In State v. DeFranco, 2012 N.J. Super. LEXIS 92 (App. Div. Jun. 8, 2012), a New Jersey appellate court held that under the New Jersey Constitution, an individual does not have a reasonable expectation of privacy in their cell phone number. This might not be head turning (at least it wasn't for me), but I was fascinated by how the court reached such a result - by distinguishing between "assigned" information (i.e. your cell phone provider assigns you a number), and "generated" information (i.e. ISP records, bank records, and other records that would be generated by a third party). I don't think I am convinced by this dichotomy, but first, let's get to the facts.
The defendant pled guilty to first and second degree assault, as well as endangering the welfare of a child, arising out of an incident that had happened years beforehand. The majority of the evidence was obtained by having the victim call the defendant on his cell phone (a number that was obtained by a school resource officer (SRO) and provided to a separate law enforcement agency), and essentially have him allocute on the phone to his previous transgressions.
The defendant's major assertion is that his cell phone number was private, and for the SRO to hand this over to law enforcement was a violation of his privacy. Unfortunately for the defendant, he had provided that number previously for a school directory and for a school trip. The directory noted that the numbers within it were private, especially those unlisted, but the defendant never corrected an error which failed to mark his number as unlisted. Based on this disclosure, the court found that even if it were to find a privacy interest in the cell phone number, the defendant would have waived such an interest. But, on to the merits.
The defendant asserted that a cell phone number was similar to bank records, ISP records, and other information that New Jersey courts had found a privacy interest in. The defendant tried to assert that New Jersey ascribed to an "informational privacy" model, a mode adopted by a New Jersey appellate court, but never explicitly adopted by the New Jersey Supreme Court:
In this regard, we note that in the Appellate Division's opinion in Reid, the panel stated that "New Jersey appears to have recognized a right to what has been called 'informational privacy.'" The panel described informational privacy in the following terms:
Informational privacy has been variously defined as "shorthand for the ability to control the acquisition or release of information about oneself," or "an individual's claim to control the terms under which personal information . . . is acquired, disclosed, and used." In general, informational privacy "encompasses any information that is identifiable to an individual. This includes both assigned information, such as a name, address, or social security number, and generated information, such as financial or credit card records, medical records, and phone logs. . . . [P]ersonal information will be defined as any information, no matter how trivial, that can be traced or linked to an identifiable individual."
We adopt this formulation.But, the Supreme Court did not adopt this "informational privacy" formulation when they heard Reid on appeal, stating that "[t]he contours and breadth of the standard are not entirely clear, and we need not address those issues in resolving the narrower constitutional question before us."
Because the Supreme Court rejected this approach, the court, here, rejected the defendant's attempt to squeeze cell phone numbers into such a privacy regime:
We perceive a significant difference between the "generated information" afforded protection by the New Jersey Supreme Court in its privacy decisions and the "assigned information" that defendant seeks to protect in this case. The ISP records, the long-distance billing information, the banking records, and the utility usage records of Reid, Hunt, McAllister, and Domicz, respectively, constituted the keys to the details of the lives of those to which the seemingly innocuous initial information pertained. While in some circumstances, knowledge of a telephone number might be equally revelatory, here it was not. The number was simply a number. In the circumstances of this case, we do not find that defendant's professed subjective expectation of privacy is one that society would be willing to recognize as reasonable.Fascinating, but ultimately problematic. On the surface, this seems like a very good attempt to make a true distinction between information types, and the amount of privacy that they should receive. But, there are many "assigned" pieces of information that one would argue should receive privacy protection, such as your social security number, your IP address (I would argue that this case muddles Reid because can you really make a distinction between the assigned IP address and the generated information it could reveal), and your credit card number. State statutes protecting the information previously stated are an attestation to protection of "assigned" information, and make this distinction unconvincing. Another example would be a private encryption key assigned by an internet company. I'm sure readers can think of many more examples. While the N.J. Supreme Court did not adopt the "informational privacy" approach, I don't think they meant to throw all "assigned" information noted above out the window.
Instead of attempting to make arbitrary distinctions that will ultimately fail to be the catch-all the court would like, this case should have been resolved on third-party doctrine alone, due to the defendant handing over the information previously. While New Jersey has tightened privacy in the third-party sphere, a little judicial restraint here to not make a sweeping judgment would have been a better approach. Is the public really unwilling to accept this privacy interest as objectively unreasonable? I'm not so sure, especially if you only disclose that number to a tight knit circle of friends/relatives.