EPIC - Carpenter v. United States

Carpenter v. United States

Whether the Fourth Amendment Permits the Government to Obtain Six Months of Cell Phone Location Records Without a Warrant

Background|
EPIC's Interest|
Legal Documents|
Resources|
News

FCC Proposes Fines for Wireless Location Data Violations: Today the FCC announced proposed fines against T-Mobile, AT&T, Verizon, and Sprint for selling customers' location information. FCC Chairman Ajit Pai said: "This FCC will not tolerate phone companies putting Americans' privacy at risk." The companies are given an an opportunity to respond to the FCC before the Commission makes a final decision. EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed an amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information. (Feb. 28, 2020)
Victory for Privacy: Supreme Court Says Cell Phone Location Records Protected Under Fourth Amendment: In a landmark ruling, the U.S. Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. The government in Carpenter v. United States had obtained more than 6 months of location records without a warrant. EPIC filed a "friend-of-the-court" brief in Carpenter, signed by thirty-six technical experts and legal scholars, urging the Court to recognize that the "world has changed since Smith v. Maryland" was decided. EPIC argued that "Cell phones are now as necessary to the life of Americans as they are ubiquitous" and that users expect their location data will remain private. The Court agreed, in a decision by the Chief Justice, emphasizing the importance of protecting privacy as technology advances: "As technology has enhanced the Government's capacity to encroach upon areas normally guarded from inquisitive eyes, this Court has sought to 'assure[ ] preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.'" The Court held that "an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through" a cell phone. Dissenting opinions were filed by Justices Kennedy, Thomas, Alito, and Gorsuch. (Jun. 22, 2018)

More top news »

Report Details EU States' Use of Automated Decision-Making During Pandemic » (Sep. 2, 2020)

In a report released this week, AlgorithmWatch analyzed how 16 countries throughout the European Union have adopted automated decision-making tools in response to the COVID-19 pandemic. Deployment of these tools is widespread across the EU, including voluntary exposure notification apps, a mandatory app recently greenlit by Slovenian government, and an app used in Poland and Hungary that relies on geolocation and face surveillance to enforce quarantine rules. The report notes that the effectiveness of automated contract tracing "lack[s] hard evidence . . . even months after the first deployments." EPIC has published recommendations on preserving privacy during the pandemic and has called on Congress to establish privacy safeguards for digital contact tracing.

Unsealed Documents: Google Employees Knew Location Privacy Settings Were Misleading » (Sep. 1, 2020)

Documents recently disclosed in Arizona's consumer protection lawsuit against Google show that the company's employees admitted Google's location privacy settings were "confusing" and potentially misleading. The suit, brought by Arizona Attorney General Mark Brnovich, alleges that Google violated the Arizona Consumer Fraud Act by collecting and storing location data on mobile devices—even after users believed they had turned off location tracking. A newly-unsealed version of Arizona's complaint reveals that Google employees knew the interface was "[d]efinitely confusing from a user point of view[.]" One employee wrote that Google's interface "feels like it is designed to make things possible, yet difficult enough that people won't figure it out." In July, twenty-seven members of EPIC's advisory board signed a letter urging the court to reject Google's efforts to delay a decision on unsealing the documents. In 2018, EPIC told to the Federal Trade Commission that Google's surreptitious tracking of user location data violated the FTC's 2011 Google consent order. The 2011 settlement with Google followed a detailed complaint brought by EPIC and a coalition of consumer organizations.

D.C. Circuit Reverses District Court Ruling on Unsealing Electronic Surveillance Records » (Jul. 13, 2020)

Last week, the D.C. Circuit reversed a lower court decision and ruled that electronic surveillance records in closed federal investigations are subject to public access. Investigative journalist Jason Leopold and the Reporters Committee for Freedom of the Press litigated for years to unseal electronic surveillance records that allow law enforcement to collect different types of electronic information for surveillance, including metadata about a telephone subscriber's activity or cell site location information. The lower court incorrectly determined that administrative burden to providing public access to these seal records was enough to justify the interminable sealing of these records. But the D.C. Circuit reversed the lower court's decision stating "although administrative burden is relevant to how and when documents are released, it does not justify precluding release forever...Production may be time-consuming, but time-consuming is not the same thing as impossible." The D.C. Circuit noted that providing public access to judicial records like the electronic surveillance records at issue "is a fundamental element of the rule of law" and "is the duty and responsibility of the Judicial Branch." EPIC is currently litigating a case against the Department of Justice seeking the public release of information about the agency's collection of cell site location information through "§ 2703(d) orders" and warrants. The case is EPIC v. DOJ, No. 18-1814 (D.D.C.)

