Constitutional Law

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors Introduction

mdecrow@maine.edu Article, Paper , , , ,

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors

John Blegen

 

Introduction

In March of 2026, FBI Director Kash Patel, while speaking before the House Permanent Select Committee on Intelligence made a brazen admission. When asked by Ron Wyden, a Democratic senator from Oregon, whether the FBI purchases Cell Phone Location Data from internet advertisers, Patel replied:

“We do purchase commercially available information that’s consistent with the constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”

Ron Wyden replied that if true, this practice by the FBI would constitute “an outrageous end run around the Fourth Amendment [that is] particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information.”[1]

This FBI practice is not just an “outrageous end run around the Fourth Amendment,” but an outright violation of Americans’ Fourth Amendment right to privacy against unwarranted government surveillance.

In Carpenter, the Supreme Court held that it is illegal for the government to access cell phone location data information without a warrant.[2] Carpenter mentions no exception to this rule for information that has been purchased from wireless carriers or data brokers. It is not the property rights wireless carriers possess over this information that the Fourth Amendment protects; it is the right to privacy against unchecked government surveillance as ensured by the Constitution.

Patel’s argument would be the same as saying, the government is free to pay a private thug to break into a suspect’s apartment and acquire his wardrobe, or his private collection of firearms, or his diary, or any other piece of evidence without a warrant, so long as they do not do so themselves. It is a brazen admission of the FBI’s intent to not follow the Constitution.[3]

What allows Patel to be brazen enough to make such a statement is the fact that there currently exists no legal mechanism by which the public can validate their right to privacy against government surveillance. This is the case due to decades of congressional lethargy on the issue of data and tech surveillance, as well as the Federal Trade Commission’s refusal to enforce what little data protection laws do exist.[4]

It is also the result of years of the Supreme Court hollowing out plaintiffs’ ability to bring lawsuits against the federal government for violations of the Constitution.[5]  Such civil suits may be brought pursuant to 42 U.S.C. § 1983, which allows suits against states for actions taken in violation of individuals’ Federal Rights, and Bivens actions, which are the equivalent of a 1983 lawsuit against the federal government.

This paper contends that 1983 actions could provide a fruitful method for individuals to validate their right to privacy and push privacy forward against government surveillance, as well as third-party surveillance conducted by AI-surveillance companies like Palantir, which synthesizes mass amounts of data from across various sources into one “fusion” profile and Clearview AI, which provides facial recognition software to law enforcement agencies, both at the state and federal level.

As I will explain below, Section 1983 is an effective tool to limit both these private companies and the government because precedent has held that government contractors may also be subject to a Section 1983 lawsuit when they are performing government functions.

This paper also examines Bivens actions, with the caveat that Bivens law has been deeply neutered by Supreme Court precedent, making it effectively impossible to bring a lawsuit against the federal government for violation of federal rights, even though 1983 allows the same to be done against the states – as implausible as that sounds.

Continue reading

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

mdecrow@maine.edu Paper , , ,

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

Caroline Aiello

 

I. Introduction

Nearly every modern privacy law restricts or seeks to limit how much data companies can collect and how they can process that data. Collectively, these provisions are known as data minimization standards. A foundational feature of privacy law, the concept of data minimization dates back to the earliest guidance and drafting of privacy laws. Widely considered a pivotal segment of a law, determining its effectiveness and severity, these provisions are hotly contested by industry leaders and consumer advocates throughout the legislative process.

For all the attention devoted to crafting an effective data minimization standard, legislators have overlooked a fundamental lesson from constitutional law: vague standards without concrete rules and meaningful remedies do not protect rights. The Fourth Amendment’s journey from an ineffective guarantee to an enforceable constitutional protection illustrates this principle. For over a decade after the 1949 holding in Wolf v. Colorado, the Supreme Court acknowledged the application of a prohibition on unreasonable searches and seizures to the states but declined to impose the exclusionary rule as a remedy.[1] During that period, the Court assumed that alternative mechanisms like tort suits and disciplinary actions would deter misconduct. As Justice Murphy warned in his dissent in Wolf, such alternatives were “deceptive,” and that alternatives to exclusion were effectively no remedy at all.[2]

This Article argues that federal data privacy legislation must learn from the Fourth Amendment’s institutional history. A federal privacy law’s data minimization standard should not merely set vague standards and hope that disclosure requirements, consent mechanisms, and scattered enforcement actions will protect consumer privacy. Instead, Congress should establish specific, substantive data minimization requirements that enumerate prohibited uses of personal data, backed by federal enforcement authority and meaningful penalties that create genuine deterrence. Just as the exclusionary rule transformed the Fourth Amendment from an aspirational principle into an enforceable right, federal substantive standards with robust remedies can transform data minimization from a theoretical protection into a practical safeguard.

