By Allen O’Rourke
On Friday, June 22, 2018, the Supreme Court issued its much-anticipated opinion in Carpenter v. United States, 585 US. __ (2018),[1] and declared a Fourth Amendment privacy right for cell phone location data. Seeing how “seismic shifts” in technology have altered our conceptions of privacy, the Court revised its long-held “reasonable expectation of privacy” test and ruled that police obtaining cell site location information (CLSI) records from a person’s cell phone service provider constitutes a Fourth Amendment “search” requiring a warrant.
The case involved a string of nine robberies in Michigan and Ohio. One man arrested early on for several of these robberies confessed to the crime spree and identified a number of accomplices, telling the police their cell phone numbers. The police then obtained court orders under Section 2703(d) of the Stored Communications Act (SCA) to require their cell phone service providers to share historical CLSI records for these cell phones from the four-month period of the robberies.2 In general, cell phone service providers maintain a vast network of towers with sensors mounted on top (usually three sensors forming a triangle) that send and receive radio signals to and from people’s cell phones when they make or receive calls or text messages or otherwise transmit data over the cellular network. The providers maintain a record of which tower and sensor – or “cell site” – was used whenever a cell phone makes or receives a call or text message. By analyzing such business records, the police can infer the approximate location of the cell phone at the time of the call or text message. In the Carpenter case, the historical CLSI records obtained by the police indicated that Carpenter’s cell phone was near four of the charged robberies when they were committed. He was later convicted of multiple robbery charges following a trial and then appealed.
Writing for the Court, Chief Justice Roberts reasoned that CSLI records do not “fit neatly under existing precedents” and instead lie at the “intersection of two lines of cases” about the scope of a person’s reasonable expectation of privacy protected by the Fourth Amendment. Id. at *7. On one hand, there is the third-party doctrine established by Smith v. Maryland, 442 U.S. 735 (1979) (no reasonable expectation of privacy in records of dialed telephone numbers held by a telephone company) and United States v. Miller, 425 U.S. 435 (1976) (no reasonable expectation of privacy in financial records held by a bank). Under that doctrine, “‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,’” id. at *9 (quoting Smith, 442 U.S. at 743–44), and “[t]hat remains true ‘even if the information is revealed on the assumption that it will be used only for a limited purpose,’” id. (quoting Miller, 425 U.S. at 443).
On the other hand, there are the Court’s cases about police use of “sophisticated technology” to track the location and movements of a vehicle, including United States v. Knotts, 460 U.S. 276 (1983) (use of a beeper hidden inside a barrel of chemicals sold to the suspect to help police conduct aerial surveillance of his vehicle) and United States v. Jones, 565 U.S. 400 (2012) (covert installation of a GPS tracking device on a suspect’s vehicle that enabled police to remotely monitor its movements for 28 days). These decisions address what Chief Justice Roberts called “a person’s expectation of privacy in his physical location and movements.” Carpenter, at *7. Although finding no Fourth Amendment violation in Knotts, the Court specifically reserved the question of whether “different constitutional principles may be applicable” if “twenty-four-hour surveillance of any citizen of this country [were] possible.” Knotts, 406 U.S. at 283–84. More recently, although the Fourth Amendment violation found by the Jones decision was premised on the act of trespass when police installed the GPS tracking device, five concurring Justices agreed that “‘longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy’—regardless whether those movements were disclosed to the public at large.” Carpenter, at *8 (quoting Jones, 565 U.S. at 430 (Alito, J., concurring); Jones, 656 at 415 (Sotomayor, J., concurring)).
In the face of these two competing lines of cases, the Court elected to continue down the path indicated by the Jones concurring opinions, declaring, “Whether the Government employs its own surveillance technology as in Jones or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI.” Carpenter, at *11. The Court noted that, after the Jones decision, five Justices had “already recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements.” Id. at *12. Now, in the Carpenter decision, the Court simply adopted their reasoning about long-term GPS monitoring – namely, that such precise and lengthy location monitoring contravenes society’s expectations about the degree of physical surveillance to be expected from law enforcement, and that such comprehensive location records can uncover a person’s most private affairs. “As with GPS information,” the Court explained, “the time-stamped [CSLI] data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’” Id. at 12 (quoting Jones, 565 U.S. at 415 (Sotomayor, J., concurring)).
