Law Prof Argues Cell Location Records Shouldn't Need Warrants Because Cell Phones Have Encryption
from the towards-a-more-government-friendly-reading-of-the-4th-Amendment dept
As the Supreme Court readies itself for an important Fourth Amendment decision, the supporting briefs are beginning to trickle in. At stake is a potential redefining of the expectation of privacy under the Fourth Amendment, something that was diminished by the 1979 Supreme Court decision that created the so-called Third Party Doctrine.
In Carpenter's case, the third party records in question are something gathered by all cell phone companies: location data. The government used months of cell site location data to retrace Carpenter's movements, all without a warrant. This warrantless access turns cell phones into proxy tracking devices for the government. The government is perfectly fine with this turn of events and is asking the Supreme Court to uphold the lower court's decision.
A brief [PDF] siding with the government has been submitted by George Washington University law prof (and Volokh Conspirator) Orin Kerr. In it, Kerr makes some strange arguments.
The least weird argument is Kerr's assertion cell site location records shouldn't be covered by the Fourth Amendment because they are the equivalent of "observation in a public space." This is undoubtedly true, but it does allow the government to perform these "observations" without actually having to use its own eyeballs. Instead of tracking someone's movement through direct, in-person surveillance, the government can serve a subpoena to phone companies and use constantly-collected data to perform retrospective tracking.
Kerr goes on to serve up an analogy to buttress his assertion the Fourth Amendment should provide no protection for ostensibly "public" activities. And that's where the arguments start going off the rails.
[I]magine a world without communications networks. If Alice wants to communicate with Bob, Alice has to leave her home and travel to Bob’s house. If the police suspect that Alice and Bob are conspirators planning a crime, and they assign an officer to watch Alice’s whereabouts, the police can collect only some information without triggering the Fourth Amendment. The police cannot learn the contents of what Alice and Bob said inside Bob’s home without a warrant. On the other hand, the police can observe Alice and see what she did in public – when she left home, where she traveled, when she arrived at Bob’s house, and where they both live – without triggering the Fourth Amendment.
Next imagine that Alice calls Bob on her cell phone instead of meeting him in person. Alice no longer has to travel to meet Bob. The cell phone network delivers the call from Alice to Bob, making a remote transfer that eliminates the need for a public trip. But, critically, the same information exists. What was previously the contents of the conversation in Bob’s house is now the contents of the phone call between Alice and Bob. And what was previously Alice’s publicly observable trip from her house to Bob’s house is now a record that the phone provider generated and may keep about when the call was made, to and from what numbers, and what cell towers were used to deliver it.
What's glossed over in this analogy is the existence of landlines. This middle step is instructive and its absence from Kerr's brief seems almost disingenuous. For years, criminal collaborators used landlines and payphones to converse. This is what the Third Party Doctrine is predicated on: phone records. The Supreme Court's 1979 decision forced companies to comply with (and provide technical assistance for) pen register/trap-and-trace orders. These captured numbers dialed and length of conversations. The only location of interest was already known: the residence/phone booth containing the targeted phone. If law enforcement wanted information on suspects' movements, they still needed to deploy some form of additional surveillance.
Kerr is arguing law enforcement should have access to people's public movements without having to do the actual legwork. And he starts this argument by ignoring the fact law enforcement has -- for years! -- been unable to do anything more than collect phone records sans location data. But now phone records also contain information about people's movements, and Kerr believes they should be inseparable and easily-accessible. This assertion is made despite Kerr attempting to draw a straight line from the good old days of walking from house to house directly through CSLI and email header info.
To maintain the balance of the Fourth Amendment, courts should treat the same information in the same way in both the physical and network contexts. The contents of phone calls should be protected, as they are the telephone equivalent of protected inside space. This means, in the Internet context, that the contents of e-mails, text messages, and files that users place in cloud storage should receive full Fourth Amendment protection. On the other hand, non-content records generated by network providers – the business records they generate about how they delivered the communications – should not be protected because they are the network equivalent of the publicly observable trip that is outside such protection in the physical world.