EPIC Obtains Records about Utah's Contact Tracing App; State Hasn't Conducted Privacy Audit of App » (May. 29, 2020)

Through a Freedom of Information request, EPIC has obtained records concerning Utah’s "Healthy Together” COVID-19 app. The documents include a presentation from Twenty Holdings, Inc., the company that developed the app, and include details of its development. The records reveal that “[o]nce the economy resumes normalcy, the App will continue to provide the mechanism to monitor any emerging risks.” It has been reported that Twenty hopes to sell the app and app back end to other states and private companies. The developers of the app plan to integrate the Apple/Google API when it is available. The app current methodology relies on collated location data from all users, rather than decentralized proximity tracking. The Utah Governor’s Office of Management and Budget found no records of any audits or independent privacy assessments of the contact tracing app. EPIC has called on Congress to ensure that government agencies and private companies establish privacy safeguards for digital contact tracing. But without audits and independent privacy assessments, contact tracing apps like Healthy Together cannot be "robust, scalable, and provable."

Senator Markey Says Contact Tracing Plans Must Protect Privacy » (Apr. 22, 2020)

Senator Edward Markey [D-MA] has outlined nine key principles to guide federal leadership on coronavirus contact tracing in the United States. In a letter sent today to the White House Coronavirus Task Force, Senator Markey urged the administration to design and implement a comprehensive coronavirus contact tracing plan with key privacy safeguards. In a statement to the Senate and House Commerce Committees last week, EPIC said it is "essential that government agencies and private companies implement standards that safeguard privacy." EPIC's letter followed a proposal from Apple and Google for a contact tracing app to "combat the spread of the novel coronavirus." EPIC cited public health officials in support of data protection and human rights. For digital contact tracing techniques, EPIC recommended that "(1) participation should be lawful and voluntary; (2) there should be minimal collection of personally identifiable information; (3) the system should be robust, scalable, and provable; and (4) the system should only be operated during the pandemic emergency."

DOJ Responds to EPIC FOIA on Location Data » (Apr. 3, 2020)

In response to EPIC's Freedom of Information Act request to the Justice Department for information about the use of location data, including cell phone records, to counter the pandemic the DOJ wrote there are no "responsive records." EPIC had asked for "all legal memos, analysis, communications, and guidance documents, in the possession of the Department of Justice, concerning the collection or use of GPS data and cell phone location data for public health surveillance." The DOJ forwarded EPIC's request to its Office of Legal Counsel to see if responsive records exist in that office. EPIC will continue to seek information about the DOJ's views on the use of location data, and particularly phone records. After 9-11, the Justice Department supported the warrantless surveillance of Americans, a program that was later terminated after the New York Times broke the story, and EPIC pursued a FOIA lawsuit and then a Supreme Court petition.

European Commission Seeks Anonymized Location Data, Citing Coronavirus » (Mar. 27, 2020)

The European Commission has reportedly asked telecom companies to turn over anonymized cell phone location data, citing a need to track the spread of the novel coronavirus. The planned transfer would give the Commission access to location information and other data from hundreds of millions of cell phone users. European Data Protection Supervisor Wojciech Wiewiórowski, responding to the proposal, warned that “effective anonymisation requires more than simply removing obvious identifiers” and called on the Commission to “clearly define the dataset it wants to obtain and ensure transparency towards the public.” The European Data Protection Board explained that any use of location data in connection with the coronavirus must be “strictly limited to the duration of the emergency at hand” and “in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.” EPIC recently submitted a Freedom of Information Act request to the U.S. Department of Justice seeking legal analysis concerning the collection and use of GPS and cell phone location data for public health surveillance.

EPIC Seeks Records About Lawfulness of Use of Location Data for Public Health Surveillance » (Mar. 24, 2020)

EPIC has submitted a Freedom of Information Act request to the Department of Justice seeking legal analysis concerning the collection and use of GPS and cell phone location data for public health surveillance. EPIC explained "The Department of Justice plays a key role advising the President regarding the lawfulness of proposed activities, and particularly the proposed expansion of government authorities during a time of national crisis." EPIC wrote, "If the Department of Justice is considering the use of cell phone data to address the public health crisis, it should first consider whether the use is lawful and that analysis should be made available to the public." EPIC pursued a FOIA lawsuit during the Bush Administration, EPIC v. DOJ, for the legal memos concerning the warrantless wiretapping program that was later repealed by Congress.

