Last week’s Supreme Court decision in Carpenter is one of the most important privacy rulings in the Court’s history. In a 5-4 opinion written by Chief Justice Roberts, the Court sided with Mr. Carpenter and his ACLU lawyers, holding that the government must obtain a warrant to access more than seven days of cell site location information (CSLI) from our cell phone providers. But the decision has implications that go far beyond the narrow confines of cell phone location information. When the Court rejected the government’s argument that mobile users have no privacy interest in the detailed location data our phones leave behind us, it also, crucially, rejected the application of a 1970s era legal doctrine to the 21st century of big data and automation. Digital is different, the Court held.
Carpenter: The facts
Back in April 2011, the police arrested four people suspected of committing a string of armed robberies in Michigan and Ohio. Using a suspect’s confession, the FBI sought access to robbery suspect Timothy Carpenter’s cell-site location information (CSLI) by making an application to a magistrate judge, who approved the request. Crucially, the FBI did not seek a warrant, but rather applied for and obtained what’s called a 2703(d) order to demand the CSLI.
The government’s failure to get a warrant was the heart of Carpenter’s challenge. Warrants require the government to show they have probable cause to believe the information returned from a search will be evidence of a crime. The (d) orders, on the other hand, merely require the government demonstrate there are “reasonable grounds” to believe the records sought “are relevant and material to an ongoing criminal investigation,” a much lower standard. Law enforcement officials across the country have long used (d) orders to obtain extremely sensitive information about people without showing probable cause. In a 2012 paper on the use of these surveillance demands, former Magistrate Judge Stephen Smith concluded that it’s “reasonable to infer that far more law-abiding citizens than criminals have been tracked” using (d) orders, and blasted the secrecy surrounding the surveillance orders.
CSLI is data generated when phones interact with nearby cell towers; these towers record which phones interact with them and when, so analysts can use data from multiple cell towers within a region to determine a phone’s location at a given time. Wireless carriers maintain cell-site records for up to five years, meaning these companies keep an extensive record of their customers’ locations and movements. This data can reveal a host of personal information including a person’s relationships, religion, and political activity.
Using the CSLI obtained without a warrant, law enforcement was able to place Carpenter in the vicinity of each of the robberies. In court, Carpenter argued that the FBI’s access of his cell-site location information constituted a search under the Fourth Amendment that should have required a warrant. The district court rejected this argument, and he was convicted and sentenced. On appeal, the Sixth Circuit also rejected Carpenter’s Fourth Amendment argument. Last week, the Supreme Court reversed and remanded, siding with the ACLU and holding that CSLI is protected by the Fourth Amendment, and that law enforcement must therefore get warrants to demand it.
A digital Fourth Amendment revolution at the Supreme Court
The key legal question at issue in Carpenter involves what’s called the third-party doctrine. Stemming from United States v. Miller and Smith v. Maryland, the doctrine stipulates that a person does not have a reasonable expectation of privacy in information they willingly hand over to a third party like a phone company or a bank. In Miller, the Court held that the Fourth Amendment does not prevent government access to bank records because consumers willingly give banks their financial information, and furthermore, that these are “business records” created by and for the bank—not the property of the customer. In Smith, the Court held that telephone users have no right to defend their call records from warrantless searches or seizures because customers willingly share their call history with their telephone companies.
Based on these precedents, the government argued that the third-party doctrine also applied to Carpenter. In the government’s view, Carpenter wasn’t different from Smith: both men transmitted information to phone companies, and thereby lost their Fourth Amendment rights to protect it.
The Supreme Court rejected this argument, maintaining that the government’s application of these older cases to Carpenter is not straightforward but rather requires “a significant extension” of the third-party doctrine, ignoring “seismic shifts in digital technology.” The “mechanical” application of the third-party doctrine to Carpenter does not work, the Court held, for two core reasons. First, the kind of information shared in Carpenter is fundamentally distinct from that in Miller and Smith; and second, it isn’t at all clear that Carpenter willingly shared his location information with his wireless provider. The information at issue in Carpenter is both quantitatively and qualitatively different from the types of information obtained in Smith and Miller. (In another ACLU case a few years back, the Massachusetts Supreme Judicial Court held similarly, concluding that the third party doctrine does not apply to CSLI.)
