US Supreme Court Rules in Favor of Privacy for Location-Tracking Data

When I was a prosecutor and an officer asked if they needed a warrant in any given situation, my standard response was always “get one if you can.” It’s a pretty straightforward process in most jurisdictions, and probable cause is low hurdle.

privacyI often dealt with telecommunications harassment and stalking cases where social media or cell phone location data was essential to prove a victim’s allegations. Prior to June 22, the Supreme Court consistently held that a person had no legitimate expectation of privacy in regards to information voluntarily turned over to third parties, and therefore a search warrant was not required to obtain this information. I could usually ask for a subpoena of the records directly from the social media service or cell phone carrier and comply with speedy trial requirements, without a need for police officers to pursue that information.

But on June 22, in a 5-4 decision, the U.S. Supreme Court held that police need warrants to gather phone location data as evidence in Carpenter v. United States. Based on the Smith v. Maryland decision in 1979, 442 U.S. 735, the Sixth Circuit had held that only the content of a person’s communication was protected by the Fourth Amendment, but other data shared with third parties to facilitate that communication, such as mailing addresses, phone numbers, and IP addresses, didn’t need a warrant. Timothy Carpenter appealed his conviction, arguing that geographic location data, essentially, his digital footprints, should be treated more like a search obtained with a warrant to place a GPS tracker on a vehicle like the one at issue in United States v. Jones, 565 U.S. 400 (2012).

The underlying investigation dates back to a 2011 robbery in Detroit, after which police gathered months of phone location data from Carpenter’s cell service provider. Almost 13,000 GPS locations, were compiled over 127 days without a warrant. Police had done this pursuant to the Stored Communications Act, by demonstrating “specific and articulable facts” that the records were relevant to an ongoing investigation, rather than probable cause that a crime had been committed.

The Fourth Amendment forbids unreasonable search and seizure. A Sixth Circuit Court of Appeals judge ruled Carpenter had no expectation of privacy in that data, based on the Stored Communications Act and other precedent. The data wasn’t collected or compiled by Carpenter – it was all done by the provider of the service. But in the Supreme Court’s ruling, Chief Justice John Roberts wrote that the phone records should be subject to a warrant. “The Government’s position fails to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years,” he wrote.

We share our digital footprints with the manufacturers of the Apple and Android devices, just as much as the companies we pay for the service, be it AT&T, Verizon or Sprint. With the advent of Amazon’s Alexa service and other “smart” devices that monitor our movements while web-connected, such as Nest thermostats and Ring doorbell cameras, we’ve given these companies almost perfect surveillance capability. Deputy Solicitor General Michael Dreeben argued in November that in exchange for convenience, most contracts that consumers enter to use these technology tracking devices make the records subject to disclosure upon law enforcement request.

“It is asking a business to provide information about the business’ own transactions with a customer,” Dreeben said during oral arguments. But Apple, Facebook and Google disagreed, supporting Carpenter’s position. Even with warrants, these companies have demonstrated reluctance provide customer information. For example, Apple faced criticism for refusing to assist with a search of the San Bernadino shooter’s iPhone, even after the FBI got a warrant, in 2016. Facebook, as of last year, had sued the federal government to prevent gag orders on telling users that the company had responded to warrant requests, even as it pushed for the passage of S. 2383/H.R. 4943, the Clarifying Lawful Overseas Use of Data, or “CLOUD” Act, after the Cambridge Analytica scandal hit the headlines.

In essence, the CLOUD bill, rolled into the federal spending omnibus legislation in March, allows foreign governments a warrant-free path to acquiring user data, including some stored on U.S.-based servers – even local law enforcement doesn’t have the same power, per the Carpenter ruling. The justices were silent on the CLOUD Act, as it wasn’t in effect when Carpenter was convicted, or when the case was argued in November. If it had been, the search probably would have been authorized by federal law without a warrant. The Electronic Frontier Foundation pointed out that even though the legislation received minimal Congressional attention, the CLOUD Act has “large privacy implications both in the U.S. and abroad.” So what’s next?

The Carpenter decision will probably have the most significant burden on smaller agencies with limited investigative resources, particularly rural departments. Local judges will no doubt see more requests for warrants now that officers can’t rely on the third-party rule for business records to obtain historic tracking data. Victims of crimes that may be proven through location tracking may face longer waits for suspects to be identified and prosecuted. Business professionals who collect or compile smart device data should be cautious about responding to law enforcement requests for such information, and err on the side of nondisclosure until you can obtain legal counsel’s guidance. As always, if you have questions about how any court decision may impact you or your business, speak to an attorney at PS&E.

AUTHOR: Breanne Parcels
bparcels@pselaw.com