Mobile Phone Location Privacy: U.S. Justice Now Says It Doesn’t Exist
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
In a case that may have profound ramifications for retailers’ ability not only to collect but also to protect the privacy of customers’ location information, the U.S. Justice Department argued to a U.S. appeals court on Monday (Oct. 1) that Americans do indeed have no right to privacy when it comes to mobile phone geolocation data. This comes about two months after a different appellate court reached the same conclusion, ruling that Americans have no such privacy rights.
The case before the U.S. Court of Appeals for the Fifth Circuit in New Orleans involves law enforcement efforts to obtain search warrants for cell phone records. The case is significant not because of its impact on cell companies but because of the expansive way the government wants to read its authority to get intimate personal data about anyone—and make third parties like retailers essentially an agent for collecting this information for the government.
The case involves the government’s efforts to subpoena a phone company to pony up records relating to the location of a cellular telephone user. Not too unusual. But what is unusual is the two arguments the government used to assert that it could get these records from the phone company without a warrant and without any probable cause. The government argued that “because customers know that cell phone companies must obtain their location information in order to connect cell phone calls, they voluntarily convey location information to cell phone companies” and “the Fourth Amendment is not violated when that information is turned over to the government.”
Really? Do most people know that the phone sitting in their pocket is constantly transmitting its location simply to get phone calls even when they aren’t making a call? Do most people think the phone company stores those records? Do most people think that what is essentially transient information is being stored and sent to the government? When I listen to a song on the cloud or read an e-book, do I think, “Hmmm, the government can now track me”?
The government then argued that people have no expectation of privacy in their location—after all, they are out and about on the roads and subways, in public buildings and shopping malls—so how can they reasonably expect their activities to be private? Certainly, the government argued, teams of undercover agents could follow people around and see where they are, who they are with, where they are going, etc. So if the government doesn’t need a warrant to do that, why would it need a warrant to get similar information from cell phone data?
If there truly is no expectation of privacy in what is called “historical cell data” (where you were, as opposed to where you are right now), then there would be no problem with retailers collecting this data about their customers with or without the knowledge and consent of those customers. Just as video cameras in the mall capture images of customers (and their locations), retailers could use cell data to find out where their best (and worst) customers are. Accepting the government’s argument before the federal court, there would be no privacy violation for a retailer doing this. Now, before you run out and start collecting your customers’ location data without their consent, recognize that the government’s argument just implicates the Constitution and not laws that protect cell records or the federal laws on “trap and trace” that require some type of legal process to get records from the phone company. So you can’t just traipse to your local phone company and get these records.
More significant to retailers is the government’s argument that it doesn’t need a warrant for these records and that people have no expectation of privacy in where they are when they have (whether or not they use) a cell phone, because these records are those of a third party (the phone company). Just like the government (and your spouse’s divorce attorney) can get records of your bank statements and phone bills without a warrant (just a subpoena), the government (and anyone else with a subpoena) can find out where you are, where you were and who you were with by subpoenaing the records from the phone company. You see, these aren’t your records. They are the phone company’s records, and it can do whatever its want with them.
As the government argued: “A historical cell-site record is a phone company’s record of the cell tower and sector it used to handle a customer’s call. It is a business record generated and stored by a cell phone company at its own discretion. No federal law mandates that a phone company create or keep historical cell site records” and “a customer has no Fourth Amendment privacy interest in business records created and held by a third party.”
-Marc
October 4th, 2012 at 11:45 am
Mark,
Though I’m just a mere POS IT Program Manager geek, I do enjoy following a good legal argument. Thanks for your insight – and defense of my privacy rights.
Was wondering what your expert legal opinion is on the credibility of historic mobile phone location data as evidence. After all, it is a mobile phone and therefore, it can be carried by anyone to a location. How would they prove from the data that I was personally at that location? Seems like an easy way to set someone up. I would think they would need to correlate the location data with a call made at the same time, to someone they would call as a witness to state it was me on the line. And text messages don’t count.
It is just as hard for me to prove I didn’t have my phone at the time – guess I don’t have the burden of proof to refute location data as a defendant, though the defense would want to cast doubt.
October 16th, 2012 at 9:41 am
Location data does prove the location of your device and not neccesarily YOU, but it is both admissible and very persuasive circumstantial evidence that you were where your device was. You can add other circumstantial evidence to the mix, like you checked and appropriately responded to e-mail on the device, you entered a user id and password (that only you should know) on the device, that pictures of you were geotagged with the device, etc. Add other evidence (video surveillance, witnessess) and voilia! Privacy gone. Even evidence of habit (he ALWAYS takes his phone with him…) can be enough to pursuade a factfinder that the phone didnt just out out by itself.