Appeals Court: No Expectation Of Privacy In Credit Card Magnetic Strips

from the TIMELY dept

Just as we're learning of law enforcement's bold new plan to take travelers' prepaid debit cards down to a $0 balance without ever leaving the highway, the Eighth Circuit Court of Appeals comes along [PDF] to remind us that swiping (not as in "taking") a credit card to determine its legitimacy is not a search under the Fourth Amendment. (via Ars Technica)

The court notes a couple of obvious things about the search that isn't. First, it can't be a physical search because swiping the card does nothing more than (if it's legit) return the same information that's printed on the front of the card.

[S]canning the magnetic strips on the cards was not a physical intrusion into a protected area prohibited by the Fourth Amendment. See Florida v. Jardines, 133 S. Ct. 1409, 1417 (2013). The magnetic strip on the back of a debit or credit card is a type of "external electronic storage device, [that] is designed simply to record the same information that is embossed on the front of the card." Accordingly, the information embossed on the front of the card and recorded in the magnetic strip will only be different if the card has been tampered with. Credit card readers reveal whether the information in the magnetic strip on the back of the card matches the information on the front. The process of using a credit card reader "is analogous to using an ultraviolet light to detect whether a treasury bill is authentic, . . . [which is not a] . . . 'search.'" Thus, because "sliding a card through a scanner to read virtual data does not involve physically invading a person's" space or property, there was no Fourth Amendment violation under the original trespass theory of the Fourth Amendment.

Unfortunately for the defendant, none of the dozens of credit cards and gift cards he was caught with returned information confirming him as the owner. All of the cards (which ranged from gas cards to Subway gift cards to Amex credit cards) contained information linking them to other cardholders. There was a seizure, as the Secret Service took control of the cards after the defendant was arrested and scanned them to determine their legitimacy. There may have been an avenue to challenge the seizure without a warrant, but the defendant never raised the issue.

The court also finds the Third Party Doctrine applies here.

Although DE L'Isle claims he had an actual, subjective privacy interest in the cards, he is unable to make that case. As to the ten American Express credit cards, he could not have had an expectation of privacy simply because his name was embossed on the front of the cards. He also could not have had a subjective expectation of privacy in any of the other cards because the purpose of a credit, debit, or gift card is to enable the holder of the card to make purchases, and to accomplish this, the holder must transfer information from the card to the seller, which negates an expressed privacy interest. [...] When the holder uses the card he "knowingly disclose[s] the information on the magnetic strip of his credit card to a third party and cannot claim a reasonable expectation of privacy in it."

The dissenting opinion is an interesting read, as it starts out by suggesting justice would best be served by the throwing of last-minute wrenches into the gears before stalking off into the weeds for a bit.

This appeal presents a narrow legal issue: Does scanning the magnetic stripe on the back of a credit or debit card to access the data stored on it implicate the protections of the Fourth Amendment? In my view, answering this question requires further factual development, and I would remand the case to the district court to hold an evidentiary hearing.5

5I recognize the difficult position in which the district court found itself, faced with a motion to suppress almost on the eve of trial. The district court would have been within its rights to deny the motion as untimely. In a commendable effort to grant the defendant a full opportunity to present his defense, the district court instead excused the delinquency of the motion and decided it on the merits. Although I recognize that the district court’s decision not to hold an evidentiary hearing is reviewed deferentially, United States v. Hill, 750 F.3d 982, 986 (8th Cir. 2014), I believe an evidentiary hearing is necessary to resolve this case.

Judge Kelly suggests there may be an expectation of privacy in magnetic strips, but only if this information is easily modified by cardholders at their discretion.

In my view, the answer to this question depends on whether there are significant technological barriers to an individual rewriting information on the magnetic stripe of their cards, and I would remand the case to the district court to develop evidence on this point. If the information on the magnetic stripe can be modified without much difficulty, the cardholder may indeed have a reasonable expectation of privacy in the contents of the stripe, based on the straightforward principle that law enforcement conducts a Fourth Amendment “search” when it reads the contents of rewritable digital storage media.

