This is page 2 of:

Mobile Phone Location Privacy: U.S. Justice Now Says It Doesn’t Exist

October 3rd, 2012

So here’s where the trouble comes in for retailers. Location data is, and will continue to be, critically important for advertising, marketing and point of sale. Thousands of Web apps collect data about a consumer’s location—ostensibly to help the consumer connect to businesses but also to help businesses find local consumers. Services like Yelp!, Foursquare, Google Maps and OpenTable all link GPS data with retailers to help those retailers and their customers connect. As a lawyer, I would ensure that if I was collecting or obtaining location data, I would do so under a privacy policy that told the customers what I was collecting—and what I was going to do with that information. The policy could be something like, “I will only use your data to help you find a restaurant” or, “I will use your location data to send you coupons for shoe stores near you.” The customer consents to the collection of location data, and you are set, right? Not so fast.

The government’s argument that people have no expectation of privacy in third-party data is just flat out wrong—wrong, wrong, wrong. Did I mention that it was wrong? Indeed, while third parties can “know” where I am, what I eat, what I read, what songs I listen to, who my friends are, what I look like, what sizes I wear, what medications I take, where and when I bank, what I study and almost anything else about me, it would be wrong to say that, by virtue of the fact that this information is collected and/or stored by third parties, I have no privacy interest in such information.

Otherwise, the government could turn retailers into its own private data collection enterprises. As long as the government doesn’t tell the retailer what to collect and the retailer collects data in the ordinary course of business, the government could get all of this data without telling the customer a thing. This belies the contract between the customer and the retailer, where the customer essentially says, “I will let you know what Kindle book I am reading so you can send me offers on similar books, but I am not authorizing you to tell the FBI that I just read Fifty Shades of Whatever.” To think that consumers have no expectation of privacy in the intimate facts they are forced (often) to reveal to third parties as a condition of modern life is absurd.

More than 40 years ago, in a case involving a subpoena for phone records, Justice Thurgood Marshall dissented from the majority opinion that no warrant was necessary for these phone records because they were in the hands of a third party, the phone company.

Justice Marshall noted that “Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.” Justice Marshall went on to note “Implicit in the concept of assumption of risk is some notion of choice” unless “a person is prepared to forgo use of what for many has become a personal or professional necessity [namely, the use of a phone], he cannot help but accept the risk of surveillance.”

This is exactly what Justice Sotomayor predicted in her concurring opinion in the June case involving the surreptitious installation of a GPS tracking device, where she noted: “It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

Perhaps, as Justice Alito said, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or they may come to accept this “diminution of privacy” as “inevitable.” I, for one, doubt that people would accept without complaint the warrantless disclosure to the government of a list of every Web site they had visited in the last week or month or year.

Just because the record exists and is held by a third party (like a retailer) doesn’t mean people don’t expect the data to be protected from disclosure. This doesn’t mean the government can’t get these records, just that it has to show probable cause and get a warrant for them. As more records are held by third parties—including phone companies, retailers, credit card companies, processors and cloud providers and their agents and vendors—we need to stop making these entities into agents of the state. Otherwise, consumers will simply stop trusting them, and then they will revolt. And that’s not good for anyone.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.


2 Comments

  1. Jack A Says:

    Mark,
    Though I’m just a mere POS IT Program Manager geek, I do enjoy following a good legal argument. Thanks for your insight – and defense of my privacy rights.

    Was wondering what your expert legal opinion is on the credibility of historic mobile phone location data as evidence. After all, it is a mobile phone and therefore, it can be carried by anyone to a location. How would they prove from the data that I was personally at that location? Seems like an easy way to set someone up. I would think they would need to correlate the location data with a call made at the same time, to someone they would call as a witness to state it was me on the line. And text messages don’t count.

    It is just as hard for me to prove I didn’t have my phone at the time – guess I don’t have the burden of proof to refute location data as a defendant, though the defense would want to cast doubt.

  2. Mark Rasch Says:

    Location data does prove the location of your device and not necessarily YOU, but it is both admissible and very persuasive circumstantial evidence that you were where your device was. You can add other circumstantial evidence to the mix, like you checked and appropriately responded to e-mail on the device, you entered a user id and password (that only you should know) on the device, that pictures of you were geotagged with the device, etc. Add other evidence (video surveillance, witnesses) and voilà! Privacy gone. Even evidence of habit (he ALWAYS takes his phone with him…) can be enough to persuade a factfinder that the phone didn’t just go out by itself.
