This week, the full Fourth Circuit Court of Appeals — in a decision that impacts residents in Maryland, North Carolina, South Carolina, Virginia and West Virginia — held that you have no expectation of privacy in historical location data generated by your cell phone. This decision, which follows decisions from four other federal appellate courts, means that now, in the vast majority of states, federal law enforcement agents don’t need to get a warrant to get access to this data from a cell service provider.
In the case, United States v. Graham, law enforcement officers relied on a simple court order to learn each place that Mr. Graham and his co-defendant had traveled for more than seven months. The 221 days worth of data officers obtained on the two defendants contained nearly 30,000 datapoints for each defendant — data that the ACLU discovered could reveal when the defendants were home and when they left home, when their travel patterns changed from the norm, and even that Mr. Graham’s wife was pregnant. This cell site location information (CSLI) was generated every time the defendants’ phones tried to connect with a cell tower to send or receive data.
We filed an amicus brief in the case, and, in a great opinion last year, a three-judge panel of the Fourth Circuit held, despite conflicting rulings from other circuits, that individuals have an expectation of privacy in historical cell site records like these. The court held the Fourth Amendment required police to use a search warrant to obtain this information. But the government asked the court to rehear the case en banc (with the full court), and the full court agreed.
This week the full court overturned its earlier opinion, relying on a wonky legal principle from two 1970s Supreme Court cases called the “third party doctrine.” This principle holds that information you voluntarily share with someone else — whether that “someone else” is your bank (such as deposit and withdrawal information), the phone company (the numbers you dial on your phone), or a government informant — isn’t protected by the Fourth Amendment because you can’t expect that third party to keep that information secret.
But the Fourth Circuit took the third party doctrine further than any case we’ve seen so far. The court held that it didn’t matter if cell site location information could reveal sensitive information about our lives; it didn’t matter how many days worth of data the government got from the service provider; and it didn’t even matter whether we had any idea the phone was generating the data or had any real control over when or where the phone generated data. Purely because that data was shared with a service provider, the Fourth Amendment didn’t protect it.
As the dissenting judges in the case recognized, this opinion has important ramifications for the future, and especially for the Internet of Things, where sensors and devices may constantly be generating and sharing data about us with little to no volition on our part, other than, perhaps, the initial decision to purchase or use the device.
For this reason, the dissent notes, the mere fact that the data is shared with a third party shouldn’t matter — it’s much more important to look to the sensitivity of the data collected. Here, the sheer volume of data collected by the government — 221 days worth — “far eclipses” that of any other case decided by the courts so far. It’s nearly eight times the surveillance period involved in United States v. Jones, a 2012 case where the Supreme Court held GPS tracking requires a warrant, and more than three times the period the Eleventh Circuit evaluated in United States v. Davis, a CSLI case last year.
Graham further proves Justice Sotomayor’s point in her concurring opinion in Jones that the third party doctrine “is ill suited to the digital age.” We live in an era “in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” We use cell phones to stay in touch with friends and family on the go, rely on GPS mapping technologies to find our way about town, and wear Fitbits to try to improve our health. It’s impossible to use any of these technologies without sharing data with third parties, but choosing to rely on 21st-century technology shouldn’t mean we have to relinquish our constitutional rights.
As we’ve written before, and as Justice Sotomayor also noted in Jones, this problem arises because courts don’t understand that secrecy doesn’t have to be a prerequisite for privacy. Even if our data isn’t technically “secret,” (because we have intentionally or unintentionally shared it with someone or something else), this doesn’t mean we don’t think this information should be kept private from the prying eyes of the government.
The Graham dissent concludes:
Only time will tell whether our society will prove capable of preserving age-old privacy protections in this increasingly networked era. But one thing is sure: this Court’s decision today will do nothing to advance that effort.
Five federal appellate courts have now spoken — their hands are tied by the Supreme Court’s 1970s third-party doctrine precedent. Congress could step in and, like California and other state legislatures, require a warrant for location information. But given the lack of speed and efficiency with which our federal legislature moves, that may never happen. Now, more than ever, it’s clear that the only way to “assure preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted” is for the Supreme Court to revisit and overturn the third party doctrine. We hope the Graham defendants will petition the Supreme Court for review. If they do, we’ll be right there with an amicus brief in support.
Any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution License, unless otherwise noted. All material that is not original to EFF may require permission from the copyright holder to redistribute.