Finally, Carpenter distinguished the third-party doctrine from Smith and Miller by emphasizing “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.” Id. at *22. On this last point, the Court reasoned that CSLI records “[are] not truly ‘shared’ as one normally understands the term” because they are generated “by dint of [the cell phone’s] operation, without any affirmative act on the part of the user beyond powering up,” and now “cell phones and the services they provide are ‘such a pervasive and insistent part of daily life’ that carrying one is indispensable to participation in modern society.” Id. at *17 (quoting Riley v. California, 573 U.S. at —, 134 S. Ct. 2473, 2484, (2014)).
Chief Justice Roberts’s majority opinion claims that “[o]ur decision today is a narrow one” relating only to historical CSLI records. Id. at *17. However, the implications of this decision are manifold and far-reaching. Whereas before this line of cases had been Knotts dicta and Jones concurring opinions, now the Court has firmly declared that “individuals have a reasonable expectation of privacy in the whole of their physical movements” that will be protected from police intrusion by the Fourth Amendment. Id. at 12. In addition, whereas the Jones concurrence focused on “longer term GPS monitoring,” the Carpenter decision provided no guidance on the duration of the time period of cell phone location data that is protected by this Fourth Amendment right. What is more, the Court applied its ruling to historical CSLI records that had been originally collected and maintained by a private company for its own commercial purposes. Before now, private surveillance or data collection (even unlawful wiretapping) which had not been conducted at the Government’s behest was considered beyond the scope of the Fourth Amendment because that applies only to Government searches and seizures. See United States v. Jacobsen, 466 U.S. 109, 113-14 (1984).
Ultimately, Carpenter may have even greater implications for Fourth Amendment jurisprudence. In the seminal decision of Katz v. United States, 389 U.S. 347 (1967), the Court overruled earlier case law which limited Fourth Amendment protection to police trespassing upon one’s property and declared that the Fourth Amendment also protects a person’s reasonable expectation of privacy. In what became settled law, this “expectation of privacy” test required “that a person has exhibited an actual (subjective) expectation of privacy … that society is prepared to recognize as ‘reasonable.’” Id. at 361 (Harlan, J., concurring). At a basic level, this involved “draw[ing] a line between what a person keeps to himself and what he shares with others.” Carpenter, at *9. Although the Carpenter Court invoked the Katz test like always, their decision actually moved away from this classic analysis and embarked upon a different approach to the scope of the Fourth Amendment. Under Carpenter, the test is not “reasonable expectation of privacy” as such, but instead “reasonable expectation of privacy from the Government.” The touchstone is not protecting “what [one] seeks to preserve as private,” Katz, 389 U.S. at 351, but instead “‘plac[ing] obstacles in the way of a too permeating police surveillance.’” Carpenter, at *6 (quoting United States v. Di Re, 332 U.S. 581, 595 (1948)).
Another key feature of Carpenter is how the Court grapples with the technological and social changes of modern society. As observed in Justice Kennedy’s dissenting opinion, “[cell phone service] providers contract with their customers to collect and keep these [CSLI] records because they are valuable to the providers . . . [who] aggregate the records and sell them to third parties along with other information gleaned from cell phone usage.” Id. at *5 (Kennedy, J., dissenting). Likewise, customers routinely agree to share with private companies their GPS location data, web browsing habits, social networking communications, and all manner of sensitive personal data when using online services and connected devices. In such a world where personal information has become a proliferating commodity that is widely shared and utilized in the digital economy, the classic “reasonable expectation of privacy” test requiring actual privacy would, in the end, chip away at the Fourth Amendment as a bulwark against unfettered police surveillance. In this context, the Carpenter decision makes sense and may represent the future of the Fourth Amendment.
About the Author
Allen O’Rourke co-chairs the Privacy and Cybersecurity Team at Womble Bond Dickinson (US) LLP and is a Certified Information Privacy Professional (CIPP/US). He conducts cyber investigations and represents clients facing regulatory actions, consumer litigation, and business disputes arising out of cybersecurity incidents. Allen also handles data breach response, and he counsels clients concerning data privacy compliance, cybersecurity preparedness, and legal aspects of computer network defense. Prior to joining Womble, Allen was a cybercrime prosecutor who helped lead the Cyber Unit at the US Attorney’s Office in Washington, DC, where he received two Special Achievement Awards for his work to combat cybercrime.
[1] https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf. Page citations refer to this slip opinion.
[2] Section 2703(d) enables the Government to seek a court order requiring disclosure of certain “non-content” business records from an electronic communications service provider upon presenting “specific and articulable facts showing that there are reasonable grounds to believe that … the records or other information sought, are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d).