This Article proceeds in five parts. Part II introduces data minimization, explaining the mechanical components of the law and what business practices they regulate. Part III analyzes and introduces current data minimization laws and enforcement actions both in the United States and internationally. Part IV examines the Wolf v. Colorado to Mapp v. Ohio progression, detailing how the Supreme Court’s twelve-year experiment with state-level Fourth Amendment enforcement failed and why federalization of the exclusionary rule ultimately proved necessary. Part V makes the affirmative case for federal substantive data minimization standards, proposing specific prohibited uses rather than reliance on interpretation of a reasonableness principle, and arguing for enforcement mechanisms that go beyond nominal accountability. Part VI addresses counterarguments, including concerns about business flexibility and innovation. The Article concludes by explaining how Congress can avoid repeating constitutional history’s mistakes and instead create a federal privacy framework that makes data minimization rights real rather than rhetorical.

Continue reading

No Harm, No Court: An International Approach to Data Privacy Harms and Article III Standing

mdecrow@maine.edu Article, Blog , ,

No Harm, No Court: An International Approach to Data Privacy Harms and Article III Standing

Emily Fowler

 

In the United States, cases brought regarding privacy violations are being dismissed early in the litigation process because U.S. law remains tied to historical analysis of injuries, whereas other legal systems around the world are taking a more forward-thinking approach to these issues. Trends in recent cases show that claims for privacy violations, such as the capture of individual interactions with websites through session-replay technology, are being dismissed for lack of standing.[1] Article III standing is a concept based in Constitutional Law. Under Article III, federal courts’ authority is limited so that they may only hear “Cases” and “Controversies”.[2] To bring a case or controversy before a federal court, plaintiffs must have standing (a “personal stake” in the case).[3] Three elements must be met to have standing: (1) there is “an ‘injury in fact’ that is both ‘concrete and particularized’ and ‘actual or imminent’”; (2) “the injury is ‘fairly traceable’ to the challenged conduct”; and (3) the injury likely “‘will be redressed by a favorable decision.’”[4]

Continue reading

The Collapse of Capability Theory: Ambriz, Popa, and the Future of Article III Standing in AI Privacy Cases

mdecrow@maine.edu Article, Blog , , , , ,

The Collapse of Capability Theory: Ambriz, Popa, and the Future of Article III Standing in AI Privacy Cases

Caroline Aiello

 

Introduction

In February 2025, the Northern District of California denied Google’s motion to dismiss in a class action lawsuit that claimed Google’s artificial intelligence (“AI”) tools violated the California Invasion of Privacy Act (“CIPA”) by transcribing phone calls of users.[1] The court in this case, Ambriz v. Google, ruled that Google’s technical “capability” to use customer call data to train its AI models was enough to state a claim under California’s Invasion of Privacy Act, regardless of whether or not Google actually exploited that data.[2] Six months later, the Ninth Circuit took the opposite approach. The later ruling in Popa v. Microsoft held that routine website tracking did not constitute actual harm and the claims were dismissed for lack of Article III standing before reaching the merits.[3]

These two decisions present privacy law with incompatible standards. Ambriz asks what a technology could do with personal data and finds liability in that potential. Popa demands proof of what a technology actually did and requires concrete injury beyond the action itself. The collision between the two theories is inevitable. When a plaintiff sues an AI company under Ambriz’s capability theory, alleging that the defendant’s system has the technical ability to misuse data, and the defendant responds with a Popa-based standing challenge, the courts will face an impossible choice. The capability to cause harm is not the same as harm itself, and if capability cannot satisfy Article III’s concrete injury requirement, then Ambriz’s approach becomes constitutionally unenforceable in federal court. While Popa has not technically overruled Ambriz, the Ninth Circuit will inevitably need to choose which standard to adopt. 

Continue reading