As close observers of the implications of privacy law on companies’ data collection, usage and disclosure practices, we at Socially Aware were among the many tech-law enthusiasts anticipating the U.S. Supreme Court’s recent decision in Carpenter v. United States, in which the Court held that the government must obtain a warrant to acquire customer location information maintained by cellular service providers, at least where that information covers a period of a week or more.
Authored by Chief Justice John Roberts, the 5-4 opinion immediately enshrines greater protections for certain forms of location data assembled by third parties. It also represents the Court’s growing discomfort with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.
Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (CSLI). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions.
Obtaining CSLI records is a fairly common law enforcement tool, and—until now—such information could typically be obtained by court orders issued under the Stored Communications Act. Those orders require the government to make certain types of showings to a court, but they are not warrants and do not require probable cause.
The Supreme Court’s review of this practice stemmed from the arrest and conviction of Timothy Carpenter for (ironically) his involvement in several robberies of cell phone stores. Without obtaining a warrant, the FBI sought and obtained orders directing MetroPCS and Sprint to hand over 152 days of Carpenter’s CSLI records generated when his phone placed, received, or ended a call, as well as seven days of overall CSLI records. This evidence was used to help convict Carpenter of various robbery charges.
Carpenter’s case reached the Supreme Court as part of a broader dispute over whether and in what circumstances an individual’s location data is protected by the Fourth Amendment’s warrant requirement. In a 2012 decision involving the use of a GPS tracking device affixed to a vehicle, five Justices had suggested that people generally have a reasonable expectation of privacy in information that would reveal their location and movements over time, but the Court’s majority opinion in that case had not squarely resolved the issue. The key question in Carpenter turned on the applicability of the third-party doctrine: Do customers have a reasonable expectation of privacy in their location information when, through their phones, they disclose that information to cellular providers?
The government argued that cell phone users voluntarily “share” their location information by using cell phones that connect with cell sites. As such, it argued that CSLI records should be treated in the same way as phone records in the hands of a telephone company or bank records in the hands of a financial institution—both of which the Supreme Court has held can be obtained through a subpoena and without a warrant. The American Civil Liberties Union (ACLU), representing Carpenter, argued that warrantless access to historical CSLI records permitted the government to obtain a tremendous amount of revealing information, incomparable to what previous circumstances allowed. The ACLU argued that access to this type of information violates the basic “reasonable expectation of privacy” test.
The Court ruled for Carpenter, holding that individuals have a legitimate expectation of privacy in their locations as captured by CSLI. As such, a warrant based on probable cause is required in order to obtain these records. The opinion made several key observations:
- The Fourth Amendment is not static. As technological changes make some searches easier or lead to entirely new techniques, Fourth Amendment protections must keep pace. For that reason, rules like the third-party doctrine cannot be “mechanically” applied regardless of the circumstances or the type of information that the government seeks to obtain.
- People have a reasonable expectation of privacy in their location as captured by CSLI records. Even though people can expect to be observed as they move about in public, they have an expectation that they are not being continuously monitored. And because almost everyone “compulsively carr[ies] cell phones with them all the time,” CLSI offers “near perfect surveillance.”
- The third-party doctrine does not apply to CSLI. The Court distinguished CSLI records from the types of business records at issue in prior cases, concluding that bank records and phone records do not contain information that is as personal or invasive as continuous location information. The Court also noted that CSLI is not voluntarily shared in any meaningful sense: just by being on, cell phones continually “ping” cell towers and generate this data.
- The Court stated that its opinion reaches only historical CSLI compiled for a period of at least seven days. It did not address CSLI records obtained on a real-time basis, or any other type of information obtained through a subpoena. The Court also noted that existing exceptions to the warrant requirement—such as exigent circumstances—could apply to historical CSLI records where appropriate.
Most obviously, in light of Carpenter, a mobile communications provider should ask to see a warrant if the government requests historical CSLI records covering a period of a week or more. (And, undoubtedly, law enforcement agencies will be updating their protocols accordingly.) Slightly less obviously, businesses that possess other types of customer location information (e.g., through GPS tracking) may also expect to see a warrant—or may be able to argue that a warrant is required—if they are asked to turn over such information to law enforcement in aid of an investigation. In fact, the Carpenter decision generally describes GPS data as more precise and therefore more potentially invasive than CSLI.
While the ruling will create some uncertainty, service providers can take some comfort in the fact that the Stored Communications Act precludes plaintiffs from suing providers who comply with court orders or subpoenas. So businesses are unlikely to be successfully sued simply for having complied with a subpoena or court order requesting this type of information.
More broadly, Carpenter continues a trend of recent Supreme Court cases adapting Fourth Amendment rules to account for changing technology. A key refrain throughout the opinion is the ease of compiling CSLI records and the sheer volume of data at stake. The Court’s practical focus on the type and volume of data being obtained creates doubts about the third-party doctrine and its application in other circumstances. Carpenter suggests that this rule cannot function like an on/off switch, eliminating all expectations of privacy if something is shared with a third party.
Notably, several prominent technology companies similarly advocated in an amicus brief for a more practical and less rigid approach—in part because many types of technology require users to “share” data (including sensitive data) with technology companies in order to function. Although the Court’s opinion attempted to limit itself to historical CSLI records, emphasizing collection of location information over a week or more at a time, there will almost certainly be future litigation on collections of other types of information, potentially including real-time location information as well as subpoena requests for other types of arguably sensitive data.
* * *
For more on the intersection of privacy law and location data, please read the following Socially Aware posts: Privacy Law Considerations in Tracking Event Attendees’ Whereabouts; First Circuit Issues Potentially Significant Ruling on Federal Video Privacy Statute’s Application to Mobile Apps; and California Passes Four Bills Protecting Privacy Rights.