It's safe to say no card issuer is going to let end users alter the coding on their cards. It either matches the info on front or it's not a legitimate credit card. This argument's attempt to equate credit cards with storage media is more than a bit of a stretch. (For gift cards, though, this is a little murkier. There's no name to match against the info uncovered by swiping it through a reader. The only thing that can be discovered is whether the card type matches the encoded data.)

The dissent is on sturdier ground when it argues that swiping cards to match them up with the info printed on the front is still a search. Judge Kelly points out that the majority decision allows the results of the search to determine the legitimacy of the search, which is the wrong way around.

The problem with this approach is that it is only possible to determine whether the information on the magnetic stripe is blank or matches the information embossed on the front of the card by scanning the magnetic stripe to determine its contents. And the results of a search cannot be used to justify its legality.

Even if it were to go Judge Kelly's way, the Third Party Doctrine would undo it, as payments with credit cards are very much a voluntary act in which purchasers know information about them is being relayed to retailers, card processing companies, and the card's issuer.

However, Kelly does make a good point when suggesting the court shouldn't be in such a hurry to declare this a foregone conclusion.

Although the stakes may appear small at this stage, technological progress has a way of ensuring that they do not remain so. The Supreme Court has instructed that “the rule we adopt must take account of more sophisticated systems that are already in use or in development.” What advances are likely to be made in this area is a topic that deserves further factual development by the district court, especially because the available evidence suggests that the amount of information storable on a credit card will not long be numbered in the dozens of characters.

Already many newly-issued credit cards in the United States contain chips that have a storage capacity much greater than that of the old magnetic stripes. As cards are able to store more information, the privacy interests they implicate increase.

This is especially important considering the recent development in law enforcement forfeiture tech. Cards will be seized, read and drained -- all without warrants because there's apparently no privacy interest in the cardholder information printed on the front, or any of the information obtained by running the card through a reader. If a court comes to the opposite conclusion -- that card swipes are searches -- it will make it that much harder for law enforcement agencies with ERAD tech and a fistful of bad incentives to participate in highway robbery.

Filed Under: 4th amendment, credit cards, eight circuit, magnetic strips, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 13 Jun 2016 @ 12:55pm

    I have to agree that there really is no expectation of privacy with credit card strips. When you use your credit or debit card, you are sharing your information with any and every retailer you do business with, therefore, sharing your information with third parties. How anyone can claim "privacy" regarding this is ridiculous.

    If the courts say that there is an expectation of privacy then any third party could be sued by simply using your credit card at a place of business (i.e., retailer).

    reply to this | link to this | view in chronology ]

    • identicon
      I.T. Guy, 13 Jun 2016 @ 1:21pm

      Re:

      "any and every retailer you do business with"
      So by that line of thinking no "private" sale is private either? You could be compelled to disclose what I bought from you?
      IMHO my transaction either by cash or by credit is a private transaction between 2 parties. Nobody needs to know I bought a purple tutu, case of beer and a box of condoms.
      -
      The only difference between having your money stolen:
      By Police, you know the culprit.
      Hackers, you don't.
      Either way it's still being stolen from you by criminals.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 1:52pm

      Re:

      When you use your credit or debit card, you are sharing your information with any and every retailer you do business with, therefore, sharing your information with third parties.


      If you use the card, sure. But what if you *don't* use the card? The third party doctrine needs an actual third party, not a hypothetical one.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 13 Jun 2016 @ 2:06pm

        Re: Re:

        3rd party doctrine still does not pass muster against the 4th.

        There is no exception provided in the 4th to make private information public for the purposes of privacy breaching government interests.

        Any information I give to or share with a business, 3rd, 4th, or 50th party is still private information safe from government prying unless there is a warrant.

        This really is not hard to figure out and it very clear what the founders and the Constitution says about the subject.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 13 Jun 2016 @ 2:20pm

          Re: Re: Re:

          Not to mention the fact that if the only bar that needs to be cleared for the Third Party Doctrine to apply is that at some point in the past you gave or told this information to someone else, then as far as information goes, almost no information you have is covered by the 4th.

