Coming soon to an appellate court near you: Can law enforcement avoid the strictures of the Fourth Amendment by purchasing cell phone location data from a commercial database rather than requesting the data from cell service providers? As of December 2020, the federal government believes that the answer is yes. The legality of this practice likely turns on whether, and to what extent, the U.S. Supreme Court’s third-party doctrine applies to data privacy in the digital age.
The Government’s Warrantless Use of Cell Phone Location Data
The Wall Street Journal and BuzzFeed News both reported that the Department of Homeland Security (DHS) has been purchasing cell phone location data from a government contractor that, in turn, buys the data from private marketing companies. Byron Tau & Michelle Hackman, “Federal Agencies Use Cellphone Location Data for Immigration Enforcement,” Wall St. J. (Feb. 7, 2020); Hamed Aleaziz & Caroline Haskins, “DHS Authorities Are Buying Moment-By-Moment Geolocation Cellphone Data to Track People,” BuzzFeed News (Oct. 30, 2020). The news outlets further report that DHS has done so in lieu of obtaining warrants to freely access the data as part of immigration enforcement efforts. Tau & Hackman, supra; Aleaziz & Haskins, supra.
In response, the House Committee on Oversight and Reform has opened an investigation into the practice, and several U.S. senators have requested that the DHS inspector general open an investigation as well. Byron Tau, “House Investigating Company Selling Phone Location Data to Government Agencies,” Wall St. J. (June 24, 2020); Letter from Ron Wyden et al., Sens., U.S. Senate, to Joseph V. Cuffari, Inspector Gen., Dep’t of Homeland Sec. (Oct. 23, 2020). The American Civil Liberties Union (ACLU) also has sued DHS under the Freedom of Information Act (FOIA) for records related to the practice. Complaint, ACLU v. U.S. Dep’t of Homeland Sec., No. 1:20-cv-10083 (S.D.N.Y. Dec. 2, 2020).
To date, DHS has acknowledged that it is buying access to individuals’ cellular data without a warrant. See Aleaziz & Haskins, supra; Letter from Wyden, supra. But the agency has not publicly disclosed its legal justification for doing so. According to BuzzFeed News, an internal DHS memorandum concludes that the practice does not implicate the Fourth Amendment under the U.S. Supreme Court’s third-party doctrine because the data is commercially available. See Aleaziz & Haskins, supra.
The Third-Party Doctrine and Carpenter
The text of the Fourth Amendment provides thus:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The Court has interpreted this text to protect against unreasonable searches and seizures by the government. The Founders drafted the amendment in “response to the reviled ‘general warrants' and ‘writs of assistance’ of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity.” Riley v. California, 573 U.S. 373, 403 (2014). As a result, “[w]hen an individual ‘seeks to preserve something as private,’ and his expectation of privacy is ‘one that society is prepared to recognize as reasonable,’” then “official intrusion into that private sphere generally qualifies as a search and requires a warrant supported by probable cause.” Carpenter v. United States, 138 S. Ct. 2206, 2213 (2018) (quoting Smith v. Maryland, 442 U.S. 735, 740 (1979)).
By contrast, no search occurs, and no warrant is required, for government intrusion into “[w]hat a person knowingly exposes to the public, even in his own home or office.” Katz v. United States, 389 U.S. 347, 351 (1967). For example, under the Court’s third-party doctrine, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith, 442 U.S. at 743–44.
The third-party doctrine stems from a pair of cases in the 1970s. In United States v. Miller, the Court held that the defendant had no legitimate expectation of privacy in certain bank records; and, therefore, a warrant was not required for law enforcement to access them. 425 U.S. 435, 440 (1976). The Court reasoned that “[a]ll of the documents obtained, including financial statements and deposit slips, contain[ed] only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.” Id. at 442. Then, in Smith, the Court held that law enforcement did not need a warrant to install and use a pen register, which disclosed the numbers dialed by a particular telephone. Smith, 442 U.S. at 742. The Court reasoned that “[a]ll telephone users realize that they must convey phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed.” Id. (internal quotation marks omitted).
In Carpenter, however, the Court declined to extend the third-party doctrine to cell phone location data obtained from a cell service provider. The Court held that, “[g]iven the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.” 138 S. Ct. at 2217. In particular, the Court held “that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through” such cell location data, regardless of “[w]hether the Government employs its own surveillance technology . . . or leverages the technology of a wireless carrier.” Id. As a result, “the Government must generally obtain a warrant supported by probable cause before acquiring such records.” Id. at 2221.
In so holding, the Court reasoned that “[m]apping a cell phone’s location . . . provides an all-encompassing record of the holder’s whereabouts,” which thereby “provides an intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations.” Id. at 2217 (internal quotation marks and citation omitted). The Court thus distinguished between “the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers today.” Id. at 2219. Moreover, the Court noted that cell phone users do not voluntarily turn over their location to service providers: “a cell phone logs a cell-site record by dint of its operation, without any affirmative act on the part of the user beyond powering up.” Id. at 2220.
Data Privacy in the Digital Age?
Here, DHS appears to have applied the third-party doctrine—and distinguished Carpenter’s rejection of it for cell phone location data—on the basis that the data is being purchased commercially rather than requested directly from cell service providers. No court has yet addressed whether the commercial availability of geolocation data impacts the reasonableness of an individual’s expectation of privacy in the data under the Fourth Amendment.
The import of the issue is significant. As documented by the New York Times, dozens of data companies use software in mobile phone apps to collect and store the precise geolocation data of millions of cell phone users every second of every day. Stuart A. Thompson & Charlie Warzel, “Twelve Million Phones, One Dataset, Zero Privacy,” N.Y. Times (Dec. 19, 2019). And, as noted by the Court, “cell phones and the services they provide are ‘such a pervasive and insistent part of daily life’ that carrying one is indispensable to participation in modern society.” Carpenter, 138 S. Ct. at 2220 (quoting Riley, 573 U.S. at 385). Indeed, for that reason, a panel of the U.S. Court of Appeals for the Ninth Circuit recently joined two Supreme Court justices in “question[ing] the continuing viability of the third-party doctrine under current societal realities.” United States v. Moalin, 973 F.3d 977, 992 (9th Cir. 2020) (quoting United States v. Jones, 565 U.S. 400, 417 (2012) (Sotomayor, J., concurring); Carpenter, 138 S. Ct. at 2262 (Gorsuch, J., dissenting)).
Amidst this uncertainty, legislatures have worked to safeguard the privacy of cell phone geolocation data, over and above the protections provided by the Fourth Amendment. For example, Congress has introduced a number of draft privacy bills and policy proposals in recent years. E.g., Geolocation Privacy and Surveillance (GPS) Act, S. 395 & H.R. 1062, 115th Cong. (2017). And California enacted the California Consumer Privacy Act of 2018, which includes explicit protections for cell phone location data. See Cal. Civ. Code § 1798.140(t), (v)(1)(G).
But until federal law prohibits the practice of purchasing cell phone location data from a commercial database to bypass the need for a warrant, or courts decide that the third-party doctrine does not apply, data privacy indeed may be for sale to federal law enforcement.
Robert Koch is of counsel at Tonkon Torp in Portland, Oregon.
Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).