Editor’s Note (06/22/18): Scientific American is re-posting the following article, originally published November 28, 2017, in light of the U.S. Supreme Court’s ruling that law enforcement must first seek a warrant before obtaining historical cell phone location records from phone companies.

A case before the U.S. Supreme Court on Wednesday will tell a lot about how well the country’s privacy laws can protect people in the digital age. Carpenter v. United States specifically pits the privacy of information that wireless devices share with their service providers—the towers or “cell sites” devices connect to, the phone numbers they call and answer, and the time and length of those calls—against law enforcement’s authority to retrieve that data without a warrant.

Some background is helpful before diving into the case’s implications. In April 2011 the FBI in Detroit nabbed four suspects connected to a string of armed robberies at Radio Shack and (somewhat ironically) T-Mobile stores in Ohio and Michigan. One of the suspects later confessed and voluntarily turned over his cell phone so agents could review his calls. The FBI wanted more information about whom the suspect had been speaking to on his phone around the time the crimes were committed—but the bureau was unable to establish the probable cause it needed to get a search warrant for the info from his and his contacts’ wireless carriers.

However, federal magistrate judges determined the FBI had presented “reasonable” evidence that those records would be useful in its investigation, and they issued court orders under the 1986 Stored Communications Act (SCA) to compel the carriers to give the FBI that information. The main difference between a search warrant and the court orders used in Carpenter is that a warrant requires a higher threshold of proof that a government search will result in evidence related to a crime. The courts have decided that the government’s collection of cell-site records—created and maintained by defendants’ wireless carriers—is not a “search” under the Fourth Amendment, which protects the content of messages but not the metadata associated with their creation, movement and storage.

Without a warrant—but with the SCA court order in hand—the FBI compelled wireless carrier MetroPCS to provide about four months of location records for a smartphone owned by suspect Timothy Ivory Carpenter. The data identified the cell towers that handled calls to and from Carpenter’s phone. The FBI used that information to map 12,898 location points and determine the phone’s approximate location during the armed robberies—and found Carpenter had used his phone within a kilometer or so of several scenes at the time of the crimes, according to court records.

Right to Privacy?

To get a signal so it can make or receive a call, a cell phone establishes a radio connection with a nearby tower called a cell site. As the user moves, the device constantly scans nearby towers for the strongest signal. That interaction between cell sites and phones lets wireless carriers log and store details including a call’s date, time and length. Carriers also track the numbers involved, and the cell sites where a call began and ended. Prosecutors used information about Carpenter’s phone location and activity to help convict and sentence him to more than 116 years in federal prison, mostly over several gun violations.

Carpenter’s defense attorney Harold Gurewitz tried to get the lower courts to exclude information obtained from MetroPCS, arguing that the cell phone records could be seized only with a warrant supported by probable cause. Carpenter’s information was instead obtained in violation of the Fourth Amendment—which, among other things, protects people in the U.S. against “unreasonable searches and seizures”—Gurewitz said last week at a press briefing ahead of the Supreme Court hearing.

Carpenter v. United States is about “location tracking made possible by the devices we all carry with us,” American Civil Liberties Union (ACLU) attorney Nathan Wessler said at the press briefing. Wessler, who will represent Carpenter before the Supreme Court this week, added that one of his concerns is the government’s apparent message that there is little reasonable expectation of privacy when a person signs up for mobile phone service. As people continue to use their devices to send and store more sensitive data—about their finances and health records, for example—the courts must make sure law enforcement is held to the probable cause standard required to obtain a warrant, Wessler said.

Possible Outcomes

If the Supreme Court agrees with the lower courts’ rulings, it could encourage law enforcement to rely increasingly on warrantless court orders to access mobile data stored by wireless carriers. If the Supreme Court reverses the lower courts’ decisions and says a court-issued warrant is required for any customer cell phone information to be handed out, “then a very common practice will come to a screeching halt,” says Fred Cate, distinguished professor of law at Indiana University. This means there likely would be petitions to revisit criminal cases that were decided based on cell phone data obtained using the SCA, Cate warns, adding that the case “will send a shock wave” regardless of how the Supreme Court decides.

In a society saturated with cell phones “this case will likely have broad implications,” agrees Brian Owsley, a University of North Texas Dallas College of Law assistant professor and former U.S. magistrate judge. A recent Supreme Court case—United States v. Jones—determined that law enforcement needed a search warrant to use a tracking device. In another related case—Riley v. California—the court determined that officers needed a search warrant to examine the contents of a cell phone. Affirming Carpenter, however, would enable law enforcement to obtain a vast amount of data and personal information from people’s cell phones without a warrant, Owsley adds.

It is difficult to know whether the Supreme Court’s decision in the Carpenter case will be applied to forms of customer data outside of mobile phones, Cate says. He thinks the only way the court will address the notion that customers are voluntarily surrendering control of their data to tech companies and wireless carriers—known as the “third-party doctrine”—is if it chooses to specifically tackle that broader issue. Courts have interpreted the third-party doctrine to mean that, by sharing information or records with a company or some other organization, a person gives up any reasonable expectation that the information will remain private. More likely, Cate adds, the court will limit its discussion and decision specifically to stored data, because that is what is most relevant to the Carpenter case.