          How could your phone's contacts be protected? Those are all names and numbers that other people know because it is other people's names and numbers. How are any emails protected, even those sitting on a server less than 180 days, after all they passed through the hands of your email provider as well as your ISP and countless other on its way through the intertubes.

          "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures"

          Anything on you, your car, your phone, or your email account is most certainly one of your person, your papers, or your effects. The Third Party Doctrine needs to die in a fire.

          reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 13 Jun 2016 @ 6:02pm

      Re:

      "How anyone can claim "privacy" regarding this is ridiculous."

      How is that ridiculous? Is it ridiculous to expect a private conversation to be private? This is no different.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jun 2016 @ 6:07am

        Re: Re:

        Agreed, there is an expectation of privacy between the card holder, the card issuer, and the card depositor.

        Just like if I rent someone's house to stay in there is a reasonable and hence implied expectation of privacy between me and the owner that the house is not secretly bugged.

        The lack of privacy occurs if I use someone else's card without permission. It's no different than me, for instance, sneaking in their house and using their land line or stealing their cell phone and using it without permission only to find out I was being monitored by the owner the whole time. There is no reasonable expectation of privacy between me and the owner of a cell phone, laptop, or tablet that I stole. No deal was made between me and the owner, there is no consideration that the owner willingly accepted in return for what you stole and hence this avails the owner nothing and so they aren't reasonably required to provide privacy or anything in return.

        Or if I'm at work and the business I work for wishes to monitor my work related behavior while at work. There is no implied expectation of privacy between the owner of the credit card/stolen cell phone and the person that stole it and so the CC owner can freely give authorities the necessary permission to track usage without the need for a warrant.

        reply to this | link to this | view in chronology ]

        • icon
          John Fenderson (profile), 14 Jun 2016 @ 8:39pm

          Re: Re: Re:

          "The lack of privacy occurs if I use someone else's card without permission."

          The comment I was replying to did not make that limitation. It asserted that there is no expectation of privacy at all.

          The point you are making is valid to an extent, but in the case of credit card transactions the expectation of privacy in the moment would certainly remain even if the card was being used fraudulently. That's because nobody involved aside from the crook can know that the use is unauthorized at the moment. That expectation of privacy would dissolve, of course, the moment the card holder gives the cops or credit card company permission to investigate the transaction.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 15 Jun 2016 @ 4:47am

            Re: Re: Re: Re:

            "but in the case of credit card transactions the expectation of privacy in the moment would certainly remain even if the card was being used fraudulently."


            OK, I read the article wrong the first time. I don't disagree with you here.

            reply to this | link to this | view in chronology ]

    • identicon
      BigPun, 21 Jun 2016 @ 11:38pm

      Re:

      If you shut your cooler, are people able to see inside the cooler? Are they allowed to 'open' the cooler and look at what's in there? No. It's not there's, it's closed, and you closed it, which means there is an expectation of privacy.

      The same can be said about the card. The card is closed until it's opened. You cannot look at the card with your eyes and determine what's inside of it, which means the person holding the card closed it for a reason.

      How anyone can argue this isn't a breach of privacy is ridiculous.

      I shut my door, you can't see through it = private. I close my curtains, you don't see through them = private. I create a bank account, you don't see into it = private. I place my cash on something that requires a special kind of reader to determine what's on it, and since I'm in possession of said card, I chose to keep it closed until I choose to open it = private.

      You're on the wrong side of the 4th amendment. I

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Jun 2016 @ 1:00pm

    The question with card swiping is not expectation of privacy once the card is in other hands, but rather expectation of privacy of the contents of ones wallet.

    reply to this | link to this | view in chronology ]

    • identicon
      I.T. Guy, 13 Jun 2016 @ 1:23pm

      Re:

      Gives new meaning to:
      "What's in your wallet?"

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 13 Jun 2016 @ 2:32pm

        Re: Re:

        Hey now, you can't say that. Using their trademark might confuse people into thinking you represent Capitol One. You might be sued!

        ..Oh crap, now I said Capitol One, and people might be confused into thinking that I represent them! I might be sued! /runs away

        reply to this | link to this | view in chronology ]

  • identicon
    Lurker Keith, 13 Jun 2016 @ 1:02pm

    right of the people to be secure in their persons, houses, papers, and effects

    Wouldn't a Credit Card qualify as a Paper or Effect? It might even be covered by persons, since they are usually carried on you, usually in a wallet, which I'm pretty sure is subject to 4th Amendment protections.

