Carpenter v. United States: Big Data is DifferentPublication Date: July 20, 2018 19 minute read
Carpenter v. United States, 585 U.S. ___ (2018) (Roberts, C.J.).
Response by Margot E. Kaminski
Geo. Wash. L. Rev. On the Docket (Oct. Term 2017)
Slip Opinion | SCOTUSblog
Carpenter v. United States: Big Data Is Different
A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age.1 On June 22, in Carpenter v. United States,2 the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental,3 Chief Justice Roberts’s opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law.
In short, the Court in Carpenter has declared that Big Data is different. Just how different remains to be seen.
A Reasonable Expectation of Privacy in Shared Information
The question addressed in Carpenter—whether obtaining historic location information from cellular phone service providers constitutes a search under the Fourth Amendment—arose at the confluence of two lines of cases.4 One addresses location tracking in public spaces,5 and the other addresses records that have been shared with third parties.6 Until recently, neither doctrinal thicket looked particularly good for Timothy Carpenter, or for privacy. But the Carpenter decision does not come out of thin air. Starting with the Court’s recent GPS-tracking decision in United States v. Jones7—and what has been referred to as the Jones “shadow majority”8—the Supreme Court has recently appeared to take a different approach to Big Data. Carpenter cements this change.
Historically, Fourth Amendment searches were connected to concepts of physical property. Early wiretap case law notoriously found that tapping a person’s phone line did not constitute a search because it did not require physical trespass.9 In Katz v. United States,10 however, the Supreme Court overruled that wiretap case and found that “the Fourth Amendment protects people, not places.”11 Privacy protection can travel with a person into the public sphere.12 Under the Katz reasonable-expectation-of-privacy test, courts must ask (1) whether a person has shown a subjective expectation of privacy and (2) whether society is prepared to recognize that expectation of privacy as reasonable.13
Under the Katz test, the Supreme Court initially refused to find an expectation of privacy in either public location information14 or information voluntarily shared with companies.15 In United States v. Knotts,16 a case about using a beeper to remotely track a vehicle’s location, the Court found that a person does not have an expectation of privacy in her location information in public streets because she has “voluntarily conveyed” that information “to anyone who wanted to look.”17 The third-party doctrine similarly reasons that when a person voluntarily turns information over to a company such as a bank or a telecommunications company, she assumes the risk that it will be more widely shared, including with the government.18
The third-party doctrine rests on two related prongs of reasoning: that the information shared is not really sensitive (or private, or confidential) in nature, and that by sharing it a person assumes the risk it will be shared further. Bank records, the Court reasoned in United States v. Miller,19 are not sensitive information but “negotiable instruments.”20 Phone numbers dialed are treated the same way.21 Sharing information with a company only bolsters the argument that the information is not sensitive or private in nature because, the reasoning goes, a person would not knowingly assume the risk of further sharing if the information were in fact sensitive. These two prongs of reasoning together obviate arguments for both a subjective and objective expectation of privacy under Katz.
Thus, the Court in Carpenter faced two questions: whether cell-site location information is different in nature than these two categories of information addressed in Miller and Smith v. Maryland22 (bank records and phone numbers dialed), and whether the same logic of “you shared it and therefore you assumed the risk it would be shared further” should apply.23 The dated doctrine on public location information and third-party sharing pointed strongly against a holding for Carpenter. But in recent years, serious changes have been brewing in the Court’s Fourth Amendment jurisprudence.
