Friday, 28 October 2016

Should Police Need A Warrant To Obtain Your Cellphone Location Data?

On TV and in the movies, when the police want location information on a suspect’s cellphone, the world-weary detectives just mosey into the office of a wireless company and bully/sweet-talk the receptionist into handing over this information by saying things like “You don’t want us to have to wait here while we get a warrant, do you?” In the real world, it’s not that simple, and the question of whether or not an actual warrant is needed has yet to be resolved.

The U.S. Supreme Court has recently been asked to hear a pair of similar but currently separate cases that involve suspects accused of robbery (why can’t these appeals ever involve more pleasant people?), but which also get to questions about the extent our constitutional privacy protections in the smartphone era.

Graham v. U.S.

The first of the two cases, Graham v. U.S., began with the police investigation into a string of armed robberies in and around Baltimore in early 2011. Aaron Graham and another man were arrested after being spotted in outfits and driving a vehicle that matched the description of the robbers in one incident.

After Graham was arrested, police suspected he was connected to other robberies in the area and obtained court orders to get the cell site location information (CSLI) for his phone from Sprint. This court order covered more than 200 days and some 29,000 points of information related to Graham’s movements.

He was ultimately charged with multiple counts of felony firearms possession, robbery, and other charges. In April 2012, he was found guilty by a jury.

On appeal to the Fourth Circuit, Graham argued that the CSLI data should not have been admitted into evidence.

The court order used to obtain these location records was granted under a Stored Communications Act (SCA) request.

To obtain a court order under SCA, law enforce is not required to demonstrate probable cause, but only that there are “specific and articulable facts” and “reasonable grounds to believe” the information sought will be “relevant and material” to an investigation. This is a lower standard of proof than is needed to obtain a search warrant.

The SCA also explicitly lists the sort of data that a wireless provider can be forced to turn over under such a court order: the user’s name, address, call records, length of service with that provider, phone number, and means and source of payment. The law does not include or exclude location data, nor does it spell out when an SCA-based search would require a warrant.

In Aug. 2015, the majority of a three-judge Fourth Circuit appeals panel agreed with Graham [PDF], ruling that the search of his CSLI records without a warrant violated his Fourth Amendment protections against illegal search and seizure.

“We hold that the government conducts a search under the Fourth Amendment when it obtains and inspects a cell phone user’s historical CSLI for an extended period of time,” explained the court. “Examination of a person’s historical CSLI can enable the government to trace the movements of the cell phone and its user across public and private spaces and thereby discover the private activities and personal habits of the user. Cell phone users have an objectively reasonable expectation of privacy in this information. Its inspection by the government, therefore, requires a warrant, unless an established exception to the warrant requirement applies.”

At the same time, the panel concluded that the lower court was right to allow the location records into evidence because law enforcement had acted in good faith by using the SCA court orders to obtain the data.

Even though the appeals court upheld Graham’s conviction, its ruling set a precedent — at least in the area covered by the Fourth Circuit — that law enforcement should obtain an actual search warrant for CSLI data going forward. Federal prosecutors disagreed, and appealed the panel’s decision to the entire Fourth Circuit.

Last May, the court issued an opinion [PDF] overturning the appeals panel ruling. The full Fourth Circuit concluded that “an individual enjoys no Fourth Amendment protection in information he voluntarily turns over to a third party.” So, because Graham’s location was already being shared with Sprint, he could have no reason to expect that Sprint would consider that data private.

“The Government did not surreptitiously view, listen to, record, or in any other way engage in direct surveillance of Defendants to obtain this information,” reads the ruling, which explains that the government might indeed be violating someone’s privacy by using technological devices to track their location, but that this was not the issue with Graham, where the CSLI data was used after the fact to check his locations against robberies he was suspected of being involved in.

“No government tracking is at issue here,” continues the opinion. “Rather, the question before us is whether the government invades an individual’s reasonable expectation of privacy when it obtains, from a third party, the third party’s records, which permit the government to deduce location information.”

Carpenter v. U.S.

The second case that the Supreme Court could take up involves Timothy Carpenter, a man convicted for his alleged role in a string of robberies in Ohio and Michigan in 2010 and 2011. Once again, police used SCA court orders to obtain phone records — this time from MetroPCS and T-Mobile — that were used at trial to demonstrate Carpenter and his alleged accomplice’s locations at the times these robberies occurred.

Unlike the Graham case, where a federal appeals panel initially ruled that such a warrantless search was unconstitutional, a Sixth Circuit Court of Appeals panel held in April 2016 [PDF] that while the law does protect individuals from warrantless searches of the content of a message, there is no expectation of privacy for “the information necessary to send” that message.

“The Fourth Amendment protects the content of the modern-day letter, the email,” explained the panel. “But courts have not (yet, at least) extended those protections to the internet analogue to envelope markings, namely the metadata used to route internet communications, like sender and recipient addresses on an email, or IP addresses.”

Similarly, ruled the Sixth Circuit, location data is a “business record” that falls outside the scope of Fourth Amendment protection.

