The 4th Circuit overturned a previous three-judge panel’s decision, which held that the government’s warrantless procurement of CSLI was a unreasonable search in violation of the Fourth Amendment and that defendants had a legitimate privacy expectation in that data.
This Supreme Court still has the final word if the decision is appealed (as it likely will be). This case, which ensued in the wake of other precedents on cell-phone and GPS tracking, is of particular interest for the debate around digital privacy and the future development of surveillance law.
The ruling concerns a series of armed robberies of several business establishments located in Maryland in 2011. The government obtained two court orders for disclosure of CSLI for calls and text messages transmitted to and from the phones of two suspects, which eventually led to their conviction. The agents obtained from the cell phone provider information over 221 days that included roughly 29,000 location-identifying data points for each defendant, which placed them in the vicinity of the robberies when they occurred.
Defendants filed a motion to suppress use of the CSLI at trial, arguing that the length of time and extent of the CSLI monitoring conducted by the government without a warrant, intruded on defendants’ expectation of privacy and was therefore in violation of their Fourth Amendment rights.
The Fourth Amendment of the U.S. Constitution provides that “[T]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized.”
District court held that government needed no warrant to obtain CSLI; therefore, government had not violated defendants’ Fourth Amendment rights
The district court denied the defendants’ motion, holding that the government’s conduct was not an unreasonable search: the court relied on the Supreme Court’s third-party doctrine, according to which individuals have no legitimate expectation of privacy in information voluntarily turned over to third parties (Smith v. Maryland, 442 U.S. 735, 1979). Under this legal theory, the U.S. government can obtain from third parties information voluntarily conveyed by individuals without a warrant, since this information is beyond the reach of the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.
According to the district court, since defendants voluntarily transmitted signals to cellular towers in order for their calls to be connected, the third-party doctrine applied. U.S. courts have relied on this doctrine for a broad range of scenarios, from financial records and dialed telephone numbers to card statements, employment records and internet subscriber information.
4th Circuit’s panel reversed the district court’s ruling and found government’s data acquisition in breach of Fourth Amendment
The U.S. Court of Appeals, 4th Circuit, reversed the district court’s ruling – United States v. Graham, 796 F. 3d 332 (4th Cir. 2015). The court began by acknowledging that the government conducts a search under the Fourth Amendment when it obtains and inspects a cell-phone user’s historical CSLI for an extended period of time.
The court then held that examination of a person’s historical CSLI can enable the government to trace the movements of the cell phone and its user across public and private spaces and thereby discover the user’s private activities and personal habits.
Therefore, mobile phone users have an objectively reasonable expectation of privacy in this information and its inspection by the government requires a warrant.
The court concluded that government’s warrantless procurement of CSLI violated the Fourth Amendment’s guarantee against unreasonable searches and seizures (although the court also acknowledged that the government acted in good faith in doing so, therefore it declined to suppress the evidence). In the court’s words, “The fact that a provider captures this information in its account records, without the subscriber’s involvement, does not extinguish the subscriber’s reasonable expectation of privacy.
Applying the third-party doctrine in this context would simply permit the government to convert an individual’s cell phone into a tracking device by examining the massive bank of location information retained by her service provider, and to do so without probable cause.”
4th Circuit En Banc found that government did not breach the Fourth Amendment since users voluntarily disclosed CSLI under third-party doctrine
Now, the full panel of the U.S. Court of Appeals reversed the three-judge panel’s decision by holding that the government’s warrantless acquisition of historical CSLI from defendant’s cell-phone provider did not breach the Fourth Amendment.
First, the court contends that the government’s acquisition of this data constituted a Fourth Amendment “search”. Defendants had no reasonable expectation of privacy under the third-party doctrine since the government obtained the CSLI records from a third party (i.e. the carrier), which, in turn, collected this information in the course of its business activity and did not obtain this data through a direct surveillance of defendants.
In this respect, the court relies on the Supreme Court’s precedents that applied the third-party doctrine, recalling that the Fourth Amendment does not protect information voluntarily disclosed to a third party because even a subjective expectation of privacy in such information is “not one that society is prepared to recognize as ‘reasonable’” (Smith v. Maryland, 442 U.S. 735). More recently, the 6th Circuit of the Court of Appeals held that a warrantless acquisition of cell-phone location data did not breach the Fourth Amendment (United States v. Carpenter, April 13, 2016).
The court notes that defendants “exposed” the information at issue to the phone carrier, which used it to route defendants’ cell-phone calls and texts. By doing so, they could not expect the phone carrier to keep that information secret and “assumed the risk” that it would disclose their information to the government.
The court hastened to add that the Supreme Court may in future limit, or even eliminate, the third-party doctrine, and that Congress may require a warrant for CSLI.
However, it concluded that current legislation and established precedents weigh in the government’s favor.
Dissenting Judge Wynn deems that government’s warrantless search breached Fourth Amendment
Dissenting Judge Wynn highlights many of the majority’s shortcomings. First, he disagrees that CSLI is beyond the Fourth Amendment’s reach since it would be “voluntarily conveyed” by users to phone carriers under to the third-party doctrine.
According to Judge Wynn, the Supreme Court’s precedents suggest that “voluntary conveyance” means that defendant (i) knew he was communicating particular information, and (ii) acted to submit the particular information he knew. For example, when users type a form providing their details to a service provider to secure internet access, they have knowledge of the typed information and affirmatively act to communicate it.
Judge Wynn reasons that CSLI is different from other data because it is not voluntarily disclosed by phone users, who likely are unaware that they are providing this information and do not know which cell-phone tower their call will be routed through. They also do not generally act to disclose this information – for example, CSLI is generated when a phone receives a call, even if the user does not answer.
Judge Wynn concludes that by acquiring large amounts of CSLI to trace defendants’ long-term movements the government infringed defendants’ reasonable expectation of privacy and thereby engaged in a search. Because the search was warrantless, the government breached the Fourth Amendment.
The decision can still be appealed to the Supreme Court, which will have the task to clarify whether the 1970s third-party doctrine is still fit for a time where individuals reveal large quantities of information about themselves, sometimes without being aware of this.
For example, “Internet of Things” technologies (e.g., wearable devices, home automation, connected toys) may reveal many aspects of an individual’s private life – habits, behaviors and preferences, religious or political beliefs, sexual orientation, driving habits, whether they are at home or not, etc.
Yet this extensive information may represent a valuable resource for law enforcement authorities to prevent and detect crimes or other wrongdoings. The debate around the appropriate balance between privacy and public security is certainly set to continue, with the possible review of the 4th Circuit’s decision in the Supreme Court, the Microsoft Ireland email privacy case pending (where the company is challenging a U.S. government search warrant seeking access to customers’ emails in a data center located in Ireland) and the ongoing EU-U.S. Privacy Shield negotiations.
This article was first published on the IAPP’s Privacy Tracker blog.