E17: Carpenter Decision Builds Up Privacy from #SCOTUS

In this episode of “Are You DataSmart?” we examine the Supreme Court’s most important ruling on privacy in Carpenter v. United States. It is a major development in privacy law, laying the foundation for an interpretation of the Fourth Amendment that protects against generalized government surveillance by electronic means. Together with United States v. Jones, it brings Fourth Amendment jurisprudence into the digital age, and may well effect change in everything from mobile carrier terms of service to the fate of Privacy Shield.

PODCAST

TRANSCRIPT

Jay: “Are You DataSmart?” The weekly podcast on data security, information management, and all things related to the data you have, how to protect it and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. And today, we’re going to discuss the Carpenter Decision by the Supreme Court. Jay, this is a big deal for privacy. I’m kind of surprised by how much coverage it’s already gotten in Carpenter versus the United States. We have a new ruling on privacy that particularly talks about, from a Fourth Amendment perspective, whether or not location data currently provided by the CSLIS or cell site location information services, that’s when your cell phone makes a ping on a regular basis to individual cell towers to know which [crosstalk 00:00:55]…

Jay: “Can you give me a Ping, Vasili?…”

giphy-2
Christian: “One ping only, please.“… So, as it goes through, and that tells people they can triangulate, not necessarily with a ton of certainty where your data gets to or where your location is, I should say, but it’s close enough and it starts to really get into this decision whereby Carpenter was convicted. I think it was for a few hundred years or something on, you know, a bunch of Radio Shack robberies, allegedly. But that has now been overturned because of this. What are your initial thoughts on this? This is…has pretty far-reaching ramifications.

Jay: I think you can be sure that its long-term ramifications because the Supreme Court issued it in late June. The court sits from October till the end of June, there’ll be one more set of rulings that are going to come out, they’re coming out right now, but they save the really jam cases for the end of the term. They leave everybody in suspense and there’s, you know, crowds waiting and people are running out with the briefs because the Supreme Court doesn’t post them on their website until the judge, the justice who wrote the opinion, reads the summary from the bench. So, there are people, you know, live-blogging from the gallery at the Supreme Court when these things come out.

This is an important case. It’s an important case for a lot of reasons. I think for Mr. Carpenter, it probably won’t matter all that much. I think when he’s re-tried, he will probably be convicted. But under the circumstances, I think that you can be sure this is a case we’ll be talking about for a long time. And the reason is it’s a movement away from the line of cases that had existed before that sort of dealt with the nature of the privacy of data. And, you know, we’re going to get into it, but suffice to say from the outset, that this, you know, dealing with data has to be a central component of any privacy law regime. And I think the court made a big step into addressing data in the 21st century and how it relates to privacy.

Christian: And, you know, interestingly enough, I think there’s a lot going on in this case because it also has to do with how they track the data or they access to the records. So, my understanding is that the law enforcement compelled the cell companies to share historical data about where Mr. Carpenter was over a pretty long period of time. According to one article I saw, it’s about 127 days of information. But quite frankly, they have that data. If you’re on the same cell plan, one company would have that data for, potentially for some of us, I’ve been with the same carrier for a good decade, they literally know and have that data going back that far, and that data is not destroyed. And there are arguments, quite frankly, to keep that data legally available. Part of it is is that through triangulation and through access points and timeliness of connection, they can improve where they’re placing cell towers and cell data. But something that’s pretty interesting to me is this wasn’t even GPS signals, Jay, this was literally the cell connection, you know. It’s sort of the four bars, five bars or no bars if you’re in the Newark Airport, so no bars for AT&T there if you’re…so, that’s the attempt. That’s what we’re talking about is that ping.