Going on from there, Kerr says the court -- along with legislators -- must maintain an "equilibrium" between expectations of privacy and lawful access. But in this case, the equilibrium must shift towards the government. Why? Because criminals use cell phones.
The ways that cell phones can facilitate crime and avoid detection counsels against creating new Fourth Amendment protections for cell phone records. Obviously, most people don’t use their phones to commit crimes. But most people don’t have their records collected by court order under the Stored Communications Act, either. The key point is that the effect of cell phone technology on the “often competitive enterprise of ferreting out crime,” Johnson v. United States, 333 U.S. 10, 14 (1948), operates as a two-way street. The ability of cell phone companies to deliver communications quickly and silently over any distance cuts both ways. It can lead to records about the delivery that helps the police, and it can aid in the commission of crime that helps wrongdoers. Both should be considered.
He's right that both should be considered. But his argument doesn't suggest both should be considered. Kerr believes the government's view should be given priority -- a view that allows for no narrowing of the Third Party Doctrine. No one should be granted a higher expectation of privacy because criminals use cell phones. That's basically the argument. And it leads directly to this argument, which isn't any better. The Third Party Doctrine should remain intact because people -- including criminals -- use encryption.
It is too early to tell how far encryption will interfere with government investigative powers. But because users generally can’t encrypt non-content records such as historical cell-site records, the collection of such records may take on a more important role in future surveillance practices. The Court should be reluctant to introduce new constitutional protections for non-content records when the existing constitutional framework for access to contents may be impeded by new encryption technology.
I'm honestly unsure what to make of that argument, which seems to imply the Court should only view the Fourth Amendment as an avenue for law enforcement access, rather than its true purpose: protecting citizens from their government. Kerr talks about maintaining a balance, but posits that relevant technological advancements should work for the government, rather than against it. If people can have encryption and little metal-and-glass rectangles that allow them to hold private, long distance conversations, then the government should have uninterrupted, warrantless access to anything the government deems to be a "third party records."
This isn't the way to maintain balance. The Fourth Amendment isn't the government's enabler. And it never has been. It was written to curb government overreach and abuse. The government has been dealing with unobservable conversations for decades now. That it can now track people without ever leaving the office may be handy, but it doesn't necessarily follow it should always be able to do this without a warrant. The Supreme Court should take a close look at the implications of allowing the status quo to remain in place. Thousands of electronic devices generate millions of third party records every day, all less than a warrant away. Ignoring these implications in favor a simplistic rehashing of a forty-year-old decision is only going to cause further difficulties down the road.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, cell site location info, csli, encryption, location info, orin kerr, scotus, third party doctrine
Reader Comments
Subscribe: RSS
View by: Time | Thread
Only a problem for those without a case
This means, in the Internet context, that the contents of e-mails, text messages, and files that users place in cloud storage should receive full Fourth Amendment protection.
While this sounds nice at face value, what he says later rather nearly undermines his 'the content should be protected' claim, by arguing that because the content should be protected location data shouldn't be, so that it can help fill in the 'gaps' left by that pesky 'encryption' getting in the way.
The Court should be reluctant to introduce new constitutional protections for non-content records when the existing constitutional framework for access to contents may be impeded by new encryption technology.
'New constitutional protections'? You can follow someone around without a warrant, it just takes effort, yet I'm pretty sure that if you want to place a tracking device on say their car you do need a warrant, because it's generally considered that that's an invasion of their privacy a step farther than having someone tail them.
The fact that people are carrying a device that can also double as a tracking device should not mean that the warrant requirement magically goes away, because the privacy implications certainly didn't, and if anything they are even more extensive as people can carry a phone where they would leave a car behind.
What it really comes down to is that a warrant requirement is only a problem if the agents/officers involved are grossly incompetent, incredibly lazy, have no credible case or evidence, or a mix of the above. 'Getting a warrant' is not a huge problem if those involved in an investigation have more than a flimsy hunch, so the fact that this issue has reached the point of consideration by the US Supreme Court does not paint a good picture of the police and government agencies taking advantage of a system to go on baseless fishing expeditions looking for something juicy.