EPIC Seeks Records About White House Plan to Use Cellphone Data for Coronavirus Tracking » (Mar. 24, 2020)

EPIC has submitted a Freedom of Information Act request to the Office of Science and Technology Policy seeking information about the White House plan to use cell phone location data for public health surveillance. According to news reports, the White House has sought the assistance of large tech companies including Facebook, Apple, and Google, to use cell phone location data. It is not clear at this time whether the U.S. program is lawful or how the data will be used. EPIC has asked the OSTP to provide "all policies, proposals, and guidance documents for the collection of cell phone location data in connection with the coronavirus" and also "any privacy assessments, including but not limited to privacy threshold assessments and privacy impact assessments, related to the collection of cell phone location data in connection with the coronavirus."

Government Considers Location Data to Track Coronavirus » (Mar. 19, 2020)

According to the Washington Post, the U.S. Government is in active discussions with tech companies about tracking telephone customers to monitor the spread of the coronavirus. Cellphone data is currently protected under federal privacy law. In the Carpenter case, the Supreme Court made clear that government access to location information implicates the Fourth Amendment. EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. The FCC recently announced fines against T-Mobile, AT&T, Verizon, and Sprint for selling customers' location information.

FCC Proposes Fines for Wireless Location Data Violations » (Feb. 28, 2020)

Today the FCC announced proposed fines against T-Mobile, AT&T, Verizon, and Sprint for selling customers' location information. FCC Chairman Ajit Pai said: "This FCC will not tolerate phone companies putting Americans' privacy at risk." The companies are given an an opportunity to respond to the FCC before the Commission makes a final decision. EPIC has long advocated for protection of location privacy. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed an amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information.

FCC Announces Enforcement Action on Location Privacy » (Jan. 31, 2020)

FCC Chairman Pai has announced upcoming enforcement actions against wireless carriers that disclosed subscribers' location data. Last year Members of Congress called an emergency briefing with the FCC and urged the agency to investigate companies that were selling subscribers' location data. EPIC has long advocated for protection of location data. EPIC pursued a lawsuit against a mobile app company that led to greater protection of users' location data. EPIC also successfully petitioned the FCC to safeguard sensitive data collected by phone companies. And EPIC filed a amicus brief in Carpenter v. US. The Supreme Court held in that case that the Fourth Amendment protects cell site location information. EPIC maintains detailed webpages on location privacy.

Facebook Admits to Location Tracking, Ignoring Privacy Settings » (Dec. 17, 2019)

Facebook has admitted that it can determine a user's location even after the user has disabled location services. The statement came in response to a letter from Sens. Josh Hawley (R-Mo.) and Chris Coons (D-Del.). Sen. Hawley tweeted: "There is no opting out. No control over your personal information. That's Big Tech. And that's why Congress needs to take action." The FTC's 2011 consent order with Facebook, followed EPIC's 2009 complaint which established that Facebook ignores user privacy settings. EPIC is challenging the proposed 2019 settlement in part because it does not fix the location tracking problem. A federal court has ordered both Facebook and the FTC to file replies to EPIC. In a related matter, an EPIC case required Accuweather to end surreptitious tracking of users.

EPIC Pursues Release of Location Tracking Orders » (Dec. 17, 2019)

EPIC has moved for summary judgment in EPIC v. DOJ, concerning law enforcement's collection of cell site location data through "§ 2703(d) orders." In Carpenter v. United States, the Supreme Court ruled that these searches were unconstitutional. EPIC filed multiple Freedom of Information Act requests to obtain the government orders issued between 2016 and 2019. However, the DOJ claimed that it "does not track" the information EPIC sought and refused to search for records. EPIC explained to the Court that the DOJ has not satisfied its obligations under the FOIA. EPIC also charged that the agency has engaged in "an unlawful pattern and practice" of refusing to search files even when it could do so. EPIC stated that "This unlawful agency practice impacts EPIC and all other requesters who would seek disclosure of records" at the Department of Justice. The case is EPIC v. DOJ, No, 18-1814 (D.D.C.).

