TABLE OF CONTENTS

I.   THE INTERNET AND CLICKSTREAM DATA COLLECTION
II.  THE FOURTH AMENDMENT AND THE INTERNET
      A. A Brief Overview of the Fourth Amendment's Expectation of Privacy and Reasonableness Requirements
      B. Application of the Fourth Amendment to the Internet has Thus Far Been Marked by Reliance on Principles Ill-Suited to Cyberspace, Leading Courts to Conclude that Net Users Lack an Expectation of Privacy in Online Activity.
      C. Courts Employing Traditional Fourth Amendment Jurisprudence Will Probably Conclude That Net Users Lack a Legitimate Expectation of Privacy in Clickstream Data.
III. ESTABLISHING A LEGITIMATE EXPECTATION OF PRIVACY IN CLICKSTREAM DATA
 

{1} The development of the Internet presents unprecedented opportunities for global communications and commerce. However, it also poses dramatic risks to personal privacy.[1] The series of electronic footprints created when a Web user moves about in cyberspace, commonly called a "clickstream," can be monitored and recorded by prying eyes. This data can then be "mined" for information and used to profile a Web user or to recreate her online experience.

{2} A significant Fourth Amendment question is raised when the prying eyes monitoring a clickstream belong to law enforcement officers: does a Net user retain a legitimate expectation of privacy in his or her clickstream data? Unfortunately, traditional Fourth Amendment jurisprudence is ill-suited to answer this question.[2]

{3} This Article argues that Web users should enjoy a legitimate expectation of privacy in clickstream data. Fourth Amendment jurisprudence as developed over the last half-century does not support an expectation of privacy. However, reference to the history of the Fourth Amendment and the intent of its drafters reveals that government investigation and monitoring of clickstream data is precisely the type of activity the Framers sought to limit. Courts must update outdated methods of expectation of privacy analysis to address the unique challenges posed by the Internet in order to fulfill the Amendment's purpose.

{4} Part I provides an overview of the Internet and clickstream data collection, and explains the value of this data to law enforcement. Part II discusses general Fourth Amendment principles, then explores how these principles have been, and are likely to be, applied to the Internet. Part III explores the intent of the Fourth Amendment's drafters, analogizes clickstream searches to the general searches the Framers sought to prohibit, and argues that the values underlying the Fourth Amendment require courts to eschew the traditional two-prong expectation of privacy test in favor of a normative inquiry which recognizes a legitimate expectation of privacy in clickstream data.[3]

{5} The Internet is a global electronic communications medium comprised of innumerable computer networks which communicate by using a common language and set of data transfer protocols.[4] The Internet is not a location; rather, it is the aggregate of the electronic communications routers and devices which transmit and receive electronic information through the global network. Originally conceived during the Cold War as a means by which to insure continuity in military communications during wartime, the modern Internet has brought hundreds of millions of people together online. While the exact number of Internet users is impossible to determine, it is estimated that nearly 300 million people worldwide are currently online.[5] These users can travel among the five million active Web sites on the Net.[6] The growth of this medium over the past five years has been explosive,[7] and promises to continue at a rapid pace well into the twenty-first century. Recent estimates show the number of people going online during the next two years approaching one billion, and show the value of Internet commerce swelling to over $1 trillion by 2003.[8]

{6} Unfortunately, Web surfing generates a massive amount of personal information about a user each time he or she goes online.[9] Net users often operate under an illusion of anonymity in cyberspace. However, the reality of the Internet is much different: prying eyes can identify individual users and track online activity by monitoring and examining "clickstreams." A "clickstream" is the aggregation of the electronic information generated as a Web user communicates with other computers and networks over the Internet.[10] The name "clickstream" refers to the series of mouse clicks users make as they travel the Web. Each click translates into an electronic signal which is then sent by the surfer's computer to other computers on the Net telling them what information to return to the user. Since online movement requires the user to send or request certain information from other computers on the Web, every step in cyberspace inevitably becomes part of the clickstream record.[11] This data can be shockingly revealing, providing a record of the entirety of one's online experience, including movements among Web sites, geographical location, the type of computer and Internet browser in use, and any transactions or comments made at individual Web sites.[12]

