Last Wednesday, I had the opportunity to go to the Supreme Court to watch the oral arguments in a case called United States v. Carpenter. This isn't something that I ordinarily would do, but this isn't an ordinary case. Carpenter deals with what standard law enforcement must meet to obtain cell site location information from a wireless carrier, which fundamentally is about the appropriate balance between privacy and security. This is an issue of great interest to Verizon (and to me personally); it is important enough, in fact, that I blogged about the changing technology at issue last fall, Verizon joined an amicus brief in the case this summer, and we will host an event in Washington, DC to discuss it in more detail in the new year (more on that below).
I will note that I don't believe that it is the role of companies to decide the proper balance between security and privacy; rather, it is the role of all of us as citizens. Of course, the way we as citizens have our policy views represented is through Congress and it is not Congress that currently is addressing this issue but the Supreme Court (a topic for another time is the degree to which gridlock in Washington, DC over the past decade has led to a shift in policy making away from Congress and to the courts and administrative agencies). In considering the issue, it is important that the Court have the benefit of the views of those who are close to the issue, and Verizon has expertise in this area. After all, we receive more than 250,000 warrants, court orders and other demands each year from law enforcement, and we operate wireless networks like the one from which Carpenter's location information was obtained. So we submitted our view to the Court, which we did in a brief in conjunction with a dozen leading technology companies, and we are following the case closely.
The “third party doctrine” and the expectation of privacy
Some quick background on the case: Carpenter was arrested, in part, based on cell site location information that placed his phone in the general area of a string of robberies committed in 2010 and 2011. Carpenter challenged his arrest and conviction on the basis that law enforcement obtained his phone's location information from his wireless carrier with a court order rather than a warrant (a court order requires law enforcement to satisfy a court that it has specific facts showing that the information sought is relevant to an investigation, while a warrant requires law enforcement to meet the higher Fourth Amendment standard of probable cause). So Carpenter argues that the Constitution required law enforcement to use a probable cause warrant before obtaining his phone's location information from his carrier.
The larger question posed by the Carpenter case is whether, in a world in which so much information about ourselves is shared with third parties, does the third party doctrine mean that we have an expectation of privacy in a diminishing amount of our personal information?
Underlying this argument is the "third party doctrine." In short, this doctrine holds that a person who voluntarily conveys information to a third party has no expectation of privacy in that information. Carpenter's phone conveyed its location to the cell phone network (in order to route his calls) and, under the doctrine, because that information was shared with a third party Carpenter therefore has no expectation of privacy in it. In the 1970s, the Supreme Court applied the third party doctrine in cases involving phone numbers transmitted to the phone company when making a telephone call and financial information disclosed to the bank during financial transactions, with the result that many believe the current law is that we do not have an expectation of privacy in information shared with phone companies, banks and other third parties.
One interesting thing about the world in which we all now live is that we convey a lot of information, often sensitive, to third parties. For instance, in my previous blog I noted how the location information transmitted to wireless carriers has become more voluminous and more precise as technology has changed. Today, we store our emails, photos, music, medical records, and countless other types of digital information with third party providers. And, no doubt, developing technologies and services will lead to more information being shared with companies. This is especially the case for Verizon, a key player in the emerging IoT (Internet of Things) industry: as we make connected cars and smart homes and cities possible we are entrusted with new types of sensitive, digital information by our customers. The larger question posed by the Carpenter case is whether, in a world in which so much information about ourselves is shared with third parties, does the third party doctrine mean that we have an expectation of privacy in a diminishing amount of our personal information?
How the court might reconcile the third party doctrine with the Internet age
In order to challenge law enforcement's access to the location information for Carpenter's phone, Carpenter's lawyer had to call into question the validity of the third party doctrine in his case. To do so, he had two options: (1) the third party doctrine should be overturned generally or (2) Carpenter's case should be seen as an exception to the third party doctrine. Carpenter’s lawyer chose the latter. (The Court will have to analyze other issues, as well – for instance, at Wednesday’s argument, some questioning addressed an alternative way of looking at the issue based on property rights – but I’m trying hard to keep this brief.)