Following EPIC Suit, AccuWeather Changes Location Tracking Practices » (Nov. 12, 2019)

Following a DC consumer protection suit that EPIC filed against AccuWeather in 2018, the company has stopped deceptively gathering users' location data. In its Complaint, EPIC charged that AccuWeather grabbed consumers' location data even when they expressly opted out of location tracking. EPIC also charged that AccuWeather failed to disclose that it transferred location data to advertisers. Now AccuWeather, following EPIC's case, has changed its business practices. Users can decline dvertising and other non-functional uses of their device information, and users can delete the information that AccuWeather collects about their device. EPIC has long advocated for the privacy of location data. EPIC filed a "friend of the court" brief with the US Supreme Court in, Carpenter v. US, a case concerning police surveillance and a complaint with the Federal Trade Commission concerning Uber's tracking of subscribers. EPIC also opposed Apple's tracking of iPhone users. EPIC also maintains detailed webpages on location privacy.

EPIC Challenges Justice Department's Refusal to Search for Location Tracking Orders » (Aug. 26, 2019)

EPIC has filed an amended complaint against the Justice Department, charging that the agency engages in a "pattern and practice" of violating the Freedom of Information Act. Earlier EPIC filed a FOIA lawsuit to compel the DOJ to disclose records about locational surveillance that the Supreme Court ruled was unconstitutional in Carpenter v. United States. EPIC first filed requests in 2017 to obtain copies of government applications to ISPs that require the disclosure of customers communications. After EPIC filed suit in August 2018, the DOJ refused to search for the records and claimed that it "does not track" the surveillance orders. EPIC now alleges that the DOJ has engaged in a pattern and practice that violates the FOIA. Federal agencies are required by law to search for records that are "reasonably described." EPIC wrote "agency's unlawful policy, pattern, and practice of refusing to conduct a search in response to reasonably described FOIA requests such as EPIC's will continue absent intervention by this Court." The case is EPIC v. DOJ, No. 18-1814 (D.D.C.).

International Privacy Experts Adopt Recommendations for AI, Location Tracking » (May. 7, 2019)

The International Working Group on Data Protection has adopted new recommendations for artificial intelligence and location tracking. The Berlin-based Working Group includes data protection authorities who assess emerging privacy challenges. The IWG report "Privacy and Artificial Intelligence" sets out fairness and respect for human rights, oversight, transparency and intelligibility as key elements of AI design and use. The IWG recommendations share several principles with the Universal Guidelines for Artificial Intelligence, proposed by EPIC as the basis for federal legislation and endorsed by more than 250 experts and 60 organizations. The IWG report "Wide Area Location Tracking" addresses large scale collection of location data in devices and applications, and urges limits on the transfer of the data, location tracking switched off by default, and periodic auditing by regulators. EPIC recently provided a comprehensive report for the IWG explaining recent developments in U.S. privacy law and policy.

Senate to Consider Nomination of William Barr for Attorney General » (Jan. 14, 2019)

This week the Senate Judiciary Committee will begin hearings on the nomination of William Barr for Attorney General. In a statement to the Committee, EPIC warned that "Mr. Barr has consistently supported warrantless surveillance of the American people." EPIC pointed to Barr's previous Congressional testimony where he stated that FISA is "too restrictive" and that Americans have no Fourth Amendment right in records held by third parties. EPIC recommended that the Department of Justice work with Congress to update federal wiretap laws after the Supreme Court's decision in Carpenter, improve reporting on surveillance orders, and protect consumers in cases before the Supreme Court.

Congress Asks Google, Apple About Smartphone Data Collection » (Jul. 10, 2018)

Members of the House Energy and Commerce Committee have sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page seeking information about the data collection capabilities of smartphones. Prompted by recent privacy scandals, the representatives asked Google and Apple whether their devices track users' location even when location services are disabled or record users' private conversations without a "trigger" word. The issue of smartphones and privacy has generated widespread attention following the Supreme Court's landmark ruling in Carpenter v. U.S. that the Fourth Amendment protects location records generated by mobile phones. EPIC recently advised Congress to strengthen privacy protections for mobile location data in response to the Supreme Court's ruling.