{7} Clickstream data poses a dramatic risk to the personal privacy of Net users since it can be collected, stored, and reused indefinitely.[13] An increasing number of private companies are monitoring, recording, and analyzing clickstreams in an effort to make Internet advertising more effective. This data is typically collected by online advertisers and retailers, and by Internet service providers ("ISPs").[14] Most online advertisers and merchants can monitor clickstreams only while a user is at the particular Web site operated by the advertiser or retailer; however, even this data can be incredibly revealing.[15] Some online advertisers have developed "networks" of hundreds of unrelated Web sites which use individual identifying codes to identify and track Web users' clickstreams as they travel among the sites on the network.[16] The data compiled by these businesses is then "mined" for hints about consumer preferences, and may be used to generate personal profiles of surfers in order to target Internet advertising.[17]

{8} In contrast, ISPs can precisely monitor and record an entire clickstream since all of the user's online commands are sent through the ISP.[18] This data can be combined with information the user voluntarily provides to the ISP to create a massive database detailing the online use habits of individually-identifiable surfers.[19] Such monitoring is becoming increasingly common.[20] Unfortunately, the massive data collection regarding a user's online behavior and habits is performed largely sub rasa, occurring without the user's knowledge or consent.[21]

{9} Clickstream data gathered by ISPs and online companies could be a fertile source of information for law enforcement. Law enforcement agents could analyze clickstream data[22] for evidence of crime or digital contraband.[23] Such searches[24] could be generalized, scanning all clickstreams for evidence of illegal activity,[25] or limited to a specific suspect at a specific time and cyber-location.[26] Law enforcement officers who obtain this data from an ISP or online business would have a powerful investigative tool at their disposal: a record of the entirety of a suspect's online experience. This data would dramatically promote the efficacy and efficiency of police investigation into crimes consummated in or facilitated by cyberspace. Officers could track every step a Net surfer takes from the moment she logs on until she logs off, and could note each site visited, how long she stayed there, whom she "chatted" with, and what she downloaded.[27] Surfers who download child pornography or recipes for methamphetamine or explosives could be easily identified, allowing officers to improve the accuracy of "real world" investigations.

{10} In addition, law enforcement agents could mine clickstream data to create psychological profiles for use at trial to establish intent or motive. Online businesses already use clickstream data to profile users in an effort to determine what types of products a particular user is likely to purchase.[28] Law enforcement using the same data could compile a dossier of a defendant's online behavior replete with potentially incriminating "evidence."[29] For example, the clickstream of a defendant on trial for possession of child pornography could be potentially damning if it showed significant amounts of time spent in cyberspace searching for or viewing pornography. Similarly, a defendant accused of murdering his wife to inherit her assets might be condemned by a clickstream that recorded recent research into "manslaughter" inheritance statutes or intestacy schemes. A third example: the clickstream of a defendant on trial for conspiracy to blow up a government building which logged an excessive amount of time spent on anti-government militia Web sites could provide strong evidence of association or intent.

{11} Although the goals of promoting the accuracy and efficiency of criminal investigations and prosecutions are certainly laudable, courts must take caution in pursuing them in cyberspace. Police discovery of "real world" contraband would certainly be more expeditious if general suspicionless searches of residences were allowed; however, the text of the Fourth Amendment specifically prohibits such searches.[30] General searches of clickstream data should likewise be forbidden. The danger in Internet criminal law is that courts will rigidly adhere to outdated Fourth Amendment concepts which are ill-suited to cyberspace, leading to the conclusion that Web users lack legitimate expectations of privacy in clickstream data.

{12} The Fourth Amendment provides that "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."[31]

{13} As an initial matter, a defendant raising a Fourth Amendment challenge to a government search or seizure must show that he or she is entitled to the Amendment's protections by establishing a legitimate expectation of privacy that was infringed upon by the government's actions.[32] The legitimate expectation of privacy test traditionally entails a two-part inquiry: (1) whether the defendant had an actual (subjective) expectation of privacy; and (2) whether society is prepared to recognize that expectation as reasonable.[33] In analyzing the second question, "'[t]he test of legitimacy is not whether the individual chooses to conceal assertedly "private" activity,' but instead 'whether the government's intrusion infringes upon the personal and societal values protected by the Fourth Amendment.'"[34]

{14} The existence of a legitimate expectation of privacy is subject to an important limitation: "[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected."[35] The Supreme Court subsequently expanded upon this principle, first announced in Katz v. United States, by holding that a person lacks a legitimate expectation of privacy in information which he or she voluntarily provides to a third party, even if that information is provided in confidence or for business purposes.[36]

{15} If a defendant establishes a legitimate expectation of privacy, the inquiry then becomes whether the government's intrusion upon that expectation was "reasonable." The first step in this analysis is to determine whether the intrusion was regarded as an unlawful search and seizure when the Amendment was framed.[37] Where this inquiry yields no result, courts must evaluate the search or seizure under traditional standards of reasonableness by weighing the degree to which it intrudes upon an individual's privacy against the degree to which the search or seizure is necessary for the promotion of legitimate governmental interests.[38]

