By LÉA NICOLAS
Carpenter v. United States, which was decided on June 22, 2018, asked the Supreme Court to address the constitutionality under the Fourth Amendment of the warrantless search and seizure of historical cell phone records revealing the location and movements of a cell phone user over the course of 127 days. The Court rightfully decided in the Appellant’s favor that the acquisition of his cell site location information qualified as a search under the Fourth Amendment. In so doing, the Supreme Court overruled the judgment of the United States Court of Appeals for the Sixth Circuit, which was based on an erroneous reliance on pre-digital age precedent, and affirmed the people’s reasonable expectation of privacy in cell phone location records.
The advent of cellular devices has revolutionized all aspects of society and human interaction, a reality with which the Fourth Amendment must come to terms. David Strauss, author of The Living Constitution, argues that the valued common law tradition upon which our legal system operates was born of an evolutionary process that takes into consideration societal realities when developing precedent. The social realities of today create a virtual requirement to own a cell phone. Given that the location information produced by mere ownership of this device can be used to track its user’s movement, it warrants protection as private data. Accordingly, the Court is correct in opining that the acquisition of longer-term cell site location information should constitute a search under the Fourth Amendment. However, this case is merely the tip of the iceberg in the privacy debate.
The right to privacy predates the technological era, promulgated in 1890 by attorney Samuel Warren and Supreme Court Justice Louis Brandeis in The Right to Privacy. While the Constitution does not grant an explicit right to privacy, various Amendments, namely the Fourth, and precedent have recognized it as a fundamental right. In 1928, Justice Brandeis famously advocated for the “right to be let alone” as “the most comprehensive of rights and the right most valued by civilized men.”[i] The right to privacy was further codified in American common law in landmark cases such as Griswold v. Connecticut (1965) and Roe v. Wade (1972), as well as in various state constitutions. In Katz v. United States (1967), Justice Harlan developed the Reasonable Expectation of Privacy Test, which remains a fundamental component of Fourth Amendment analysis. The test has two requirements, government violations of which constitute a violation of an individual’s Fourth Amendment right. The requirements consist of a) an individual’s demonstration of a subjective expectation of privacy; and b) society’s plausible recognition of this expectation as reasonable.[ii]
In this case, Timothy Carpenter had an expectation that his cell phone location records would not be made available to the government for a minute-by-minute tracking of his whereabouts without proper judicial oversight. This Court’s precedent has identified an identical expectation in society. As technology has “lowered the cost of government surveillance” and removed barriers to previously private information, this Court has recognized that the rapid nature of technological advancement renders necessary a preservation of the “degree of privacy against government that existed” prior to the emergence of new technology.[iii]
Society’s expectation of privacy is also supported by the “everyday expectations of privacy that we all share” in terms of our data.[iv] Until the digital age, most individuals simply expected privacy in their homes and in other places “where they made an effort to be out of earshot of others.”[v] As Justice Alito said, “the greatest protections of privacy were neither constitutional nor statutory, but practical” given the lack of technology.[vi] Essential to Justice Brandeis’ definition of the right to privacy is the condition of anonymity, made possible by this lack of technology. While an individual is reasonably aware that his or her movements might be observed while in the public square, his or her expectation of privacy is predicated on the assumption that those movements are insignificant to onlookers. When technology infringes on this expectation of anonymity, so too does it infringe on the right to privacy.
