Law v. Technology

A great number of the cases that make it to the United States Supreme Court hinge upon the Fourth Amendment (henceforth 4A) to the U.S. Constitution. The protections this Amendment offers against unreasonable search and seizure need frequent interpretation against changing technology.

Technology and PrivacyIn early June, the high court agreed to hear Carpenter v. United States. Timothy Carpenter’s 2013 armed robbery conviction was based partly on cellphone metadata—location information showing where he (or his cellphone, anyway) was at various times. Had this metadata been obtained through a probable cause warrant, the case would not have been considered by SCOTUS (Supreme Court of the United States); however, because no warrant was obtained, the contention is that this was a violation of his 4A freedom from unreasonable search and seizure.

This case may sound similar to the Constitutional challenges to the NSA metadata collection revealed by the Snowden leaks. It differs in that the NSA program was much broader and less targeted; SCOTUS has thus far declined to hear several cases stemming from the program, but has agreed to rule on Carpenter.

Previous, long-standing rulings have established the Third-Party Doctrine (3P), which states that information voluntarily given to third parties is not covered by 4A. This evolved in the 1970s, specifically with regard to phone “pen registers”—landline metadata, showing numbers called by a target phone number (Smith v. Maryland). The contention then was that by dialing a phone, the target was aware that this information was being sent to a third party, and thus was giving up his or her reasonable expectation of privacy. Cellular location data is clearly at least somewhat different; the Court will decide whether it is different enough. Like all cases that reach the high court, there have been a variety of past decisions on this exact issue, in both directions, at various court levels.

There has been increasing pressure for the Court to reconsider 3P as people have become more aware of the amount of personal data that is being captured and stored by companies. It is one thing for a company to reveal that I am a customer, sharing with law enforcement the information I provided them when I signed up; it is not necessarily the same thing for a cellular provider to share information about the location of my cellphone every time it moves. I may know that they have this information, but I may not; worse, the cellphone will continue to be observed when it is not in public spaces, such as within my car or home, which are not public spaces and in which the courts have held that I do have a reasonable expectation of privacy.

A key 4A term is “reasonable”: not only is that word subject to interpretation, but that interpretation will quite reasonably vary over time. In the 18th century, nobody imagined electronic bugs, much less cellphones, remote laser listening devices, or spy satellites! These change the equation significantly. In United States v. Jones, 3P was ruled not to apply to a GPS tracker placed on a vehicle without a warrant. In that decision, Justice Sonia Sotomayor wrote that “it may be necessary to reconsider [3P]…This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks”. This reflects the court’s awareness that societal and technological changes have effects on interpretation of the Constitution.

For most of us, automated personal data collection and storage by new technology is usually just an annoyance (unless it is unprotected, and gets stolen and used); for someone like Carpenter, facing a 116-year prison sentence, it is clearly much more serious. If the Court rules in his favor, it is difficult to imagine how the more general NSA program can be defended constitutionally. It will be interesting to see how this case shakes out, and its impact on our privacy (or lack thereof).

More to come…

About the Author
Phil Smith III is Senior Architect & Product Manager, Mainframe & Enterprise, at HPE Security – Data Security, formerly Voltage Security, Inc. He is the author of the popular blog series, Cryptography for Mere Mortals.

Leave a Reply

Your email address will not be published. Required fields are marked *