{16} Very few courts have addressed the applicability of the Fourth Amendment to the Internet. Decisions addressing this topic have focused on an expectation of privacy in two categories: (1) information knowingly passed online to other Web users, and (2) information voluntarily passed offline to ISPs when signing up for Internet service. Both lines of authority conclude that Net users lack legitimate expectations of privacy in the data at issue, either because the information was knowingly exposed to public view or because the Net user assumed the risk that the recipient would share the information with others.

{17} Courts employing assumption of risk analysis focus on the Supreme Court's decisions in United States v. Miller[39] and Smith v. Maryland.[40] In Miller, the Court held that a bank depositor had no legitimate expectation of privacy in transactional records compiled and kept by his bank because he voluntarily conveyed the financial information to his bank, and because this information was exposed to bank employees in the ordinary course of business.[41] According to the Court, "[t]he depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to another ... even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed."[42] The Supreme Court similarly employed assumption of risk analysis in Smith in concluding that a defendant lacked a legitimate expectation of privacy in the numbers dialed on his telephone. Shortly after being robbed, the victim of a robbery started receiving harassing phone calls from a man identifying himself as the robber.[43] Police installed a pen register on Smith's phone after he became the subject of suspicion, and were thereby able to log him making a threatening call to the robbery victim.[44] Smith moved to suppress the evidence, arguing that use of the pen register violated his Fourth Amendment rights.[45] The Court rejected Smith's argument, explaining:

This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. . . . In Miller, for example, the Court held that a bank depositor has no "legitimate 'expectation of privacy'" in financial information "voluntarily conveyed to ... banks and exposed to their employees in the ordinary course of business." This analysis dictates that petitioner can claim no legitimate expectation of privacy here. When he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and 'exposed' that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed.[46]

{18} Courts have employed the knowing exposure and the assumption of risk rationales to deny an expectation of privacy in electronic information voluntarily exposed online, such as electronic mail or Internet postings.[47] The few courts to have considered the issue have held that a user retains a legitimate expectation of privacy in e-mail while it is in transmission; however, this expectation evaporates once the e-mail is received and read.[48] These courts analogize e-mail to postal mail, and hold that the sender assumes the risk that the recipient will disclose the contents of the e-mail to law enforcement.[49] As the court in United States v. Charbonneau[50] explained:

E-mail transmissions are not unlike other forms of modern communication. We can draw parallels from these other mediums. For example, if a sender of first-class mail seals an envelope and addresses it to another person, the sender can reasonably expect the contents to remain private and free from the eyes of police absent a search warrant founded upon probable cause. However, once the letter is received and opened, the destiny of the letter then lies in the control of the recipient of the letter, not the sender, absent some legal privilege. . . . Thus an e-mail message, like a letter, cannot be afforded a reasonable expectation of privacy once that message is received. Moreover, a sender of e-mail runs the risk that he is sending the message to an undercover agent.[51]

{19} Courts have also declined to extend Fourth Amendment protection to electronic postings in Internet chat rooms,[52] since the contents of these communications are knowingly exposed to public view.[53]

{20} At least two other courts have concluded that Net users surrender any expectation of privacy in personal information voluntarily passed to an ISP when contracting for Internet service.[54] These courts analyzed the issue using the assumption of risk analysis developed in Miller and Smith, and concluded that an Internet user assumes the risk that an ISP will disclose sign-up information (including name, address, social security number, and credit card number) to authorities.[55] Significantly, the district court in United States v. Hambrick noted that the traditional Katz expectation of privacy framework was ill-suited for application to cyberspace; nonetheless, the court applied it to the defendant's motion to suppress sign-up information obtained by law enforcement from the defendant's ISP, and denied the motion because "employees [of the ISP] had ready access to these records in the normal course of [the ISP's] business, for example, in the keeping of its records for billing purposes, and nothing prevent[ed] [the ISP] from revealing this information to nongovernmental actors."[56]