[ link to this | view in thread ]
No, I doubt it's true. Regular people cannot observe the RF spectrum, and even with a special device (see Kyllo v. United States about observation with specialty devices from public space), the IMSI isn't just transmitted in the clear. You'll either need an IMSI catcher actively impersonating the cellular network, or help from the carrier that holds the encryption keys. The public can't realistically do it.
[ link to this | view in thread ]
More encryption needed
It's time to use more encryption to interfere with those powers. It's not even technically that difficult, we just need the cellular equivalent of Tor to ensure those records don't exist (or more accurately, can't identify a specific user).
[ link to this | view in thread ]
There is no question of balance.
This is the last bulwark of the citizens. Talking about how much of a breach we need in it in order to maintain balance is madness.
[ link to this | view in thread ]
[ link to this | view in thread ]
to keep the status quo.
And everywhere that Mary went,
the feds were sure to know.
[ link to this | view in thread ]
Just because something is possible does not mean it should be done. Usually one goes through, at a minimum, a cost/benefit analysis - so what is the cost and what is the benefit?
The cost can not be measured and the benefit is limited to those in positions of power and influence. There is nothing but the consequences for the remainder of the population who is encouraged to accept their personal responsibilities and deal with whatever lousy conditions are tossed at them, and they had better not complain or it's the gulag for them.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
If you're really paranoid, probably don't then enable WiFi while in airplane mode.
GPS is only a receiver, not a transmitter. The received GPS data tells THE PHONE where it is at. Now the phone can do anything with that information, including sending it to the cloud to obtain, for example, map information, and advertisements that Taco Bellyache is two blocks ahead. Thus the cloud now knows where your phone is. Your phone (or some app such as your mapping app) might maintain a log of where it has been.
[ link to this | view in thread ]
How is Encryption connected with Cell Location?
Whether your device is or is not encrypted is unrelated to whether the government should be able to get your phone's location from third parties without a warrant.
[ link to this | view in thread ]
Re: There is no question of balance.
[ link to this | view in thread ]
Re:
Does Kerr's equation change when someone is in a private place physically but they are assumed to be in a public place rhetorically because they have a cellphone?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Tracking Kerr
[ link to this | view in thread ]
[ link to this | view in thread ]
Legal Malpratice
Kerr believes the government's view should be given priority -- a view that allows for no narrowing of the Third Party Doctrine. No one should be granted a higher expectation of privacy because criminals use cell phones. That's basically the argument. And it leads directly to this argument, which isn't any better. The Third Party Doctrine should remain intact because people -- including criminals -- use encryption.
Following Orin Kerr's defective line of reasoning - that the US governments investigatory needs outweigh the Rights of American citizens because criminals may use certain items during the planning and operational stages of their criminal acts - the US Constitution is for all intents and purposes a dead-letter.
[ link to this | view in thread ]
Really?
"I'm honestly unsure what to make of that argument..."
It's actually pretty clear. Those are the arguments of someone who supports a tyrranical, all-powerful government where rights are "GIVEN" by the government - and when something is GIVEN, it can be taken away, seemingly for any reason THEY find legit... Terror, think of the children, easier for law enforcement, because it's Tuesday...
[ link to this | view in thread ]
Re:
They can. Scanners are cheap and easily available. Mine even connects to my network and monitors several types of digital trunked systems used by emergency services these days.
But as you elaborate, the difference is encryption. Only the police may demand the decrypted metadata.
BTW, some police services are encrypting their signals. But like cellular networks the trunking system that controls those signals offers a wealth of metadata. The app that comes with my scanner doesn't have a tool to look at it, but there's a command in the programming API that will fetch it.
[ link to this | view in thread ]
You've noticed the intrinsic drawback to cell phones and computers.
Yot. It's the 21st century, sonny.
The whole cell phone system not only has this intrinsic and necessary ability, but "They" designed it in. -- And you don't even want to know about the even worse computer operating systems!
[ link to this | view in thread ]
Re: You've noticed the intrinsic drawback to cell phones and computers.
