22
Jun 18

Supreme Court: Police Need Warrant for Mobile Location Data

The U.S. Supreme Court today ruled that the government needs to obtain a court-ordered warrant to gather location data on mobile device users. The decision is a major development for privacy rights, but experts say it may have limited bearing on the selling of real-time customer location data by the wireless carriers to third-party companies.

Image: Wikipedia.

At issue is Carpenter v. United States, which challenged a legal theory the Supreme Court outlined more than 40 years ago known as the “third-party doctrine.” The doctrine holds that people who voluntarily give information to third parties — such as banks, phone companies, email providers or Internet service providers (ISPs) — have “no reasonable expectation of privacy.”

That framework in recent years has been interpreted to allow police and federal investigators to obtain information — such as mobile location data — from third parties without a warrant. But in a 5-4 ruling issued today that flies in the face of the third-party doctrine, the Supreme Court cited “seismic shifts in digital technology” allowing wireless carriers to collect “deeply revealing” information about mobile users that should be protected by the 4th Amendment to the U.S. Constitution, which is intended to shield Americans against unreasonable searches and seizures by the government.

Amy Howe, a reporter for SCOTUSblog.com, writes that the decision means police will generally need to get a warrant to obtain cell-site location information, a record of the cell towers (or other sites) with which a cellphone connected.

The ruling is no doubt a big win for privacy advocates, but many readers have been asking whether this case has any bearing on the sharing or selling of real-time customer location data by the mobile providers to third party companies. Last month, The New York times revealed that a company called Securus Technologies had been selling this highly sensitive real-time location information to local police forces across the United States, thanks to agreements the company had in place with the major mobile providers.

It soon emerged that Securus was getting its location data second-hand through a company called 3Cinteractive, which in turn was reselling data from California-based “location aggregator” LocationSmart. Roughly two weeks after The Times’ scoop, KrebsOnSecurity broke the news that anyone could look up the real time location data for virtually any phone number assigned by the major carriers, using a buggy try-before-you-buy demo page that LocationSmart had made available online for years to showcase its technology.

Since those scandals broke, LocationSmart disabled its promiscuous demo page. More importantly, AT&T, Sprint, T-Mobile and Verizon all have said they are now in the process of terminating agreements with third-parties to share this real-time location data.

Still, there is no law preventing the mobile providers from hashing out new deals to sell this data going forward, and many readers here have expressed concerns that the carriers can and eventually will do exactly that.

So the question is: Does today’s Supreme Court ruling have any bearing whatsoever on mobile providers sharing location data with private companies?

According to SCOTUSblog’s Howe, the answer is probably “no.”

“[Justice] Roberts emphasized that today’s ruling ‘is a narrow one’ that applies only to cell-site location records,” Howe writes. “He took pains to point out that the ruling did not ‘express a view on matters not before us’ – such as obtaining cell-site location records in real time, or getting information about all of the phones that connected to a particular tower at a particular time. He acknowledged that law-enforcement officials might still be able to obtain cell-site location records without a warrant in emergencies, to deal with ‘bomb threats, active shootings, and child abductions.'”

However, today’s decision by the high court may have implications for companies like Securus which have marketed the ability to provide real-time mobile location data to law enforcement officials, according to Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, a nonprofit digital rights advocacy group.

“The court clearly recognizes the ‘deeply revealing nature’ of location data and recognizes we have a privacy interest in this kind of information, even when it’s collected by a third party (the phone companies),” Lynch wrote in an email to KrebsOnSecurity. “I think Carpenter would have implications for the Securus context where the phone companies were sharing location data with non-government third parties that were then, themselves, making that data available to the government.”

Lynch said that in those circumstances, there is a strong argument the government would need to get a warrant to access the data (even if the information didn’t come directly from the phone company).

“However, Carpenter’s impact in other contexts — specifically in contexts where the government is not involved — is much less clear,” she added. “Currently, there aren’t any federal laws that would prevent phone companies from sharing data with non-government third parties, and the Fourth Amendment would not apply in that context.”

And there’s the rub: There is nothing in the current law that prevents mobile companies from sharing real-time location data with other commercial entities. For that reality to change, Congress would need to act. For more on the prospects of that happening and how we wound up here, check out my May 26 story, Why is Your Location Data No Longer Private?

The full Supreme Court opinion in Carpenter v. United States is available here (PDF).

Tags: , , , , , , , , , , , , , ,

24 comments

  1. I see in the near future legislation to try and get around this!

    • Productive legislation means Congress would have to get their noses out of the lobbyists feed buckets and put the good of the private citizen above their desire for re-election. I don’t think this is likely. Our Congress is the best money can buy, just ask any telecom lobbyist.

  2. I’m glad to see the ‘third party dictrine’ has finally been knocked down a notch. Hopefully the influence of this ruling will spread to other third party information holders, and eventually it will be illegal to obtain banking and other info. without a warrant. Information is sometimes more valuable and private than physical possessions.

    On a side note: Brian, could you please optimize your website for mobile devices? I have to zoom in just to read the articles and then move the page from side to side to get through a sentence. Unless the article looks extremely interesting, I usually pass it up because it’s such a chore to read on this site. You have great content and I’d like to read more.

