The Fourth Amendment gives the people the right to be free from “unreasonable searches and seizures.” Applying that rule to location data generated by the devices we carry with us 24/7, however, is still very much a work in progress. The question first came up at the Supreme Court only two years ago, in Carpenter v. United States, and the answer was limited to a specific category of data known as cell site location information, or CSLI. To tie Timothy Carpenter to a string of robberies—of cell phone stores, neatly enough—the FBI in 2011 subpoenaed his cell-tower location records, which placed him near the scenes of the crimes. The government argued that it didn’t need to get a warrant because of the so-called third party doctrine, which says that you surrender any expectation of privacy when you share information with a third party.The Supreme Court disagreed. In a landmark ruling, Chief Justice John Roberts sided with the court’s four liberals to hold that the third-party doctrine, which was established in the 1970s, simply doesn’t make sense for information as sensitive and revealing as CSLI. “When the government tracks the location of a cell phone it achieves near perfect surveillance,” Roberts’s majority opinion explained. Despite the sweeping language, however, the ruling was narrow: If the cops want to get seven days’ worth or more of individual location records from the likes of AT&T or Verizon, they need to come up with a warrant. Roberts left open what should happen in other scenarios, including cell-tower dumps, in which cops can request records of every mobile phone at a particular location over a certain time period.
Meanwhile, CSLI is far from the only type of location data available today, and wireless carriers are far from the only entities keeping track of our whereabouts. Software development kits embedded in thousands of apps, even ones that have no obvious need to know where its users are located, are gathering and selling that information across the digital advertising landscape. It comes not from cell tower pings but from things like GPS tracking and IP addresses. It’s purchased in bulk and often “anonymized,” or stripped of identifying info—although, as a recent New York Times report illustrated, it’s trivially easy to connect anonymized bulk location data back to individual cell phone users.The bigger twist here is that, unlike in Carpenter, DHS isn’t subpoenaing location records; it’s buying them from Venntel, a data broker that according to the Journal has ties to Gravy Analytics, a major adtech company. Does the Fourth Amendment, or any other legal protection, even apply to this type of transaction?
Nathan Freed Wessler, the ACLU lawyer who successfully argued Carpenter’s case at the Supreme Court, said there are at least two ways in which this arrangement could violate the law. The first concerns the companies originally gathering location data, rather than the government. Under the Stored Communications Act of 1986, companies that store and transmit user data are generally prohibited from “knowingly” sharing those records with the government. That, Wessler said, probably doesn’t apply to a broker like Venntel that doesn’t deal with consumers directly. But it could apply to the app makers who are passing data along to companies like Venntel, if they know it will eventually end up in the government’s hands.