The U.S. Supreme Court has handed down a major decision, Carpenter v. United States,1 concerning the Fourth Amendment’s application to the rapidly evolving technological landscape. The 5-4 decision dramatically alters the status quo concerning government requests for data about individuals that is collected and held by third parties. Under Carpenter, personal location information maintained by a third party that the government could previously obtain with a subpoena or similar order will now require a warrant meeting the standards of the Fourth Amendment.
By finding that information held by a third party is—in at least some circumstances—protected by the Fourth Amendment, the Supreme Court has upended decades of precedent in an effort to keep the amendment relevant in the digital age. Although portrayed by the court as a narrow decision, like other recent Supreme Court decisions concerning privacy and the Fourth Amendment, Carpenter will likely result in a broad reconsideration of what information law enforcement can properly obtain without a warrant. Companies will now have to carefully consider their statements regarding the sharing of data with law enforcement, and how they will respond to law enforcement agencies’ requests for data without a warrant.
Background
Carpenter began with the arrest of four men suspected of robbing stores in Detroit. Prosecutors applied for court orders under the Stored Communications Act (SCA) to obtain cell phone records for Carpenter and other suspects. The SCA permits the government to compel the disclosure of certain telecommunications records when it “offers specific and articulable facts showing that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.”2 Orders were issued for “cell site location information” (CSLI), a record of all the cell phone towers a mobile phone connected to, and by extension, a detailed map of the cell phone owner’s movements over time. Prior to trial, Carpenter moved to suppress the CSLI provided by the wireless carriers, arguing that the government’s seizure of the records violated the Fourth Amendment because they had been obtained without a warrant supported by probable cause. The district court denied the motion, and Carpenter was convicted of a variety of crimes relating to the robberies. On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed, holding that Carpenter lacked a reasonable expectation of privacy in the location information collected by the FBI because he had shared that information with his wireless carriers.3
Chief Justice Roberts, writing for the majority in the Supreme Court opinion, provided a brief history of the Fourth Amendment’s application to modern technology. The Court has been intent on preserving Fourth Amendment protections in a world of increasing technological complexity. For instance, in Kyllo v. United States, the Court found that the use of a thermal imager to detect heat radiating from the side of a home was a search because otherwise the homeowners would be left “at the mercy of advancing technology.”4 More recently, in Riley v. California, the Court held that police officers must generally obtain a warrant before searching the contents of a mobile phone, given their “immense storage capacity” and the sensitive information they contain.5
Chief Justice Roberts explained that the request for cell-site records at issue in Carpenter lies “at the intersection of two lines of cases.”6 The first address a person’s expectation of privacy in his physical location and movements. In United States v. Jones,7 the FBI installed a GPS tracking device on a vehicle and monitored its movements for 28 days.8 The Court found this to be a violation of the Fourth Amendment based on the government’s physical trespass of the vehicle.9 The second line of decisions highlighted by the Court concerns the “line between what a person keeps to himself and what he shares with others.”10 In a pair of cases, Smith and Miller, the Court held that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”11 As a result, under the so-called “third party doctrine,” the government may generally obtain information from a third party that possesses it without the need for a warrant meeting the standard of the Fourth Amendment. This doctrine is premised on the ideas that a defendant cannot assert ownership of information held by a third party, the defendant lacks or has a limited expectation of privacy in the information, the information is not confidential and is voluntarily disclosed to others, and the defendant takes the risk that information will be conveyed to the government at the time it is shared. This doctrine has served as the linchpin allowing the government to obtain virtually any record or data held by a third party, with an order far easier to obtain than a warrant.
Opinion
With regard to whether the logic underpinning the third party doctrine should be applied to CSLI, the Court found that it is “not clear whether [this] logic extends to the qualitatively different category of cell-site records” since “few could have imagined a society in which a phone goes wherever its owner goes, conveying to the wireless carrier not just dialed digits, but a detailed and comprehensive record of the person’s movements.”12Crucially, the Court held that “the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.”13 Though it does not go so far as to overrule the cases that created the third party doctrine, this holding undercuts the doctrine’s core logic. Because information held by a third party is not inherently free from Fourth Amendment protection under Carpenter, defendants are likely to challenge the government’s collection of a wide variety of information that is commonly collected in criminal investigations.
