- Last week’s Supreme Court decision in Carpenter v. United States is one of many cases involving the privacy of your cell phone data.
- The debate over what constitutes a reasonable expectation of privacy is shifting because today’s technology can tie so much sensitive data together.
- Other cases will hit on whether you can be compelled by law enforcement to use biometric data, like a fingerprint or facial scan, to open a device.
The Supreme Court last week ruled that pulling cellular site records from a wireless carrier requires law enforcement to obtain a warrant, a potentially far-reaching decision for the telecom industry,
In ruling 5-4 on the side of Timothy Carpenter, who was convicted in 2013 of robbing Radio Shack and T-Mobile stores, the court determined that law enforcement officers illegally procured location data from his cell phone carriers. The government was able to get 12,898 location points tracking Carpenter over 127 days, with four of those hits putting Carpenter near sites where robberies had occurred.
The court said that collecting cell site location information (CSLI) constituted a Fourth Amendment search and should have required a warrant. Chief Justice John Roberts, who wrote the majority opinion, said "modern cell phones generate increasingly vast amounts of increasingly precise CSLI.”
The decision in Carpenter v. United States could lead to a flood of litigation by defendants in pending criminal cases, challenging whether CSLI data can be used against them if a warrant wasn't issued.
“The main issue is what type of legal process the government needs to obtain location data," said Hanley Chew, a privacy and security lawyer at Fenwick & West LLP, in Mountain View, California. "With the Carpenter decision, it is definitive that they have to meet the higher burden of obtaining a warrant for that type of information.”
Chew, who previously served as a computer crimes prosecutor in the U.S. Attorney’s Office for the Northern District of California, said there are additional issues that the courts will have to address in the future, such as whether real-time GPS information is treated differently.
Then there are cases related to device encryption. Courts will have to consider whether a person accused of wrongdoing can be required by the government to supply a fingerprint or facial scan to unlock an encrypted device, or whether that act should be covered by the Fifth Amendment protections against self-incrimination, said Bret Cohen, a partner in the privacy and cybersecurity practice at Hogan Lovells LLP in Washington, D.C.
“The question is whether law enforcement can compel someone to provide a password or other mechanism for opening a device, or even identifying it as theirs,” he said.
In January, the Minnesota Supreme Court determined that law enforcement could compel a burglary suspect to provide a fingerprint to open an encrypted device. The court said the suspect’s fingerprint “elicited only physical evidence from [his] body and did not reveal the contents of his mind,” and therefore did not violate Fifth Amendment protections.