Carpenter v. United States Decision Strengthens Digital Privacy

Credit to Author: Louise Matsakis| Date: Fri, 22 Jun 2018 16:26:37 +0000

In a highly anticipated decision released Friday, the US Supreme Court updated Fourth Amendment protections for the digital era. In a 5-4 ruling, the court decided in Carpenter v. United States that the government generally needs a warrant in order to access cell site location information, which is automatically generated whenever a mobile phone connects to a cell tower and stored by wireless carriers for years. The ruling, however, leaves the door open for law enforcement to obtain such information without a warrant in some instances. Still, the court recognizes that cellphones are not voluntary but necessary for modern life, and that their technology poses some unique circumstances for the law.

“We decline to grant the state unrestricted access to a wireless carrier’s database of physical location information,” Chief Justice John Roberts wrote in the majority opinion. “In light of the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection, the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.”

Roberts was joined by Justices Ruth Bader Ginsburg, Stephen Breyer, Sonia Sotomayor, and Elena Kagan. Justices Anthony Kennedy, Clarence Thomas, Samuel Alito, and Neil Gorsuch dissented.

The court’s ruling represents a win for digital privacy advocates and, while narrow, it may have implications for all sorts of information held by third parties, including browsing data, text messages, emails, and bank records.

“The government can no longer claim that the mere act of using technology eliminates the Fourth Amendment’s protections. Today’s decision rightly recognizes the need to protect the highly sensitive location data from our cell phones, but it also provides a path forward for safeguarding other sensitive digital information in future cases—from our emails, smart home appliances, and technology that is yet to be invented,” ACLU attorney Nathan Freed Wessler, who argued the case before the court, said in a statement.

At issue was an antiquated legal principle called the third-party doctrine, which holds that information customers voluntarily provide to a third party—such as a telecom company or a bank—is outside the bounds of Fourth Amendment protections. The doctrine comes from United States v. Miller, a 1976 case in which the court ruled that law enforcement doesn't need a warrant in order to access bank records because "the Fourth Amendment does not prohibit the obtaining of information revealed to a third party.”

Three years later, in 1979, the court ruled in Smith v. Maryland that the third-party doctrine also extends to call records collected by phone companies.

But on Friday, the Supreme Court said that cell site location information is a “qualitatively different category” of information. CSLI allows law enforcement to paint a nearly complete picture of Americans' movements. Last year, AT&T and Verizon jointly received nearly 125,000 requests from law enforcement for CSLI data, according to their transparency reports. Law enforcement officials will now only be able to make such requests after obtaining a warrant, which will require them to demonstrate probable cause.

The court has expressed uneasiness about the collection of vast amounts of digital data before. In the 2014 case Riley v. California, it ruled that police generally need a warrant to search the cellphone of a person under arrest. And in 2012, in United States v. Jones, the court said that it does violate a person's Fourth Amendment rights for the government to place a GPS tracker on their car without a warrant.

In Carpenter, Roberts left the door open for courts to obtain location information without a warrant in two circumstances. The court declined to decide on whether law enforcement seeking a smaller window of records—fewer than seven days, which is what the government requested from Sprint in the case—constitutes a Fourth Amendment search. The opinion also allows for exceptions for emergencies, like “bomb threats, active shootings, and child abductions.”

“This is a huge victory not only for privacy, but also frankly for reality,” says Sarah St. Vincent a national security and surveillance researcher at Human Rights Watch. “When you share your location data via your cell phone, it’s not really voluntary. What’s critical is those exceptions—the lower courts are going to need to be vigilant about making sure they’re not abused.”

Carpenter v. United States began in December of 2010, when a series of robberies hit Michigan and neighboring Ohio. Ironically, the perpetrators were after cellphones. Over the course of a year, they robbed several Radio Shack and T-Mobile stores at gunpoint, filling plaid laundry bags with smartphones. The police arrested four men, including the petitioner Timothy Carpenter, who was later convicted of committing several of the robberies and sentenced to 116 years in prison (thanks, in part, to mandatory minimums).