EPIC Urges Supreme Court to Steer Clear of Warrantless Vehicle Searches » (Nov. 20, 2017)

EPIC has filed an amicus brief in Byrd v. United States, a case about warrantless searches of rental vehicles. EPIC urged the Supreme Court to recognize that a modern car collects vast troves of personal data. EPIC explained cars today "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC pointed to the routine collection of cell phone contents with a Bluetooth connection, data which is stored in the car even after "deletion." EPIC also emphasized that the status of the driver has no bearing on Fourth Amendment privacy interests. The lower court held that because the driver was not an authorized renter, he was not entitled to privacy protection. EPIC has filed extensive comments with the National Highway Traffic Safety Administration, the Federal Trade Commission and the Department of Transportation, and testified before the U.S. Congress regarding the privacy and consumer safety risks posed by connected vehicles. EPIC also routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Jones, Riley v. California, and Florida v. Harris.

Supreme Court to Hear Two Fourth Amendment Cases » (Sep. 28, 2017)

The Supreme Court has agreed to review two Fourth Amendment car search cases. In Collins v. Virginia, the Court will decide whether police can search a vehicle parked in the driveway of a private home without first obtaining a warrant. In Byrd v. United States, the Court will decide whether a person driving a rental car loses their expectation of privacy in the vehicle solely because they are not the official driver on the rental agreement. The Court is already set to hear Carpenter v. United States this fall, a major Fourth Amendment case about warrantless searches of cell phone location data. EPIC filed a "friend-of-the-court" brief in that case urging the Court to extend Constitutional protection to cell phone data. EPIC regularly files briefs with the Supreme Court arguing for greater Fourth Amendment protections, including in Utah v. Strieff, Los Angeles v. Patel, and Riley v. California.

DC Court: Warrantless Tracking with "Stingray" Violates Fourth Amendment » (Sep. 22, 2017)

The D.C. Court of Appeals has ruled that warrantless use of a cell-site simulator or "stingray" violates the Fourth Amendment. The court found that Stingray devices enable "officers who possess a person's telephone number to discover that person's precise location remotely and at will." The court held that the use of a Stingray invaded a reasonable expectation of privacy and thus, was a Fourth Amendment search. EPIC recently filed a brief in a U.S. Supreme Court case arguing that warrantless location tracking violates the Fourth Amendment. EPIC has also promoted oversight of Stingrays by law enforcement agencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant, and that the FBI provided Stingrays to other law enforcement agencies. EPIC has also filed amicus briefs in federal and states courts arguing that cell phone location data is protected by the Fourth Amendment.

EPIC Urges Supreme Court to Apply Constitution to Cell Phone Data » (Aug. 14, 2017)

EPIC has filed a “friend-of-the-court” brief in Carpenter v. United States concerning the Fourth Amendment and location data. EPIC urged the Supreme Court to reject a 1970s case, Smith v. Maryland (1979), that allows for the warrantless collection of calling data. As EPIC told the Court, that case is from an era “when rotary phones sat on desk tops” and was decided before cell phones and location tracking. EPIC argued that "Cell phones are now as necessary to the life of Americans as they are ubiquitous.” EPIC urged the Court to extend Constitutional protection to cell phone data. Noting that Congress may also pass important privacy laws, EPIC wrote that the Supreme Court “remains the interpreter of the Fourth Amendment in our modern age." EPIC previously argued against warrantless searches of location data in Riley v. California, United States v. Jones, State v. Earls, and Commonwealth v. Connolly.

Supreme Court to Hear Case on Privacy of Cell Phone Location Data » (Jun. 5, 2017)

The U.S. Supreme Court has granted review in Carpenter v. United States, a case concerning the privacy of cell phone location data. At issue is data that can be used to track cell phone users and whether police are required to obtain warrants to conduct these searches. A lower court ruled that the Fourth Amendment does not require officers to get a warrant before they obtain location records from a cell phone provider. In State v. Earls, EPIC successfully argued that a warrant is required under the New Jersey constitution. EPIC will file an amicus in Carpenter supporting the application of the warrant standard to obtain location data.

House Committee to Examine Cell Phone Surveillance » (Oct. 21, 2015)

The House Subcommittee on Information Technology will examine law enforcement use of "Stingrays," a technique for tracking cell phones users. The Department of Justice adopted guidelines that require a warrant before using Stingray devices to track the location of mobile devices. Senators Grassley and Leahy recently asked DHS Secretary Jeh Johnson to adopt a similar policy for DHS. California passed a law requiring a warrant for a Stingray. Documents obtained by EPIC in a FOIA lawsuit revealed the FBI was using the cell-site simulators without a warrant. EPIC also filed amicus briefs in U.S. v. Jones and State v. Earls, arguing that a warrant is required to obtain location information from cell phone subscribers.

