This fall may prove a landmark in the ongoing debate between security and privacy. Poised to take action are both the U.S. Supreme Court, in Carpenter v. United States, and the U.S. Congress, with the impending sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Decisions made—or not made—this autumn will have ripple effects in the United States and around the globe.
This post explains the dynamics of the Supreme Court’s upcoming decision in Carpenter, and how it could impact this and other important surveillance authorities. It then discusses the implications of Carpenter to the emerging global privacy regime, and the conflicts of law that may ensue.
The Supreme Court
In its upcoming term, the Supreme Court will reconsider the so-called third-party doctrine, which states that an individual has no reasonable expectation of privacy under the Fourth Amendment in information voluntarily disclosed to third parties. The doctrine is over forty years old and traces its roots to earliest Fourth Amendment jurisprudence; but many—including Justice Sotomayor in her concurrence in United States v. Jones—question whether the doctrine is still appropriate given the digital world, a world in which we routinely share mountains of personal data with third parties via mobile devices, apps, web-based email, and increasingly even cars and clothing. With every movement we make while holding our cellphones, wearing our web-enabled fitness devices, and making online purchases, we freely hand over information that, either in isolation or in aggregation, can reveal tremendous things about us, suggesting a fundamental constitutional question: is the Government entitled to such personal information without a warrant?
In Carpenter v. United States, the Court this term will consider whether there is a protected privacy interest in the history of our locations, which, whether consciously or not, we routinely turn over to our wireless carriers. The Sixth Circuit, in United States v. Carpenter, applied the third-party doctrine to find that Carpenter had no reasonable expectation of privacy in cell site location information (CSLI) maintained by his telephone company and accessed by the Government under the Stored Communications Act (SCA), which permits the government to obtain records that are “relevant and material to an ongoing investigation.” Carpenter, along with a co-defendant, were convicted in the Eastern District of Michigan for several robberies that took place in and around Detroit. To build its case, the FBI requested Carpenter’s CSLI, which had been collected each time he made a call and his mobile phone pinged the nearest cell tower. The CSLI did not contain the content of his calls, but it did provide valuable metadata, including the date, time, length of each call; the phone numbers engaged on the call; and the cell sites where the call began and ended. From this information, the FBI put together a map of where Carpenter had been over the course of 127 days, which proved critical to securing the conviction.
On appeal, the Sixth Circuit affirmed on third-party doctrine grounds, holding that the defendant had no reasonable expectation of privacy in business records kept by the phone company. While content is protected under the Supreme Court decision Katz v. United States, the metadata is not. The court reasoned that, like the suspected robber in Smith v. Maryland whose dialed numbers were communicated to the telephone company and then collected by the government via a pen register, Carpenter must have known that phone companies receive (and record) the type of information collected by the police here.
Importantly, the Sixth Circuit also distinguished the 2012 case of United States v. Jones, in which the Supreme Court denied law enforcement’s attempts to track a defendant’s location by attaching a GPS to his car. The Sixth Circuit explained that unlike in Jones in which a GPS was directly affixed to the defendant’s vehicle, this tracking resulted from information handed over to a third-party and kept in the ordinary course of business. The Jones court also anchored its holding in a trespass theory in which the attaching of the GPS device was a trespass to Jones’s property under the Fourth Amendment, which for many observers was a convenient solution to an increasingly thorny third-party problem.
In Jones, Justice Sotomayor, in her concurrence recognized that classic third-party doctrine may no longer apply and urged the court to confront the issue squarely, which it finally may do this fall in Carpenter.
Similarly, observing Justice Sotomayor’s concurrence in Jones, Judge Stranch in her concurrence in Carpenter argued that it is for the courts, not legislators, to design an updated Fourth Amendment doctrine to accommodate 21st century realities. She expressed two concerns that may help define the parameters for a Supreme Court decision. First, she found troubling the volume of governmental tracking permissible under current tests, which the Sixth Circuit earlier seemed concerned with in United States v. Skinner, where it stated: “There may be situations where the police, using otherwise legal methods, so comprehensively track a person’s activities that the very comprehensiveness of the tracking is unreasonable for Fourth Amendment purposes.” Second, Judge Stranch seemed bothered by the temporal aspect, questioning how long is it permissible for the Government to go back in time to acquire business records, with 127 days seeming excessive.
In agreeing to grant certiorari, the Court may be indicating a desire to define the new floor and ceiling for permissible searches under the third-party doctrine. It may decide to factor in volume, temporality or some other distinction –for example, single-source data or aggregated data. Or, it could resolve the case on a very narrow holding and, disagreeing with Judge Stranch, defer to the political branches, including Congress, to draw the line between privacy and security.
If the Court does defer, Congress’s action in the upcoming reauthorization debate of Section 702 of the Foreign Intelligence Surveillance Act (FISA) may become that much more significant.
FISA Section 702, set to expire at the end of 2017, permits the government to conduct surveillance, without a warrant, in order “to obtain foreign intelligence for national security purposes [that] is directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States.” It is a foundational surveillance authority of tremendous utility. But, it is vulnerable because, while a tool of foreign surveillance, it does not prohibit what is essentially inevitable: “incidental” collection and retention of overseas communications that may include or concern, U.S. persons (USPs). Section 702 also does not prohibit querying the 702 database, or information gathered under the authority of 702, using USP identifiers (e.g., a name or a phone number) to see if there are any matching results. Constitutional support for the program has traditionally resided in the often-upheld argument that querying the 702 database is not a search under the Fourth Amendment because the information has already been lawfully collected. It is not unlike the plain view doctrine in which police that are lawfully in a home for one purpose, can collect evidence of other crimes that are in plain view.
