Naked Security Naked Security

Cops need warrant for both location history and phone pinging, says judge

It's one of the first location data privacy cases to grapple with the warrant and surveillance implications of the Carpenter decision.

As we all should know full well by now, location data from our phones can reveal our every move – where and when and with whom we live, socialize, visit, vacation, worship; our trips to an emergency room or family planning clinic; and much more.

Whether law enforcement gets that intimate portrait of our lives from real-time cell phone location data handed over by a phone company or from a cell-site simulator like a stingray is moot. Either way, police need a warrant, Massachusetts Supreme Judicial Court ruled on Tuesday.

The Electronic Frontier Foundation (EFF) is calling this an important win in the ongoing debate about location privacy and the wealth of records stored by third parties – one that could play a role beyond Massachusetts.

This is one of the first decisions to grapple with the scope of the Carpenter ruling – which held that law enforcement needs a warrant for location data – but it won’t be the last.

As it is, the EFF said, momentum is growing at the state level, with legislation pending in both Maryland and Wisconsin that would require police to get a warrant for location data. From the EFF:

[The Massachusetts decision will] hopefully turn the tide on pending court cases looking at the issue.

Commonwealth of Massachusetts v. Almonor

The case in question is Commonwealth of Massachusetts v. Almonor, and it concerns police having ordered cellphone service provider Sprint to ping the phone of a murder suspect without a warrant. In fact, police got two weeks’ worth of the suspect’s historical cell records.

They didn’t get a search warrant that was supported by probable cause. Rather, they relied on federal law. But now, years after the conviction, a different judge has found that the warrantless data grab violated the Massachusetts state constitution. The judge’s reasoning: the state’s constitution says that people have an expectation of privacy in their movements, regardless of the fact that the records were owned by Sprint.

The EFF filed an amicus brief to back up that decision when the state appealed to the Massachusetts Supreme Judicial Court. Along with Kit Walsh of the Berkman Center for Internet and Society at Harvard Law School, the EFF argued that a search warrant is needed before police can track people’s location for an extended period of time.

Details of the Almonor case

In 2012, police had learned the phone number of the suspect, then 24-year-old Jerome Almonor, within about four hours of a murder being committed with a sawed-off shotgun. With the phone number in hand, police next contacted Sprint to ask for Almonor’s phone’s real-time location pursuant to a “mandatory information for exigent circumstances requests” form – i.e., when there’s a threat of imminent harm or the need to protect evidence or property from being destroyed that justifies police acting without a warrant.

Pinging the mobile phone meant surreptitiously accessing its GPS functions so that it sent its coordinates back to the phone carrier and the police. With that real-time location data in hand, police pinpointed Almonor and tracked him down to a bedroom in a private home in Brockton, Massachusetts.

The state’s argument: it could warrantlessly get cell phone location data to find anyone, anytime, at any place, as long as it was less than six hours old. That six-hour window hails back to an earlier case, Commonwealth v. Augustine, in which the court noted that individuals have an expectation of privacy… at least, when the location data is collected for six hours or less, it said in a footnote:

It would be reasonable to assume that a request for historical [cell site location information, or CSLI] of the type at issue in this case for a period of six hours or less would not require the police to obtain a search warrant.

Last week’s decision to reject the “it’s OK if it’s less than six hours” rationale is “heartening news” for location privacy, the EFF said. Absent exigent circumstances, the court held, the police must get a warrant.

This goes beyond Carpenter v. United States

The decision referenced another important, recent decision in the case of phone location data: that of Carpenter v. United States.

In June 2017, the US Supreme Court agreed to take up the case of Timothy Ivory Carpenter: a man who’d been sentenced to 116 years in jail for robbing six cellular telephone stores at gunpoint. The case against him was made at least partly on the basis of months of cellphone location records, turned over without a warrant, which prosecutors said placed Carpenter’s phone within a half mile to two miles of the scenes of the crimes.

In doing so, the Supreme Court took up a slew of questions that arise from the modern era of ubiquitous cellphone usage. The case in question, Carpenter v. United States, is one of many that have arisen when police have used cellphone-derived location data to pinpoint suspects’ whereabouts and whenabouts.

Did the warrantless search violate Carpenter’s Fourth Amendment protection against unreasonable search?

The answer: Yup. That was the decision handed down in June 2018, when the Supreme Court, in a 5-4 decision, ruled that US law enforcement needs a warrant before accessing cellphone location data.

Cellular carriers track our phone location using either built-in GPS data or by triangulating location data between nearby cellphone towers, log it, and can use it to paint a detailed picture of where you were, and when, and who you talk with. The court compared the records to an ankle monitor. Before the June 2018 Carpenter decision, law enforcement officials could check up on anyone they wanted.

Prior to that ruling, the FBI was legally allowed to access this information under a 1994 amendment to the 1986 Stored Communications Act, which enables a judge to grant a court order for access to records if prosecutors can prove that they are “relevant and material to an ongoing investigation”.

So yes, Carpenter is considered a win for location data privacy rights. But the Massachusetts decision from last week addressed an even bigger issue: it goes beyond just getting at our location data, and instead concerns tinkering with our phones in order to track us. Here’s from the Almonor decision:

Manipulating our phones for the purpose of identifying and tracking our personal location presents an even greater intrusion [than that of accessing the historical location data that was at issue in Carpenter]. … by causing the defendant’s cell phone to reveal its real-time location, the Commonwealth intruded on the defendant’s reasonable expectation of privacy in the real-time location of his cell phone.

As it is, the court noted, the state had wanted to set up what would result in “perverse results” and “unduly burden cell phone users,” given that phones are an “indispensable part of modern life.”

Under the Commonwealth’s approach, individuals would face an impossible choice: either reject owning a cell phone, keep it turned off virtually all the time, or subject yourself to warrantless government monitoring at six-hour intervals of the government’s choosing. But this is no choice at all.

Article 14 [of Massachusetts’s state constitution] and the Fourth Amendment exist precisely to protect the privacy interests of people when they are within society, not to require them to opt out of participating in society.

The EFF says that it’s “heartened” at how the Massachusetts court handled these issues, but the fight to protect location data privacy is far from over. As it is, there are multiple cases pending, all of which will also grapple with the scope of the Carpenter ruling, such as State of Maine v. O’Donnell, which concerns how police track and locate people in real time.

The EFF says it continues to actively track O’Donnell as well as other cases playing out across the country.