July 26, 2018
Your phone cannot be used to warrantlessly track your location, thanks to a recent Supreme Court decision—but law enforcement’s facial recognition software still can.
The Supreme Court recently handed down a landmark decision—one in favor of Americans’ right to privacy. Seven years after the government first collected Timothy Carpenter’s cell site location information (CSLI), the court ruled in Carpenter v. United States that those historical data are protected by the Fourth Amendment’s warrant requirement. CSLI data are created whenever your cellphone is turned on. In order to establish the strongest cellular connection possible, your phone is constantly “pinging” the closest cell tower, revealing your location with tremendous accuracy.
The Court used Carpenter as an opportunity to issue a stark warning to law enforcement: that it is skeptical of the warrantless collection of Americans’ data, and of the outdated theories that law enforcement employs to justify that collection. When it ruled that law enforcement must obtain a warrant before obtaining historical CSLI, it cautioned that “when the Government tracks the location of a cell phone it achieves near perfect surveillance,” and that the information it collects is “detailed, encyclopedic, and effortlessly compiled” “at practically no expense.”
And yet, despite this meaningful victory for privacy rights, the Court, in key ways, failed to extend warrant protections for the many other types of revealing data we now create in this increasingly connected world. As a result, it is important to consider what the recent decision achieved, yes, but also the work still to be done when it comes to bolstering online privacy.
Crucially, the Court’s privacy concerns led it to do two things. First, it decided that the Third Party Doctrine does not extend to CSLI. This doctrine says that you lose Fourth Amendment protections for your information if you voluntarily share it with a third party, like a phone company or a bank. This is why the government has been able to collect your financial records and information about whom you call and when you call them without obtaining a warrant. In its decision, the Court focused on how technology has changed over the last four decades. It found that because cell phones are essential to functioning in modern society, and because CSLI is created “by dint of their operation,” we cannot be considered to have voluntarily handed those data over to our cell phone company. As such, the Court “declined to extend” the Third Party Doctrine to that category of data.
Second, the Court decided that the Fourth Amendment’s warrant requirement protects historical CSLI. The justices in the majority were worried about how revealing that location information is, analogizing it to “attach[ing] an ankle monitor to the phone’s user.” They were also worried that CSLI represented just one example of the “seismic shifts in digital technology” that have taken types of data that were once limited and extremely expensive to collect, and made them voluminous and extremely inexpensive to collect. Put it this way: Without higher legal standards, large-scale surveillance based on thin justifications for suspicion will be the norm.
But while both decisions are indisputably important, the concerns about sweeping surveillance based on thin justifications extend far beyond historical CSLI. The technologies and services we use create troves of data that reveal almost every movement, affiliation, and social interaction. We trust the tech companies that hold those data to keep them private. However, even though the Court indicated that it is apprehensive about how other data are used for surveillance, it did not take concrete action to limit law enforcement’s ability to warrantlessly collect them.
Take location data. Even after Carpenter, there is a risk that warrantless location tracking can still occur. The Court was vague about when the warrant requirement is triggered if law enforcement is collecting historical CSLI. It was explicit that a warrant is required for collection of data that covers seven or more days, but it didn’t clarify whether the same legal standard would apply for a shorter time frame. The justices also didn’t rule on whether law enforcement must get a warrant before collecting real-time CSLI or so-called “tower dumps,” which divulge the data of every user whose device connects to a specific cell tower at a given point in time. Apart from CSLI, the government can still seek to approximate your physical location without a warrant by subpoenaing IP addresses from when your devices connect to the internet.
More than that, there are even newer forms of surveillance beyond what was covered in Carpenter. Most troubling is facial recognition software. It is typically not subject to any judicial oversight, and law enforcement increasingly uses it to monitor public spaces to identify whoever is in the vicinity. They can set up cameras equipped with facial recognition technology in heavily trafficked areas, strap them on drones or spy planes that they fly over marches and protests, or use the technology to analyze recorded video feeds. It enables the government to rapidly scan crowds for “suspicious” individuals and warrantlessly track them from place to place. With half of all American adults’ driver’s licenses and ID photos in police databases, it is more likely than not that the faces this unregulated technology scans will be identified—often incorrectly.
Carpenter also raises more questions about how law enforcement should handle the surveillance of other data created or stored online. The Electronic Communications Privacy Act of 1986 does not require the government to get a warrant to collect the contents of your online communications that are over 180 days old. Further, the government claims that your web browsing history doesn’t constitute communications contents, and thus is not subject to a warrant requirement, so long as it doesn’t collect the data after the slash. In other words, the government asserts that it does not need a warrant to learn that you visited www.plannedparenthood.com, but it would need a warrant to learn that you visited its “learn more: abortion” page. In the government’s view, your contacts, buddy lists, and communication logs are also not protected by a warrant requirement. And the list goes on. Whether it’s data created by Internet of Things devices like Amazon Alexa and smart television sets or DNA databases held by companies like 23andMe or Ancestry.com, Carpenter leaves many other types of personal data in legal limbo.
The American people can’t wait another seven years for the Court to address these new types of surveillance, or close the loopholes on law enforcement’s use of surveillance. Unless Congress or the courts act, the government may still argue that it is able to collect information about the most intimate details of our lives without a warrant—and sometimes without approval by a judge. The good news is that the Court’s powerful statement in Carpenter, that the Fourth Amendment should protect us in an increasingly connected world, lays the groundwork for future challenges to the warrantless collection of other types of data.
The bad news, though, is that law enforcement will continue to test the boundaries of its warrantless surveillance powers, and it could take years for the courts to answer the questions Carpenter raised about which types of data are protected and which aren’t. During the time the Carpenter case dragged on, CSLI became dramatically more precise and therefore more invasive. Several lawmakers see how urgent the need is for Congress to intervene, and have already introduced several bills on data and location privacy. The ball is now in their court to fill the gaps the justices left behind.