There is, therefore, also a third-party aspect to Section 702. In the government’s efforts to collect information on foreign powers or agents of foreign powers, an unsuspecting individual becomes the third party who may have his or her information incidentally collected—a probability that increases with more means of digital communications—and then searched via FBI USP queries.
This precise Section 702 issue is not scheduled to be before the Supreme Court, but a larger third-party holding in Carpenter could impact it, even if Congress acts before the Court.
If, on the other hand, the Court issues a narrower holding, Congress will remain the institution to decide whether to reauthorize Section 702 and whether to make any privacy-centric reforms, particularly to incidental collection and querying the 702 database with USP identifiers. For example, Congress could prohibit USP queries outright, permit them only for potential victims of crimes or terrorist events or permit them with some heightened judicial showing, either before—with exigency procedures—or after the fact. It could also preserve the core authority while making some reforms, such as limiting the retention or access period for USP information, heightening auditability requirements for unmasking USP information and increasing the use of amici curiae. Some versions of these latter reforms have been circulated recently by the House Judiciary Committee.
But, even a more limited Supreme Court holding confined to metadata could have a ripple effect on FISA. In 2015, Congress reauthorized FISA Section 215, the so-called telephone metadata program, which Snowden brought to the world’s attention and which is directly grounded in the third-party doctrine. Like CSLI, telephone metadata does not involve content, rather it encompasses information about calls kept by telephone companies for billing and other business purposes. After a very contentious debate, Congress reauthorized Section 215, but it made a series of privacy-enhancing reforms, specifically ending “bulk collection” of that metadata and requiring prior judicial authorization to access that information. A decision in the Carpenter case could certainly impact the 215 program, something the Court should be made aware of before it decides how broad a ruling to issue.
U.S. decisions can have broad implications both at home and abroad, especially in those countries that are also working to define their lines between privacy and security in the digital age.
Take Europe for example. The definition of personal data is set to expand under the European Union General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018, and will soon explicitly include “location data.” The European Convention on Human Rights, an international treaty drafted in the immediate aftermath of the Second World War, contains a series of core principles that promote human rights. Article 8 sets out that everyone has the “right to respect for his private and family life, his home and his correspondence.” That core principle is further defined in the EU Charter of Fundamental Rights, which requires states to ensure, among other things, that every person “has the right to the protection of personal data concerning him or her,” and that such data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.”
GDPR will further define it to explicitly include location data, setting up a potential conflict of laws, especially for U.S. companies that do business in Europe.
While any broad U.S. Supreme Court pronouncements on this issue are unlikely to be adopted as persuasive authority by European courts, in which the privacy analysis is done on a case-by-case basis (and, especially after GDPR goes into effect, with a presumption in favor of an expectation of privacy in location data), there is an extraterritorial dimension of the GDPR which could substantially affect the privacy analysis with respect to U.S. organizations that routinely process EU citizens’ personal data.
In other words, government requests for consumer information that would not violate the Fourth Amendment might run afoul of the GDPR, thus setting up a conflict between U.S. and EU law.
Where this conflict would be most felt is for those U.S. companies that come under GDPR requirements. The extra-territorial effect of GDPR is more extensive than many realize. For example, the GDPR could directly apply if a U.S. organization is monitoring the activity of individuals in the EU, or if it is offering its goods or services to individuals located there. Similarly, the GDPR will apply if the U.S. organization collects or hosts personal data as a service provider to an EU business which is itself subject to the GDPR. This means that such an organization will be required to comply with the GDPR, and also face potentially substantial penalties—a maximum of the greater of 4 percent of the global turnover for the preceding financial year or €20 million—for failing to comply with these obligations.
Furthermore, the GDPR provides that any third country “judgment of a court” requiring a controller or processor “to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty [MLAT], in force between the requesting third country and the Union or a Member State….”
It could then follow that U.S. companies which are subject to the GDPR may be in an unenviable position when they are required to comply with a warrant, outside of an MLAT, with respect to location information held in Europe or that relates to European individuals. Those U.S. companies may find themselves on the horns of a dilemma in which they can either: face sanctions for not complying with the U.S. warrant for location information; or comply with the warrant and but be in breach of the GDPR.
Previous third-party related surveillance issues have already caused conflicts between the United States and Europe. The bulk collection program under FISA Section 215, for example, was a key factor in the Court of Justice of the European Union’s (CJEU) decision to deem the Safe Harbor agreement between the European Commission and the United States invalid. The Court felt that the Safe Harbor agreement allowed for government interference with the privacy protections required by EU legislation, and therefore, the European Commission, by entering into the Safe Harbor agreement, violated Articles 7 and 8. The outcome of the decision was to deem any transfers made under the Safe Harbor decision unlawful and required the implementation of the Privacy Shield, a redesign of the Safe Harbor agreement that also required additional US legislative safeguards. While the Privacy Shield agreement has recently passed its annual review, there are indications that, privately, there are concerns on both sides with respect to its operation.
Similar concerns about government interference was a key factor in the recent referral by the Irish Courts to the CJEU in DPC v Facebook Ireland and Maximillian Schrems which related to the use of Model Contract Clauses to transfer personal data to the United States, and which stresses the continuing sensitivity of the issue.
The Stakes are High
The upcoming months may prove to be a watershed year for the third-party doctrine, and for the larger debate between the appropriate balance between privacy and security. What is decided in the United States will also have impacts beyond its borders, especially where personal data belonging to non-U.S. residents are being processed by U.S. businesses or within the United States, and could give rise to judicial and legislative conflicts between the United States and Europe.
Ultimately, the stakes are high, and the equities on both sides of the privacy and security debate equally important. The truth that should guide both the Court and Congress is that there is no true privacy without security, and no true security without privacy. Bright lines may be elusive, but reasonable doctrines and statutory lines can—and increasingly must—be drawn.