To date, “[s]cience has brought forth far more effective devices for the invasion of a person’s privacy than the direct and obvious methods of oppression which were detested by our forebears and which inspired the Fourth Amendment.”[vii] At present, approximately 75% of smartphone users “report being within five feet of their phones most of the time.”[viii] Therefore, CSLI can “provide an intimate picture of one’s life,” State v. Earls, including visits that are assumed to be “private,” such as those to a priest or to a gynecologist. United States v. Davis. From this information can be inferred the “people and groups [individuals] choose to affiliate with and when they actually do so.” Commonwealth v. Augustine. CSLI can also be used to determine if an individual is in a private residence. This information collection “falls within the ambit of the Fourth Amendment when it reveals information that could not have been obtained through visual surveillance” from a public location, such as confirmation regarding whether “a particular article is actually located at a particular time in the private residence.”[ix]
However, the Sixth Circuit decided that CSLI records were not deserving of Fourth Amendment protection based on the precedent set in Smith v. Maryland and United States v. Miller, pre-digital age cases that together form the basis for the “third-party” doctrine. This legal principle dictates that when an individual voluntarily shares information with a third party, that third party is absolved of the responsibility to protect that information.[x] According to this argument, because Carpenter signed MetroPCS’ terms of agreement in order to use its services, he no longer had a proprietary interest in the data created by his movements. This application of the third-party doctrine is erroneous because CSLI is more sensitive than the information involved in those cases and, more importantly for future cases, is not voluntarily given.
Cell phone users do not voluntarily provide cellular service providers with their location information in a meaningful way. Location information is generated not only when a cell phone user actively engages with the device, such as placing a call, but also when his or her device involuntarily receives a call or social media updates. Therefore, “the analog-era notion that transmission of data to a third party is necessarily “voluntary” conduct that precludes Fourth Amendment protection should not apply in a world where devices and applications constantly transmit data to third parties by dint of their mere operation.”[xi]
“No constitutional doctrine should presume that consumers assume the risk of warrantless government surveillance simply by using technologies that are […] increasingly integrated into modern life.”[xii] In fact, it can be argued that cellular devices are becoming necessary to meaningful participation in society given that 95% of Americans own a cellphone.[xiii] Many employers require their employees to be within digital reach in and out of the office, rendering cell phones vital to a professional career in most cases. Furthermore, cell phones are increasingly becoming tools of personal safety and health, capable of “monitor[ing] bodily functions and transmit[ting] data to doctors in real time.”[xiv] The FCC also reports that approximately 70% of 911 calls are placed using wireless phones, assigning cell phones significance beyond tools of personal and recreational communication.[xv] Therefore, as smartphones become essential tools of survival, “people should not be forced to choose between their privacy and their safety, health, or livelihood.”[xvi]
While the Court defended the people’s right to privacy in reversing the Sixth Circuit’s judgement, its work is not yet finished. The advent of the Internet of Things and smart home devices comes to mind as an example of technology that has begun to pose a significant privacy threat to “the right of the people to be secure in their … houses.”[xvii] Those who oppose this ruling might still contend that CSLI records are not the property of the customer if he or she signs ownership of the data to the cellular service provider via their terms of agreement. However, the recent debate regarding the use of legalese highlights the deceptive nature and decreasing legitimacy of these contracts. The right to privacy, “terms of agreement” and technology companies’ legal responsibility to their customers as titans of a traditionally unregulated sector must be explored in light of the implications of Carpenter v. United States.
