Appeals Court: No Expectation Of Privacy In Credit Card Magnetic Strips
from the TIMELY dept
Just as we're learning of law enforcement's bold new plan to take travelers' prepaid debit cards down to a $0 balance without ever leaving the highway, the Eighth Circuit Court of Appeals comes along [PDF] to remind us that swiping (not as in "taking") a credit card to determine its legitimacy is not a search under the Fourth Amendment. (via Ars Technica)
The court notes a couple of obvious things about the search that isn't. First, it can't be a physical search because swiping the card does nothing more than (if it's legit) return the same information that's printed on the front of the card.
[S]canning the magnetic strips on the cards was not a physical intrusion into a protected area prohibited by the Fourth Amendment. See Florida v. Jardines, 133 S. Ct. 1409, 1417 (2013). The magnetic strip on the back of a debit or credit card is a type of "external electronic storage device, [that] is designed simply to record the same information that is embossed on the front of the card." Accordingly, the information embossed on the front of the card and recorded in the magnetic strip will only be different if the card has been tampered with. Credit card readers reveal whether the information in the magnetic strip on the back of the card matches the information on the front. The process of using a credit card reader "is analogous to using an ultraviolet light to detect whether a treasury bill is authentic, . . . [which is not a] . . . 'search.'" Thus, because "sliding a card through a scanner to read virtual data does not involve physically invading a person's" space or property, there was no Fourth Amendment violation under the original trespass theory of the Fourth Amendment.
Unfortunately for the defendant, none of the dozens of credit cards and gift cards he was caught with returned information confirming him as the owner. All of the cards (which ranged from gas cards to Subway gift cards to Amex credit cards) contained information linking them to other cardholders. There was a seizure, as the Secret Service took control of the cards after the defendant was arrested and scanned them to determine their legitimacy. There may have been an avenue to challenge the seizure without a warrant, but the defendant never raised the issue.
The court also finds the Third Party Doctrine applies here.
Although DE L'Isle claims he had an actual, subjective privacy interest in the cards, he is unable to make that case. As to the ten American Express credit cards, he could not have had an expectation of privacy simply because his name was embossed on the front of the cards. He also could not have had a subjective expectation of privacy in any of the other cards because the purpose of a credit, debit, or gift card is to enable the holder of the card to make purchases, and to accomplish this, the holder must transfer information from the card to the seller, which negates an expressed privacy interest. [...] When the holder uses the card he "knowingly disclose[s] the information on the magnetic strip of his credit card to a third party and cannot claim a reasonable expectation of privacy in it."
The dissenting opinion is an interesting read, as it starts out by suggesting justice would best be served by the throwing of last-minute wrenches into the gears before stalking off into the weeds for a bit.
This appeal presents a narrow legal issue: Does scanning the magnetic stripe on the back of a credit or debit card to access the data stored on it implicate the protections of the Fourth Amendment? In my view, answering this question requires further factual development, and I would remand the case to the district court to hold an evidentiary hearing.5
5I recognize the difficult position in which the district court found itself, faced with a motion to suppress almost on the eve of trial. The district court would have been within its rights to deny the motion as untimely. In a commendable effort to grant the defendant a full opportunity to present his defense, the district court instead excused the delinquency of the motion and decided it on the merits. Although I recognize that the district court’s decision not to hold an evidentiary hearing is reviewed deferentially, United States v. Hill, 750 F.3d 982, 986 (8th Cir. 2014), I believe an evidentiary hearing is necessary to resolve this case.
Judge Kelly suggests there may be an expectation of privacy in magnetic strips, but only if this information is easily modified by cardholders at their discretion.
In my view, the answer to this question depends on whether there are significant technological barriers to an individual rewriting information on the magnetic stripe of their cards, and I would remand the case to the district court to develop evidence on this point. If the information on the magnetic stripe can be modified without much difficulty, the cardholder may indeed have a reasonable expectation of privacy in the contents of the stripe, based on the straightforward principle that law enforcement conducts a Fourth Amendment “search” when it reads the contents of rewritable digital storage media.
It's safe to say no card issuer is going to let end users alter the coding on their cards. It either matches the info on front or it's not a legitimate credit card. This argument's attempt to equate credit cards with storage media is more than a bit of a stretch. (For gift cards, though, this is a little murkier. There's no name to match against the info uncovered by swiping it through a reader. The only thing that can be discovered is whether the card type matches the encoded data.)