For me, it is helpful to think of the third party doctrine as deriving from the principle that if you tell something to someone, you no longer can consider it private. Based on that, one might argue that it is hard to envision overturning the third party doctrine in its entirety because surely it is the case that there is certain information that we affirmatively share with a third party and therefore can no longer expect to be private. But should it be the case that every bit of information that we share with third parties should lose privacy protection, especially in a world in which our electronic devices are conveying vast amounts of information to third parties?
If the Court were to carve out an exception to the third party doctrine, it seems to me it would have to be based on one of three frameworks. First, there could be a temporal limit, e.g., law enforcement could only get information for a 24-hour period (this is the rule suggested by Carpenter's lawyer). Second, there could be a rule based on how sensitive the information is. Third, the rule could be based on volition, i.e., did you take action to convey the information to a third party.
In the end, these are difficult questions, and that is why this case is at the Supreme Court. The Supreme Court doesn't take the easy cases.
The problem is that each of these require courts to draw very difficult and perhaps unworkable lines. A temporal limit seems arbitrary or at least without logical underpinnings. On the one hand, what is the difference, from a privacy perspective, between 24 hours’ worth of information versus a week's worth or a month's worth? Yet, five years ago many of the Justices were drawing a line between prolonged and short-term surveillance in an important Fourth Amendment case.
A sensitivity rule is subjective: we may each have different opinions about whether location information is more sensitive than financial information or vice versa. On the other hand, the important reasonable expectation of privacy test in modern Fourth Amendment cases has really been trying to do just that – measure what is sensitive.
Another option is differentiate between information that is directly conveyed by affirmative action on our part (e.g., dialing the digits on a telephone so the phone company can complete your call or placing a check in commerce so it will be submitted to the bank for payment) and information that is conveyed passively or indirectly (e.g., your phone connecting to the network and thereby conveying your location to the phone company, even when you are not actively using it). But, admittedly, there are counterarguments here, too, including, of course, identifying what is conveyed affirmatively or passively and evaluating related concepts of knowledge and consent.
In the end, these are difficult questions, and that is why this case is at the Supreme Court. The Supreme Court doesn't take the easy cases. The Justices must grapple with how to apply older doctrines to new technologies. Indeed, various questions at the argument last week were focused on changes in technology and the Justices no doubt realize this important issue will transcend the Carpenter case. If they decide that the third party doctrine does not apply, they must explain how to draw a workable line. Based on my morning at the Court. the Justices certainly appreciate that this is a challenge. Many times the Justices remarked about the difficulties in drawing lines based on time, sensitivity or volition. Perhaps Justice Breyer stated it best: “This is an open box. We know not where to go.”
Join us in February for a panel discussion
At Verizon we will continue to follow the case and the issues it explores. To that end, I am pleased to announce that on February 15, 2018, Verizon will host a panel, which I will moderate, to discuss the Carpenter case. We have a very impressive group of panelists:
- Amit Agarwal. Florida Solicitor General, who previously argued a case similar to Carpenter on behalf of the government before the en banc 11th Circuit Court of Appeals
- James Garland. Partner at Covington & Burling LLP, and former Deputy Chief of Staff and Counselor to Attorney General Eric Holder at the U.S. Department of Justice.
- Lisa Hayes. General Counsel at The Center for Democracy & Technology.
- Chris Madsen. Vice President and Chief Counsel for Law Enforcement, Security and Safety issues at Oath
- Nathan Wessler. Staff Attorney at the ACLU who argued the case on behalf of Carpenter before the Supreme Court
The event will be held at our Washington, D.C. office, from 11 a.m. to 1 p.m. Additional details and registration info can be found here
For related media inquiries, please contact email@example.com