  3. Oh, the irony! The government can’t track you, but businesses can. Reminiscent of many years ago (you may be too young) when there was concern about the abuse of SSNs. Laws were passed restricting how the government could use Social Security Numbers, but it did not restrict how businesses could use them.

  4. The Sunshine State

    Me being a libertarian this is a Fourth Amendment “win win ” for the American people

  5. 3rd party shmerd party

    I am shocked to see this ruling. So Happy. Freedom actually still means something to the judicial branch, or at least 5 out of 9 of the justices. Shame on you other 4.

    Still allows 6 days which is still unaccpetable, but at least it’s an improvement.

    • Read Gorsuch’s dissent. His problem with the majority was that he doesn’t want Third Party doctrine fixed – he wants it abolished entirely.

    • Occam's Sock 'em Robot

      Yeah, just like when they ended MKULTRA. “No one ever seizes power with the intention of relinquishing it.” ~ from Orwell’s “1984”

  6. Possibly not as big a win as one might hope, see response from Barry Friedman in NYT op-ed (paywalled):
    https://www.nytimes.com/2018/06/22/opinion/the-worrisome-future-of-policing-technology.html

    Basically, Roberts made it clear that that the narrowness is a reflection that privacy issues need legislative action. Friedman argues that the 4th amendment as interpreted by courts is not going to reach far enough.

    • Exactly. This is a “win” in the case, but for the thousands of cases that will rely on the decision I would go so far as to call it a step back. The only bright side is that Sotamayer seems skeptical of Third Party doctrine, and Gorsuch’s brilliant dissent (he thought the majority opinion was such crap that he wanted no part of it, although he probably would have joined if another vote was needed to “win”) is a spectacular takedown of why the Third Party doctrine should never have existed in the first place – whether you’re philosophically an originalist, and “living document” proponent, a consequentialist, or whatever. Supreme Court justices don’t go around saying “this is all f#@#ng bull!#$@,” but Gorsuch gets about as close as he can to that, and suggests strategies attorneys might use in future cases to better undermine Third Party.

  7. Are you excited to see privacy legislation move forward in California?

    Bill Could Give Californians Unprecedented Control Over Data
    https://www.wired.com/story/new-privacy-bill-could-give-californians-unprecedented-control-over-data

    California State Senator Robert Hertzberg said:
    “Once this is done, you’ll see a copy of this bill passed in all 50 capitals.”

  8. Yeah, good luck with that:

    https://en.wikipedia.org/wiki/Parallel_construction

    I’m sure the spooks are laughing their heads off. I would be.

  9. Some more thoughts on Carpenter v. United States at The Volokh Conspiracy blog which, despite its goofy-sounding title, is comprised of some super-heavyweight legal minds. For example: the work of USC Professor Orin Kerr, a regular contributor who offers the analysis linked below, is referenced half a dozen times in the Carpenter decision itself.

    http://reason.com/volokh/2018/06/22/first-thoughts-on-carpenter-v-united-sta

  10. Bard of Bumperstickers

    I feel so much safer.

  11. Interesting. Basically, that, now the police have to show a cause of why this information is needed. Without the warrant, it’s location value is worthless in court, this just reinforces the old rules and applies location technology to the case. If the phone was on, and not there, maybe have to hunt another suspect.
    And, that would have to be shared with the defense.

  12. Not sure how this is a big “win”. I’ve been in LE for almost 25 years and have ALWAYS had to get a warrant for that information. Never had a single company just voluntarily give it up when asked. Don’t know who is giving it freely just for the asking but prosecutors here would never allow use of that information in court without a warrant. I guess the three letter agencies maybe are getting it but no state or local ones that i know of.

    • You’d have to pay for it, Im guessing thats why local LE doesnt have that info at the ready without a warrant.

    • The case in question involved the FBI and the Stored Communications Act, which requires them to go before a judge but doesn’t carry the same burden as a warrant, which they couldn’t muster enough probable cause to get.

      This ruling is entirely about getting access to historical records. It says nothing about getting access to records in real time (hence the exceptions mentioned).

      As far as Securus Technologies goes, among others they were selling access to LE. Their user database was compromised so that information is out there floating around the internet someplace, which is where the information about who was using their services comes from. Just because your area didn’t cut corners doesn’t mean everyone everywhere was as honest and diligent. There are courts where people are being arrested and sent to jail for debts owed to debt collectors. As in criminal charges being brought over civil violations. If they’re going to cut a corner that big, I could see them using Securus.

    • It’s a huge win.

      The carriers were using third parties to provide location data on request. No warrants. Not even a subpoena from a grand jury. Simply based on official – looking letterhead.

      There are dirty cops and unethical district attorneys who would not tell defendants how they got the information, since no warrant was ever filed. Since 99% of cases are plead out, they’re rarely caught.

      And until now, most judges in the 1% of cases going to trial had no precedent to reject illegally obtained location data.

      Now there is a precedent to say that the provision of location data without a warrant is a privacy violation. This will put pressure on DAs and cops, as well as carriers, who could face liability for ignoring precedent in the future.

  13. This is a big win. Allowing people/organizations to share your location is a huge problem and puts people in jeopardy…