“There is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers today,” Chief Justice Roberts writes. “In fact, historical cell-site records present even greater privacy concerns than the GPS monitoring of a vehicle we considered in Jones. Unlike the bugged container in Knotts or the car in Jones, a cell phone—almost a ‘feature of human anatomy,’ []—tracks nearly exactly the movements of its owner.” Due to the sensitivity and breadth of CSLI, the Court concluded that “the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.”
Chief Justice Roberts also rejects the government’s claim that cell phone users willingly share their cell-site location information with their wireless carriers. In this day and age, “carrying [a phone] is indispensable to participation in modern society,” he writes. Cell phones communicate CSLI with cell towers completely on their own, without any intentional disclosure by phone users. “As a result, in no meaningful sense does the user voluntarily ‘assume[] the risk’ of turning over a comprehensive dossier of his physical movements,” Roberts concludes. Having rejected the government’s application of the third party doctrine to cell phone location information, Chief Justice Roberts holds that when the government wants to obtain CSLI from a phone company, “the Government’s obligation is a familiar one—get a warrant.”
The Carpenter decision is a landmark for privacy rights. It reflects the Court’s intent to take the power of technology seriously, and it’s sure to have far-reaching implications. Chief Justice Roberts’ ruling includes language limiting the scope of the decision to exclude real-time cell phone tracking and matters of national security, but privacy advocates are nonetheless rejoicing. While recent Supreme Court rulings on digital privacy issues often rely on physical intrusions, Carpenter is a thoroughly modern decision, and points in the direction of robust Fourth Amendment protections in the digital age. Ultimately, the most important aspect of the decision is Chief Justice Roberts’ conclusion that digital is different. It was one thing for the government to obtain a few bank records or call records in the 1970s. It’s something totally different for the government to track the precise movements of a person over a period of months. Roberts: “[T]his case is not about ‘using a phone’ or a person’s movement at a particular time. It is about a detailed chronicle of a person’s physical presence compiled every day, every moment, over several years.”
“[W]hen the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user. Moreover, the retrospective quality of the data here gives police access to a category of information otherwise unknowable. In the past, attempts to reconstruct a person’s movements were limited by a dearth of records and the frailties of recollection. With access to CSLI, the Government can now travel back in time to retrace a person’s whereabouts, subject only to the retention polices of the wireless carriers, which currently maintain records for up to five years. Critically, because location information is continually logged for all of the 400 million devices in the United States—not just those belonging to persons who might happen to come under investigation— this newfound tracking capacity runs against everyone.”
Cell phone companies aren’t the only entities that create and store detailed records on hundreds of millions of people. Private corporations like Amazon, Google, Facebook, and license plate tracking company Vigilant Solutions also maintain vast databases containing extremely sensitive information about millions of Americans, including location information. These records, too, enable government agents to track people’s private activity retroactively.
In the post-Carpenter future, we’re likely to see lower courts grapple with Fourth Amendment issues related to the extensive location information collected by technology like automated license plate readers, fitness trackers, apps, and systems like Google Maps. Courts may even apply Carpenter to information that allows the government to infer a person’s location. (Roberts: “[T]he Court has already rejected the proposition that ‘inference insulates a search.’”) Privacy advocates now have a strong case to demand the government get a warrant before accessing data like credit card and automatic toll transponder records, which incidentally reveal information about a person’s location. In short, Carpenter is going to revolutionize the landscape of government data access. As Georgetown University Law Center’s Paul Ohm put it, “Any time the government accesses a privately assembled database in order to track location without a warrant, it risks suppression under Carpenter.” Amen to that.
This blog post was co-authored by Iqra Asghar and Kade Crockford