Appeals Court Upholds Fourth Amendment Protection of Location Data » (Aug. 6, 2015)

The U.S. Court of Appeals for the Fourth Circuit ruled that the Fourth Amendment protects a cell phone user's location records and that officers must get a warrant to inspect them. The Fourth Circuit is the first federal appeals court to hold that the Fourth Amendment warrant requirement applies to location data following the decision by the Eleventh Circuit earlier this year permitting warrantless searches. The Supreme Court will likely review one of these two cases to resolve the split between federal appeals courts. EPIC has filed amicus curiae briefs in the New Jersey Supreme Court and the Fifth Circuit arguing that the Fourth Amendment protects an individual's location privacy.

Federal Court Finds Fourth Amendment Protects Cell Phone Location Data » (Aug. 4, 2015)

A federal court in California ruled that police must get a warrant before obtaining a user's location records. The court found individuals have a "reasonable expectation of privacy" in their cell phone location data, based on the Supreme Court's recent decisions in United States v. Jones and Riley v. California. These records, the court found, can be even "more invasive" than the "GPS device attached to the defendant's car in Jones." EPIC has filed amicus curiae briefs in the New Jersey Supreme Court and the Fifth Circuit Court of Appeals arguing that the Fourth Amendment protects an individual's locational privacy.

In the States: NH Adopts Location Privacy Law » (Jul. 28, 2015)

New Hampshire has enacted a strong location privacy law that requires a judicial warrant for access to cell phone location data. New Hampshire joins several other states that protect the privacy of cell phone location records, by public law or court decision. EPIC has filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking by the government is a search under the Fourth Amendment and should be conducted only with a judicial warrant.

EPIC Launches State Policy Project » (May. 5, 2015)

EPIC has launched the EPIC State Policy Project to track legislation across the county concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.

FTC Reaches Settlement with Customer Tracking Technology Firm Over Privacy Violations » (Apr. 24, 2015)

The Federal Trade Commission announced a settlement with the firm Nomi, whose sensors recorded the physical location of customers in stores using their mobile devices' MAC addresses. Nomi's privacy policy stated that customers would be able to opt out of tracking, however, customers were not informed when they were being tracked. The settlement agreement will prohibit Nomi from deceiving consumers in their privacy policies. EPIC supports the use of privacy enhancing technologies to protect consumers from tracking, including the adoption of randomized MAC addresses that prevent persistent identification.

Summary

In Carpenter, the Supreme Court considered the Fourth Amendment standard for the use of mobile location data by law enforcement. The Fourth Amendment guarantees the "right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures." However, the Supreme Court has not previously had an opportunity to address the application of the Fourth Amendment to many types of modern data, including cell phone location data. Justice Sotomayor famously remarked in her concurring opinion in the 2012 decision in United States v. Jones that it "may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties," an approach that she described as "ill-suited to the digital age." The Court held that mobile location data is protected under the Fourth Amendment, declining to extend the "third-party doctrine" from Smith and Miller to this modern surveillance technique.

In Carpenter v. United States, the Supreme Court reversed the decision of the lower court that seizure and search of 127 days' worth of an individual's cell phone location data was not a "search" under the Fourth Amendment. In the criminal case below, the District Court for the Eastern District of Michigan denied Defendant’s motion to suppress the location data, and later denied post-trial motion for acquittal, and motion for new trial. Carpenter appealed, and the U.S. Court of Appeals for the Sixth Circuit upheld the district court's decision. The government obtained the Defendant's location data under the Stored Communications Act, which requires phone companies to disclose certain historical call records when the government provides “specific and articulable facts showing that there are reasonable grounds to believe” that records at issue “are relevant and material to an ongoing criminal investigation.”

Question Presented

Whether the warrantless seizure and search of historical cell-phone records revealing the location and movements of a cell-phone user over the course of 127 days is permitted by the Fourth Amendment.

Factual Background

This case arises from a criminal investigation in 2010 and 2011. The government obtained more than five months of historical cell phone location records for 16 different phone numbers from various wireless carriers. The magistrates granted the applications pursuant to the Stored Communications Act (“SCA”), which does not require a finding of probable cause. Under the SCA, the government may require the disclosure of telecommunications records when “specific and articulable facts show that there are reasonable grounds to believe” that the records sought “are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d). With the location data provided by the wireless carriers, the agents created maps showing that certain phones had been within a half mile to two miles of certain businesses around the times when robberies had occurred.