A key point omitted as always here is Techdirt has NO problem with Google tracking everyone all over the net -- and giving "direct access" to NSA according to Snowden -- in fact regards tracking by corporations as desirable, instead focuses in on this rather small and logical extension.
[ link to this | view in thread ]
Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
Another key point omitted as always here is that 2+2=7. For the same reason.
[ link to this | view in thread ]
Re: You've noticed the intrinsic drawback to cell phones and computers.
Location-tracking is not a necessary ability. Onion routing and zero-knowledge proofs of payment would prevent tracking.
[ link to this | view in thread ]
Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: There is no question of balance.
[ link to this | view in thread ]
Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
For mobile phones, it is as the system has to deal with handoffs between cell towers, and to know which towers to route incoming messages and calls to. However, keeping records of that tracking beyond beyond current location is not required.
[ link to this | view in thread ]
Re: Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
No, the infrastructure company will have a record of some unknown phone at that tower. They don't need to know whose phone it is, they just need to know it paid. And the company that assigns your phone number just needs an open communication channel to route calls to you, they don't need to know where you are.
Is it their phone or my phone? If it's under my control it's not going to give up those records.
[ link to this | view in thread ]
Re: Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
Nope. You can think of a mobile phone like a Tor hidden service. Those migrate around the network constantly, but we can always reach them at their address even though we don't know where they went. There's a data path, but nobody knows the full path.
A handoff would be like resuming a Tor connection from another IP address. I've no idea whether it works, but it's easy in principle (simple cryptography: open a new connection to one of the nodes in your circuit, and use the key to prove your the same person from a new address).
[ link to this | view in thread ]
Orin Hatch's brother?
[ link to this | view in thread ]
Non-sequitirs - race to the bottom
But, but, location tracking should require a warrant because...because cell phones have batteries!
[ link to this | view in thread ]
Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
[ link to this | view in thread ]
FBI argues people don't deserve encryption because they have privacy.
Government argues people don't deserve anonymity because they have privacy and encryption.
Confused?
[ link to this | view in thread ]
It's time to ditch 3rd Party Doctrine completely
What about my electronic eyeglass vendor?
What about my electronic hearing aid vendor?
What about my heart pacemaker vendor?
What about my digital Parkinson's implant vendor?
[ link to this | view in thread ]
Re: You've noticed the intrinsic drawback to cell phones and computers.
[ link to this | view in thread ]
Re: Re: Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
With a mobile phone an established connection, needs to be switchable to a different tower while the call is in progress, hence the need to keep track of individual phones, and predict which towers the will likely be switched to. This also applies to Internet connection with the phone, where the tower may be switched mid document.
The crucial difference is that TOR has static routing for the lifetime of a (TCP) connection, while mobile phones need the ability for predictive dynamic rerouting.
[ link to this | view in thread ]
Stop Right There
[ link to this | view in thread ]
Re: Re: Re: Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
Yeah, currently, but where's the fundamental limitation? If you have ip_A->entry_node->node_2->..., moving the connection to ip_B->entry_node->node_2 would be possible with some simple cryptography. (It shouldn't matter than ip_A and ip_B come from different towers.) Even though the original TCP connection to entry_node is no longer usable, entry_node can keep its connection to node_2 open so it can be resumed. TLS already allows sessions to be resumed in a similar way.
A phone could connect to several towers independently, just to get an IP address. When it wants to switch, connect to entry_node from the second IP and resume the connection.
I can do all of this today with WiFi: generate a random MAC for each access point, connect to my .onion-based VPN from that IP, and use VoIP over that. When that connection drops, I reconnect to the VPN from the new IP, and since my VPN always gives my the same static IP, all my connections stay open if I'm quick enough. My VoIP provider knows who I am, but as far as they know I'm coming from my regular IP. (Latency isn't great for voice but email and web browsing are fine.)
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: You've noticed the intrinsic drawback to cell phones and computers.
Cell phone voice traffic is not generally done over IP (from the phone to the tower) is it?
[ link to this | view in thread ]