Federal Appeals Court Green-Lights Tracking Shoppers By Mobile

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

Retailers wrestling with how far they can legally go with tracking shoppers' movements within their stores and in neighborhoods near their stores have been given an unexpected green light from a federal appeals court. The Sixth Circuit of the U.S. Court of Appeals ruled that Americans have no right to expect privacy when it comes to their phones' location.

Although the case before the panel—which ruled August 14—involved accused drug traffickers, the jurists made it clear that privacy was not waived simply because of criminal activity. "We do not mean to suggest that there was no reasonable expectation of privacy because (defendant's) phone was used in the commission of a crime, or that the cell phone was illegally possessed," the Sixth Circuit ruled in its written decision. "On the contrary, an innocent actor would similarly lack a reasonable expectation of privacy in the inherent external locatability of a tool that he or she bought."

That's a crucial point for retailers, as was wording that people who could otherwise be seen by other people—such as when walking down an aisle at Costco or JCPenney or walking in a neighborhood near a Target or Walgreens—could not reasonably believe that their location is a Constitutionally protected secret. "We determine whether a defendant's reasonable expectation of privacy has been violated by looking at what the defendant is disclosing to the public and not what information is known to the police," the appellate court said.

The judges also suggested that shoppers' lack of awareness of how easily—and how precisely—they can be tracked is not relevant from a Constitutional privacy perspective. "The drug runners in this case used pay-as-you-go (and, thus, presumably more difficult to trace) cell phones to communicate during the cross-country shipment of drugs. Unfortunately for the drug runners, the phones were trackable in a way they may not have suspected. The Constitution, however, does not protect their erroneous expectations regarding the undetectability of their modern tools."

This decision may make it ever so slightly easier—or potentially a wee bit more legal—for retailers to collect this type of information, even if the consumer doesn't agree. But this is not necessarily a cause for celebration.

There are various restrictions on the collection and use of location data. A retailer could hire a bunch of private detectives to follow every consumer around and find out what he or she buys and from where, and where each goes every day, and report back. Not terribly practical.

Big data applications, web tracking, and data sharing and data mining provide a good deal of that information to retailers already. What those options don't say, however, is where a consumer is right now. For that you have to either install a device on the consumer or in his or her car, or track a device the consumer already has.In June, the Supreme Court ruled in United States v. Jones that for the police to install a location-tracking device onto someone's car they needed to have a warrant—a particular type of court order—because the installation of the device is intrusive and invades the person's property interest. Similarly, it would be unreasonable to allow retailers to walk out to the parking lot and install GPS tracking devices onto customers' cars.

Shoppers, however, are already walking around with devices that give detailed information about their whereabouts. There are primarily three ways to extract the GPS data from the phone. First, you can hack the phone and extract the data. But that violates a host of federal and state laws, so we can rule that out. Second, you can have the consumer install an application that is location aware and that shares the consumer's data with you. For this, you would likely need the consumer's knowledge and consent, in addition to a specific privacy policy about what data you are collecting, how you will use the data and a host of other data use practices.

But there is a third, and more devious and nefarious, way to get consumers' location data from their phones: Get it from the cell phone company or even set up your own cell phone network. Here's where things get legally hairy.

Cell phone records are kinda sorta private. They are the property (maybe) of the cellular provider, and both privacy statutes and state public utility laws and regulations restrict how this data can be shared. So the phone company probably isn't going to pony up the data to retailers. At least not under current law. Probably.

But the premise behind these privacy laws is that cell phone information—and the location data held by the cell phone companies—is private. That is, consumers have a legitimate expectation of privacy in their current location, at least when such information is collected by the phone company. And it is this premise (and not the constitutionality of the laws protecting cell phone records) that was addressed by the Appeals court, in a case called United States v. Skinner.

This ruling makes consumer location data a bit—and only a bit—more accessible to retailers. First, of course, it is only one ruling in only one court in a very specific context. Second, it is unlikely that the phone companies will share this data, unless there is some type of joint venture with the retailer. Third, federal communications laws restrict the use of this information. But the Skinner court did eliminate the Constitutional restriction on collecting and using this information, in addition to flat out stating that location information is not private, irrespective of how it is collected.

I can envision a network of traffic cameras (installed by either the government, enterprising retailers or even just Twitter followers) which would capture license plate numbers, link them to consumers and, viola! We have real-time location data that is sharable, indexable, mineable. Skinner took care of privacy objections from a Constitutional perspective. Other technologies, such as facial recognition and tracking, could be deployed without Constitutional objection under the Skinner rationale. It's a whole new world. I am just not sure I want to live in it.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.