The government later charged the defendants with six counts including aiding and abetting robbery that affected interstate commerce—a violation of the Hobbs Act—and aiding and abetting the use or carriage of a firearm during a federal crime of violence.

Technical Background

This case, and other similar cases before federal and state courts, involves the search and seizure of cell phone location data. There are three main types of cell phone location data: (1) historical location data showing prior connections to cell phone towers and/or antennas, (2) real time location data showing current connections to cell phone towers/antennas, and (3) real time location data based on the handset’s GPS signal. Advances in cell phone and cell tower technology have increased the availability and precision of data such that both GPS and tower-based location data can be used to accurately track the location of a cell phone.

Historic Location

The data created when a cell phone communicates with a nearby cell tower can be used to determine the location of any given cell phone and, in turn, its user. Cell phone networks consist of a series of antennas (or “cell sites”). Mobile devices communicate with nearby cell sites during a process called “registration,” which occurs automatically even when the device is idle.1 During the registration process, mobile devices also communicate with nearby cell sites in order to identify the strongest signal. A similar process occurs when a user moves from one cell site to another while making a call. Once registration occurs, the information is stored temporarily in-service provider databases in order to route calls. A log is also typically created every time a call is made or data downloaded, including when smartphone apps access the internet without a user’s knowledge. These logs reveal “which particular cell site a phone was near at the time of the call.” The accuracy of tower-based cell phone location data varies depending on the frequency of connections between the phone and the tower as well as number and proximity of towers. As density increases, so does accuracy. For example, three towers used to triangulate a location can be accurate up to 3/4 of a square mile.

Additionally, data from “small cell” technology, such as microcells and femtocells, can be used to locate a device to within ten feet. The use of this technology in urban environments continues to increase with the number of cell phone users. Municipal governments have partnered with providers to install small cell technology in cities. Verizon is set to place 400 small cells on utility poles in San Francisco and Ericsson installing 100 “Smart Poles” in Los Angeles. There are also indications that machine learning can be applied to historical data to accurately predict not only the home and work of cell phone owners, but potentially the place they are most likely to visit next.

In Carpenter, the Court will consider whether seizure of historical cell phone data obtained from a cell phone provider pursuant to a court order under 18 U.S.C. 2703(d) violates the Fourth Amendment. The data at issue in Carpenter includes logs of which cell towers/antennas were accessed during calls made by the target phones. The court found that “cellphones work by establishing a radio connection with nearby cell towers (or ‘cell sites’); that phones are constantly searching for the strongest signal from those towers; and that individual towers project different signals in each direction or “sector,” so that a cellphone located on the north side of a cell tower will use a different signal than a cellphone located on the south side of the same tower.” The government’s expert had testified that “cell towers are typically spaced widely in rural areas, where a tower’s coverage might reach as far as 20 miles” and that “in an urban area like Detroit, however, each cell site covers ‘typically anywhere from a half-mile to two miles.’” He testified that “wireless carriers typically log and store certain call-detail records of their customers’ calls, including the date, time, and length of each call; the phone numbers engaged on the call; and the cell sites where the call began and ended.”

Real Time Location Data: Cell Towers

Real time or “prospective” cell phone location data from cell towers can be obtained when the provider proactively pings a target phone, rather than waiting for the user to initiate contact with the tower. A request for real time location data may also give the government access to more precise location data generated to comply with the FCC’s E-911 requirements. While this data is created to allow emergency services to locate a cell phone user when they call 911, police and other government officials might request this information in the course of an investigation. Per the FCCs mandate, “[a]ll providers must achieve 50-meter horizontal accuracy or provide dispatchable location for 50 percent of all wireless 911 calls.”

Real Time Location Data: GPS

Several cases have considered the acquisition and use of GPS data during police investigations. GPS receivers in mobile phones can use the satellite signals to calculate “extremely accurate, three-dimensional location information (latitude, longitude and altitude), velocity (speed and direction) and precise time.” However, buildings and other environmental factors in urban areas can reduce the accuracy of GPS location data. GPS data is considered more accurate than cell tower location data and can typically locate a phone within ten meters.

