the age of the Internet of Things, the market is already fixing these issues of geolocation sharing, which were more of a problem back in 2007, when the Kelsey Smith abduction occurred and before the widespread use of smartphones. Americans already have the ability to consent voluntarily to allow their phone carriers to share information in the event of an emergency. Apps like “Glympse” enable individuals to share their movements with loved ones. In the aftermath of the Paris attack, Facebook users were able to alert their friends that they were OK. When I go for a bike ride I share my location with my wife who will, I hope, help me if I fall off or have a flat tire.
The Kelsey Smith Act in some ways accidentally hits on a deeper, more complex question of the right to privacy and location. In fact the House Judiciary Committee has already promised to hold hearings on the intricate question of how the Fourth Amendment intersects with geolocation data in the digital age. It would probably be better for House leadership to allow those deliberations to proceed in a committee format rather than rush hastily drafted legislation to the floor.
Regardless, I am aware of the pressure politicians feel to “just do something.” In that spirit, here are a few suggestions that would drastically improve the bill in a way that appeases opposition from privacy advocates and the tech community.
If H.R. 4889 is to proceed through the House, the legal standard governing access to location information in the event of an emergency should be raised from “reasonable belief” to “probable cause.” This would reduce significantly the chances that sensitive location information would be disclosed in the absence of an actual emergency.
The bill also should require after-the-fact judicial review within 48 hours of the emergency that triggered the geolocation search. It’s not hard to envision ways a lack of accountability could lead to abuse by law enforcement.
Both of these provisions were included in the previous version of the bill that passed out of the House Energy and Commerce Committee with bipartisan support in the 113th Congress. In addition to these previously accepted safeguards against abuse, Congress should consider two other provisions that would also drastically improve the legislation.
First, the bill should require disciplinary action be taken when location information is acquired unlawfully or without cause. Second, consideration should be given to require notice to the person whose location information was obtained. These important provisions would limit exposure to abuse by law enforcement, while still accomplishing the legislation’s intended goals.
Congress must be careful whenever it crafts legislation that grants broad powers to the government. No one denies this bill was developed with the best intentions, but the devil is in the details. Instead of trying end-run around the privacy of Americans, lawmakers should seek a balanced approach that addresses the real world need for expediency with the real world value of privacy.
