Expectations of Privacy: Location Matters

Sometimes law enforcement needs a warrant to access cellphone data, sometimes a court order. Sometimes nothing is required.

By Jane E. Brown

Roaming while you roam.

Depending on where you use your cellphone, law enforcement may obtain your location records from your wireless provider without a court order or warrant — neither is required in Washington state. In urban areas where there are multiple cell towers, a phone’s location can be identified to within half a mile. Turning off your location services or powering down the cellphone alone will not shield you from law enforcement.

Are you where you said you’d be?

When processing data, cellphones communicate with the strongest available cell tower signal. Calls, texts and internet browsing generate cell-site location information (CSLI). CSLI is time-stamped and linked to the phone number. Cell towers emit different signals in each direction, so the phone’s movement is tracked by its angular position relative to a tower. From CSLI, law enforcement can track where you are; what cell phones are near you; with what phone numbers you communicate; how long you communicate; and what routes you travel. In essence, everything except the actual communication is recorded.

If you aren’t a criminal, you may not care. Depending on how CSLI is produced, even the innocent can catch the attention of law enforcement. Despite your innocence, law enforcement may receive your cellphone usage records.

“Tower dumps” entail producing CSLI for all cellphones that processed data sent through a tower. If your cellphone uses a targeted tower, your data may be captured. You go from having fun with your friends to law enforcement tracking you by your number.

Producing CSLI in real-time transfers your records contemporaneously as they are created by cellphone usage. If this happens, you are probably having a bad day — this method may be used in exigent circumstances.
Collection of historical CSLI shows all CSLI for a cellphone for a specific period of time.

One person’s record is another person’s dirty laundry.

In U.S. v. Timothy Carpenter,[1] the Sixth U.S. Circuit Court of Appeals[2] joined the Eleventh Circuit in ruling that law enforcement agencies do not need a warrant to track a caller’s location through cell tower records. Timothy Carpenter and Timothy Sanders robbed nine cellphone stores (ironic, isn’t it?) in Michigan and Ohio within four months.

[1] www.ca6.uscourts.gov/opinions.pdf/16a0089p-06.pdf
[2] https://www.eff.org/document/us-v-q-davis-opinion

The FBI requested the “transactional records” of the Timothys’ wireless providers, aka, the Timothys’ historical CSLI. Court orders were issued pursuant to the Stored Communications Act (SCA) after the FBI showed there were reasonable grounds to believe the CSLI was relevant to the investigation. The FBI reviewed 127 days of CSLI for one Timothy and 88 days for the other. The government established through the historical CSLI that the Timothys were located within a half-mile to two miles of each armed robbery when they occurred.

On appeal, the defendants argued that the Fourth Amendment required the government to show probable cause and use a search warrant to access the CSLI. The opinion focused on the following:

1. There was no search, because the FBI collected the wireless providers’ data routing information, which was gathered in the ordinary course of business.
2. CSLI does not refer to the content of the defendants’ private communications.
3. Every cellphone user who has paid roaming fees knows that wireless carriers collect locational information, so there was no expectation of privacy.
4. CSLI is so imprecise compared to GPS that there is no expectation that the cellphone user can be located exactly.
5. The SCA requires the government to meet the “reasonable grounds” standard, not the “probable cause” standard, to get a court order for CSLI.

Tracking or stalking? Duration matters.

The concurring opinion in Carpenter questioned whether the business record standard of proof applies in the review of an alleged violation of Fourth Amendment rights. The rationale behind the question is that a business’s production of credit card records showing purchases, for example, may be sufficiently distinct from the production of cellphone records showing personal location to require a more stringent analysis.

The concurring justice also found the scope of the location monitoring troubling. Lawfully tailing a suspect is one thing. Lawfully tailing a suspect for a period of three to four months transmutes the surveillance into the realm of privacy invasion.

So, how do I keep law enforcement out of my data?

iOS and Android operating systems and apps offer some protection of CSLI location data. Start by turning off the location services for all your existing apps. Download apps that discard the location data cached on your cellphone. Get and stay off the grid by using localized Wi-Fi connections. Rely on an offline map or app that anonymizes the cellphone, encrypts the location data and permanently deletes your data within a certain amount of time. Regularly monitor new technology used by law enforcement and cybersecurity experts. After all, when you build a better mousetrap, law enforcement will build a better mouse.

Justice William O. Douglas called upon his Pacific Northwest ideals when he wrote, “The right to be let alone is indeed the beginning of all freedom.” Cheers to freedom.

Jane E. Brown

Jane is Counsel to the Firm at Lane Powell and focuses her practice on both transactional matters and civil litigation.
As former in-house counsel, she is skilled in focusing and quickly assessing the circumstances, alerting clients to potential revenue streams and liabilities, and working toward cost-effective resolutions. Jane’s litigation experience includes representation of clients in highly regulated industries. She assists clients with the development and maintenance of privacy policies, drafting provisions to protect privacy, and complying with state, federal and international regulations regarding cybersecurity and data breach response. She can be reached at 206.223.7126 or brownje@lanepowell.com.

This article was previously published on Lane Powell’s Beyond IP Law blog on April 25, 2016.