    Now, stolen & forged cards just lying around would fall under the protections of whatever they're in (i.e. houses, cars, a bag, etc. would need to be searched to find them), if they're in anything.

    A pile lying on an outdoor table would probably be fair game for the police, though.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 1:28pm

      Re: right of the people to be secure in their persons, houses, papers, and effects

      If leaving something out in view is not enough to allow random someone to walk away with it as abandoned property then it is still protected by the 4th because it IS someones property!

      It's really funny the ends people, especially law enforcement, will go through to justify their actions and nosy fucking behavior.

      I do not think its a problem to open a wallet enough to get a persons name and address so that it can be returned, but to attempt to record, interact with or, rifle through its for other information is a breach!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Jun 2016 @ 1:02pm

    "...because swiping the card does nothing more than (if it's legit) return the same information that's printed on the front of the card"

    This may not be exactly true. For credit and debit cards, the magnetic strip also contains a code that is not printed anywhere on the card. In theory a vendor needs that code to make a transaction when the card is present (source: https://en.wikipedia.org/wiki/Card_security_code).

    I assume prepaid gift cards sporting a Visa, Mastercard, or other major credit card company, would also have such a code.

    However even if it does, I'm not sure what impact (if any) it would have on a privacy argument.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 1:34pm

      Re:

      Interacting with any form of technology without a warrant is a clear violation.

      They would be in breach to use the numbers on the face to access the account without a warrant, therefore scanning the card to interact with any other component is the same.

      The information on the strip is not "conspicuous" therefore that makes it private and protected under the 4th! No ifs, ands, or buts!

      reply to this | link to this | view in chronology ]

  • identicon
    UniKyrn, 13 Jun 2016 @ 1:22pm

    Actually, mag-stripes are read/write

    Now knowing what to write on them is a different story, but the tech to re-write a mag-stripe has been around for decades. So, I can kind of see the judges point, that mag-stripe is not a fixed item. It's entirely possible, and probable, that somebody could emboss one number on the front, but the number that got submitted to commit fraud was different. How many sales clerks would notice the difference?

    The people forging cards, even those that should have security chips, obviously have easy/cheap access to devices that can write what ever they want onto a cards mag-stripe.

    reply to this | link to this | view in chronology ]

    • identicon
      I.T. Guy, 13 Jun 2016 @ 1:28pm

      Re: Actually, mag-stripes are read/write

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 1:36pm

      Re: Actually, mag-stripes are read/write

      Yeah a magnet will rewrite that may strip easily.

      Course the end result will be garbage information but hey it proves people can overwrite their card.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 2:11pm

      Re: Actually, mag-stripes are read/write

      It's safe to say no card issuer is going to let end users alter the coding on their cards.
      Should we consider that relevant? Maybe an end user wants to use an expired credit card to store a crypto key or something. (This could be very interesting with chip cards, if someone finds a way to reprogram them. But even a magstripe could hide a bit of data out of plain view, separated from possibly-compromised storage.) Just because the issuer doesn't like it doesn't mean it should be treated as illegal or as something not deserving privacy.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Jun 2016 @ 1:43pm

    What seems to be getting ignored here is that the information contained within that magnetic strip is very limited. It coontains "the card holder's name", "the card's account number", "the expiration date", "the card security number (CSC)" and the "card verification value (CSV)". This information allows the transaction between the retailer and the bank that holds your credit card account. This information is not protected by "privacy laws" and is only the result of ridiculous lawyers trying to stretch the law to cover data that should not be covered by privacy laws.



    The Card Security Code (CSC), also called the Card Verification Value (CVV)




    The expiration date
    The Card Security Code (CSC), also called the Card Verification Value (CVV)

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 1:56pm

      Re:

      There's a problem with that, though.

