The ongoing court battle over warrantless cell phone location tracking continues and the latest decision is another setback for the Fourth Amendment. The Fifth Circuit Court of Appeals held that individuals have no reasonable expectation of privacy over their location data. The decision states that location data is a "business record" created by private companies with the implicit consent of cell phone users and therefore are not subject to privacy protections.
[C]ell site information is clearly a business record. The cell service provider collects and stores historical cell site data for its own business purposes . . . the government merely comes in after the fact and asks a provider to turn over records the provider has already created.
The rationale is that cell phone companies are not required by the government to create or retain this data and that citizens are not required by the government to carry or use cell phones, thus making this data subject to the Third Party Doctrine and removing any expectation of privacy.
This rationalization goes counter to the recent NJ Supreme Court decision
(unrelated other than in subject matter), which found that location data should
be subject to privacy protections for nearly the same reason. Although cell phones aren't in any way "mandatory," the court stated that no one uses a cell phone with the intent of creating a location-specific metadata trail for law enforcement to scoop up without a warrant.
The decision to declare cell phone location data "business records" also plays into the hands of intelligence agencies like the NSA and FBI, allowing them to harvest vast amounts of data on Americans without running the risk of violating their constitutional rights (at least, not according to these interpretations). The court also added that there is some form of recourse for citizens worried about their rights being violated -- but both suggestions are a dead end.
"But the recourse for these desires is in the market or the political process: in demanding that service providers do away with such records (or anonymize them) or in lobbying elected representatives to enact statutory protections."
As the ACLU points out, neither of these "remedies" are likely to result in additional privacy protections.
Regarding the first point, perhaps the court is unaware how opposed the cell phone companies are to even disclosing how long they keep subscriber data. It took a nation-wide public records act request campaign before we received a Justice Department information sheet on how long carriers keep such records. (According to the 2010 document, Verizon keeps historical cell phone records for "1 rolling year" while Sprint keeps them for "18-24 months.") There is no cell phone company that doesn't retain historical cell site location data, or even one that keeps it only for a short time. And anyway, our Fourth Amendment rights should not depend on the largesse of for-profit corporations.
As for pressing for Congressional change, the ACLU has been doing just that for years. (The federal statute the government uses to obtain cell phone location records was written way back in 1986 and hasn't been meaningfully updated since.) But the mere fact that some other branch of government could provide a remedy is no reason for courts to take a pass on protecting Americans' privacy.
Expecting corporations to protect your privacy is, for the most part, a non-starter, especially if these corporations can monetize the data in any way. Furthermore, how many people actually believe the government would allow cell phone providers to simply scrap the data (or anonymize it) once it's served it purpose (monthly billing, for instance), rather than retain it for months on end? Intelligence agencies and law enforcement would simply push for legislation and court orders to ensure this flow of data continues uninterrupted.
In a 25-page dissent, Judge James Dennis pokes holes in the majority's "business records" rationalization, quoting Justice Sotomayor's reservations about the majority's opinion in US vs. Jones
[In future cases] considering the existence of a reasonable societal expectation of privacy in the sum of one’s public movements[,] . . . it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. . . . I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.
By allowing law enforcement to access "business records" without a warrant, the Court opens up the possibility that these agencies will find a person's internet history, email and contact lists to be similarly devoid of Fourth Amendment protections. Saying one thing is
a business record and one thing isn't
only further obscures an aspect that needs clear delineation, one that would preferably draw the line before
location data rather than attempt to determine which "parts" of a person's cell phone are subject to privacy protections.
We also have to ask why there's such an aversion to obtaining a warrant. In many cases, the information needed is historical. In other cases, when something more current or time-sensitive might be needed, there are emergency orders and other legal remedies (once in the courtroom) to allow some warrantless data collection to be admitted as evidence. The more these battles drag on, the more it appears that these agencies are benefiting from multiple interpretations of outdated laws, a benefit they'd clearly prefer to keep intact. This creates a path of least resistance, which becomes especially problematic when combined with the agencies' natural tendency to collect as much data
as possible, "just in case."