Come Back with a Warrant: The Potential Impact of the Carpenter Decision Beyond Cell Phones – Info Gadgets

This summer, the Supreme Court ruled in Carpenter v. United States that cell phone location information was subject to Fourth Amendment protections rather than the third party doctrine, which allows law enforcement to obtain such information with only a subpoena. In general, this ruling reflects contemporary norms about how we use today’s technology to share personal information with a third party without fully abolishing the third party doctrine.

By subjecting certain data to Fourth Amendment protections, the Court increased the standard that must be met for law enforcement to access such data as part of an investigation. Under the prior standard that only required a subpoena, it was easier for prosecutors and law enforcement to prove that such information was necessary to the investigation. For data protected by the Fourth Amendment, law enforcement must show probable cause and obtain a warrant from a judge before requesting such information. Ideally this will limit such requests to only the data actually relevant to the case and help provide a check on civil liberties.

The Court was quick to point out that the ruling should be considered narrow in its application, but many technologies provide the same or even more sensitive data than the cell phone location data at issue in Carpenter. Courts will likely be called to rule on these questions increasingly often in the future and will have to answer these often tricky legal questions.

Much like cell phones, wearable tracking technologies like FitBits and Apple Watches provide a good deal of information about a person’s location and activity at a specific time. Already, data from such wearable technologies have been used as evidence in a murder trial and to support a defendant’s alibi. Although not specifically mentioned, it is probably safe to assume that device location data collected would be subject to Fourth Amendment protections in the same way as the cell service location information at issue in Carpenter.

But many of these devices have the ability to collect more personal information than cell phones, such as pulse rates, that could also be used in investigations like the cases mentioned above. The Court based its decision in Carpenter on its previous findings that a person has a “reasonable expectation of privacy in the whole of their physical movements.” There are additional privacy requirements, such as HIPAA, regarding the sharing of medical information, but the narrow tailoring of such statutes often does not currently apply to a wearable device or an app creator when information is willingly shared. At what point one has or ceases to have a reasonable expectation of privacy in the data like heart rate and general activity uploaded via such devices will likely be an issue in coming years.

Questions surrounding the possible application of third party data to genetic databases created through products like 23andme or Ancestry DNA are also likely to arise in the coming years. Recently, the potential application of these DNA services to help solve cold cases has come to light with the Gold State Killer case. Law enforcement used an open source database, GEDMatch, and worked with genealogists to identify a suspect through existing DNA information and the information uploaded by potential relatives. Many would assume that genetic information such as genomic mapping should easily fall in the category of “reasonable expectation of privacy;” however, those individuals uploading the information to a searchable public database for genealogical purposes could reasonably be seen to have waived their rights to such privacy. In some cases the terms of service clearly indicate that such rights have been waived.

The use of such services raises unique questions not just of third party doctrine as with location data, but of fourth party consent. In cases of third party doctrine, one party knows or should know that they have given the information to someone not directly involved in the transaction and made that information public. But in these “fourth party” scenarios, the party whose information is discovered was not involved in the decision to give that personal information to someone else.

As R Street’s Lars Trautman and Nila Bala point out, “In these new fourth-party cases, we may not have given up the expectation of privacy.” By entering genetic information into an open source database, one is not only giving up his or her own genetic privacy, but at least some of the genetic privacy of all of his or her relatives. As such, it seems like a Carpenter-esque response protecting the genetic information of individuals who had not themselves been involved in providing information to such databases could be on the horizon. This could be grounded in the fact that, like cell phone location information, an individual is not knowingly providing access to their genetic information when an unknown second cousin chooses to waive such privacy.

As my colleague Jordan Reimchisel argued in his discussion of the Golden State Killer arrest, “The recent arrest of DeAngelo thanks to forensic genetics, and the reports of rapid increases in these techniques, make it clear that courts must rethink their application of the Fourth Amendment. Legislatures at all levels ought to also consider how they might implement new protections that go beyond current jurisprudence.” Carpenter shows that the Supreme Court is aware that our increasing willingness to share previously private data as part of our connected culture may shift our understanding of where the lines of public and private are.

It took the Supreme Court over 20 years to update its view of the Stored Communications Act and third party doctrine to cover cell phones. It is unlikely that clear answers on where and when information used with current disruptive technology like wearables, at-home genetic testing, and Internet of Things devices are coming soon. Still, while narrowly tailored, restricting Carpenter to only location data also seems unlikely.

These concerns also raise questions of how we should approach Fourth Amendment protections more generally. In some ways, they show just how difficult it is to determine what is and isn’t a reasonable expectation of privacy in our increasingly data-sharing world. But even a more traditional analysis of basic questions such as when there is a search and when there is a seizure become more complicated when the “real world” and cyberspace intersect.