The dissent is on sturdier ground when it argues that swiping cards to match them up with the info printed on the front is still a search. Judge Kelly points out that the majority decision allows the results of the search to determine the legitimacy of the search, which is the wrong way around.
The problem with this approach is that it is only possible to determine whether the information on the magnetic stripe is blank or matches the information embossed on the front of the card by scanning the magnetic stripe to determine its contents. And the results of a search cannot be used to justify its legality.
Even if it were to go Judge Kelly's way, the Third Party Doctrine would undo it, as payments with credit cards are very much a voluntary act in which purchasers know information about them is being relayed to retailers, card processing companies, and the card's issuer.
However, Kelly does make a good point when suggesting the court shouldn't be in such a hurry to declare this a foregone conclusion.
Although the stakes may appear small at this stage, technological progress has a way of ensuring that they do not remain so. The Supreme Court has instructed that “the rule we adopt must take account of more sophisticated systems that are already in use or in development.” What advances are likely to be made in this area is a topic that deserves further factual development by the district court, especially because the available evidence suggests that the amount of information storable on a credit card will not long be numbered in the dozens of characters.
Already many newly-issued credit cards in the United States contain chips that have a storage capacity much greater than that of the old magnetic stripes. As cards are able to store more information, the privacy interests they implicate increase.
This is especially important considering the recent development in law enforcement forfeiture tech. Cards will be seized, read and drained -- all without warrants because there's apparently no privacy interest in the cardholder information printed on the front, or any of the information obtained by running the card through a reader. If a court comes to the opposite conclusion -- that card swipes are searches -- it will make it that much harder for law enforcement agencies with ERAD tech and a fistful of bad incentives to participate in highway robbery.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, credit cards, eight circuit, magnetic strips, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
If the courts say that there is an expectation of privacy then any third party could be sued by simply using your credit card at a place of business (i.e., retailer).
[ link to this | view in chronology ]
Re:
So by that line of thinking no "private" sale is private either? You could be compelled to disclose what I bought from you?
IMHO my transaction either by cash or by credit is a private transaction between 2 parties. Nobody needs to know I bought a purple tutu, case of beer and a box of condoms.
-
The only difference between having your money stolen:
By Police, you know the culprit.
Hackers, you don't.
Either way it's still being stolen from you by criminals.
[ link to this | view in chronology ]
Re:
If you use the card, sure. But what if you *don't* use the card? The third party doctrine needs an actual third party, not a hypothetical one.
[ link to this | view in chronology ]
Re: Re:
There is no exception provided in the 4th to make private information public for the purposes of privacy breaching government interests.
Any information I give to or share with a business, 3rd, 4th, or 50th party is still private information safe from government prying unless there is a warrant.
This really is not hard to figure out and it very clear what the founders and the Constitution says about the subject.
[ link to this | view in chronology ]
Re: Re: Re:
How could your phone's contacts be protected? Those are all names and numbers that other people know because it is other people's names and numbers. How are any emails protected, even those sitting on a server less than 180 days, after all they passed through the hands of your email provider as well as your ISP and countless other on its way through the intertubes.
"[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures"
Anything on you, your car, your phone, or your email account is most certainly one of your person, your papers, or your effects. The Third Party Doctrine needs to die in a fire.
[ link to this | view in chronology ]
Re:
How is that ridiculous? Is it ridiculous to expect a private conversation to be private? This is no different.
[ link to this | view in chronology ]
Re: Re:
Just like if I rent someone's house to stay in there is a reasonable and hence implied expectation of privacy between me and the owner that the house is not secretly bugged.
The lack of privacy occurs if I use someone else's card without permission. It's no different than me, for instance, sneaking in their house and using their land line or stealing their cell phone and using it without permission only to find out I was being monitored by the owner the whole time. There is no reasonable expectation of privacy between me and the owner of a cell phone, laptop, or tablet that I stole. No deal was made between me and the owner, there is no consideration that the owner willingly accepted in return for what you stole and hence this avails the owner nothing and so they aren't reasonably required to provide privacy or anything in return.
Or if I'm at work and the business I work for wishes to monitor my work related behavior while at work. There is no implied expectation of privacy between the owner of the credit card/stolen cell phone and the person that stole it and so the CC owner can freely give authorities the necessary permission to track usage without the need for a warrant.