In cases considering the use of GPS data, the police either obtained a warrant or claimed exigent circumstances to justify not obtaining a warrant. United States v. Gilliam, 842 F.3d 801 (2d Cir. 2016) (cert. denied), dealt with cell phone GPS location data obtained without a warrant under 18 U.S.C. 2702(c)(4) due to exigent circumstances. The court held that cell phone location information was included in the statute’s description of “other information” in part by looking at cases interpreting § 2703, and that thus no warrant was needed given the potential danger to a minor. Similarly, in United States v. Caraballo, 831 F.3d 95 (2nd Cir. 2016), officers obtained real time GPS and cell tower location information from Sprint without a warrant due to exigent circumstances.

Procedural History

U.S. District Court for the Eastern District of Michigan

Following their indictment, defendants moved to suppress the introduction of the cell phone location data as evidence, arguing that the data was obtained in violation of the Fourth Amendment and in violation of the standards set forth in the Stored Communications Act, 18 U.S.C. § 2703(d). The trial court denied the motion, rejecting the constitutional argument and holding that the government met the statutory standard. The trial court also denied the defendants’ challenge, on timeliness and reliability grounds, to the testimony of the government’s expert on cell phone data. Defendants were subsequently convicted and filed an appeal to the U.S. Court of Appeals for the Sixth Circuit.

U.S. Court of Appeals for the Sixth Circuit

On appeal, a divided three-judge panel of the Sixth Circuit upheld defendants' convictions. It rejected the argument that the government's efforts to obtain the defendants' location data constituted a “search” under the Fourth Amendment. The court held that the “data themselves took the form of business records created and maintained by Carpenter’s wireless carrier.” When the defendants made or received calls with their cell phones, those phones sent a signal to the nearest cell-tower for the duration of the call. The government thereafter collected those records pursuant to a (non-warrant) court order. The Sixth Circuit found that because the wireless carriers had collected the data “in the ordinary course of business” for their own purposes - including billing matters, to find weak spots in their network and determine whether roaming charges apply - obtaining those records was not a Fourth Amendment search.

The court explained that although the content of personal communications is private, the information necessary to get those communications from point A to point B is not. Because the records simply show which cell towers a phone was connected to at various times, without providing any information about the content of the calls, the cell phone user has no expectations of privacy in the location data. The court relied on a finding that the defendants had voluntarily revealed their location data to the phone company and that subsequent seizure of that data was not a search under United States v. Miller, 425 U.S. 435, 443, (1976), and Smith v. Maryland, 442 U.S. 735 (1979).

Concurring in the judgment only, Judge Stranch explained that “the sheer quantity of sensitive information procured without a warrant in this case raises Fourth Amendment concerns of the type the Supreme Court acknowledged in United States v. Jones, 132 S. Ct. 945, 964 (2012) (Alito, j., concurring).” The court denied re hearing en banc on June 29, 2016.

On September 26, 2016, Carpenter filed a petition for a writ of certiorari, which the Supreme Court granted on June 5, 2017. The case will be heard in Fall 2017.

EPIC's Interest

EPIC has an interest in promoting privacy in digital spaces by upholding robust Fourth Amendment protections, including for data stored remotely by service providers. Location privacy is an increasingly important issue as more devices generate and store data that can be used to track individuals' movements over time, revealing the most intimate and private details of their lives and also chilling their First Amendment protected activities.

EPIC has filed many amicus curiae briefs in Supreme Court, Federal Court, and State cases related to location tracking and seizure of private communications records. See for example, EPIC: United States v. Jones; EPIC: In re US Application for Historic Cell-Site Location Information; EPIC: State v. Earls. The case concerns a critical question that will shape the application of the Fourth Amendment to digital data -- whether the Government must obtain a warrant before forcing a company to disclose private customer records. EPIC has argued that cell phone location records reveal sensitive information and should be protected even if that data is held by wireless carriers. For more information, see EPIC: Location Privacy.

EPIC also highlighted the dangers of location-tracking technology in People, Not Places, A Policy Framework for Analyzing Location Privacy Issues. EPIC closely monitors and provides information about privacy-invasive technologies. In this context, EPIC previously sued the FBI for details ont he use of "Sting Ray" cell phone tracking devices. EPIC's suit against the FBI revealed details of the Government's use of a cell phone tracking technology, known as a StingRay. For more than 15 years the FBI has used this "cell-site simulator" technology to track the location of cell phones and other communications devices. Cell-site simulators act like a fake cell towers and can be used to monitor and track cell phone users even when the device is not in use. The technique also tracks all individuals in a region, regardless of whether they are the suspect in an investigation.