Supreme Court to look at mobile privacy. Uh-oh.

A criminal-case ruling favoring law enforcement would have implications for companies facing civil complaints


Does the prospect of your company’s worst enemies getting access to full tracking information on your employees’ mobile phones freak you out? If so, you’ll want to track something yourself: a case the U.S. Supreme Court just agreed to consider. 

Although the case involves criminal law and the question of whether police need a court-issued search warrant for intimate mobile records, one former federal prosecutor points out that the Court’s ruling could open the door to civil discovery and subpoena access. In other words, the ruling could make such mobile data available to anyone who chooses to sue your company, for any reason, whether the claim is legitimate or not. 

To be clear, that civil litigation would first have to survive a hearing, where a judge could dismiss the action. But such dismissals are rare, happening only when a judge sees no realistic chance of success. Most judges are inclined to allow cases to run their course, eventually allowing either a settlement or a trial, where a jury (or another judge) would decide. That aside, anyone choosing to sue your company has a right to extensive discovery with subpoena powers. The question here is, How private and sensitive will the Supreme Court choose to consider mobile data? 

The case at issue, U.S. v. Carpenter, involves men accused of armed robberies at Radio Shacks and T-Mobile stores near Detroit. 

“The FBI applied for three orders from magistrate judges to obtain transactional records from various wireless carriers for 16 different phone numbers,” wrote the appellate panel that heard the case. “As part of those applications, the FBI recited that these records included all subscriber information, toll records and call detail records including listed and unlisted numbers dialed or otherwise transmitted to and from the target telephones as well as cell site information for the target telephones at call origination and at call termination for incoming and outgoing calls. The government’s evidence at trial included business records from the defendants’ wireless carriers, showing that each man used his cellphone within a half-mile to two miles of several robberies during the times the robberies occurred.” 

The appellate court distinguished between the contents of an email—or other mobile communications—and things such as address and routing details. As the panel described it, there is “a distinction between the content of a communication and the information necessary to convey it.” 

The problem is that information about cell towers’ locations and other elements of mobile communications conveys tons of very revealing details. If I’m your competitor and I can find out where your employees’ mobile phones were at certain times, I can possibly make some highly educated guesses about the implications. Say that 14 of your employees all show up at the headquarters of a smaller competitor. That doesn’t look like oddly coincidental job interviews. Acquisition talks, perhaps? 

And if I wanted to contact one of your employees in secret, it would be very helpful to have a list of that person’s comings and goings for the last three months. 

Former federal prosecutor Mark Rasch, who is now in private practice, argues that a central question here is who owns those records: the phone company or the customer? Are you accessing my personal data or simply a business record from a third party?

“I think [the Supreme Court] is going to rule that it’s the phone company’s records. Then the only test is whether or not it’s relevant,” he says. 

Does this require a court order? Phone companies and ISPs often have a friendly relationship with law enforcement and routinely release extensive data on the say-so of a law enforcement representative. This is supposed to happen only during emergencies when there’s no time for a court order—requests along the lines of “We’re chasing kidnappers right now and we think they are about to kill their victim. Please tell me right now where the victim’s cell phone is.” 

As a practical matter, though, requests for such data are often used as an investigative technique and a convenience. And if a law enforcement official says his personnel are chasing a terrorist with a bomb, what Verizon representative is going to take a chance and challenge the request? 

The heart of the case is deciding how sensitive mobile phone data is — how much protection it merits above and beyond the contents of messages. 

And even though the direct case is about criminal law, the Supreme Court decision will absolutely influence how judges handle civil issues dealing with the same information, Rasch said. 

Let’s go back to that lawsuit. If the court rules that geolocation data and routing information are not private enough to require a judge’s court order in a criminal case, that information is far less likely to be held back during routine discovery requests and civil lawyer subpoenas. Consider how much damage that data could cause in the hands of your company’s worst enemies. 

Mobile data vs. GPS tracking

The appellate panel bizarrely argued that geolocation’s lack of precision makes it less sensitive. The court compared mobile data to GPS tracking: “GPS devices are accurate within about 50 feet, which is accurate enough to show that the target is located within an individual building. Data with that kind of accuracy might tell a story of trips to ‘the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on[.]’ Jones, 132 S.Ct. at 956 (Sotomayor, J., concurring).

But here the cell-site data cannot tell that story. Instead, per the undisputed testimony at trial, the data could do no better than locate the defendants’ cellphones within a 120- (or sometimes 60-) degree radial wedge extending between one-half mile and two miles in length. Which is to say the locational data here are accurate within a 3.5 million square-foot to 100 million square-foot area—as much as 12,500 times less accurate than the GPS data in Jones. And cell phone locational data are even less precise in suburban and rural settings. Areas of this scale might encompass bridal stores and Bass Pro Shops, gay bars and straight ones, a Methodist church and the local mosque.

The ACLU responds that so-called “femtocells” can provide service (and thus identify a phone’s location) within areas as small as ten meters. But our task is to decide this case, not hypothetical ones; and in this case there are no femtocells to be found. The defendants’ argument is without merit.” 

The problem here is that location data will consistently improve. Is there an accuracy point where it becomes private? It has been observed often that legislative bodies and courts are ill equipped to keep up with the rapid changes in technology. Consider some of the legal issues now being debated about IoT devices.

Today, businesses and consumers treat their mobile devices as critical parts of their lives. Those devices often are in always-listen mode (which is how Siri, for example, can respond whenever it hears its name being called, even if the device is not connected to any network at the time), can videotape surroundings and determine location by dozens of means (including interacting with Wi-Fi networks, which can deliver remarkably precise locations and precise times). Some people and businesses use those phones for extensive web surfing—tons of private data there—and retail purchases. 

So, no, taking the position that only the contents of messages should have a reasonable expectation of privacy is absurd. Don’t believe me? If the Supreme Court keeps the appellate court’s limited view of mobile privacy, just wait for your next lawsuit, and we’ll see how you feel then.
