The U.S. Supreme Court today ruled that access to historical cell-site records of a person's location based on their mobile phone will require law enforcement to obtain a warrant before searching a person's historical location records.
This is the first time the high court has ruled on whether a phone subscriber has a legitimate expectation of privacy regarding a telephone company's records of their cellphone location data, according to Aloke Chakravarty, a partner in the Denver-based law firm of Snell & Wilmer.
"This is a landmark case for privacy, and how the court will deal with emerging technologies going forward," Chakravarty said via email. "It creates a new lens through which to view a government's ability to obtain third-party records where a criminal defendant neither possesses the records, doesn't have a property interest in them, may not even know they exist, and he cannot personally even access them."
While the government can still obtain a warrant for cellphone location records, that is a higher standard than is often possible to achieve early in an investigation or before specific individuals have been identified as suspects, Chakravarty said.
The Court's decision revolved around a 2011 robbery case involving Timothy Carpenter, a man accused of a Detroit robbery whose wireless provider allowed the FBI access to four months of phone location data in order to build their case against him.
In all, the FBI collected 12,898 location points cataloging Carpenter's movements over 127 days, which place him near four of the robbery locations at the time they occurred.
A Sixth Circuit Court of Appeals judge had ruled the FBI didn't need a court warrant because mobile phone location data is not protected by the Fourth Amendment's prohibition against unreasonable search and seizure.
In a 5-4 ruling written by Chief Justice John Roberts, the court determined the Fourth Amendment "protects not only property interests but certain expectations of privacy as well.
"Just because you have to entrust a third party with your data doesn't necessarily mean you should lose all Fourth Amendment protections in it," Roberts wrote.
The case, Chakravarty said, is critical to consumer mobile privacy, but more broadly, for signaling that users have a privacy interest in the data third party companies collect about a user of their services; in short, the government's search of those records must be reasonable.
The Court compared cellphone location data to an earlier case involving GPS devices used by law enforcement to track a vehicle over an extended period of time. The precedent in the earlier case was that "longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy."
"Society's expectation has been that law enforcement agents and others would not... secretly monitor and catalogue every single movement of an individual's car for a very long period," Roberts wrote. "Allowing government access to cell-site records contravenes that expectation."
Historical cell-site records, the court determined, presents an even greater privacy concern than the GPS monitoring of a vehicle.
The time-stamped data from a wireless provider's mobile tracking technology provides "an intimate window into a person's life," revealing not only his or her particular movements, but through them his "familial, political, professional, religious, and sexual associations.
"Critically, because location information is continually logged for all of the 400 million devices in the United States – not just those belonging to persons who might happen to come under investigation – this newfound tracking capacity runs against everyone," Roberts concluded.
Sen. Ron Wyden, D-Ore., who first introduced the Geolocation Privacy and Surveillance Act in 2011 to require warrants any time the government accesses Americans' electronic geolocation information, said the ruling "strikes a blow against the creeping expansion of government intrusion into the most personal parts of Americans' lives.
"The court's recognition that digital devices can generate 'near-perfect surveillance' of a person's private life is a validation of the vital protections against unreasonable search and seizure provided by our Constitution," Wyden said in a statement.
Privacy involving mobile phones has been a hot-button issue as of late.
In May, it was revealed that LocationSmart, a U.S. company that aggregates real-time data about mobile phone location, had been unwittingly leaking the information via its website because of a software vulnerability.
The buggy service, originally discovered by a Carnegie Mellon doctoral student, was taken offline by LocationSmart. The Federal Communications Commission is now looking into the data breach.
Apple has also been embroiled in a fight with law enforcement over its use of encryption cracking services used to break into the iPhones of customers who are under criminal investigation.
Local and regional police departments and federal agencies are lining up to buy technology from two companies whose products can bypass iPhone security mechanisms.
Amid those reports, Apple rolled out a new feature in iOS 12 to prevent further intrusions by locking down the USB port on iPhones. Privacy advocates applauded the move.
Nate Cardozo, senior staff attorney with the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said law enforcement is in the "golden age of surveillance," with an unprecedented ability to look into people's lives and more data available than ever before. Tech firms, he said, shouldn't have to "weaken security for millions of innocent users, just to keep one exploit working longer."
The Supreme Court decision, however, provides little direction to law enforcement or to the third-party holders and users of this data, Costello said.
If the location data at issue before the court revolved around what websites a defendant visited, it would probably have been less controversial, Costello noted.
"As data analytics and marketing information is increasingly the currency of the cyber-realm, this type of data collection is going to increase, going to interconnect," Costello said, "and in the view of five of the justices, whether transactional data becomes entitled to specialized content-like privacy protections will be determined by a post-hoc review of what you can do with the data, depending on the 'nature of the particular documents sought' and the legitimate expectation of privacy in their contents."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.