From a data perspective, I’m very interested in this because there was even a comment, and I believe it’s from Chief Justice Roberts, around the historical nature of the data, not necessarily real-time data. And I find that absolutely fascinating. I know people are very concerned about privacy-wise of the real-time nature of their data. But if you were to download your GPS activity from Google Maps or Waze or others over the years, and many people have done this visually, to see where you’ve gone, jogged, walked, driven, flown over a period of years, that data is stored in an ongoing way at many of the app providers as well as GPS-enabled applications. But this one wasn’t even that, this was literally just, “Hey, you’re within this several block radius,” and they could show that with some level of certainty. What do you think the ruling means in terms of real-time data versus historical data?

Jay: Well, I think it was very important to the chief. You know, he came back to the fact that this is coming over and over and over again. That, you know, because this went back, there were 12,000 iterations of the CSLI data. You know, that was very meaningful for him. And under the circumstances, it limits the extent of the case, right? Owen Car [SP] who’s one of the leading privacy law experts in the country said a pretty good one-sentence summary of Carpenter is that you now have a right not to be monitored too much without a warrant. And, you know, that’s one of the things that the Chief Justice Roberts’ opinion will get you is it’ll give you some guidelines and move the ball forward. But you’re kind of like, “Well, what about this case?”

The chief is not the biggest proponent of bright-line rules, and I think he does that for a lot of reasons. A lot of them have to do with consensus-building on the court, something he and his predecessor were really committed to. And I think that’s one of the reasons why he’s in this opinion with, you know, the justices who are typically deemed the more liberal ones. So, Justice Breyer, Justice Ginsburg, Justice Kagan, Justice Sotomayor, you know. Why I see with them? Well, there’s a number of potential reasons, one being that if you’re the chief, when you join an opinion, you get to decide who writes it and you get to decide what the scope is. So, it might have been the case, you know, and this is like criminology or Vaticanology, figuring out what goes on at 1 First Street is tough, but he may have wanted to, you know, cabin some of the restrictions. And I can see that being a possibility. The Fourth Amendment brings out some strange bedfellows.

But I think knowing that there was all of this historical data, he tied it in the majority opinion to, you know, the generalized ability to detect where someone is, a persistent and infallible record of where you are and what you’ve done. And if you…you have to parse the opinion closely. He talks a lot about the right of the fourth…the Fourth Amendment right really being about the right against unwanted and pervasive government intrusiveness. And that’s interesting because that’s kind of not what Fourth Amendment jurisprudence has looked like over the past 50 years. There’s been a big change in this opinion. Because in the past, it was all the search had to do is be reasonable. Then it was some searches without a warrant were per se unreasonable. And then we got to this place in the ’60s, in the Katz decision where the court said famously, “The Fourth Amendment protects people, not places.” Because in the past, it had been your home was a high zone of privacy, but walking around on the street was a low zone of privacy. Katz was sort of…Katz shifted the question to be, “Do you have a reasonable expectation of privacy in this activity and what you’re doing and where you are?”

But Katz, you know, 30 years before the internet was pervasive and 50 years before, you know, ubiquitous tracking technology, and, you know, the persistent use of mobile devices, Katz could not have known the effect that compilations of data would have on the expectation of privacy. And Justice Gorsuch who descends, but kind of not really, Justice Gorsuch says,

“Nobody believes that the information that they’ve handed over to AT&T from their cell phone location data is going to just be handed over to the government.”

If you put that in the terms and conditions loudly and overtly that people read it, they would be terrified and no one would do it.

So, this reasonable expectation of privacy tests that’s existed for so long, we’re getting quietly, but nevertheless, firmly push back on that. And that’s fascinating because the long-term implications for what privacy law means in the Fourth Amendment context in this country are going to shift.

Christian: Well, so looking at it from that perspective, so recognize that the Fourth Amendment, the understanding in a digital age is evolving. We are stating…and I want to be careful here because I think there’s the concept of a place. But there is a concept of a digital place, right? A digital self. This doesn’t necessarily extend and say all data about people that is historically gathered is now in some way protected or must have, you know, a warrant in order for the government to access it. In fact, it looks like it still leaves the room open that for a seven-day period, that might still be able to get some of the CSLI data without a warrant.

