Congress, meanwhile, passed an obscure statute that month called the Stored Communications Act that has become much more relevant 30 years later as the Supreme Court will have two opportunities to help define the scope of digital privacy under a law enacted when cellphones and email hardly existed.
To obtain electronic communications, the government must obtain a warrant for any that are held for 180 days or fewer by a computer service provider. This means establishing probable cause that the evidence sought is related to a crime.
But for anything older than that, investigators need only a grand jury or administrative subpoena, as long as the person whose communications are sought is informed. That notification can be delayed by as much as 90 days if disclosure might have an adverse effect, such as destroying or tampering with evidence.
Back in 1986, Congress viewed communications over six months old to be abandoned and therefore subject to reduced protection, a notion that looks quaint today when emails and texts may be held for years.
Another provision of the statute allows investigators to obtain information from the provider about a subscriber to any electronic service, like cellphones, by seeking a court order based on “reasonable grounds to believe” that the records are relevant to a criminal investigation. This is a lower standard than probable cause, the usual requirement for a search warrant.
It is this lower threshold for getting information that is at issue in Carpenter v. United States, which the Supreme Court will hear in its next term starting in October.
The defendants were convicted of organizing a string of robberies in the Detroit area where they served as lookouts by parking near the stores. The government obtained orders directing wireless carriers to provide cell site location information showing where different numbers linked to the crew conducting the robberies were at the time of the crimes. Armed with data from various cell towers, prosecutors showed at trial that the defendants’ phones were a half-mile to two miles from the robberies, helping to link them to the actual perpetrators.
The defendants sought to suppress that information, arguing that it constituted a search of their phones so that the reasonable grounds standard in the Stored Communications Act for the order did not meet the probable cause requirement of the Fourth Amendment.
The United States Court of Appeals for the Sixth Circuit in Cincinnati rejected that claim, finding that “although the content of personal communications is private, the information necessary to get those communications from point A to point B is not.” Therefore, the defendants had no privacy interest in the information held by the carriers about their location and the constitutional probable cause requirement did not apply.
The Carpenter case raises a fundamental question about how far the privacy protection in the Fourth Amendment, which by its terms applies to “persons, houses, papers and effects,” should reach in protecting data generated by a person’s electronic devices. Chief Justice John G. Roberts Jr. wrote in Riley v. California, a 2014 decision, that cellphones are now “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”
In Riley, the court found that a warrantless search of an arrestee’s cellphone was unconstitutional, explaining that what distinguishes the device from other items that might be found on a person that the police could look at “is their immense storage capacity.” But rummaging through the contents of a phone or computer is not necessarily the same as getting site information that is broadcast to the carrier, especially when a person may enable it by using an app like Find My Phone.
In a 2012 case, United States v. Jones, the Supreme Court found that the use of a GPS tracker attached to a car was a search governed by the Fourth Amendment. Justice Sonia Sotomayor explained in a concurring opinion that the privacy interests in a person’s specific location required investigators to get a warrant because gathering that information “enables the government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.”
In the Carpenter case, the justices will have to weigh whether cell site data is different from a GPS tracker because learning where a person is within about a one-mile radius may not be a sufficient invasion of privacy to come within the Fourth Amendment. Nor does obtaining the location of a cellphone reveal the content of any communication, only that a call was made, so the protection afforded by the Riley decision may not apply.
Another case involving the Stored Communications Act that may come before the justices concerns the territorial reach of a warrant authorizing investigators to obtain emails held by Microsoft. The United States Court of Appeals for the Second Circuit in Manhattan, in Microsoft v. United States, found that the warrant did not apply to emails stored on a server in Dublin because there was no indication in the statute that Congress intended to authorize a search outside the United States.
The Justice Department filed a petition with the Supreme Court on June 22 asking for a review of that decision, arguing that it was “wrong, inconsistent with this court’s framework for analysis of extraterritoriality issues, and highly detrimental to criminal law enforcement.” Those requests are often granted because the justices rely on the solicitor general’s office to identify cases that have significant law enforcement implications.
Another factor in favor of granting review is that the Second Circuit’s decision has not been followed by federal district courts in Philadelphia, San Francisco, Washington and Wisconsin, which have enforced warrants to produce email records that may have been stored abroad. A note in the Harvard Law Review criticized the decision because it “did not acknowledge the ‘un-territorial’ nature of data.”
Microsoft is fighting the effort to apply the Stored Communications Act to electronic records held outside the United States, pointing out in a company blog post that the European Union’s new General Data Protection Regulation scheduled to go into effect next year will make it illegal to transfer customer data from Europe to the United States. That could put global technology organizations like Google and Microsoft in the difficult position of balancing demands for greater privacy with efforts to investigate crime that could result in large fines for failure to comply.
Determining how digital information fits under a constitutional protection adopted when there were only “persons, homes, papers and effects” that could be searched requires the Supreme Court to figure out the scope of privacy expectations in a very different world from the 18th century. The problem is that legal challenges take a piecemeal approach to a statute adopted over 30 years ago, and the courts cannot rewrite provisions that may be hopelessly out of date.
The House of Representatives adopted the Email Privacy Act in February to modernize the protections afforded electronic communications that would require obtaining a search warrant in almost every case. That proposal met resistance in the Senate last year when Attorney General Jeff Sessions, then a senator from Alabama, sought to add a provision allowing law enforcement to skip the warrant requirement in emergency situations.
Whether the legislation can get through the current Senate is an open question, and it is not clear whether President Trump would sign off if the Justice Department opposes the bill. That may mean the Supreme Court will have to establish the broad parameters of digital privacy while Congress tries to deal with the intricacies of a world of electronic communication that continues to evolve rapidly.
Devices connected to the internet, from cellphones to watches to personal training trackers that facilitate our personal habits and communications, are a fact of daily life, and the Supreme Court will have to start drawing clear lines around what types of electronic information are — and are not — protected by the Fourth Amendment. Simply asserting that there is a right to privacy does not provide much help in determining how far that protection should extend in a digital world.