[ link to this | view in chronology ]
Re: Re: Re:
The comment I was replying to did not make that limitation. It asserted that there is no expectation of privacy at all.
The point you are making is valid to an extent, but in the case of credit card transactions the expectation of privacy in the moment would certainly remain even if the card was being used fraudulently. That's because nobody involved aside from the crook can know that the use is unauthorized at the moment. That expectation of privacy would dissolve, of course, the moment the card holder gives the cops or credit card company permission to investigate the transaction.
[ link to this | view in chronology ]
Re: Re: Re: Re:
OK, I read the article wrong the first time. I don't disagree with you here.
[ link to this | view in chronology ]
Re:
The same can be said about the card. The card is closed until it's opened. You cannot look at the card with your eyes and determine what's inside of it, which means the person holding the card closed it for a reason.
How anyone can argue this isn't a breach of privacy is ridiculous.
I shut my door, you can't see through it = private. I close my curtains, you don't see through them = private. I create a bank account, you don't see into it = private. I place my cash on something that requires a special kind of reader to determine what's on it, and since I'm in possession of said card, I chose to keep it closed until I choose to open it = private.
You're on the wrong side of the 4th amendment. I
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
"What's in your wallet?"
[ link to this | view in chronology ]
Re: Re:
..Oh crap, now I said Capitol One, and people might be confused into thinking that I represent them! I might be sued! /runs away
[ link to this | view in chronology ]
right of the people to be secure in their persons, houses, papers, and effects
Now, stolen & forged cards just lying around would fall under the protections of whatever they're in (i.e. houses, cars, a bag, etc. would need to be searched to find them), if they're in anything.
A pile lying on an outdoor table would probably be fair game for the police, though.
[ link to this | view in chronology ]
Re: right of the people to be secure in their persons, houses, papers, and effects
It's really funny the ends people, especially law enforcement, will go through to justify their actions and nosy fucking behavior.
I do not think its a problem to open a wallet enough to get a persons name and address so that it can be returned, but to attempt to record, interact with or, rifle through its for other information is a breach!
[ link to this | view in chronology ]
This may not be exactly true. For credit and debit cards, the magnetic strip also contains a code that is not printed anywhere on the card. In theory a vendor needs that code to make a transaction when the card is present (source: https://en.wikipedia.org/wiki/Card_security_code).
I assume prepaid gift cards sporting a Visa, Mastercard, or other major credit card company, would also have such a code.
However even if it does, I'm not sure what impact (if any) it would have on a privacy argument.
[ link to this | view in chronology ]
Re:
They would be in breach to use the numbers on the face to access the account without a warrant, therefore scanning the card to interact with any other component is the same.
The information on the strip is not "conspicuous" therefore that makes it private and protected under the 4th! No ifs, ands, or buts!
[ link to this | view in chronology ]
Actually, mag-stripes are read/write
The people forging cards, even those that should have security chips, obviously have easy/cheap access to devices that can write what ever they want onto a cards mag-stripe.
[ link to this | view in chronology ]
Re: Actually, mag-stripes are read/write
[ link to this | view in chronology ]
Re: Actually, mag-stripes are read/write
Course the end result will be garbage information but hey it proves people can overwrite their card.
[ link to this | view in chronology ]
Re: Actually, mag-stripes are read/write
[ link to this | view in chronology ]
The Card Security Code (CSC), also called the Card Verification Value (CVV)
The expiration date
The Card Security Code (CSC), also called the Card Verification Value (CVV)
[ link to this | view in chronology ]
Re:
What are the current contents of the floppy disk that AOL sent to me back around 1993? Hint: It's not the same as the original contents that AOL put on the disk.
[ link to this | view in chronology ]
Huh.
[ link to this | view in chronology ]
What's on the "private" list?
Also, why don't we update the wording of these amendments, and the constitution in particular? The wording is way, way out of line from reality for most of them. I'm not talking "constitutional convention" or "ratify amendments", I'm just talking clear wording according to today's laws. It would keep stupid arguments to a minimum, economize on judicial decisions, things like that.
I realize that this won't happen because of judges' proclivity to make rulings in favor of the legal profession itself, and if we had a clearly worded basic document, then lawyers would be just a little less necessary. Also, cops. If we had clear rules, then "good faith" exceptions wouldn't be nearly as applicable. So, just call me a crank.