Big Data Is Different
In Jones, all nine Justices of the Court held that placing a GPS tracker on a car for twenty-eight days constituted a Fourth Amendment search. Jones began the process of unraveling Knotts, and with it, in the tangible distance, the third-party doctrine. The majority of the Court found for Jones on a theory of physical trespass, as the government physically placed the tracker on the car. The so-called “shadow majority” of the Court, however—created by Justice Sotomayor who wrote separately to join the majority but also to indicate agreement with Justice Alito’s four-Justice concurrence—found that location surveillance today is qualitatively different than it was in 1983. Knotts contained a loophole for more sophisticated, pervasive, persistent surveillance of location data,24 and the Jones shadow majority drove the GPS-tagged car right through it.25
It is hard to emphasize just how important Justice Sotomayor’s Jones concurrence is. In the age of Big Data, when information can be gathered, stored, and analyzed cheaply,26 Justice Sotomayor reasoned that location data is not just location data anymore. It is transformed, through inference-making, into other, more historically sensitive information: “familial, political, professional, religious, and sexual associations.”27 It is this line of reasoning that Chief Justice Roberts directly picked up in the Court’s cell phone search case, Riley v. California,28 finding that data is not just data, but all the sensitive things—including First Amendment interests in free speech, freedom of religion, and freedom of assembly—that one can infer from it.29
Thus, the central move in Carpenter stems from Justice Sotomayor’s opinion in Jones and Chief Justice Roberts’s opinion in Riley, and reasons that, in large enough quantities and at great enough detail, public location information becomes something different, something more. The central, narrow holding in Carpenter is that in the age of Big Data, detailed historic location information is now sensitive information.30 A person can have a reasonable expectation of privacy in it, despite having ventured through public places. This evidences two important moves in the Court’s reasoning about Big Data: (1) an understanding that formerly categorically nonsensitive data can become categorically sensitive through the inferences one makes using it; and (2) the beginning of an understanding that the law should protect sensitive inferences themselves, regardless of the sensitivity of the underlying data being revealed.31
The second important move in Carpenter is, of course, its handling of the third-party doctrine. This was the most anticipated aspect of the case. The Court found that if information is sensitive, the fact that you have shared it (essentially nonvoluntarily as a condition of digital services) does not eliminate your expectation of privacy.32 This is a point that scholars33 and civil society34 have been making for years. As Sotomayor wrote in her Jones concurrence, it was high time for the Court to address and curb the scope of the third-party doctrine.35
Broader Implications for Other Technology and Other Laws
As factually-bound as the Carpenter decision explicitly is,36 common law by its very nature extends to other facts.
First, Carpenter has clear implications for other technologies under Fourth Amendment law. The biggest immediate impact may be on email. The Stored Communications Act (“SCA”)37 has been criticized for years for allowing police to obtain emails stored over 180 days, with the Sixth Circuit finding in 2010 that its application to emails is unconstitutional, despite the third-party doctrine.38 Now that the third-party doctrine has been defanged, this argument has a great deal more heft, as the contents of communications have historically been considered sensitive information.39
The Court’s cabining of the third-party doctrine will also affect near-future technologies. Scholars, myself included, have rolled out disaster scenarios of how police might harness the surveillance capacities of in-home robots,40 the Internet of Things,41 or Amazon’s Alexa42 under the third-party doctrine. Now that scenario is far less certain. Carpenter suggests that if these devices gather sensitive information, courts will find that Fourth Amendment protections apply even if that information is shared with service providers. Both cellular phone usage and location data sharing are not voluntary in any meaningful sense, the Court found, in part because it is now socially necessary to have a cell phone.43 Thus, any wide social adoption of these other devices will actually now argue for, rather than against, Fourth Amendment protection, limiting Katz’s potentially slippery slope.44
Carpenter’s potential impact goes beyond the third-party doctrine as well. Technologies that gather location information in public places, such as police surveillance drones, now face heightened Fourth Amendment attention. I and others have been arguing since Jones that police drone surveillance should be subject to a warrant requirement.45 While Justice Roberts is careful in Carpenter to limit the holding to not apply to other forms of surveillance in public (such as video cameras), it is hard to argue how the case’s reasoning about the sensitivity of location data would not apply to persistent drone surveillance or, for that matter, to police body cameras. This is especially the case because drones and body cameras, unlike cell phones, do not risk running into any remaining aspects of the third-party doctrine.
Finally, Carpenter’s clear holding—that one can have a reasonable expectation of privacy against being location-tracked for more than six days at a time in public—may also affect privacy laws that address the private sector. This pushes back against arguments, such as that made by Justice Gorsuch in his dissent, that the Fourth Amendment’s reasonable-expectation-of-privacy standard should be linked to the content of existing positive law.46 In fact, Carpenter shows that Fourth Amendment jurisprudence might expand positive law protections.47 For example, both Wisconsin and Florida have drone surveillance laws that apply to the private sector and restrict recordings where a person has a “reasonable expectation of privacy” (Florida’s only applies on private property, but it is still a noteworthy regulation).48Carpenter’s expansion of sensitive information to include information that has been shared in public and with others may impact future litigation under these laws. More generally, Carpenter’s reasoning that privacy protections travel with sensitive data—even when it is controlled by third parties49—could develop into a hook for more complex private sector data privacy regimes in the future.