{21} The two-prong Katz expectation of privacy test is ill-suited to cyberspace since it fails to take into account the unique nature of the Internet.[57] Application of this test to clickstreams will almost certainly lead courts to conclude that Web users lack a legitimate expectation of privacy based upon two rationales: (1) users lack a subjective expectation of privacy in their clickstreams due to private monitoring, and (2) any actual expectation of privacy is objectively unreasonable since Net users assume the risk that their clickstream data will be disclosed to law enforcement.[58] The growing body of authority applying the Fourth Amendment to email, chat room postings, and ISP sign-up information shows courts moving in this direction. Only one court has considered the existence of an expectation of privacy in clickstream data; in a brief opinion, the Fourth Circuit concluded that an employee could not claim Fourth Amendment protection for clickstream data generated while at work because an employment policy put him on notice that his government employer was monitoring his Internet use.[59] Rigid adherence to the two-prong Katz expectation of privacy test requires a Net user to establish a subjective expectation of privacy in her clickstream data as a prerequisite for Fourth Amendment protection. However, it will ultimately be impossible for Net users to hold such an expectation due to the lack of privacy protection on the Net.[60] As the fact of clickstream monitoring becomes widely known, Net users will be forced to acknowledge that their transmissions may be monitored by online businesses or ISPs.[61] Instead of leading courts to conclude that clickstream data should be unprotected, courts should instead conclude that the Internet presents the type of situation envisioned by the Supreme Court in Smith in which "Katz' two-pronged inquiry would provide an inadequate index of Fourth Amendment protection."[62]

{22} Application of the assumption of risk principle to online expectation of privacy issues is similarly flawed because the principle fails to take into account the extent of intrusion made possible by clickstream data. There is a significant qualitative difference between clickstream data and other types of transactional data routinely provided to third parties in the course of business. A police officer who learns that a suspect has called a particular phone number, as in Smith, knows only that a call was made; the number is content neutral, and does not give the officer a means to reconstruct the suspect's conversation.[63] Similarly, an officer who searches bank records, as in Miller, learns only that transactions were made, and by whom; he or she does not learn the underlying circumstances of the transactions. In contrast, an Internet address, while itself content neutral, allows an officer to view the same information that the suspect viewed. The clickstream, a record of a person's cyberspace activity, allows officers to entirely recreate an online experience.[64]

{23} Instead, clickstream data is better analogized to library records which reveal the titles of books read by library patrons.[65] Using such records, officers could view the same content viewed by the suspect. Officers could potentially reconstruct the suspect's interactions in the library by interviewing other patrons or reviewing security camera tapes. However, even this analogy significantly underestimates the intrusiveness of a clickstream search. An Internet user's clickstream reveals not only what sites were visited, but also for how long each site was visited, how often each site was re-visited, and which links were followed from each site. A comparable level of knowledge in the concrete world would require that the officers know not only which books the suspect borrowed, but also when she read the books, how long she spent reading each book and each page, and the sequence in which she read each book and each page. Furthermore, clickstream data, unlike the hypothetical library search, is not subject to poor witness memory.

{24} The assumption of risk doctrine is further ill-suited to clickstream data since a Net user seldom knows the type or extent of data being collected by Web sites or ISPs.[66] In addition, clickstream data is often unwillingly exposed. Recent studies indicate that the majority of Net users dislike clickstream data collection by online companies.[67] It is logically infirm to hold that a person surrenders his or her expectation of privacy in clickstream data when he or she neither knows nor intends to expose such information to public view. As Justice Marshall explained in his dissent in Smith, "[i]mplicit in the concept of assumption of risk is some notion of choice."[68] Application of the assumption of risk principle to involuntary data collection is contrary to the values the Fourth Amendment was intended to protect.[69]

{25} Nonetheless, there are indications that courts will apply the subjective expectation of privacy and assumption of risk principles to clickstream data. As discussed above, these principles have already been applied to email, chat room postings, and sign-up information provided to ISPs. The only court to thus far address expectations of privacy in clickstream data held that a Web user lacked an expectation of privacy in clickstream data generated while at work since he had notice that his Internet usage was being monitored. In United States v. Simons,[70] the Fourth Circuit considered whether an employee retained a legitimate expectation of privacy in records of his Internet use from work in light of a policy implemented by his employer, the Foreign Bureau of Information Services,[71] which warned employees that all Internet activity in the workplace would be monitored and recorded.[72] Applying the traditional two-prong Katz test, the court concluded that the policy stripped the defendant of any expectation of privacy by putting him on notice that his online activity was not private:

Simons did not have a legitimate expectation of privacy with regard to the record or fruits of his Internet use in light of the FBIS Internet policy. . . . The policy placed employees on notice that they could not reasonably expect that their Internet activity would be private. Therefore, regardless of whether Simons subjectively believed that the files he transferred from the Internet were private, such a belief was not objectively reasonable after FBIS notified him that it would be overseeing his Internet use.[73]

{26} Simons is frightening because it could potentially be read as eliminating an expectation of privacy in clickstream data whenever the user knows or should know that his or her clickstream is being monitored. As discussed above, the rapid development of data tracking technology and data mining practices make it virtually inevitable that the capacity will soon exist to monitor and record all online activity. As this technology becomes commonplace, so too will public knowledge of its use. In such a world, Simons could be read for the proposition that a Net user enjoys no expectation of privacy in clickstream data.