Law enforcement was able to connect Carpenter to the crimes by obtaining more than 100 days' worth of his smartphone location data records from Metro PCS and Sprint, all without a warrant. Those records placed his phone at over 12,000 different locations, revealing which Sundays he attended church, and when he didn't spend the night in his own home.

Law enforcement officials were able to get the records under the Stored Communications Act, passed in 1986, which requires prosecutors demonstrate "specific and articulable facts showing there are reasonable grounds to believe" that electronic data being sought is relevant to an ongoing criminal investigation. But the law stops short of requiring prosecutors demonstrate probable cause, which is necessary to obtain a warrant.

Before his trial, Carpenter argued that obtaining the records constituted a Fourth Amendment search, and therefore the police should have needed a warrant. His motion was denied, and the Sixth Circuit Court of Appeals later upheld the case. The Supreme Court agreed to hear it last year.

In one of the dissents, Justice Kennedy, joined by Justices Thomas and Alito, maintains that “Cell-site records, however, are no different from the many other kinds of business records the Government has a lawful right to obtain by compulsory process.” They call the distinction between CSLI and other records like financial or telephone records made by the court “illogical”

Orin Kerr, a prominent Fourth Amendment scholar at George Washington University, filed a brief in support of the government. He argued that cellphone location data merely simulates the real world. You can't expect privacy when you walk to the store, he argued, so you aren't entitled to privacy when it comes to the cellphone location records that show you went there. A neighbor, or the store clerk, may have a memory of where you went, just as your cellphone keeps a record.

“This is a location tracking opinion case, which just happens to involve cell-site records,” Kerr wrote in a tweet after the decision came out. “The facts here, and the existing technology, are less important.”

Justice Roberts rejected Kerr’s argument. “Sprint Corporation and its competitors are not your typical witnesses. Unlike the nosy neighbor who keeps an eye on comings and goings, they are ever alert, and their memory is nearly infallible,” the majority opinion reads.

Fourteen of the largest US tech companies—including Google, Apple, Facebook, and Microsoft—filed a brief in support of updating the Fourth Amendment for the digital era. It was technically not filed in support of either party, but largely backed Carpenter's position.

The cohort even included Verizon, which cooperated with the National Security Agency as part of its broad bulk surveillance programs for years. Verizon's stance is particularly notable because the company holds the specific kind of location records that were at issue in the case.

Cyrus Farivar, a reporter at Ars Technica and the author of Habeas Data, a new book about privacy laws and the rise of surveillance technology, says the ruling shows that the court views cellphones differently.

“They’re an entirely separate class of devices that provide a very intimate look into the most detailed elements of our life, not only where we go generally, but where we go extremely specifically,” he says.

He also notes that the court was split and that it took a long time for it to come to its decision, which was unusually released on a Friday. “That suggests that this is an issue that the court came to with a great deal of thought, discussion, and deliberation. This is not an easy decision to reach.”

We don’t yet know how the ruling might impact other forms of government surveillance. Justice Roberts was careful to note that the ruling is intended to be narrow in its scope, writing that the court does not “call into question conventional surveillance techniques and tools, such as security cameras. Nor do we address other business records that might incidentally reveal location information. Further, our opinion does not consider other collection techniques involving foreign affairs or national security.”

Ultimately, if digital privacy advocates want to limit government surveillance, the Supreme Court is likely not the best avenue to do so.

“It’s important to remember that the facts of Carpenter took place eight years ago. My iPhone and your iPhone have gotten a lot better in those eight years,” says Farivar. “We can’t wait for the Supreme Court to get there. We need to do a lot more on the front end, we need to do a lot more ideally in Congress, otherwise in our states and our cities to decide where the limits are.”

The decision might not mean much for Timothy Carpenter, due to the good faith exception, which says if law enforcement obtained evidence believing they were acting according to legal authority, it's still admissible in court, even if the law changes.

https://www.wired.com/category/security/feed/