Mobile Phone Location Privacy: U.S. Justice Now Says It Doesn’t Exist

Written by Mark Rasch
October 3rd, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a case that may have profound ramifications for retailers’ ability not only to collect but also to protect the privacy of customers’ location information, the U.S. Justice Department argued to a U.S. appeals court on Monday (Oct. 1) that Americans do indeed have no right to privacy when it comes to mobile phone geolocation data. This comes about two months after a different appellate court reached the same conclusion, ruling that Americans have no such privacy rights.

The case before the U.S. Court of Appeals for the Fifth Circuit in New Orleans involves law enforcement efforts to obtain search warrants for cell phone records. The case is significant not because of its impact on cell companies but because of the expansive way the government wants to read its authority to get intimate personal data about anyone—and make third parties like retailers essentially an agent for collecting this information for the government.

The case involves the government’s efforts to subpoena a phone company to pony up records relating to the location of a cellular telephone user. Not too unusual. But what is unusual is the two arguments the government used to assert that it could get these records from the phone company without a warrant and without any probable cause. The government argued that “because customers know that cell phone companies must obtain their location information in order to connect cell phone calls, they voluntarily convey location information to cell phone companies” and “the Fourth Amendment is not violated when that information is turned over to the government.”

Really? Do most people know that the phone sitting in their pocket is constantly transmitting its location simply to get phone calls even when they aren’t making a call? Do most people think the phone company stores those records? Do most people think that what is essentially transient information is being stored and sent to the government? When I listen to a song on the cloud or read an e-book, do I think, “Hmmm, the government can now track me”?

The government then argued that people have no expectation of privacy in their location—after all, they are out and about on the roads and subways, in public buildings and shopping malls—so how can they reasonably expect their activities to be private? Certainly, the government argued, teams of undercover agents could follow people around and see where they are, who they are with, where they are going, etc. So if the government doesn’t need a warrant to do that, why would it need a warrant to get similar information from cell phone data?

If there truly is no expectation of privacy in what is called “historical cell data” (where you were, as opposed to where you are right now), then there would be no problem with retailers collecting this data about their customers with or without the knowledge and consent of those customers. Just as video cameras in the mall capture images of customers (and their locations), retailers could use cell data to find out where their best (and worst) customers are. Accepting the government’s argument before the federal court, there would be no privacy violation for a retailer doing this. Now, before you run out and start collecting your customers’ location data without their consent, recognize that the government’s argument just implicates the Constitution and not laws that protect cell records or the federal laws on “trap and trace” that require some type of legal process to get records from the phone company. So you can’t just traipse to your local phone company and get these records.

More significant to retailers is the government’s argument that it doesn’t need a warrant for these records and that people have no expectation of privacy in where they are when they have (whether or not they use) a cell phone, because these records are those of a third party (the phone company). Just like the government (and your spouse’s divorce attorney) can get records of your bank statements and phone bills without a warrant (just a subpoena), the government (and anyone else with a subpoena) can find out where you are, where you were and who you were with by subpoenaing the records from the phone company. You see, these aren’t your records. They are the phone company’s records, and it can do whatever its want with them.

As the government argued: “A historical cell-site record is a phone company’s record of the cell tower and sector it used to handle a customer’s call. It is a business record generated and stored by a cell phone company at its own discretion. No federal law mandates that a phone company create or keep historical cell site records” and “a customer has no Fourth Amendment privacy interest in business records created and held by a third party.”


2 Comments | Read Mobile Phone Location Privacy: U.S. Justice Now Says It Doesn’t Exist

  1. Jack A Says:

    Though I’m just a mere POS IT Program Manager geek, I do enjoy following a good legal argument. Thanks for your insight – and defense of my privacy rights.

    Was wondering what your expert legal opinion is on the credibility of historic mobile phone location data as evidence. After all, it is a mobile phone and therefore, it can be carried by anyone to a location. How would they prove from the data that I was personally at that location? Seems like an easy way to set someone up. I would think they would need to correlate the location data with a call made at the same time, to someone they would call as a witness to state it was me on the line. And text messages don’t count.

    It is just as hard for me to prove I didn’t have my phone at the time – guess I don’t have the burden of proof to refute location data as a defendant, though the defense would want to cast doubt.

  2. Mark Rasch Says:

    Location data does prove the location of your device and not neccesarily YOU, but it is both admissible and very persuasive circumstantial evidence that you were where your device was. You can add other circumstantial evidence to the mix, like you checked and appropriately responded to e-mail on the device, you entered a user id and password (that only you should know) on the device, that pictures of you were geotagged with the device, etc. Add other evidence (video surveillance, witnessess) and voilia! Privacy gone. Even evidence of habit (he ALWAYS takes his phone with him…) can be enough to pursuade a factfinder that the phone didnt just out out by itself.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.