{27} Such a broad reading of Simons is improper. Importantly, a government agency was defendant Simons' employer; in light of the Internet use policy, Simons was knowingly and voluntarily exposing his clickstream data directly to the government.[74] Furthermore, Simons does not stand for the proposition that the government can place the clickstream data of non-government employees beyond the reach of the Fourth Amendment merely by announcing that it is subject to monitoring. As the Supreme Court explained in Smith, a nationwide announcement by the government proclaiming that all homes are henceforth subject to warrantless entry would not defeat a homeowner's legitimate expectation of privacy.[75] In addition, even if Simons establishes that Web users who know that their clickstreams are monitored lack a subjective expectation of privacy, this is not necessarily fatal to a legitimate expectation of privacy.[76]

{28} Unfortunately, the doctrinal basis for finding an expectation of privacy in clickstream data is far from clear. As discussed above, application to the Internet of contemporary expectation of privacy jurisprudence might well lead courts to conclude that Net users lack an expectation of privacy in clickstream data. Such a result is clearly incorrect.

{29} Courts foraying into cyberspace must shift their focus away from the two-prong Katz expectation of privacy test in order to preserve the values underlying the Fourth Amendment. In developing a new framework for expectation of privacy analysis in cyberspace, courts should focus on the historic context of the Fourth Amendment and the intent of its Framers. Government monitoring and analysis of clickstream data is closely analogous to the general searches which the Framers sought to curtail in enacting the Fourth Amendment. Both types of searches are indiscriminate, exposing lawful activity along with contraband or unlawful action. Both are also incredibly intrusive, exposing intimate details about the lives of citizens to government scrutiny. A new rule needs to be established which recognizes that clickstream data may be protected by the Fourth Amendment, not because that protection fits well with expectation of privacy analysis as developed by the Court in recent years, but rather because government clickstream analysis is precisely the type of search the Framers intended to be subject to the Amendment's limitations.

{30} Courts addressing this question should apply the normative analysis set forth by the Supreme Court in Smith v. Maryland instead of the rigid two-prong Katz test. The Court in Smith recognized that the two-prong Katz expectation of privacy test will sometimes provide "an inadequate index of Fourth Amendment protection."[77] In such situations, the Court explained, courts must undertake a normative inquiry to determine whether Fourth Amendment protection was appropriate.[78] This normative inquiry asks a very simple question: should an individual in a free and open society be forced to assume the risk that the government will monitor her as she engages in the activity at issue?[79] Courts employing the normative inquiry "must evaluate the 'intrinsic character' of investigative practices with reference to the basic values underlying the Fourth Amendment."[80] Unlike the two-prong test, which assumes that society has already reached an objective conclusion about the proper amount of protection a particular activity deserves, the normative test acknowledges that society has not reached a consensus about the proper level of protection a certain activity warrants. In that case, the activity can be evaluated against constitutional norms.[81]

{31} Application of Smith's normative inquiry to clickstreams reveals that Net users should retain an expectation of privacy in clickstreams because this data is precisely the type of information the Framers sought to protect against arbitrary government intrusion.[82] The Fourth Amendment was intended to limit government searches which held the potential to intrude into the intimate details of the private lives of citizens; courts must recognize a legitimate expectation of privacy in the intimate records of our online activity in order to satisfy these constitutional norms.

