An armed robber’s Supreme Court case could affect all Americans’ digital privacy for decades to come

How much can your cellphone reveal about where you go?

Cityscape with location symbols Enlarge
How much can your cellphone reveal about where you go? Courtesy Getty Images

A man named Timothy Carpenter planned and participated in several armed robberies at Radio Shack and T-Mobile stores in Michigan and Ohio between 2010 and 2012. He was caught, convicted and sentenced to 116 years in federal prison. His appeal, which was heard by the U.S. Supreme Court on Nov. 29, will shape the life of every American for years to come – no matter which way it’s decided.

During its investigation of the robberies, the FBI got records not only of the phone calls made and received by Carpenter’s cellphone, but also its location over 127 days. The information clearly placed Carpenter’s phone nearby at the times and places of each of the robberies, providing strong circumstantial evidence against him. But it also revealed other information unrelated to the investigation, such as which nights Carpenter slept at home and what church he prayed in on Sunday mornings. The FBI didn’t get a search warrant for that information; the agency just asked Carpenter’s cell service provider, MetroPCS, for the data.

Carpenter is appealing his conviction on the grounds that his Fourth Amendment right to be protected from an unreasonable search was violated because his cellphone location was tracked without a search warrant. If you have a cellphone, what the Supreme Court decides will affect you.

Cell companies know where people are

As part of providing their services, cellphone companies know where their users are. Mobile phones connect to nearby towers, which have separate antennas pointing different directions. Noting which antennas on which towers a particular phone connects to allows the phone company to triangulate a fairly precise location.

Composite image describing how to triangulate a position Enlarge
Triangulating the location of a mobile device. N. Moayeri/NIST

In addition, technological advances are allowing cell towers to serve smaller and smaller areas. That means connected users are in even more specific locations. The FCC actually requires phone companies to be able to locate most cellphones within 50 meters when they call 911, to be able to direct emergency responders to the correct location.

Police want to track suspects’ movements

It is in the public’s interest for police to be able to track, catch and convict criminals. But to protect innocent citizens from harassment, the Bill of Rights established a process requiring investigators to get a judge’s signoff before conducting most searches for evidence.

Early in the 20th century, courts thought phone wiretaps didn’t require a warrant as long as the physical wiretap equipment was placed outside a target’s home. Over time, the importance of the telephone as a communications medium and the rise of the internet led to the increased protections provided by the 1986 Stored Communications Act. That law clarified constitutional procedure for the telephone age.

Under the law, police need a warrant to tap a person’s phone and listen to all his conversations. Without a warrant, officers can see what numbers a phone called, what numbers called that phone and when and how long the conversations lasted – but cannot eavesdrop on what was said.

Those rules have not been updated for the age of the mobile phone. As a result, a legal principle called the “third party doctrine” applies in Carpenter’s case – and in dozens, if not hundreds, of others. It says that if a person gives someone else a piece of information, that knowledge is no longer considered private.

In practice, it seems straightforward: If you tell a friend what you did last night, you can’t later stop your friend from telling the police what you said. And in fact, the Supreme Court has held that your friend could wear a “wire” so that the police can listen in, without a warrant and without informing you.

The way this plays out regarding the location of a cellphone is the assumption that by carrying a cellphone – which communicates on its own with the phone company – you have effectively told the phone company where you are. Therefore, your location isn’t private, and the police can get that information from the cellphone company without a warrant, and without even telling you they’re tracking you. This assumption is what Carpenter’s appeal is challenging.

Technology intrudes on privacy

I have been at the leading edge of data science for over 30 years. Based on my work on the ethics of data science, I believe the assumptions that were safe in 1986 – when almost nobody had cellphones and nearly all telephones were landlines serving fixed locations – are no longer reasonable. Back then, the information a phone user revealed to a phone company was very limited. Today, people disclose their location all the time, for routine, law-abiding activities, by carrying around cellphones.

Cellphone companies can know not only whom you call and for how long you speak, but where you are when you make the call, where you go in between calls and much more. They can deduce even more information, such as individuals’ religious affiliations and any number of personal habits that might be better kept secret – including how often an employee uses the restroom during a workday.

It makes no practical sense to claim a person could protect the privacy of their location and movements by not carrying a cellphone: The social and economic burden that would impose on each person would be too high.

Image Enlarge
An automated license plate reader on the street. ScottMLiebenson, CC BY-SA

This threat to privacy goes well beyond mobile phones: Automated license plate readers on bridges, roadsides and even police cars can easily record the identity of every vehicle, confirming its presence at a specific location at a particular time. A privacy-conscious person might give up driving, and instead rely on walking and taking public transportation. Cameras on the streets, at bus stops and in transit vehicles – coupled with tremendous recent advances in face recognition technology – can still track every move you make.

Personal health devices collect a great deal of information about users to help them achieve fitness goals, and may even be useful to provide early diagnosis of diseases. But information from a pacemaker has already been used to charge an alleged arsonist, and a Fitbit helped solve a murder.

Companies that provide internet service can learn a great deal about their customers simply by observing what websites users connect to, even if they don’t read the contents of each web page or email message. As electronic personal assistants (like Siri and Alexa) and home devices (like Nest) become more common and used more heavily, they will soon learn even more intimate details about people’s lives.

Declining to provide information to these “third party” service providers would require people to opt out of normal life – which isn’t really a choice.

Privacy extends to companies too

Most Americans don’t want their mobile phone companies to just hand over to police the enormous amount of information cellphones can reveal – at least not without getting a warrant first. But Americans’ privacy problem goes much deeper. Most people also don’t want their mobile phone companies to sell these data to others.

Many companies may seek that information to try to persuade more customers to buy their products, but nefarious uses are also possible. A person could be blackmailed with a threat of publicizing their (completely lawful) secrets – such as a particular health condition, religious affiliation or sexual preference.

Today, the protection people get goes only as far as the fine print of each service’s privacy policy. When a company goes out of business, its creditors try to make money from its assets – including data collected from and about its users. That is why I have called for companies to take the Data Destruction Pledge, promising that all customer data will be destroyed if the company ceases operation.

The FBI found Timothy Carpenter because one of his accomplices told them about him. I believe the FBI could have obtained a search warrant to track Carpenter, if agents had applied for one. Instead, federal agents got cellphone location data not just for Carpenter, but for 15 other people, most of whom were not charged with any crime. One of them could be you, and you’d likely never know it.

The more people rely on external devices whose basic functions record and transmit important data about their lives, the more critical it becomes for everyone to have real protection for their private data stored on and communicated by these devices.

This article was originally published on The Conversation. Read the original article.

Explore:
H.V. Jagadish; Research News; Security and Privacy