      What are the current contents of the floppy disk that AOL sent to me back around 1993? Hint: It's not the same as the original contents that AOL put on the disk.

      reply to this | link to this | view in chronology ]

  • icon
    Mat (profile), 13 Jun 2016 @ 2:05pm

    Huh.

    So what happens if you use one of those fancy card organizers that stores multiple cards on one chunk of plastic? user programmable is the whole point of those...

    reply to this | link to this | view in chronology ]

  • identicon
    Median Wilfred, 13 Jun 2016 @ 2:15pm

    What's on the "private" list?

    So 3rd Party-style doctrines cover this kind of abusive behavior. OK. What, exactly, does the 4th Amendment provision protect? Must be a pretty short list here in 2016, eh?

    Also, why don't we update the wording of these amendments, and the constitution in particular? The wording is way, way out of line from reality for most of them. I'm not talking "constitutional convention" or "ratify amendments", I'm just talking clear wording according to today's laws. It would keep stupid arguments to a minimum, economize on judicial decisions, things like that.

    I realize that this won't happen because of judges' proclivity to make rulings in favor of the legal profession itself, and if we had a clearly worded basic document, then lawyers would be just a little less necessary. Also, cops. If we had clear rules, then "good faith" exceptions wouldn't be nearly as applicable. So, just call me a crank.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 2:44pm

      Re: What's on the "private" list?

      I'm just talking clear wording according to today's laws

      That would allow the government to punch holes big enough to drive an aircraft carrier through into the constitution.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Jun 2016 @ 2:15pm

    The thing is, if someone makes the argument 'what if I never use my credit card' is absurd. The whole point in getting a credit card is to use it to buy things that you don't have the money at the time to pay for them.

    When you apply for a credit card, you are granting the entity you're using that card at to use the information on your card to properly charge your account for the goods or services you are buying.

    I simply don't find any reason why anyone would claim that the information on your credit card strip is private information when it is not. The appeals court came to the right conclusion. The information contained in that strip is not privacy information. I would rather think it would be the bank that could claim that, NOT the person whose name is on that card.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 2:22pm

      Re:

      I simply don't find any reason why anyone would claim that the information on your credit card strip is private information when it is not.

      Then why not post yours here?

      reply to this | link to this | view in chronology ]

    • identicon
      AnonymousNemesis, 13 Jun 2016 @ 2:22pm

      Re:

      You're aptly named.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 2:26pm

      Re:

      It has nothing to do with the fact that it's "private information" and everything to do with the fact that it's mine. It doesn't matter if I've handed it out to hundreds of businesses. In every case that's a voluntary exchange. So if the police want to do things involuntarily, they need a fucking warrant. And every time I've given it up to someone else it was with the implicit assumption that they won't give it to anyone else. So, if the police want to get that information from some business, I expect the company to tell them "alright, let us see your warrant".

      If it's really public information that is readily available to the public, then they can get it the same way the rest of the public can. But if you want to do something that every other average joe can't legally do, then you need probable cause or get a fucking warrant.

      reply to this | link to this | view in chronology ]

  • icon
    Ehud Gavron (profile), 13 Jun 2016 @ 2:22pm

    Legitimate vs illegitimate

    When you REACH into my pocket, PULL out my wallet, OPEN that wallet, EXTRACT the credit card, and ANALYZE it for hidden DATA that is a violation of my 4th Amendment rights.

    "It's safe to say no card issuer is going to let end users alter the coding on their cards. It either matches the info on front or it's not a legitimate credit card. "

    I'm going to respectfully disagree. It doesn't matter what you think the card-issuer is "going to let end-users" do. I get to copy magstripes as I see fit on my card. You may argue that the card is the property of the issuer. Yup. I'm allowed to mark on it, disfigure numbers, cut it up, etc. I'm also allowed to demagnetize it if I leave it on a loudspeaker, and that's not unlawful either. Writing a new mag stripe is just the same.


    As legitimate examples of lawfull use there are times when I don't want to "flash" my platinum card. However, I can encode its data onto the magnetic strip of my crappy Southwest Airlines credit card. Sure, the information doesn't match. However, it's still my card and I can swipe it and if I were stupid get cash advances on it.