The dissents in Carpenter criticize the majority for opening the floodgates to more Fourth Amendment litigation with a fuzzy test.50 I understand the majority opinion rather differently. Because Fourth Amendment protection is inherently fuzzy—it is about applying a reasonableness standard, after all—the majority in Carpenter in fact draws a clear line around a clear category of information that should by default (but not always51) be subject to a warrant requirement: detailed historic location data. In addition, the majority provides numerous guideposts for ascertaining when other information might be moved into the category of sensitive information and thus outside of the scope of the third-party doctrine.52
Of course, the big puzzle in the age of Big Data is that all information is arguably sensitive information because of the inferences that can now be drawn.53 This will now be the looming question for the Fourth Amendment and for privacy law more generally, rather than whether we have privacy in information shared with third parties: if location data becomes sensitive data because of the inferences we can draw from it, why not phone records? Or bank records?54 Or . . . everything?55
Margot E. Kaminski teaches, researches, and writes on law and technology. Her work has focused on privacy, speech, and online civil liberties, in addition to international intellectual property law and legal issues raised by AI and robotics. Recently, much of her work has focused on domestic drones (UAVs or UASs). Her academic work has been published or is forthcoming in the UCLA Law Review, Minnesota Law Review, Southern California Law Review, Boston University Law Review, and Washington Law Review, among others. From 2014 to 2017, she was an Assistant Professor at The Ohio State University Moritz College of Law; and since 2017, she has been an Associate Professor of Law at Colorado Law.
Kaminski is a graduate of Harvard University and Yale Law School. While at Yale, she co-founded the Media Freedom and Information Access Clinic (MFIA), a law school clinic dedicated to increasing government transparency, defending the essential work of news gatherers, and protecting freedom of expression. She was a law clerk to the Honorable Andrew J. Kleinfeld of the Ninth Circuit Court of Appeals in Fairbanks, Alaska. She worked at a literary agency prior to law school, and has worked at Creative Commons and the Electronic Frontier Foundation. From 2011–2014 Kaminski served as the executive director of the Information Society Project at Yale Law School, an intellectual center addressing the implications of new information technologies for law and society. She remains an affiliated fellow of the Yale ISP.
- See, e.g., Gerald G. Ashdown, The Fourth Amendment and the “Legitimate Expectation of Privacy”, 34 VAND. L. REV. 1289, 1315 (1981); see also Danielle K. Citron, Mainstreaming Privacy Torts, 98 CAL. L. REV. 1805, 1852 (2010) (“[C]ourts might move beyond their narrow conception of ‘private’ information. Rather than reflexively dismissing public disclosure claims on the grounds that plaintiffs revealed personal information to others . . . .”); Susan Freiwald, First Principles of Communications Privacy, 2007 STAN. TECH. L. REV. 3, ¶¶ 46–49; Stephen E. Henderson, The Timely Demise of the Fourth Amendment Third Party Doctrine, 96 IOWA L. REV. BULL. 39, 39–40 (2010); Daniel J. Solove, Digital Dossiers and the Dissipation of Fourth Amendment Privacy, 75 S. CAL. L. REV. 1083, 1135 (2002).
- No. 16-402, slip op. at 17 (U.S. June 22, 2018).
- Id. at 17 (“Our decision today is a narrow one.”).
- Id. at 7 (“[R]equests for cell-site records lie at the intersection of two lines of cases, both of which inform our understanding of the privacy interests at stake.”).
- See United States v. Knotts, 460 U.S. 276 (1983); United States v. Karo, 468 U.S. 705 (1984); United States v. Jones, 565 U.S. 400 (2012).
- See United States v. Miller, 425 U.S. 435 (1976); Smith v. Maryland, 442 U.S. 735 (1979).
- 565 U.S. 400 (2012).
- See In re Application of the United States of America for an Order Authorizing Disclosure of Historical Cell Site Information for Telephone Number [Redacted], 40 F. Supp. 3d 89, 92 (D.D.C. 2014); Jonathan Siegel and Kate Hadley, Jones’ Second Majority Opinion: Justice Alito’s Concurrence and the New Katz Test, 31 YALE L. & POL’Y REV. INTER ALIA 1, 2 (2012); Margot Kaminski, Three thoughts on U.S. v. Jones, CONCURRING OPINIONS: THE LAW, THE UNIVERSE, AND EVERYTHING (Jan. 24, 2012), https://concurringopinions.com/archives/2012/01/three-thoughts-on-u-s-v-jones.html (“The real result of Jones is thus not a narrowly held majority about physical trespass. It is, for precedent-citing purposes, but not for its impact on practice or lower courts. Sotomayor uses her concurrence to clearly signal to cops and judges. The next time one of these cases comes up, Sotomayor will be joining Alito on the reasonable expectation of privacy question.”).