[ link to this | view in chronology ]
Re: What's on the "private" list?
That would allow the government to punch holes big enough to drive an aircraft carrier through into the constitution.
[ link to this | view in chronology ]
When you apply for a credit card, you are granting the entity you're using that card at to use the information on your card to properly charge your account for the goods or services you are buying.
I simply don't find any reason why anyone would claim that the information on your credit card strip is private information when it is not. The appeals court came to the right conclusion. The information contained in that strip is not privacy information. I would rather think it would be the bank that could claim that, NOT the person whose name is on that card.
[ link to this | view in chronology ]
Re:
Then why not post yours here?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
If it's really public information that is readily available to the public, then they can get it the same way the rest of the public can. But if you want to do something that every other average joe can't legally do, then you need probable cause or get a fucking warrant.
[ link to this | view in chronology ]
Legitimate vs illegitimate
"It's safe to say no card issuer is going to let end users alter the coding on their cards. It either matches the info on front or it's not a legitimate credit card. "
I'm going to respectfully disagree. It doesn't matter what you think the card-issuer is "going to let end-users" do. I get to copy magstripes as I see fit on my card. You may argue that the card is the property of the issuer. Yup. I'm allowed to mark on it, disfigure numbers, cut it up, etc. I'm also allowed to demagnetize it if I leave it on a loudspeaker, and that's not unlawful either. Writing a new mag stripe is just the same.
As legitimate examples of lawfull use there are times when I don't want to "flash" my platinum card. However, I can encode its data onto the magnetic strip of my crappy Southwest Airlines credit card. Sure, the information doesn't match. However, it's still my card and I can swipe it and if I were stupid get cash advances on it.
That's the simple example. Sometimes my business lets me have a card or a friend will lend me a car and their credit card to go purchase something. In that case the card doesn't even bear my name but I am legally authorized to use it. Should I copy THAT magnetic strip onto my Southwest Airlines card IT TOO would be legal for me to possess and use.
The courts both erred in failing to address the plain-language meaning of the 4th Amendment. Is it a "search" to reach into my pocket, pull out my wallet, open it, extract a card, and put it in a card-reader? I believe the answer to all those is yes.
The DATA on the magnetic strip on my card is *NOT* in plain-view, does *NOT* create any exigent circumstance, and is in *NO WAY* indicative of anything in and of itself. This is a fishing expedition hunting deep into where the unknown is.
I argue a warrant is DEFINITELY required, and one that indicates with SPECIFICITY what is to be examined and why.
E
[ link to this | view in chronology ]
Re: Legitimate vs illegitimate
To be fair to the police here, the cards weren't in the guy's wallet. There were over 50 cards; they wouldn't have FIT in his wallet. The seizure of the cards isn't at issue, only the search of the magnetic strip.
[ link to this | view in chronology ]
Re: Re: Legitimate vs illegitimate
So what if I have 50 cards rubber-banded sitting on my car seat. At the very best you can see the front of one card and the back of another. You can't see the other 98 sides nor the stuff imprinted on them and you CERTAINLY can't *see* the ***DATA*** on the magstrip.
I do believe the requirement for a warrant is palpable.
E
[ link to this | view in chronology ]
When you give your card to a cashier at a store, you are doing a voluntary action in buying something. You know your information is being used to make the transaction, but you choose to give it (or pay cash).
When a cop takes your cards and scans them, my guess is that it is less than voluntary. There may be no threat of force given, but I'm guessing no one just gives the cops their credit cards to run voluntarily since the only thing you are going to get our of the transaction is nothing if your lucky and trouble if not.
[ link to this | view in chronology ]
I'm really confused
I didn't think it applied to information they retrieved from you and then said that it's fair game, because you've given the same info to a third party in the past.
Don't they actually have to get it from the third party, and not from you?
[ link to this | view in chronology ]
Re: I'm really confused
[ link to this | view in chronology ]
Imaginary third parties?
Uh what? Third party doctrine concerns information actually given to third parties, not information that could potentially be given to third parties.
I am allowed to search a credit card for differences to the printed information because if the information on the strip might differ from the printed information, it is conceivable that at some later point of time somebody else might be getting to read it?
Isn't that sort of carte blanche? I can perform any search because it is conceivable that the results of such search might be made known to a third party at some unknown point in the future?