{32} The passage of the Fourth Amendment was the Framers' reaction to overly intrusive searches and seizures conducted by British and colonial authorities. Prior to the Amendment's passage, the colonists were plagued by the use of general warrants and writs of assistance which authorized law and customs enforcement officers to enter and search any building suspected of housing contraband.[83] The searches conducted using these devices were broad and abusive, occurred without particularized suspicion and were led by executive officials with unlimited discretion.[84] For example, the New Hampshire Council once allowed search warrants for "all houses, warehouses, and elsewhere in this Province"; the Pennsylvania Council once required a weapons search of "every house in Philadelphia."[85] Far from being isolated instances, such searches were widespread.[86]

{33} In response to these abuses, the Framers sought to limit the power of government actors to search or seize persons, houses, papers, and effects.[87] The invasion the Framers sought to prohibit was not merely the physical intrusion upon a "person" or "house." Instead, "the amendment's opposition to unreasonable intrusion ... sprang from a popular opposition to the surveillance and divulgement that intrusion made possible."[88] As one scholar explained, "[t]he objectionable feature of general warrants was their indiscriminate character."[89] In addition to any contraband or unstamped goods that the generalized searches uncovered, the entirety of a person's private life was exposed to prying government eyes. This sort of indiscriminate search stripped the colonists of privacy without adequate justification, exposing them to the arbitrary and potentially despotic acts of government officials.[90]

{34} Monitoring and analysis of clickstreams by government officials is closely analogous to colonial general searches because it exposes the intimate lives of Web users, fails to discriminate between lawful and unlawful activity, and grants enormous discretion to front-line executive officials. As with general searches of colonial homes, clickstream searches will unnecessarily reveal private information to government view, even when this information pertains to lawful activity. For example, law enforcement agents monitoring clickstreams could learn that an outwardly heterosexual man spends time entertaining homosexual fantasies online in an adult chat room, or that a high-profile political leader used the Internet to reserve a spot in an addiction recovery center.[91] While such conduct is certainly legal, it is also intensely private. Allowing government agents to expose the conduct of the innocent in order to pursue the guilty contradicts the purpose and intent of the Fourth Amendment.[92]

{35} On a more general level, the broad and arbitrary intrusion occasioned by a clickstream search is contrary to "the most basic values underlying the Fourth Amendment." Although the use of general warrants and writs of assistance undoubtedly motivated the Framers in drafting the Amendment, they did not intend its protection to be limited to the narrow purpose of outlawing general searches.[93] Instead, the Amendment was intended to protect citizens against the type of arbitrary invasions by government into the lives of citizens which general searches typified.[94] As one commentator explained:

While the history of the Fourth Amendment reveals many facets, one central aspect of that history is pervasive: controlling the discretion of government officials to invade the privacy and security of citizens, whether that discretion be directed toward the homes and offices of political dissentients, illegal smugglers, or ordinary criminals.[95]

{36} Similarly, the Supreme Court has repeatedly recognized that the harm the Fourth Amendment seeks to prevent is not the tangible invasion of one's person, papers, effects, or home, but rather the intangible invasion upon the sanctity and privacy of those objects occasioned by an unreasonable search or seizure.[96]

{37} The indiscriminate nature of clickstream searches illustrates their incompatibility with the values upon which the Fourth Amendment was based. As one scholar argued:

The first [problem with indiscriminate searches] is that they expose people and their possessions to interferences by government when there is no good reason to do so. The concern here is against unjustified searches and seizures: it rests upon the principle that every citizen is entitled to security of his person and property unless and until an adequate justification for disturbing that security is shown. The second [problem] is that indiscriminate searches and seizures are conducted at the discretion of executive officials, who may act despotically and capriciously in the exercise of the power to search and seize. This latter concern runs against arbitrary searches and seizures; it condemns the petty tyranny of unregulated rummagers.[97]

{38} Absent an expectation of privacy in clickstream data, law enforcement agents will be free to rummage through our online lives, revealing intensely private conduct. The Framers found the ability to conduct such arbitrary and suspicionless searches to be one of the most offensive aspects of general warrants and writs of assistance,[98] and clearly intended such searches to be illegal.[99] Allowing such intrusions into private cyberspace activity merely because an outdated expectation of privacy test would find assumption of risk or the absence of a subjective expectation of privacy in clickstream data does intense violence to the values underlying both the Fourth Amendment and a free society.[100] Yet this is exactly the result that will be reached if courts continue to cling to Katz's two part test.

{39} Once an expectation of privacy is established in clickstream data, traditional Fourth Amendment principles regulating the reasonableness of searches and seizures can easily be applied. The traditional test of reasonableness, which balances the nature and quality of the intrusion upon an individual's Fourth Amendment interests against the importance of the governmental interests alleged to justify the intrusion,[101] is perfectly suited for cyberspace. This test allows courts to protect against overly extensive and indiscriminate intrusion into our online lives while also acknowledging that a sufficiently compelling governmental interest may justify such searches. This is the question that should be getting asked in every clickstream search; however, it will never be asked until courts loosen their vise grip on the two-prong Katz test and decide that Internet users should retain a legitimate expectation of privacy in clickstream data.