- See, e.g., Olmstead v. United States, 277 U.S. 438 (1928).
- 389 U.S. 347 (1967).
- Id. at 351.
- Carpenter v. United States, No. 16-402, slip op. at 12 (U.S. June 22, 2018) (“A person does not surrender all Fourth Amendment protection by venturing into the public sphere.”).
- See id. at 5 (“When an individual ‘seeks to preserve something as private,’ and his expectation of privacy is ‘one that society is prepared to recognize as reasonable,’ we have held that official intrusion into that sphere generally qualifies as a search and requires a warrant supported by probable cause.” (quoting Smith v. Maryland, 442 U.S. 735 740 (1979))).
- See United States v. Knotts, 460 U.S. 276, 280–81 (1983).
- See United States v. Miller, 425 U.S. 435, 439 (1976); Smith v. Maryland, 442 U.S. 735, 743–44 (1979).
- 460 U.S. 276 (1983).
- See Knotts, 460 U.S. at 281; Carpenter, slip op. at 8.
- See Miller, 425 U.S. at 443 (stating that defendant had “take[n] the risk, in revealing his affairs to another, that the information [would] be conveyed by that person to the Government”).
- 425 U.S. 435 (1976).
- See id. at 442.
- See Smith, 442 U.S. at 743.
- 442 U.S. 735 (1979).
- Carpenter v. United States, No. 16-402, slip op. at 11, 17 (U.S. June 22, 2018).
- See United States v. Knotts, 460 U.S. 276, 283–284 (1983); Carpenter, slip op. at 8.
- See Carpenter, slip op. at 8.
- See Kevin S. Bankston & Ashkan Soltani, Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones, 123 YALE L.J. ONLINE 335 (2014), http://yalelawjournal.org/forum/tiny-constables-and-the-cost-of-surveillance-making-cents-out-of-united-states-v-jones.
- United States v. Jones, 565 U.S. 400, 415 (2012) (Sotomayor, J., concurring).
- Riley v. California, 134 S. Ct. 2473 (2014).
- See id. at 2489–91.
- Carpenter, slip op. at 11 (“Whether the Government employs its own surveillance technology . . . or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI.”).
- Carpenter, slip op. at 17 (“Yet the Court has already rejected the proposition that ‘inference insulates a search’ . . . From the 127 days of location data it received, the Government could, in combination with other information, deduce a detailed log of Carpenter’s movements, including when he was at the site of the robberies.” (quoting Kyllo v. United States, 533 U.S. 27, 36 (2001))). European data privacy law now recognizes this, finding that privacy law applies to sensitive information inferred from other nonsensitive information. ARTICLE 29 DATA PROTECTION WORKING PARTY, GUIDELINES ON AUTOMATED INDIVIDUAL DECISION-MAKING AND PROFILING FOR THE PURPOSES OF REGULATION 2016/679, 17/EN WP251rev.01, 17–18 (Feb. 6, 2018).
- See Carpenter, slip op. at 17
- See, e.g., Brief of Scholars of Criminal Procedure and Privacy as Amici Curiae in Support of Petitioner, Carpenter v. United States, No. 16-402 (U.S. June 22, 2018), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3019294.
- See, e.g., Electronic Communications Privacy Act (ECPA), ELECTRONIC PRIVACY INFO. CTR. https://epic.org/privacy/ecpa/#fourth (last visited June 28, 2018); Rainey Reitman, Deep Dive: Updating the Electronic Communications Privacy Act, ELECTRONIC FRONTIER FOUNDATION (Dec. 6, 2012), https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act.
- See United States v. Jones, 565 U.S. 400, 416–417 (Sotomayor, J., concurring) (“I would also consider the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent a too permeating police surveillance.” (internal quotation marks omitted)).
- Roberts refuses to extend it to “conventional surveillance techniques and tools, such as security cameras,” foreign affairs, or national security. He also takes care to clarify that the court is not overruling Smith or Miller (or “disturbing [their] application”), offering indirect support to laws allowing the collection of phone records, ECPA pen registers, real-time cell site location info, and tower dumps. Carpenter, slip op. at 18.
- 18 U.S.C. §§ 2701–2713 (2012).
- United States v. Warshack, 631 F.3d 266 (6th Cir. 2010).