The Court explained that “when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.”14 The Court went on to justify its decision based on a number of factors, including the vast amount of data collected, the great frequency of collection, the protracted period of time included in the data,15 the sensitive nature of the data being collected (with a focus on physical tracking), the fact that the cell service providers never obtained true consent for the collection of the data, the inability to prohibit sharing once the data is in the possession of the cell service providers, and mobile phones’ general pervasiveness. These factors, though meant to apply specifically to the CSLI at issue in the case, are equally applicable to a significant portion of data collection that underlies the modern, digital economy. For instance, these same factors are at least partially applicable to credit card transaction records, vehicle tracking systems, wireless toll payment systems (such as E-ZPass and FasTrak) and location logs generated by mobile operating systems and mobile applications. Like CSLI, through these methods of location data collection, “[w]ith just the click of a button, the Government can access each [company’s] repository of historical location information at practically no expense.”16Where investigators use such records without obtaining a warrant, defendants are likely to have a strong basis on which to seek the data’s suppression.17
The decision also lays the groundwork for challenges to governmental requests for a broad range of additional data. While the Court focuses on warrantless requests for location data, people may have a reasonable expectation of privacy in their web browsing or search history, for instance. These can be far more revealing than location records, and courts will likely be forced to consider whether Carpenter’s logic extends so far as to protect them.
The Court anticipated these possibilities and stated that the decision is a “narrow one.”18 The Court explained that the decision does not “disturb the application of Smith and Miller or call into question conventional surveillance techniques and tools, such as security cameras. Nor do we address other business records that might incidentally reveal location information. Further, our opinion does not consider other collection techniques involving foreign affairs or national security.”19 Nonetheless, the logic of the decision is not so confined, and its application to a broad range of additional data is very likely.
Implications
Companies that collect detailed data over time, including location data, should carefully consider statements made to consumers regarding their privacy practices. If a company promises to turn data over to the government only pursuant to a lawful order, that company must now evaluate whether a subpoena, an order issued pursuant to the SCA, or other process, is in fact lawful. If a company that makes such promises determines that its data is sufficiently similar to CSLI, it may be obligated to challenge the government’s request, although it is unclear whether and how a third party could assert the Fourth Amendment rights of the target of the investigation. In many cases, third parties will lack the incentive to assert the rights of the target. Other companies have committed to providing the target of an investigation with an opportunity to challenge the sufficiency of a law enforcement request when possible, and Carpenter may create a new scenario where such an obligation is triggered.
Additionally, the decision states that “case-specific exceptions may support a warrantless search of an individual’s cell-site records under certain circumstances.”20 Companies may now be faced with claims that data is required, even without a warrant, due to exigent circumstances. They will therefore need to determine how to respond in such a scenario.
Ultimately, Carpenter will require companies to make new choices regarding their compliance programs. They are likely to receive an increase in warrants and a decrease in subpoenas and similar orders, and they must carefully evaluate the sufficiency of any request received.
1 No. 16-402, 2018 WL 3073916 (U.S. June 22, 2018).
2 18 U.S.C. § 2703(d).
3 819 F.3d 880 (2016).
4 533 U.S. 27, 35 (2001).
5 134 S. Ct. 2473, 2489 (2014).
6 Carpenter at *7.
7 565 U.S. 400 (2012).
8 Id. at 404-405.
9 Id.
10 Carpenter at *7.
11 Smith v. Maryland, 442 U.S. 735, 743-744(1979). See also United States v. Miller, 425 U.S. 435, 443 (1976).
12 Carpenter at *9.
13 Id.
14 Id. at *10.
15 The Court considered “whether there is a limited period for which the Government may obtain an individual’s historical CSLI free from Fourth Amendment scrutiny, and if so, how long that period might be.” However, the Court chose only to hold that “accessing seven days of CSLI constitutes a Fourth Amendment search.” Id. at *9, n3. Therefore, it is unclear whether there is any period during which data may be collected without a warrant.
16 Id. at *9.
17 What’s more, the court made clear that “[w]hether the Government employs its own surveillance technology” or seeks data from a third party, “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI.” Id. at *9. By the Court’s logic, a variety of similar tools used by law enforcement may require a warrant, including cell-site-simulators (commonly referred to as “Stingrays”), and license plate readers.
18 Id. at *13.
19 Id.
20 Id. at 15.