Late last week, the Supreme Court ruled that the government obtaining cell site location information (CSLI) from a telephone company constitutes a Fourth Amendment “search,” and requires a warrant. The 5-4 ruling in favor of petitioner Timothy Carpenter is the latest in a string of seminal data privacy cases working their way through the U.S. court system.
Factual and Procedural Background
In 2011, law enforcement officials arrested four men accused of robbing a series of Radio Shack and T-Mobile stores in Detroit. Based on information and call records provided by a cooperating suspect, prosecutors applied for warrants to obtain the cell phone records of Timothy Carpenter and several other suspects under the Stored Communications Act (SCA).
The court subsequently issued two orders compelling MetroPCS and Sprint, Carpenter’s cell phone providers, to disclose cell site location information for Carpenter’s cell phone. By triangulating thousands of disclosed data points, the government confirmed that Carpenter was present at the site of the robbery at the precise moment when the robbery occurred. He was later convicted on all but one of the firearm counts and sentenced to over 100 years in prison.
The case proceeded to the Court of Appeals for the Sixth Circuit. The appeals court affirmed the lower court’s ruling, reasoning that Carpenter forfeited his “reasonable expectation of privacy” when he shared his location data with his wireless carriers.
Implications for Foreign Surveillance and Intelligence-Gathering
On June 22, the Supreme Court reversed and remanded the Sixth Circuit’s decision in a 5-4 ruling. Writing for the majority, Chief Justice John Roberts cautioned against drawing conclusions on the broader implications of the Carpenter decision, including with regard to foreign surveillance. He wrote:
This decision is narrow. It does not express a view on matters not before the Court; does not disturb the application of Smith and Miller or call into question conventional surveillance techniques and tools, such as security cameras; does not address other business records that might incidentally reveal location information; and does not consider other collection techniques involving foreign affairs or national security.
Nonetheless, commentators have begun to cautiously foretell what Carpenter may mean for data collection and surveillance in national security and international criminal enforcement contexts. In a blog post for Lawfare, David Kris considers the implications for single-user collection of CSLI under the Foreign Intelligence Surveillance Act as well as bulk collection of non-location call data and metadata under FISA and the USA Freedom Act of 2015. Under the third-party doctrine, courts have generally held that a person loses the reasonable expectation of privacy when he or she voluntarily discloses information to a third party, such as an ISP. Kris sees Carpenter, however, as drawing a distinction between records obtained via 21st-century technology, such as CSLI, and those obtained via 20th-century means. “The gravamen of the decision in Carpenter,” he writes, “is that retrospective, comprehensive, long-term CSLI is materially distinguishable from old-school business records traditionally obtained without a warrant from third parties.”
Kris argues that Carpenter carves out an exception from the third-party doctrine for records that rely on 21st-century technology, such as CSLI. He distinguishes 21st-century records from the more traditional 20th-century records, such as telephone toll records and financial documents, on the grounds that the former are more invasive and are not explicitly disclosed to a third party by the data subject. With regard to both single-user and bulk foreign intelligence collection, Kris predicts that the presence of modern 21st-century technologies in the collection process will determine whether a particular act of foreign intelligence collection constitutes a Fourth Amendment search post-Carpenter.
Still, speculating on what Carpenter may mean in a national security or international enforcement context is difficult, if not impossible. The details of national security-related cases implicating data privacy are particularly sensitive; crucial case-specific details thus remain classified. Without those details, it becomes challenging to accurately predict how the courts will rule across cases that differ in the type of data obtained by the government, the purpose of the data collection, the sheer scope of collection, and other key characteristics.
In the upcoming terms, the Court is likely to agree to hear more cases that implicate law enforcement’s access to e-evidence, both stored domestically and abroad, and the individual’s right to privacy. Thus far, the Roberts Court seems intent on preserving the balance between those two competing interests, even as technology progresses. This Court has steered clear, however, of updating relevant statutes, such as FISA and the SCA, to better take into account the capabilities of 21st-century technologies – that is a job it considers better suited for Congress.