Carpenter v United States Decision: expectation of privacy
Carpenter v United States Decision: expectation of privacy
A year ago, in Law v. Technology, I wrote that SCOTUS was going to hear argument in Carpenter v. United States, exploring whether law enforcement needs a warrant to use cell phone location data. The key question comes down to whether use of that data constitutes a “search” under the Fourth Amendment (henceforth 4A). The case was argued in November of 2017, and a 119-page decision handed down in June 2018.
The short version: Yes, such data constitutes a search under 4A and thus requires a warrant. The Court wrote, in part:
The Fourth Amendment protects not only property interests but certain expectations of privacy as well.
This “expectation of privacy” has been the key aspect of most privacy-related Court decisions for a long time. Clearly there’s a continuum, ranging from something you do locked in a closet in your basement (whatever that might be—I sure don’t want to know!) to running onto the field at halftime during the Super Bowl. Nobody can argue that the first of these is not something a reasonable person would normally expect to be a private activity, nor that the latter is. So the first would be covered by 4A—would require a warrant for a government organization to monitor and use in court—while the second could be broadcast to the world without any control on your part (although, of course, the NFL would own and control the rights).
The key in cases like Carpenter is where that dividing line lies, between reasonable and not. And it’s clear that technology evolution changes the privacy picture, which is why the Court is involved here: 50 years ago, this issue didn’t exist.
Another aspect that makes Carpenter SCOTUS-worthy is its superficial similarity to police using a GPS device to track a suspect’s movements. In United States v. Jones, police installed a GPS tracking device on a suspect’s car without a warrant, and used that data in court. This was ruled to be an invasion of privacy per 4A. But back in 1976, in United States v. Miller, a conviction based on bank records was upheld, ruling that the financial information was willingly provided to the bank as “business records” and thus was not protected under 4A.
Carpenter differs from Jones in that there it required no overt action on the part of the police to collect the data: it’s an artifact of cell phone operation. The argument thus was that the information was “willingly provided”, as in Miller. But the court did not agree:
A majority of the Court has already recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements. Allowing government access to cell-site records—which “hold for many Americans the ‘privacies of life,’” … —contravenes that expectation.
The Court was also concerned that the typical five-year retention period for such data would “give the Government near perfect surveillance and allow it to travel back in time to retrace a person’s whereabouts”, that cell phones are indispensable as a “a pervasive and insistent part of daily life”, and that since the cell phone location data is created “by dint of its operation, without any affirmative act on the user’s part beyond powering up”, it is fundamentally different from the bank data in Miller.
The Carpenter decision is actually fairly narrow, and is about use of large quantities of metadata, which is “data about data”. His cell phone location data is not itself evidence of a crime; it is merely suggestive of proximity to a crime—information related to one. Tapping his phone to listen in on his calls would (presumably) have provided direct evidence of a crime, and it has long been established that doing so would require a warrant. On the other hand, if someone is using a phone in a public place, there is no expectation of privacy regarding that call. The exact same call, made at home, would be private. This may all seem self-evident, but it gets interesting at the edges: what if someone is at home, but has the windows open and is yelling? Can police stand outside and collect evidence? Cases are won and lost on such fine points.
It’s important to note that this decision does not say “Law enforcement cannot ever use metadata without a warrant”. Because metadata is by definition not necessarily private—the cell phone location data was collected and stored by the cellular carrier for everyone; it was not under Carpenter’s control—there are certainly cases where it can be used. The objections were to the volume and breadth of that data. For example, if Bad Bob is known for knocking over convenience stores, it seems likely that the police could check to see if a phone registered to Bad Bob was in the area of that store at that time without going against Carpenter. But the data in question comprised almost 13,000 location points over 18 weeks. Such “fishing expeditions” tend to make SCOTUS nervous.
One can easily imagine future cases including other types of metadata—such as email routing information—also perhaps being considered using criteria similar to Carpenter: email server logs may go back many years; email is indispensable in modern business; and the metadata is created simply by using email, not through any conscious action on the part of the users. Similarly, a recent Wall Street Journal story questions police use of an Instagram photo to search driver’s license records for a match using facial-recognition software. The Instagram photo likely meets the “willingly provided” criterion; however, since the majority of the driver’s license photos are of folks never convicted of a crime, their use is questionable. And the media have covered several recent cases where crime-scene DNA that was not in any government database was matched using genealogy data of relatives, obtained from public websites. Again, it’s not entirely clear whether these third-party matches violate 4A.
Carpenter is an important decision. Some will decry it as making things harder for the police, and it certainly does so. However, that argument misses a basic goal of 4A: to keep the State’s powers in check, lest it slide down the slippery slope into totalitarian control. One need only read about life back in the Soviet Union, or in North Korea today, to understand the danger inherent in this kind of privacy invasion.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Simir_Shah on: ArcSight Training in Canada: Earn CPE Credits and Get Certified
- pbrettle on: What is SIEM Anyway? How the evolution of threats has changed Security Operations
- GlynTownsend on: ArcSight Investigate digital learning is now available!
- sswargam on: SCA: Various approaches for including dependency source code during scans
- todd.densmore on: WebInspect Tips: Changing settings to improve scans