    That's the simple example. Sometimes my business lets me have a card or a friend will lend me a car and their credit card to go purchase something. In that case the card doesn't even bear my name but I am legally authorized to use it. Should I copy THAT magnetic strip onto my Southwest Airlines card IT TOO would be legal for me to possess and use.

    The courts both erred in failing to address the plain-language meaning of the 4th Amendment. Is it a "search" to reach into my pocket, pull out my wallet, open it, extract a card, and put it in a card-reader? I believe the answer to all those is yes.

    The DATA on the magnetic strip on my card is *NOT* in plain-view, does *NOT* create any exigent circumstance, and is in *NO WAY* indicative of anything in and of itself. This is a fishing expedition hunting deep into where the unknown is.

    I argue a warrant is DEFINITELY required, and one that indicates with SPECIFICITY what is to be examined and why.

    E

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 2:35pm

      Re: Legitimate vs illegitimate

      When you REACH into my pocket, PULL out my wallet, OPEN that wallet, EXTRACT the credit card, and ANALYZE it for hidden DATA that is a violation of my 4th Amendment rights.


      To be fair to the police here, the cards weren't in the guy's wallet. There were over 50 cards; they wouldn't have FIT in his wallet. The seizure of the cards isn't at issue, only the search of the magnetic strip.

      reply to this | link to this | view in chronology ]

      • icon
        Ehud Gavron (profile), 13 Jun 2016 @ 3:59pm

        Re: Re: Legitimate vs illegitimate

        The key here is that the ***DATA*** on the magnetic stripe on the card is not obvious to the onlooker. It is not "in plain sight." I admit to using the wallet analogy to make it even more obvious how much they had to "reach" to get the ***DATA***.

        So what if I have 50 cards rubber-banded sitting on my car seat. At the very best you can see the front of one card and the back of another. You can't see the other 98 sides nor the stuff imprinted on them and you CERTAINLY can't *see* the ***DATA*** on the magstrip.

        I do believe the requirement for a warrant is palpable.

        E

        reply to this | link to this | view in chronology ]

  • identicon
    TripMN, 13 Jun 2016 @ 2:36pm

    So this makes me wonder about the difference between voluntary and coerced actions in cases like this.

    When you give your card to a cashier at a store, you are doing a voluntary action in buying something. You know your information is being used to make the transaction, but you choose to give it (or pay cash).

    When a cop takes your cards and scans them, my guess is that it is less than voluntary. There may be no threat of force given, but I'm guessing no one just gives the cops their credit cards to run voluntarily since the only thing you are going to get our of the transaction is nothing if your lucky and trouble if not.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Jun 2016 @ 2:40pm

    I'm really confused

    I thought the 3rd party doctrine applies if when the police get your information from a 3rd party (that you've shared the info with).

    I didn't think it applied to information they retrieved from you and then said that it's fair game, because you've given the same info to a third party in the past.

    Don't they actually have to get it from the third party, and not from you?

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 13 Jun 2016 @ 4:30pm

      Re: I'm really confused

      At this point the Third Party Doctrine can basically be summed up as 'Any information you share with anyone at any time is fair game and doesn't require a warrant to acquire.'

      reply to this | link to this | view in chronology ]

  • identicon
    David, 13 Jun 2016 @ 2:51pm

    Imaginary third parties?

    Even if it were to go Judge Kelly's way, the Third Party Doctrine would undo it, as payments with credit cards are very much a voluntary act in which purchasers know information about them is being relayed to retailers, card processing companies, and the card's issuer.

    Uh what? Third party doctrine concerns information actually given to third parties, not information that could potentially be given to third parties.

    I am allowed to search a credit card for differences to the printed information because if the information on the strip might differ from the printed information, it is conceivable that at some later point of time somebody else might be getting to read it?

    Isn't that sort of carte blanche? I can perform any search because it is conceivable that the results of such search might be made known to a third party at some unknown point in the future?

    I mean, what would be covered at all any more by the 4th Amendment given this nonsensical rationale?

    reply to this | link to this | view in chronology ]

  • identicon
    Personanongrata, 13 Jun 2016 @ 4:01pm

    Court Jesters and Pretzel Logic

    When the holder uses the card he "knowingly disclose[s] the information on the magnetic strip of his credit card to a third party and cannot claim a reasonable expectation of privacy in it."

