Supreme Court Cell Privacy Ruling Thwarted

If the government wants to track your location for hours, days, weeks, months or even years, it has various tools at its disposal: It can commit the resources of teams of detectives to follow you around. It can install a beeper tracker into some device that you take with you and monitor that device’s movements in public. It can get a court order to install a GPS tracking device on you or your car. It can track your cell phone using what’s called an “IMSI” tracker (variants include so-called “stingray” or “dirtbag” devices).

In 2017, the U.S. Supreme Court ruled that, to obtain what is called cell site location information (CSLI) from a provider, the government needed a search warrant signed by a judge, supported by probable cause and an oath by some police officer, and narrowly focused on only the data for which there was probable cause. A fishing license—but with a fishing pole, not a net. The court reversed the holdings of both a federal court in Michigan and a federal appeals court, which had held that the cell records, being those of a third-party telecommunications provider, needed no warrant and that people had no reasonable expectation of privacy in the location data held by such a third party. Because the records implicated the suspect’s legitimate privacy interests and because the obtaining of the cell location data was a “search” under the Fourth Amendment, the Supreme Court opined that a warrant was required to get the record.

This was a victory for privacy and a minor burden on law enforcement to get a warrant instead of a simple subpoena (or, alternatively, a cooperative phone company person).

Not so fast.

While the Supreme Court ruled against the government, it remanded—that is, sent the case back—to the Michigan court. On June 11, the U.S. Court of Appeals for the Sixth Circuit ruled that, even though the obtaining of and search for the cell location records was an unconstitutional search and seizure and violated the privacy rights of the defendant, the government could use the records anyway. You see, the Supreme Court invalidated a federal statute called the Stored Communications Act, which permitted the government to obtain this location data with just a subpoena. The police in Michigan were merely following the procedures outlined in the (now defunct) statute. They did so in “good faith” reliance on the statutory scheme. While the search was ultimately “unreasonable” because the statute was unconstitutional, why should the criminal go free because the constable blundered?

The judicially created “exclusionary rule” provides a remedy in cases in which there is an unlawful, unreasonable or unconstitutional search or seizure. Typically, the results of the unlawful search (and those things tied to the search) are not permitted to be used against the defendant whose rights have been infringed (but they can be used against others) as a deterrent to discourage the police from engaging in unlawful or unconstitutional conduct. It’s not that the evidence seized unlawfully is “bad”—that it’s not useful or relevant—it’s just that it is “tainted” because of the manner in which it was obtained. The evidence and the “fruits of the poisonous tree” are suppressed.

However, in cases in which a search is unconstitutional but the police acted in “good faith” reliance on things such as a court order or a statute or an interpretation of a statute (even if that interpretation leads to an arrest for something that’s actually not a crime), the unconstitutional search is not “unreasonable” and the exclusionary rule does not apply.

A different doctrine called “inevitable discovery” holds that, even if a search is illegal and the results of the search should be suppressed, the government still can introduce the evidence in court if it can show that despite the illegal search, the evidence it sought to introduce “inevitably” would have been discovered. It’s a reverse “but for” test—the evidence was found illegally, but it would have been found anyway, so no harm no foul.

The good faith and inevitable discovery lines of cases—particularly with respect to warrantless searches for things such as cell location data, e-mail contents, search results, data analytics, web traffic and other electronic data—mean the constitutional protections against unreasonable searches and seizures ring somewhat hollow.

In the Carpenter cell tower case, the 7th Circuit Court of Appeals ruled that the government could use the unlawfully obtained data against Carpenter because the reliance on an unconstitutional statute was done in “good faith.” So, even if the statute was unconstitutional and permitted unreasonable searches and seizures without a warrant, data collected under the statute (at least before the statute was declared unconstitutional) can still be used.

In another case, the situation was even worse. The government, without a warrant, put a beeper on Antoine Jones’ car, which the Supreme Court found to be unreasonable. This put the GPS location data obtained and used at risk of being suppressed. So the government used the same Stored Communications Act provisions that the Supreme Court later declared unconstitutional in the Carpenter case to get Jones’ cell phone location data in lieu of the unlawfully obtained GPS data. No harm, no foul: Even if we can’t use the GPS data, we have this perfectly good cell location data that tells us the same thing, so there’s no harm. Except that the location data from the cell tower also may have been obtained unlawfully if it was obtained without a warrant (Jones ultimately pleaded guilty, so the record doesn’t show how the SCA records were obtained).

The “inevitable discovery” rule coupled with the good faith exception means that, even when the court says a warrant is needed to invade privacy, it may not actually be needed. This is because of the nature and character of electronic data and its movement and analysis. Take the contents of e-mail: It’s pretty clear that, for the government to “intercept” and read the contents of e-mail for which there is a “reasonable expectation of privacy,” it needs a warrant. To obtain non-content information (e.g., header, routing, IP, etc.) a subpoena or other order will suffice.

So you need a warrant to read someone’s e-mail without their consent. Right? Maybe not. You can get the consent of someone else. The person’s employer, provider or spouse. In fact, the Terms of Service and Terms of Use of many commercial e-mail services permit the ISPs to read their customers’ e-mails, private chats or messages, either by a human being or a robot. Entities such as Facebook even granted access to the contents of private messages to other third parties including Amazon, Netflix, Microsoft and Sony. By using the service with that knowledge, the government has argued, users have abandoned any “reasonable expectation of privacy” in the contents of the messages and therefore no warrant is required. Alternatively, if the government reads your emails without a warrant, it could argue that it “could have” subpoenaed the same records without a warrant from you or your correspondent under surviving portions of the Stored Communications Act, and since it could have gotten the records lawfully (but didn’t), the records would have been inevitably discovered. So much for the Fourth Amendment.

One possible solution is greater and enhanced use of end-to-end encryption products. While your data may travel through third-party purveyors, it’s still your data and you should control who has the ability to read it. If the government wants to get your data (unencrypted), it can still get it. From you or from the person with whom you are communicating (misplaced trust). What the government can’t do is get it from the transporter. But that solution does not help with data created about you by third parties, such as your browsing habits, history of your IP address and location data.

The warrant requirements imposed by the Supreme Court were intended to protect privacy. And they do—unless the government in “good faith” really wants to invade privacy without a warrant. Then all bets are off.

Mark Rasch


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