I mean, what would be covered at all any more by the 4th Amendment given this nonsensical rationale?
[ link to this | view in chronology ]
Court Jesters and Pretzel Logic
Jurisprudence pretzel logic.
A credit card holder and vendor at the place of sale voluntarily agree to scan/read the magnetic strip in order to complete a transaction between the two parties.
The specious government claim of Third Party Doctrine is just that a specious claim as when a credit card holder enters into an agreement with a credit card company it is strictly a matter between card holder and card provider. It is/was not an agreement to furnish details of a private business transaction with the government.
Third Party Doctrine is simply the governments way of circumventing the protections of the 4th Amendment by saying -- because we say so.
Third Party Doctrine is where timid court jesters go to hide and the Constitution dies.
[ link to this | view in chronology ]
Re: Court Jesters and Pretzel Logic
It's insane.
[ link to this | view in chronology ]
More
Card readers are not special in any manner. There is no special decoding required, nor is the information on the mag strip something controlled (normally) by the end user - it actually is information set by the card owner (the issuing company is technically owner of the card).
It's another case of Techdirt erring too far on the side of protecting a non-existent privacy.
[ link to this | view in chronology ]
'Timely' indeed
[ link to this | view in chronology ]
Dang it!
[ link to this | view in chronology ]
Box of 5,000
It wouldn't be that hard to set up my card writer to write out "GO AWAY COPPER!" on every magnetic strip in the box. Would take them a whole day to scan every card in there.
And I would waste a whole day programming them if I knew it would be one (or two) less police on the road hassling other drivers.
[ link to this | view in chronology ]
Not true
This is factually incorrect. The magnetic strip on many debit cards, including two that I have, includes information that is not on the front of the card, including the card's PIN.
[ link to this | view in chronology ]
Re: Not true
[ link to this | view in chronology ]
Re: Not true
Wait. You can get the card's PIN just by swiping it? What kind of stupid security system is that?
[ link to this | view in chronology ]
Re: Re: Not true
Aside from the idiocy that a crook can just read the PIN off the stripe, there's the additional idiocy that, with about $20 worth of equipment, you can also change the PIN on someone else's card.
[ link to this | view in chronology ]
Re: Not true
[ link to this | view in chronology ]
Very simple rule of thumb:
(Though I'm sure the police/government would find some way of twisting the 'rule', offhand at least it seems like it would shoot down most of the more absurd claims regarding what and what is not private.)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
If someone has my credit card and I give the authorities permission to 'search' my credit card usage for the sake of tracking who has my credit card, then I don't see why a warrant is needed. The card is being 'searched' with the permission of the owner (an owner who gave no prior permission for someone else to use said card), no different than my house being searched with my permission.
[ link to this | view in chronology ]
Re:
But that has almost nothing to do with what happened here. It's not like they caught the guy while he was trying to use a card. Usage tracking had nothing to do with it. Also, you can be forgiven for believing what Tim wrote, but it was technically incorrect - not *all* of the cards had information linked to other cardholders. Ten were blank. (Read page 2 of the embedded document.) And the police couldn't know whose they were until *after* they scanned them, since the front of at least some of the cards had the suspect's name on them.
You can't say "well, some random person gave us permission to search for their card, therefore we can search all cards we may happen to find anywhere, just in case it happens to be theirs." That's like saying "hey, a car was stolen and the user gave us permission to get it back, therefore we can search all garages just in case that car is in it."
I mean... 59 cards in a duffle bag is suspicious. The police correctly figured that something was up. But if there's probable cause to think a crime was committed, why not get a warrant?
[ link to this | view in chronology ]
Re:
That means not only do they NOT have anyone's permission to search the data, but that this "owner" thing you claim has nothing to do with the "identified person in the data".
Even if you are that person who has said "Hey I'm John Doe and I give police everywhere permission to look in everyone's pockets for my credit card" this is not that and you can't provide police that privilege.
Sorry, Johnny, but your false "I'm the owner and I allow police to search other people's magstripes" logic doesn't in any way make sense NOR trump the need for a SEARCH WARRANT.
E
[ link to this | view in chronology ]
Credit Cards SUCK
[ link to this | view in chronology ]
I would argue that by carrying the card, I have chosed an added layer of privacy and security since if I carried the equivalent cash, the police could just seize that too. If they can do the same with cards, what rights do we really have?
[ link to this | view in chronology ]