Technology companies have notoriously skirted Congress’ requirement of explicit customer consent for the disclosure of their data by cornering consumers with terms of agreement written in “legalese.” While the Supreme Court has yet to address a case based on the use of legalese, trends in both the public and private sectors indicate a growing awareness and rejection of this practice. In 2010, Congress passed and President Obama signed the Plain Writing Act, which aims to “promot[e] clear government communication that the public can understand and use.”[xviii] Perhaps the largest affront to the use of legalese and other barriers to meaningful consent came in the form of Europe’s General Data Protection Regulation (GDPR), implemented in May of 2018. Having already affected the business practices of many American companies, GDPR “signals a new age for the protection of privacy.”[xix]
Given that the terms of agreement of third-party service providers are generally designed to minimize the customer’s understanding of their implications and often do achieve this goal, it should be the implied contract of privacy between a customer and his or her service provider that prevails in this case. Justice Louis Brandeis established that in some cases where protection of an individual’s right to privacy should be afforded, jurisdiction can be asserted “not on the ground of property, or at least not wholly on that ground, but upon the ground of an alleged breach of an implied contract or of a trust or confidence.”[xx] As was discussed earlier, state and federal laws currently reflect “public attitudes” toward the expectation of privacy in cell phone location records, which was confirmed in this Court’s ruling in Jones based on the “everyday expectations of privacy that we all share.”[xxi] This expectation of privacy is not unfounded. To the contrary, it is, rather ironically, largely based on the marketing strategies employed by the most pervasive technology companies of this era. Apple’s self-publicized refusal to compromise the security of its encryption technology by helping the FBI decrypt a terrorist’s iPhone password[xxii], Facebook’s $13 billion drop in stock upon the reveal of its data breach by Cambridge Analytica, and Google’s recent nationwide marketing campaign emphasizing its commitment to data privacy all contribute to the individual’s, and to society’s, reasonable expectation of privacy and form the practical basis for a claim of an “implied contract,” “trust,” or “confidence” regarding privacy between customer and service provider.[xxiii]
Therefore, it can be argued that companies illegitimately obtain ownership of customers’ data via the use of intentionally confusing terms of agreement that fail to produce meaningful consent. Furthermore, the marketing ploys of these very companies have led customers to develop a confidence in the companies’ ability and desire to protect their data, thereby creating an “implied contract” of privacy between consumer and provider that heightens the reasonable expectation of privacy. This implied contract was breached when law enforcement obtained Timothy Carpenter’s CSLI with a mere court order and violated his Fourth Amendment right to privacy.
Nevertheless, while this post has argued against warrantless access to private data, it does not aim to minimize the problems posed by technology to the United States’ law enforcement capability. The Going Dark debate is legitimate and highly pertinent to this case, as law enforcement is increasingly unable to gain access to evidence for which it has legally obtained a warrant due to increased technological barriers. For more information regarding the problem of Going Dark, please see Susan Hennessey’s Lawfare article on the subject.
[i] Olmstead v. United States, 277 U.S. 438, 478 (1928)
[ii] Expectation of Privacy. Legal Information Institute. https://www.law.cornell.edu/wex/expectation_of_privacy
[iii] Carpenter, Brief for Petitioner, 15
[iv] Minnesota v. Olson, 495 U.S. 91, 98 (1990)
[v] Hon. Fogel, J. A Reasonable Expectation of Privacy. AMERICAN BAR ASSOCIATION https://www.americanbar.org/groups/litigation/publications/litigation_journal/2013-14/spring/a_reasonable_expectation_privacy/
[vi] United States v. Jones, 132 S. Ct. 945, 963 (2012)
[vii] Goldman v. United States, 316 U.S. 129, 139 (1942) (Murphy, J., dissenting)
[ix] United States v. Karo (1984)
[x] Lynch, J. Symposium: Will the Fourth Amendment protect 21st-century data? The court confronts the third-party doctrine – SCOTUSblog. SCOTUSblog. http://www.scotusblog.com/2017/08/symposium-will-fourth-amendment-protect-21st-century-data-court-confronts-third-party-doctrine/
[xiv] Eric J. Topol. The Future of Medicine Is in Your Smartphone. THE WALL STREET JOURNAL. https://www.wsj.com/articles/the-future-of-medicine-is-in-your-smartphone-1420828632
[xv] 911 Wireless Services. FEDERAL COMMUNICATIONS COMMISSION https://www.fcc.gov/consumers/guides/911-wireless-services.
[xvi] Carpenter, Brief for Petitioner, 42.
[xvii] Fourth Amendment of the Constitution of the United States
[xviii] S. Burton. Why It’s Time to Kill Legalese. HARVARD BUSINESS REVIEW. https://hbr.org/2018/01/the-case-for-plain-language-contracts
[xix] A. Ahmed. Employee Data Privacy In The GDPR Era: What You Should Know. FORBES. https://www.forbes.com/sites/ashikahmed/2018/05/02/employee-data-privacy-in-the-gdpr-era-what-you-should-know/#5f3ee7345c5c