“Those records say nothing about the content of any calls,” ruled the court. “Carriers necessarily track their customers’ phones across different cell-site sectors to connect and maintain their customers’ calls. And carriers keep records of these data to find weak spots in their network and to determine whether roaming charges apply, among other purposes. Thus, the cell-site data—like mailing addresses, phone numbers, and IP addresses—are information that facilitate personal communications, rather than part of the content of those communications themselves. The government’s collection of business records containing these data therefore is not a search.”

The Appeals

Lawyers for both Graham and Carpenter have petitioned the Supreme Court to finally decide this matter and hope that the nation’s highest court will reach the conclusion that SCA court orders are not adequate for obtaining cellphone location data.

The Graham petition [PDF] notes that the location data collected by the police in this case was so extensive as to paint a picture of virtually every move Graham made over a seven-month period:

“These records included information on 20,036 calls, 14,805 of which included location information,” reads the petition. “These 14,805 calls showed the government 29,659 location points. This data revealed an average of 134 location points per day, or approximately one location point every 11 minutes for seven months. Taken together, these records allowed the government to create a 221-day surveillance map of Mr. Graham’s movements at all times of the day and night, both inside and outside his home.”

This is because, unlike landline phones — or the few mobile phones that were in existence when the SCA was written 30 years ago — most of us now carry our cellphones with us all (or nearly all) the time.

Thus, contends the petition, “CSLI implicates privacy issues far beyond any location tracking case this Court has yet considered. Cell phones are only useful when carried in close proximity to their users, meaning that the location of a cell phone is a near-perfect proxy for the location of a person.”

The petition also contends that while the SCA was written during the very early days of the mobile phone era, the legislators who wrote the law were not imagining devices that are anything like your typical smartphone.

“In 1986… what is now routine was the stuff of science fiction,” argues Graham’s lawyers. “Mobile phones had only been commercially available for two years, at a cost approaching $4,000 per handset. The technological capacity to monitor and store location information for wireless calls would not even exist for about ten years, when the government and telecommunications providers entered into a joint protocol to develop and deploy hardware and software that enabled law enforcement to track people’s location using their cell phones.”

Because there is no overriding precedent that clearly states that all law enforcement is (or isn’t) required to get a search warrant, you end up with a patchwork of legal standards around the country, argues the petition.

“In Florida or New Jersey, whether the government must use a warrant or a subpoena depends on whether the request comes from federal or state agencies,” explains the Graham petition. “In Pennsylvania and Delaware, this issue is left to a magistrate judge’s discretion. In other jurisdictions, federal judges have asked for guidance from this Court, even though they have found that the Fourth Amendment’s warrant requirement does not apply.”

This argument is echoed in the Carpenter petition [PDF], which notes that the “five courts of appeals to consider the Fourth Amendment status of historical CSLI have generated 18 separate majority, concurring, and dissenting opinions, highlighting the need for this Court to act.”

“Without guidance from this Court, a cell phone user cannot know the scope of his constitutional protection, nor can a policeman know the scope of his authority,” continues that petition. “As law enforcement seeks ever greater quantities of location data and other sensitive digital records, the need for this Court to speak grows daily more urgent.”

Today, the Electronic Frontier Foundation, the Brennan Center for Justice at NYU School of Law, the Center for Democracy & Technology, the Constitution Project, and the National Coalition to Protect Civil Freedoms filed a joint amicus brief [PDF] that applies to both the Graham and Carpenter petitions.

The brief notes that, because wireless providers must be able to locate users in order to transmit data to their devices, phones are nearly constantly connecting to cell towers — anywhere from every few seconds to every few minutes. Thus, contend these organizations, CSLI data is not merely a byproduct of making a phone call, but a way to effectively track a user’s movements.

“Cell phones generate CSLI even in the absence of any user interaction with the phone” because of apps running in the background, explains the brief, which also points out that CSLI data has now gotten so specific as to be able to locate someone within 50 meters of their actual position.

The brief also paints a picture on the huge — and growing — number of CSLI requests made on wireless providers in the U.S. For example, Verizon is currently receiving around 50,000 CSLI requests a year, around two-thirds of which the company says are warrantless. The brief reminds the court that each CSLI request could seek information about multiple account.

“The amount of CSLI generated as a result of society’s reliance on cell phones means that law enforcement has access to an incredibly detailed picture of people’s private lives and associations,” explains the brief, pointing to a 2013 ACLU analysis that was able to use the CSLI data to figure out when Graham’s wife was probably visiting her OB/GYN.

“CLSI can give law enforcement far more information about a person’s movement than GPS tracking—cell phones go everywhere their owners go,” explains EFF Staff Attorney Andrew Crocker in an emailed statement. “If GPS tracking implicates Americans’ Fourth Amendment rights, prolonged cell-site data collection — which provides sensitive details about where we went, who we met with, and what we did —should also be protected against warrantless searches.”

There’s no guarantee that the Supremes will take up either or both of these cases. Lawyers for the federal government have yet to file their responses to either petition.


by Chris Morran via Consumerist

No comments:

Post a Comment