Cracking Open a Can of Worms: Why Carpenter v. United States May Not Be the Privacy Decision That Was Needed … or Wanted

On June 22, 2018, the United States Supreme Court appeared to establish a new standard for privacy rights when its decision in Carpenter v. United States, 2018 BL 222220 (2018), held that the government’s acquisition of a defendant’s historical cell-site location information (CSLI) from a third party constituted a Fourth Amendment search. The public reaction to the ruling was swift and dramatic. But a closer look reveals significant gaps in the privacy protections created by the case. Far from defining a new era of privacy law, the decision provides a precariously narrow and potentially problematic precedent.

Razor Thin Scope

Many observers expect Carpenter to expand Fourth Amendment protections over new types of personal information. Some of these expectations flow from the nature of CSLI itself. CSLI is data collected by an individual’s mobile phone service provider, which, to greatly simplify a complex matter, records the time and the angle of signals hitting the provider’s wireless antenna towers, allowing anyone with the data to approximate the phone’s location. The person about whom the data is collected—Carpenter in this case—never possesses the data and has little control over its collection and use. See generally 47 U.S.C. § 222 (giving telecommunications carriers control over the disclosure of proprietary information relating to telecommunications services). By acknowledging a personal privacy right in this mobile phone location data, the Supreme Court effectively reversed earlier precedent and acknowledged a new right regarding data developed and maintained by third-party technology companies. If the defendant in Carpenter has an expectation of privacy in CSLI data, he must surely have an expectation of privacy with respect to the reams of data created by new technology companies interested in his movements and activities.

Not so fast.

For one, the decision’s factual scope is explicitly narrow. The Court declined to decide whether obtaining historical CSLI data covering less than one week of activity would require a warrant. Carpenter, 2018 BL 222220, at *51 n.3. Thus, the decision on its face does not even bar all warrantless CSLI collection. Perhaps more perplexing, the decision does not bar “tower dumps,” which is the download of everyone’s cell service location data—not just a suspect’s—in a wedge-shaped area covering up to four square miles from a particular tower. Carpenter, 2018 BL 222220, at *17.

Second, the Court’s refusal to issue broad restrictions on warrantless information collection makes it clear that the third-party doctrine lives on. That doctrine, which flows from the Supreme Court’s decision in United States v. Miller, states that the Fourth Amendment does not protect individual records voluntarily shared with a third party. 425 U.S. 435, 440-46 (1976). Carpenter is a narrowly-tailored exception to the doctrine, exalting a person’s “reasonable expectation of privacy” in a “novel” and “unique” set of information that is nevertheless voluntarily handed over to and owned by a third party. See Carpenter, 2018 BL 222220, at *9. The Supreme Court apparently sees no tension between Carpenter and Miller, but provides no concrete test for restricting the application of the third-party doctrine. The absence of clear guidelines may further narrow and confuse the scope of the Carpenter decision.

Finally, it is important to acknowledge that Carpenter only applies to searches by the government, as no private access to CSLI would implicate the Fourth Amendment. Therefore, the decision does little to assuage the growing modern privacy concerns increasingly focused on collection and sharing of data not by the government, but by private companies.

Current and Future Technologies Pose New Analytical Problems

To compound its problematic scope, the Carpenter decision fails to address the concerns posed by the more mature forms of location-based data. In fact, it is at least a decade behind current technology. The government investigation at issue in the case occurred in 2010 and 2011, before ride-share applications, which track precise GPS movement, had begun to reach their current level of ubiquity. The types of personal data collected by third parties today have far greater breadth and specificity than CSLI, which could only narrow an individual’s location to an area ranging from a dozen to a hundred city blocks. The new data also generates what can be categorized as “fourth party” privacy concerns, where third-party vendors collect information to share with fourth parties.

CSLI’s geographic precision cannot compete with the data compiled by modern map applications, ride-share applications, or even casual dating programs. All of these applications involve affirmatively sharing one’s geographic and personal information with third parties to aid in interactions with fourth parties. Often, the purpose of these applications is to share that location data with the fourth party: the outside contracting driver or the potential date. Companies increasingly employ tracking cookies of various subtypes in order to catalog web browsing habits, location, and content for sale to fourth parties. Today, these transactions are the reason users see ads for local restaurants upon landing in new cities. In the future, the application of these technologies will lead to entirely new analytical problems, and Carpenter does not even hint at how those problems might be resolved.

Consider also the issues posed by the proliferation of autonomous navigation. According to current thinking, the successful deployment of autonomous driving technology will rely on connection to upcoming 5G networks. Without getting too technical, such a system will involve numerous private governmental networks sharing location data to facilitate vehicle navigation and increase personal safety on public roads. This data, by necessity, will be comprehensive, exacting, and shared with governments. Had CSLI been systematically shared with the government in Carpenter, it seems unlikely that investigators would have needed to use any legal process to determine the defendant’s location.

