Jennifer Lynch is a senior staff attorney for the Electronic Frontier Foundation, which filed an amicus brief in support of Timothy Carpenter’s petition for certiorari in Carpenter v. United States.
This summer, the Supreme Court granted certiorari in Carpenter v. United States, a case that offers the court another chance to address just how far the Fourth Amendment’s protections against warrantless searches and seizures extend to cover information generated by the modern technologies we rely on every day.
In Carpenter, the FBI accessed location data linked to Timothy Carpenter’s and his co-defendant’s cell phones in its attempt to place the suspects at the sites of several robberies. But the data the FBI asked for and received weren’t limited to the days and times of the known robberies – they also included months of records that could reveal everywhere the defendants were every time they made or received a phone call. And the FBI got all of this information without a warrant.
The specific data at issue in the case are called cell-site-location information, or CSLI. These data, maintained by wireless carriers, are records of the cell towers our phones connect to every time they try to send and receive calls, texts, emails and any other information. The records – generated hundreds and sometimes thousands of times per day – include the precise GPS coordinates of each tower as well as the day and time the phone tried to connect to it. While this all may sound complicated, the important point is that, in cases like this one, the government argues that CSLI is really just a proxy for where the phone – and, by extension, the phone’s owner – is or has been.
Police ask for these records a lot – in 2016, Verizon and AT&T alone received about 125,000 requests for CSLI – and each request may involve months of information on multiple people. No federal statutes place any specific restrictions on how much data the police can ask for at any one time, and the standard required to obtain access – whether there are “specific and articulable facts showing that there are reasonable grounds to believe” the data are “relevant and material to an ongoing criminal investigation” – is much lower than probable cause. As a result, cases like this one, in which the government obtained 88 days and 127 days worth of location information for each defendant, appear to be the norm. (In another cert petition filed this past term, Graham v. United States, the police accessed 221 days of CSLI for each defendant.)
In Carpenter, the Supreme Court will address whether access to this information is a “search” under the Fourth Amendment and whether that search requires a warrant. The issues raised in this case are important because location information like CSLI shows where we are and where we have been. And where we travel can reveal very sensitive details about our lives. As Justice Sonia Sotomayor noted in her concurring opinion in United States v. Jones, location information can provide the government with a “precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” Or, as the lower court in Jones put it, “[a] person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups—and not just one such fact about a person, but all such facts.”
Despite the sensitive nature of location data and the volume of information collected in Carpenter and other cases, five federal appellate courts, in deeply divided opinions, have held that historical CSLI isn’t protected by the Fourth Amendment – in large part because the information is collected and stored by third-party service providers. The courts have relied on a legal principle called the “third-party doctrine,” which was developed in two 1970s Supreme Court cases, Smith v. Maryland and United States v. Miller. This principle holds that information you voluntarily share with someone else – whether that “someone else” is your bank (such as deposit and withdrawal information) or the phone company (the numbers you dial on your phone) – isn’t protected by the Fourth Amendment because you can’t expect that third party to keep the information secret. By sharing that information with a third party, you have assumed the risk that it will be shared with others.
The Electronic Frontier Foundation and many others have argued that it’s time for the Supreme Court to revisit this outdated doctrine. As Sotomayor noted in Jones, the third-party doctrine “is ill suited to the digital age.” This is because, as she also noted, we live in an era “in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” We use cellphones to stay in touch with friends and family on the go, store data in the cloud to be able to access it anywhere later, rely on GPS mapping technologies to find our way about town, and wear activity trackers to try to improve our health. It’s impossible to use any of these technologies without sharing data with third parties.
This dilemma highlights a key weakness in this line of the Supreme Court’s Fourth Amendment jurisprudence: Assuming that it is unreasonable to expect privacy when we share something with others makes secrecy a prerequisite for privacy. But Justice Thurgood Marshall recognized in his dissent in Smith years ago that “[p]rivacy is not a discrete commodity, possessed absolutely or not at all.” That an individual discloses information to a third party for one purpose does not mean he believes he has relinquished all privacy interests in that information. Nor is it clear that such a belief would be good for society. To maintain secrecy as a prerequisite for Fourth Amendment safeguards would mean that information once protected in the non-digital world would lose that protection today.
Some third-party cases at the Supreme Court and federal appellate courts have recognized that sharing information with others doesn’t always equal blanket disclosure to all. The court has held that patients have a reasonable expectation of privacy in diagnostic test results, even when the hospital maintains the records (Ferguson v. City of Charleston); passengers retain an expectation of privacy in luggage placed in an overhead bin despite the possibility of external inspection by others (Bond v. United States); and hotel guests are entitled to constitutional protections even though they provide “implied or express permission” for third parties to access their rooms (Stoner v. California). And at least one lower court, the U.S. Court of Appeals for the 6th Circuit, in United States v. Warshak, has ruled that people have an expectation of privacy in email content, even if they use a third party service provider to transmit that email.
Thus, the main challenge for the Supreme Court in Carpenter will be to figure out how to reset the parameters of the third-party doctrine for the digital age – or do away with it altogether.
One thing is clear: These thorny issues are not going away. How the Supreme Court decides this case will have important ramifications for the future – especially for the “internet of things,” where sensors and devices in our homes, on our cars, and throughout our world will constantly collect, generate, and share data about us with little to no volition on our part. Choosing to participate in society in the 21st century will require use of these technologies; it shouldn’t require us to relinquish our constitutional rights.