Mobile Phone Location Privacy: U.S. Justice Now Says It Doesn't Exist

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a case that may have profound ramifications for retailers' ability not only to collect but also to protect the privacy of customers' location information, the U.S. Justice Department argued to a U.S. appeals court on Monday (Oct. 1) that Americans do indeed have no right to privacy when it comes to mobile phone geolocation data. This comes about two months after a different appellate court reached the same conclusion, ruling that Americans have no such privacy rights.

The case before the U.S. Court of Appeals for the Fifth Circuit in New Orleans involves law enforcement efforts to obtain search warrants for cell phone records. The case is significant not because of its impact on cell companies but because of the expansive way the government wants to read its authority to get intimate personal data about anyone—and make third parties like retailers essentially an agent for collecting this information for the government.

The case involves the government's efforts to subpoena a phone company to pony up records relating to the location of a cellular telephone user. Not too unusual. But what is unusual is the two arguments the government used to assert that it could get these records from the phone company without a warrant and without any probable cause. The government argued that "because customers know that cell phone companies must obtain their location information in order to connect cell phone calls, they voluntarily convey location information to cell phone companies" and "the Fourth Amendment is not violated when that information is turned over to the government."

Really? Do most people know that the phone sitting in their pocket is constantly transmitting its location simply to get phone calls even when they aren't making a call? Do most people think the phone company stores those records? Do most people think that what is essentially transient information is being stored and sent to the government? When I listen to a song on the cloud or read an e-book, do I think, "Hmmm, the government can now track me"?

The government then argued that people have no expectation of privacy in their location—after all, they are out and about on the roads and subways, in public buildings and shopping malls—so how can they reasonably expect their activities to be private? Certainly, the government argued, teams of undercover agents could follow people around and see where they are, who they are with, where they are going, etc. So if the government doesn't need a warrant to do that, why would it need a warrant to get similar information from cell phone data?

If there truly is no expectation of privacy in what is called "historical cell data" (where you were, as opposed to where you are right now), then there would be no problem with retailers collecting this data about their customers with or without the knowledge and consent of those customers. Just as video cameras in the mall capture images of customers (and their locations), retailers could use cell data to find out where their best (and worst) customers are. Accepting the government's argument before the federal court, there would be no privacy violation for a retailer doing this. Now, before you run out and start collecting your customers' location data without their consent, recognize that the government's argument just implicates the Constitution and not laws that protect cell records or the federal laws on "trap and trace" that require some type of legal process to get records from the phone company. So you can't just traipse to your local phone company and get these records.

More significant to retailers is the government's argument that it doesn't need a warrant for these records and that people have no expectation of privacy in where they are when they have (whether or not they use) a cell phone, because these records are those of a third party (the phone company). Just like the government (and your spouse's divorce attorney) can get records of your bank statements and phone bills without a warrant (just a subpoena), the government (and anyone else with a subpoena) can find out where you are, where you were and who you were with by subpoenaing the records from the phone company. You see, these aren't your records. They are the phone company's records, and it can do whatever it wants with them.

As the government argued: "A historical cell-site record is a phone company's record of the cell tower and sector it used to handle a customer's call. It is a business record generated and stored by a cell phone company at its own discretion. No federal law mandates that a phone company create or keep historical cell site records" and "a customer has no Fourth Amendment privacy interest in business records created and held by a third party."

So here's where the trouble comes in for retailers. Location data is, and will continue to be, critically important for advertising, marketing and point of sale. Thousands of Web apps collect data about a consumer's location—ostensibly to help the consumer connect to businesses but also to help businesses find local consumers. Services like Yelp, Foursquare, Google Maps and OpenTable all link GPS data with retailers to help those retailers and their customers connect. As a lawyer, I would ensure that if I was collecting or obtaining location data, I would do so under a privacy policy that told the customers what I was collecting—and what I was going to do with that information. The policy could be something like, "I will only use your data to help you find a restaurant" or, "I will use your location data to send you coupons for shoe stores near you." The customer consents to the collection of location data, and you are set, right? Not so fast.

The government's argument that people have no expectation of privacy in third-party data is just flat out wrong—wrong, wrong, wrong. Did I mention that it was wrong? Indeed, while third parties can "know" where I am, what I eat, what I read, what songs I listen to, who my friends are, what I look like, what sizes I wear, what medications I take, where and when I bank, what I study and almost anything else about me, it would be wrong to say that, by virtue of the fact that this information is collected and/or stored by third parties, I have no privacy interest in such information.

Otherwise, the government could turn retailers into its own private data collection enterprises. As long as the government doesn't tell the retailer what to collect and the retailer collects data in the ordinary course of business, the government could get all of this data without telling the customer a thing. This belies the contract between the customer and the retailer, where the customer essentially says, "I will let you know what Kindle book I am reading so you can send me offers on similar books, but I am not authorizing you to tell the FBI that I just read Fifty Shades of Whatever." To think that consumers have no expectation of privacy in the intimate facts they are forced (often) to reveal to third parties as a condition of modern life is absurd.

More than 40 years ago, in a case involving a subpoena for phone records, Justice Thurgood Marshall dissented from the majority opinion that no warrant was necessary for these phone records because they were in the hands of a third party, the phone company.

Justice Marshall noted that "Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes." Justice Marshall went on to note "Implicit in the concept of assumption of risk is some notion of choice" unless "a person is prepared to forgo use of what for many has become a personal or professional necessity [namely, the use of a phone], he cannot help but accept the risk of surveillance."

This is exactly what Justice Sotomayor predicted in her concurring opinion in the June case involving the surreptitious installation of a GPS tracking device, where she noted: "It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

Perhaps, as Justice Alito said, some people may find the "tradeoff" of privacy for convenience "worthwhile," or they may come to accept this "diminution of privacy" as "inevitable." I, for one, doubt that people would accept without complaint the warrantless disclosure to the government of a list of every Web site they had visited in the last week or month or year.

Just because the record exists and is held by a third party (like a retailer) doesn't mean people don't expect the data to be protected from disclosure. This doesn't mean the government can't get these records, just that it has to show probable cause and get a warrant for them. As more records are held by third parties—including phone companies, retailers, credit card companies, processors and cloud providers and their agents and vendors—we need to stop making these entities into agents of the state. Otherwise, consumers will simply stop trusting them, and then they will revolt. And that's not good for anyone.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.