Future interactions with autonomous robots are similarly problematic. Those robots and their collective systems will generate copious data about people’s movements, likely by interacting with personal communication devices like mobile phones and wearables. The resulting maps and associated data they generate will create a new stockpile of data for government investigators to mine, and the detailed portraits derived from it will make CSLI data look like cave paintings.

For now, the “third-party doctrine” persists, and evolving technologies will continue to exploit information handed over from users to third and fourth parties. It may be that Carpenter’s exception to the third-party doctrine marks just a momentary detour. Soon, our public movements may not be private at all, in the standard sense. Or maybe a new legal standard should be formulated. What is clear is that the Supreme Court will be asked to further address these issues in the coming years.

Privacy Concerns at the Edges of the Decision

Even more concerning, the Carpenter holding may actually result in a net decrease in privacy protections by encouraging law enforcement to seek information more traditionally considered private. In Carpenter, the government obtained the defendant’s CSLI through an order under the Stored Communications Act (SCA), which requires the government to offer specific and articulable facts showing reasonable grounds for believing that records are relevant and material to an ongoing investigation. 18 U.S.C. § 2703(d). The Court, however, found such a showing to be inconsistent with the Fourth Amendment protections that should be afforded to CSLI, noting that the requirements under the SCA fall “well short of the probable cause required for a warrant.” Carpenter, 2018 BL 222220, at *13.

In practice, however, the distinction offered by the Court is small. In Carpenter, the government had, of course, already identified the person to be searched and obtained his cell phone number. The defendant had also been identified by a co-conspirator who had confessed to the crime. Carpenter, 2018 BL 222220, at *18. With this information, and possibly with the other investigative techniques not specifically prohibited by the court—shorter surveillance periods and tower dumps—one would assume it would take little extra effort to obtain a warrant instead of an order under the SCA.

This is an important inflection point for the future of governmental investigations. In Carpenter, law enforcement sought no process on Carpenter’s data other than the SCA order for the carriers’ CSLI. All that the investigators needed was Carpenter’s proximity to the robberies to pair with the other evidence that they gathered implicating him. However, if they were required to write a search warrant, and they had possession of enough appropriate evidence, there would be no good reason for law enforcement to confine the warrant to CSLI over more revealing evidence, such as the phone itself and its content. If location data is private, then law enforcement will seek more warrants to look inside that private garden.

It may be that, in future cases, short historical CSLI orders and “tower dumps” will be deemed searches under the Fourth Amendment as well. However, in many cases, a combination of pen register returns and subpoenaed toll records, none of which require warrants, will likely still support an adequate quantum of individualized suspicion to obtain a warrant. By holding that CSLI location data held by parties is covered by the Fourth Amendment, the Court has raised the risk that more classical Fourth Amendment information will be placed in law enforcement crosshairs.

The Future of the Court

The philosophical divisions in the Carpenter court are relatively clear. Chief Justice Roberts’s opinion was joined by Justices Sotomayor, Kagan, Breyer, and Ginsburg. Dissenting were Justices Kennedy, Thomas, Alito, and Gorsuch. Although the dissenters each wrote separately, they appear to have coordinated the division of issues in their respective dissents.

As a necessary aside, Justice Anthony Kennedy dissented, joined by the conservative wing of the Supreme Court (other than Roberts). Assuming that Justice Kennedy’s replacement has views that fall on the continuum between Kennedy and Thomas, the new Justice may not swing future cases. The only swing vote on this issue appears to be Chief Justice Roberts. Moreover, as the author of both the Carpenterand Riley v. California, 134 S. Ct. 2473 (2014), majority opinions, it appears that Chief Justice Roberts is the architect of these new privacy principles.

Next Steps

It is not yet clear what the Supreme Court’s next steps will be in the privacy sphere. There are a number of reasons why Carpenter may actually be a step in the wrong direction. While the decision will likely always be historically significant when assessing governmental access to digital evidence and an individual’s right to privacy, it could bear very little relevance to the technologies and laws that we actually live with.

Author Information

Chris Ott, CIPP/US, advises industry-leading organizations in sensitive cyber incidents, national security matters, white-collar investigations, government enforcement actions, and high-stakes litigation. Chris has served as an influential law enforcement official for multiple administrations, led some of the largest white-collar investigations in United States Department of Justice (DOJ) history, won more than 30 trials as a first-chair litigator, and spearheaded some of the DOJ and the SEC’s first successful cyber investigations. Chris, who is a partner in the Washington, D.C. office of Davis Wright Tremaine, can be reached at chrisott@dwt.com.