This month marks a year since the Supreme Court issued its landmark privacy decision in Carpenter v. United States, ruling that the government must get a warrant before accessing a person’s sensitive cellphone location data.
Carpenter, which the ACLU argued before the Supreme Court, concerned information revealing where Timothy Carpenter had traveled with his phone. The police, searching for evidence to connect Carpenter to the scenes of various robberies, obtained months’ worth of Carpenter’s detailed location data from his cellphone company without a warrant. That data exposed Carpenter’s daily routines, including where he slept and attended church.
The court held that government access to such detailed location data provides a method of “near-perfect surveillance,” and recognized that the Fourth Amendment must protect such sensitive information. It added that old-world legal rules don’t automatically apply in the digital age.
The Supreme Court’s decision stands as one of the most consequential rulings regarding privacy in the digital age, providing a roadmap for lower courts to protect many other kinds of sensitive data from warrantless government intrusion. One year in, we’re working to ensure that lower courts heed the high court’s call and extend the lessons of Carpenter to other contexts.
For instance, we were in the Georgia Supreme Court last week arguing that Carpenter made clear courts cannot “mechanically apply” older legal doctrines that allow warrantless searches to new, complex digital-age contexts. Instead, courts should carefully assess what protections are necessary in light of rapidly advancing technology and increasingly accessible data.
In that case, the state of Georgia is arguing that a legal doctrine dating back to the early 20th century should give police the authority to obtain — without a warrant — the vast and detailed data modern cars collect on us. This data can include everything from our car’s speed and braking data, to call record and text history, to music preferences and GPS coordinates. Under the dated doctrine, known as the “vehicle exemption,” police do not need a warrant to search a car for physical items due to the “ready mobility of vehicles,” which might drive away before a warrant is obtained. But, as we argued in court last week, that old rule shouldn’t be extended to override people’s unprecedented privacy interest in new kinds of sensitive digital data.
Similarly, in our lawsuit challenging the government’s warrantless searches of electronic devices at the U.S. border, the federal government has been invoking a centuries-old rule allowing border agents to search travelers’ physical luggage without individualized suspicion or a warrant for contraband or import violations. We argue that old-world rules can’t be twisted into unfettered authority to search the incredible volumes of data on people’s phones and laptops when they return from a trip abroad.
In both cases, Carpenter (and a predecessor Supreme Court case, Riley v. California) provide a powerful rebuke to the government’s arguments. The quantities and types of information that might be discovered by a manual search of a car’s trunk and glove compartment — or a traveler’s luggage — pale in comparison to the kinds of comprehensive data stored on our electronic devices today. This requires greater protections under the Fourth Amendment.
Carpenter also holds that, in the digital age, our sensitive information does not lose Fourth Amendment protections merely because we store that information on a “third party” server, such as with Google or DropBox. This is a game-changer.
In the digital age, it is virtually impossible to avoid leaving a trail of highly sensitive data. Our information is saved not only on our personal laptops and phones, but also on the servers of the companies with which we interact. As we argued in a case now before the First Circuit Court of Appeals, the government can no longer get away with warrantless searches of our personal information by relying on the “third party” doctrine.
That case concerns the Drug Enforcement Administration’s efforts to access — without a warrant — people’s prescription records stored in the New Hampshire Prescription Drug Monitoring Program, a secure state-run database set up for public health purposes. The DEA is arguing that when people reveal their symptoms to their doctor and bring the doctor’s prescription to their pharmacist, they have given up their Fourth Amendment privacy rights in that sensitive health information. That can’t be right when the result is unfettered police access to deeply private information about our health and medical history.
In other cases, we have similarly argued that people’s location history stored in gargantuan automated license plate reader databases should be protected by a warrant requirement because of the intense privacy interest in digitized location data recognized in Carpenter.
The Supreme Court rightfully understood in Carpenter that courts have an essential role in ensuring that privacy protections remain vital in the digital age. While the government advocates for unfettered access to the personal information companies are sweeping up on us, it’s crucial the courts make clear, as Carpenter does, that we do not forfeit our Fourth Amendment rights simply for owning a laptop, driving a car, or having a cellphone.
Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy, and Technology Project