    Jurisprudence pretzel logic.

    A credit card holder and vendor at the place of sale voluntarily agree to scan/read the magnetic strip in order to complete a transaction between the two parties.

    The specious government claim of Third Party Doctrine is just that a specious claim as when a credit card holder enters into an agreement with a credit card company it is strictly a matter between card holder and card provider. It is/was not an agreement to furnish details of a private business transaction with the government.

    Third Party Doctrine is simply the governments way of circumventing the protections of the 4th Amendment by saying -- because we say so.

    Third Party Doctrine is where timid court jesters go to hide and the Constitution dies.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 13 Jun 2016 @ 6:07pm

      Re: Court Jesters and Pretzel Logic

      Yep. This particular argument takes an already corrupt legal doctrine (the third party doctrine) and makes it even worse. That reasoning renders it legally impossible to have any privacy at all outside of your own head.

      It's insane.

      reply to this | link to this | view in chronology ]

  • icon
    Whatever (profile), 13 Jun 2016 @ 4:25pm

    More

    I also think the initial seizure / search also would not have been a good thing to argue, as the cards were on his person and generally subject to search.

    Card readers are not special in any manner. There is no special decoding required, nor is the information on the mag strip something controlled (normally) by the end user - it actually is information set by the card owner (the issuing company is technically owner of the card).

    It's another case of Techdirt erring too far on the side of protecting a non-existent privacy.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 13 Jun 2016 @ 4:37pm

    'Timely' indeed

    If the information on the card isn't protected then that means you can be compelled to hand over the card itself, and what with those new 'Drain a card dry on the spot' devices police are going to be increasingly using(because if you think that sort of thing will stay within a single state I've got some lovely lunar property to sell you) they can basically force you to hand over any money you might be carrying, cash or otherwise, and you'll have no grounds to refuse.

    reply to this | link to this | view in chronology ]

  • identicon
    UsedToBeGoodHiding, 13 Jun 2016 @ 5:16pm

    Dang it!

    Dag burn it! Now I'll have to find some place else to hide my 8192 byte long password!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Jun 2016 @ 5:21pm

    Box of 5,000

    So when I carry my box of 5,000 cards and am stopped by the police, will they scan all 5,000 of them to see if any hold cash?

    It wouldn't be that hard to set up my card writer to write out "GO AWAY COPPER!" on every magnetic strip in the box. Would take them a whole day to scan every card in there.

    And I would waste a whole day programming them if I knew it would be one (or two) less police on the road hassling other drivers.

    reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), 13 Jun 2016 @ 6:00pm

    Not true

    The magnetic strip on the back of a debit or credit card is a type of "external electronic storage device, [that] is designed simply to record the same information that is embossed on the front of the card." Accordingly, the information embossed on the front of the card and recorded in the magnetic strip will only be different if the card has been tampered with.


    This is factually incorrect. The magnetic strip on many debit cards, including two that I have, includes information that is not on the front of the card, including the card's PIN.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 13 Jun 2016 @ 6:55pm

      Re: Not true

      Come now, what's the harm in police knowing something like that, it's not like they've got a device capable of draining funds from a card or any account linked to it, so what possible problem could arise from them having access to both card and PIN?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Jun 2016 @ 11:27pm

      Re: Not true

      This is factually incorrect. The magnetic strip on many debit cards, including two that I have, includes information that is not on the front of the card, including the card's PIN.


      Wait. You can get the card's PIN just by swiping it? What kind of stupid security system is that?

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 14 Jun 2016 @ 8:33pm

        Re: Re: Not true

        It's crazy stupid, but one bank and one credit union I use do this. I never would have believed it until I had a most enlightening conversation with a teller when I was changing my PIN on one card. That led me to start actually looking at the data stored on the stripe, when I discovered a second that also stored the PIN.