So, I think there are some carve-outs here. And as you said, maybe perhaps that’s why Roberts stepped in in order to temper it in writing it. But when I look at this, I think it’s kind of fascinating. We’re living in between this world right now where we have Europe with GDPR, we have certain states, California, Vermont, stepping in to try and build their own privacy legislation. But the fascinating thing is this is yet another perspective, which is law enforcement or the government’s intrusiveness into your own life. And to some degree, we’re not only enabling this, but we’re actually asking for it on the front end of every terms and condition of every app that we download. So, as someone comes to the weather app, let’s say they download, you know, Weather, Channel Four News, whatever it is, weather apps are notorious for always getting people to not only turn on their GPS signal but to turn on their GPS signal at all times…

Jay: When you’re not even using the app.

Christian: When you’re not using it. Where a lot of other apps at this point have kind of been relegated to the bin of, “Hey, if I’m using you, sure, but if I’m not, nope, no, you can’t see it.” Weather apps, on the other hand, have a very high opt-in rate for it at all times. And seeing that, when they have access to that, this…I mean, talk about what the government would be able to access if they could just download or ask one of these app providers for this data because now you’re talking GPS signals, and we’re getting into what a few years ago was military-grade GPS, which can put the phone within less than one yard from its actual location, we’re starting to head down that path. So, do you think that this, not from a surveillance perspective, do you think this extends? Will this not just be sort of CSLI data, but will be any application? Because I think it would be a little bit sort of frustrating is if the government can’t go to the cell phone companies and ask for CSLI, does this by extension go over GPS-enabled apps? Is it safe to assume that?

Jay: I think, no. I think the likely…the fairest interpretation of this opinion is, you know, this is the way the common law works, right? We have to extrapolate from the limited words that we get in an opinion. But I think it would be…I think the stronger argument by a wide margin is that the FBI can’t now go subpoena under the Stored Communications Act, which is what they did, another dinosaur of the data security law. They can’t go subpoena your weather.com app or your Fitbit app to get the same information because if it’s doing the same thing, the source of the data is not necessarily all that relevant. And you got to remember this case concerned activities that took place in 2012. So, back then, the most consistent and most reliable source of location data was going to be your cell site location information.

Christian: Interesting.

Jay: Nowadays, of course, there’s so much more. I mean, the technology has advanced so rapidly in the last six years. So, I think it would be…it’s an unlikely winner to argue before a federal court, “I don’t need a warrant because this is not cell site location information.” GPS data, I think that’s all going to be swept up within this. I do want to cabin this a little bit by saying that the Fourth Amendment is about what government does, right? Christian, you’re talking about law enforcement in the government. This is not one of those instances where what your boss does or what happens in, you know, by private actors counts. So, you have to be mindful of the fact that this is only about what the government does, and the government can still go get a warrant. It’s not terribly difficult to get a warrant. They can go get a warrant, and then still get all this information anyway.

Christian: Yep. Yeah. And that’s an important distinction here. We’re not saying that this data is no longer available. It’s available just with, you know, the protective measure of having to go and receive a warrant to pursue it. I wanted to come back just before we start on the operation regarding real-time, and I think this is the last thing that we can end on is people are very worried about their real-time data. However, real-time data and location information is not really covered here. And as you said, I think it’s fascinating that Roberts kept coming back to this, but real-time data location to know where you are right now, that is the playground of the digital marketing universe at this point, and it’s a world of GDPR and others.

We’re getting to this point where knowing where you are exactly right now so I can put the right ad in front of the right person at the right time, as we all like saying the marketing space, that is not necessarily in this scenario. He really wanted people to understand that this is about the government or others knowing exactly where you are for the last three years and everything you’ve done, and that’s one of those really important aspects to it. But we’ll wrap up there. That’s it for this episode of “Are You DataSmart?” We look forward to continuing to follow this as people interpret the law. And tune in next time when we’re going to dive a little bit deeper into some of the European law that is finally coming from judgment, the first one in Germany.

Jay: Thank you, everyone.

Leave a Reply