Federal Court Narrows ‘Third Party’ Warrant Requirement

In United States v. Carpenter, the United States Supreme Court ruled that, before the police could obtain historical cell site location information (CSLI) about the location of someone’s cell phone in the past, they had to seek and obtain a warrant from a judge based on probable cause under the Fourth Amendment. Absent some other “exigent circumstance,” getting the records from the phone company is a violation of the constitution, even though Congress had passed a law permitting prosecutors and cops to get that cell data from phone companies without a warrant.

The Fourth Amendment trumps a statute.

The Carpenter case also established a major exception to what had previously been the “third party” rule — that, in most instances, you didn’t have the ability (standing) to challenge the production of records by third parties. That rule was what permitted (and still permits) the government to get things like your phone bills, your bank statements and other records about you from your phone company or bank without getting a search warrant or serving you with a subpoena. With the rise of third party data (advertising data, marketing data, cloud data, metadata, social media data, etc.), there’s a lot that a litigant or investigator can find out about someone with a subpoena. At least a warrant requires both probable cause and somebody in a black robe, right?

In Carpenter, the Supreme Court held that people can have a reasonable expectation of privacy in data like historical location data in the hands of third parties, and therefore a search warrant was required to get it. But a recent case from a federal appeals court casts doubt on the scope of the Supreme Court’s holding in Carpenter, and the application of the third party doctrine.

In United States v. Hammond, the federal appeals court in Detroit found that the Carpenter case is not retroactive – meaning that unconstitutional warrantless seizures of historical cell site location data can still be used if they occurred before the date of Carpenter, since the police did not know that the seizures were unconstitutional, and acted in “good faith” in conducting the seizure which violated the constitution.

Since the purpose of “suppression” of evidence unlawfully seized is to deter police from acting unreasonably, if the police believed that they were acting within the law (at the time) then, even though the search is unconstitutional (and by definition, unreasonable), the “fruits” of that search are still admissible. The Court also ruled that other cell site location data, which was given to the police “voluntarily” by the cell provider without a warrant, was not introduced at trial (nor were the “fruits” of that search) and therefore, the defendant had no recourse even if the data was released improperly. Essentially, “no harm, no foul.”

Of course, obtaining cell location records, without a warrant, which eliminate others as suspects helps the police focus on the defendants. Thus, if in an investigation of a robbery of a key bank in downtown Cleveland, for example, I got the cell location records of hundreds of people near the bank without a warrant, but none of them showed the person I was looking for, since I didn’t “use” those records against the person I ultimately prosecuted, the only people who could complain about the unlawful search are the hundreds of people whose cell phones pinged the relevant towers — none of whom know that their privacy was violated by the police, and the cops ain’t about to tell them.

The federal court also used a bit of legerdemain to make the unconstitutional search “acceptable” under the doctrine of “inevitable discovery” or “independent source.” So the cops got the cell records illegally without a warrant. OK; these records are “tainted” by the unlawful search. But … the cops could get the identical records from an “independent source” that was not “tainted” so, again, no harm, no foul. In this case, though, the “independent source” was the same exact source as the tainted source — the same phone company and the same records. Well, there’s an exception that can swallow the rule. But the most important part of the Seventh Circuit case is the fact that the Court limited the application of Carpenter to providing an expectation of privacy only in historical cell location data (where you have been), and refused to find a similar expectation of privacy in where you are.

The Hammond court opined that historical cell data was more sensitive than current cell location data, since it can show every place you have been, who you met with, when you go to church, the hospital, the doctor, etc., all of which is intimate information about which you have an expectation of privacy. Current cell data just tells the cops where you are right now. It’s no different than the cops just following you as you drive down the street. The Hammond Court noted:

The “narrow” Carpenter decision did not determine whether the collection of real-time CSLI constitutes a Fourth Amendment search. … Carpenter emphasized that historical CSLI allowed the government to learn of a person’s whereabouts on a nearly 24-hour, seven-day-a-week basis. Meanwhile, seizing CSLI in real-time only reveals a person’s whereabouts at the moment of its seizure …

The Hammond court reasoned that, since the police obtained the subjects’ “real-time” location data for only a few hours, that was no different than following that person around as they drove, or tracking them with a beeper at close range.

Certainly no privacy impact there, right? It’s not like I know everything about where you were, I just know where you are right now. That’s not private, is it?!

Crucially, unlike in Carpenter, the record of Hammond’s … movements for a matter of hours on public roads does not provide a “window into [the] person’s life, revealing … his familial, political, professional, religious, and sexual associations” to the same, intrusive degree as the collection of historical CSLI. … Law enforcement used the real-time CSLI to find Hammond’s location in public, not to peer into the intricacies of his private life.

So, no “reasonable expectation of privacy” in where you are as opposed to where you were. And since you have no privacy interest, guess what? No warrant required, either.

For the purposes of the Fourth Amendment, the case takes sweeping language by the Supreme Court in Carpenter and narrows it in favor of law enforcement – limiting Carpenter to requiring a warrant only for historical CSLI. That means that other documents or records – internet browsing history, cookies, email metadata and even things like access logs, cloud log data, IP history information and possibly the contents of documents and records (not communications which are covered by another law) in the hands of a third party (including cloud providers) may not enjoy protections against warrantless searches and seizures.

It’s funny, ’cause if you were to ask people whether they thought they had a reasonable expectation of privacy in their current location, most people would likely say “Yes.” Just ask a woman stalked by her ex-boyfriend, or an ex-wife looking to hide out at a battered women’s shelter. And while three hours of tracking in real time might reveal less about someone than receiving two weeks (or two months) of historical data, it might reveal the one day you visit the AIDS clinic, the cancer ward or a political meeting. Sure, if the cops follow you in a car, they can find out much the same thing, but the truth is, people’s expectation of privacy depends not only on what the police learn, but how they learn it.

The case risks eroding legitimate privacy interests in data held by third parties. There was no reason the cops could not have gotten a warrant for the real-time location data. Magistrates and judges issue warrants over the phone, by email and even through apps. Easy peasy, lemon squeezy. If Carpenter only holds that a warrant is required to obtain historical CSLI (and indeed, only when that CSLI reveals something personal about the individual) then it’s not much of a precedent. And that serves the interests of police and prosecutors – to narrow privacy rights (and their obligations to get warrants) as much as possible.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