- See, e.g., Ex parte Jackson, 96 U.S. 727 (1877); Katz v. United States, 389 U.S. 347 (1967).
- Margot E. Kaminski, Robots in the Home: What Will We Have Agreed To?, 51 IDAHO L. REV. 678 (2015), http://www.uidaho.edu/-/media/UIdaho-Responsive/Files/law/law-review/articles/volume-51/51-3-kaminski-margot-e.ashx?la=en&hash=DB603C8F4078548393749EE6CDE6C5240A30A121.
- Scott R. Peppet, Regulating the Internet of Things: First Steps toward Managing Discrimination, Privacy, Security and Consent, 93 TEX. L. REV. 85 (2014), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2577944.
- Anne Pfeifle, Alexa, What Should We Do about Privacy? Protecting Privacy for Users of Voice-Activated Devices, 93 WASH. L. REV. 421, 458 (2018), https://digital.law.washington.edu/dspace-law/bitstream/handle/1773.1/1778/93WLR0421.pdf?sequence=1&isAllowed=y.
- See Carpenter v. United States, No. 16-402, slip op. at 17 (U.S. June 22, 2018) (“Cell phone location information is not truly ‘shared’ as one normally understands the term . . . carrying [a cell phone] is indispensable to participation in modern society.”).
- Justice Alito described this slippery slope in his concurring opinion in Jones. See 565 U.S. 400, 427–29 (Alito, J., concurring); see also Kaminski, supra note 8.
- Letter from Robert Calhoun, Professor of Law, Golden Gate Law School, et al., to Governor Edmund G. Brown, Jr. (Sept. 4, 2014), http://arc.asm.ca.gov/member/AD44/pdf/426-AB1327supportletterlawprofs.pdf.
- William Baude & James Y. Stern, The Positive Law Model of the Fourth Amendment, 129 HARV. L. REV. 182 (2016), https://harvardlawreview.org/2016/05/the-positive-law-model-of-the-fourth-amendment.
- See Victoria Schwartz, Overcoming the Public-Private Divide in Privacy Analogies, 67 HASTINGS L.J. 143 (2015), http://www.hastingslawjournal.org/wp-content/uploads/Schwartz-67.1.pdf.
- FLA. STAT. § 934.50 (2015); WIS. STAT. § 942.10 (2014).
- See Carpenter v. United States, No. 16-402, slip op. at 2 (U.S. June 22, 2018) (Kennedy, J., dissenting) (“Customers . . . do not own, possess, control, or use the records, and for that reason have no reasonable expectation that they cannot be disclosed pursuant to lawful compulsory process.”).
- See id. at 3 (“[T]hat distinction is illogical and will frustrate principled application of the Fourth Amendment in many routine yet vital law enforcement operations). Contrary to fears, Carpenter is not a balancing decision, but instead a categorical decision that this type of data is sensitive, under a balancing test. See Orin S. Kerr, The Mosaic Theory of the Fourth Amendment, 111 MICH. L. REV. 311, 354 (2012) (criticizing mosaic theory).
- See Carpenter, slip op. at 21 (majority opinion).
- See id. at 6.
- Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. REV. 1814, 1894 (2011), https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2638&context=facpubs; Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. REV. 1701, 1778 (2010), https://www.uclalawreview.org/broken-promises-of-privacy-responding-to-the-surprising-failure-of-anonymization-2.
- Jonathan Mayer, Patrick Mutchler & John C. Mitchell, Evaluating the Privacy Properties of Telephone Metadata, 113 PNAS 5536, 5540 (2016), https://pdfs.semanticscholar.org/dbe1/07ce415a8252009f764afa0a058693596c64.pdf.
- In this sense, the Kennedy dissent is on point. He argues the decision “draws an unprincipled and unworkable line between cell-site records on the one hand and financial and telephonic records on the other.” Carpenter, slip op. at 3 (Kennedy, J., dissenting). However, I do not understand the majority as actually drawing that distinction. Instead, they are recognizing that those categories of information at the time of Miller and Smith were not sensitive data.
Margot E. Kaminski, Response, Carpenter v. United States: Big Data Is Different, Geo. Wash. L. Rev. On the Docket (July 2, 2018), https://www.gwlr.org/carpenter-v-united-states-big-data-is-different.
The preceding is republished on TAP with permission by its author, Professor Margot Kaminski, Colorado Law. "Carpenter v. United States: Big Data is Different" was originally published July 2, 2018 in The George Washington Law Review.