        Aside from the idiocy that a crook can just read the PIN off the stripe, there's the additional idiocy that, with about $20 worth of equipment, you can also change the PIN on someone else's card.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2016 @ 4:16am

      Re: Not true

      I would also argue that if it is the "same information" then there would be no need to swipe the card, because they already have the card. They only want to swipe the card because it gives them more information.

      reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 13 Jun 2016 @ 7:06pm

    Very simple rule of thumb:

    If your average citizen without any connections can gain access to the information simply by asking for it, then odds are good it's not 'private'. If they cannot gain access simply by asking then it should be treated as private, with the requirement of a warrant for any access.

    (Though I'm sure the police/government would find some way of twisting the 'rule', offhand at least it seems like it would shoot down most of the more absurd claims regarding what and what is not private.)

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jun 2016 @ 12:23am

    Now when you get stopped by local law enforcement they ask "Will that be cash or credit?" before they bend you over the hood to service the account.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jun 2016 @ 5:58am

    "Unfortunately for the defendant, none of the dozens of credit cards and gift cards he was caught with returned information confirming him as the owner. All of the cards (which ranged from gas cards to Subway gift cards to Amex credit cards) contained information linking them to other cardholders."

    If someone has my credit card and I give the authorities permission to 'search' my credit card usage for the sake of tracking who has my credit card, then I don't see why a warrant is needed. The card is being 'searched' with the permission of the owner (an owner who gave no prior permission for someone else to use said card), no different than my house being searched with my permission.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2016 @ 8:51am

      Re:

      If someone has my credit card and I give the authorities permission to 'search' my credit card usage for the sake of tracking who has my credit card, then I don't see why a warrant is needed.


      But that has almost nothing to do with what happened here. It's not like they caught the guy while he was trying to use a card. Usage tracking had nothing to do with it. Also, you can be forgiven for believing what Tim wrote, but it was technically incorrect - not *all* of the cards had information linked to other cardholders. Ten were blank. (Read page 2 of the embedded document.) And the police couldn't know whose they were until *after* they scanned them, since the front of at least some of the cards had the suspect's name on them.

      You can't say "well, some random person gave us permission to search for their card, therefore we can search all cards we may happen to find anywhere, just in case it happens to be theirs." That's like saying "hey, a car was stolen and the user gave us permission to get it back, therefore we can search all garages just in case that car is in it."

      I mean... 59 cards in a duffle bag is suspicious. The police correctly figured that something was up. But if there's probable cause to think a crime was committed, why not get a warrant?

      reply to this | link to this | view in chronology ]

    • icon
      Ehud Gavron (profile), 14 Jun 2016 @ 8:53am

      Re:

      Yes while you're eager to give YOUR rights away, allow me to point out that the police -- looking at a pile of credit cards -- have NO WAY OF KNOWING before scanning them who the "identified person in the data" is.

      That means not only do they NOT have anyone's permission to search the data, but that this "owner" thing you claim has nothing to do with the "identified person in the data".

      Even if you are that person who has said "Hey I'm John Doe and I give police everywhere permission to look in everyone's pockets for my credit card" this is not that and you can't provide police that privilege.

      Sorry, Johnny, but your false "I'm the owner and I allow police to search other people's magstripes" logic doesn't in any way make sense NOR trump the need for a SEARCH WARRANT.

      E

      reply to this | link to this | view in chronology ]

  • identicon
    None of your business, 14 Jun 2016 @ 10:32am

    Credit Cards SUCK

    That ruling is PURE AND UTTER BULLSHIT. Any financial institution has a fiduciary responsibility and obligation to keep financial data secure. Where the banking system can't be trusted to that extent, no government should be insuring them. And no customers should be using their services. BAD FAITH from the gitgo is a culpable crime against the sanctity of all human endeavors and should not stand any test of time.

    reply to this | link to this | view in chronology ]

  • identicon
    g, 14 Jun 2016 @ 12:37pm

    "Even if it were to go Judge Kelly's way, the Third Party Doctrine would undo it, as payments with credit cards are very much a voluntary act in which purchasers know information about them is being relayed to retailers, card processing companies, and the card's issuer."

    I would argue that by carrying the card, I have chosed an added layer of privacy and security since if I carried the equivalent cash, the police could just seize that too. If they can do the same with cards, what rights do we really have?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.