Data Protection Report - digital privacy, CCPA and cybersecurity

On June 22, 2018, the US Supreme Court issued a 5-4 decision in Carpenter v. United States,  holding that the federal government needs a warrant to access cellphone location records.

In the decision, the Court agreed that there should be a higher standard for accessing location records due to their intrusive nature.

At issue in Carpenter was the government’s warrantless collection of historical cellphone location records. In several cases spanning decades, the Court had repeatedly held that individuals do not have a reasonable expectation of privacy in records held by third party service providers because individuals voluntarily provide their information to third parties.

Under this standard, the government and law enforcement were permitted to conduct warrantless searches of cell phone location data.

Here, Carpenter involved armed robberies of Radio Shacks and other stores in the Detroit area. Prosecutors relied on months of records obtained from cell phone companies to prove their case against Timothy Carpenter. The records showed that Carpenter’s phone had been nearby when several of the robberies happened, corroborating witness testimonies that Carpenter planned the robberies, supplied the guns and served as lookout. Carpenter’s lawyers said cellphone companies had turned over 127 days of records that placed his phone at 12,898 locations, based on information from cellphone towers. The FBI had obtained the information under the Stored Communications Act (SCA) which states that the government may require the disclosure of telecommunications records when “specific and articulable facts show that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”  This SCA standard, does not require a warrant and is lower than the standard applied under the Fourth Amendment, which requires a warrant where an individual demonstrates a legitimate expectation of privacy.

Following his conviction, Carpenter challenged the admissibility of his cell phone location data. Carpenter argued that the location data obtained from his cell phone records without a warrant and pursuant to the SCA violated his Fourth Amendment rights and was therefore not admissible.

The government disagreed and, seeking to uphold Carpenter’s conviction, argued that individuals do not have a legitimate expectation of privacy in cell phone records. In its case, the government cited to the third-party doctrine, which stands for the principle that any information voluntarily provided to third parties cannot sustain a reasonable expectation of privacy.

The Court disagreed with the government and sided with Carpenter. It held that individuals do have a legitimate expectation of privacy in their cell phone location records. The decision was a departure from decades of jurisprudence, which previously held that voluntarily providing your information to a third party was a forfeiture of a legitimate expectation of privacy, as in the 1979 case of Smith v. Maryland where the Supreme Court ruled that a robbery suspect’s right to privacy does not extend to the numbers he dialed from a landline phone because that information was voluntarily handed to a third party, the phone company.

By ruling in the Carpenter case that the suspect has a legitimate privacy interest in records held by wireless carriers, the Supreme Court found that the third-party doctrine was of limited use in the digital age where the government’s tracking of a cellphone can achieve “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.”  The cell phone location records sought and relied upon by the FBI had not only disclosed the fact that Carpenter was nearby where the robberies happened but also showed whether he had slept at home on given nights and whether he attended his usual church on Sunday mornings. “Mapping a cellphone’s location over the course of 127 days provides an all-encompassing record of the holder’s whereabouts,” Chief Justice Roberts wrote in the majority opinion, going on to quote from an earlier opinion. “As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious and sexual associations.’”

Our take on Carpenter

The position adopted by the Court recognizes the increasing prevalence of technology in daily life and individuals’ dependence on it. For years, many organizations and privacy watchdogs have argued that the third-party doctrine was carte blanche to investigators looking to mine digital data on suspects. By ruling that cell phone users have a legitimate privacy interest in the cell phone location records collected by cell site towers and held by wireless carriers, the Carpenter decision also represents a big win for technology companies who filed a brief urging the Supreme Court to continue to bring Fourth Amendment law into the modern era. “No constitutional doctrine should presume,” the brief said, “that consumers assume the risk of warrantless government surveillance simply by using technologies that are beneficial and increasingly integrated into modern life.”

Further, with this decision, the Court acknowledges that as our lives are increasingly recorded online, expectations around those spaces are changing. Many individuals expect that the protections afforded to their home and personal effects be extended to their digital selves.

The authorities must now seek a warrant for cell tower location information and, if the logic of the decision is extended, the same protection should be afforded to other kinds of digital data that provide a detailed look at a person’s private life such as email and text messages, internet searches and bank and credit card records. The Carpenter case signals a change in how the U.S. Supreme Court views both customer privacy and the protections available to businesses when responding to law enforcement requests about their customers.

Nonetheless, Chief Justice Roberts said the ruling had limits. Not addressed in this ruling and therefore worth watching are privacy rights relating to real-time cell tower data, other surveillance techniques such as security cameras, and other business records that might incidentally reveal location information. The Chief Justice also said collection techniques involving foreign affairs or national security are not considered in this decision and exceptions will be made for emergencies like bomb threats and child abductions where the privacy rights of individuals will be weighed against the interest in protecting individuals from imminent harm or imminent destruction of evidence.