That point was illustrated in the wake of the Capitol riot, when the authorities pulled cell phone records to see who was present. "In the hours and days after the Capitol riot, the FBI relied in some cases on emergency orders that do not require court authorization in order to quickly secure actual communications from people who were identified at the crime scene," The Intercept reported this week. "Investigators have also relied on data 'dumps' from cellphone towers in the area to provide a map of who was there, allowing them to trace call records — but not content — from the phones." The data collected by people's phones and the apps they use, often compiled by marketing firms, is amazingly detailed. An individual "outraged by the events of Jan. 6" supplied data on participants in the day's events to The New York Times, whose writers were thoroughly creeped out by the information.
"While there were no names or phone numbers in the data, we were once again able to connect dozens of devices to their owners, tying anonymous locations back to names, home addresses, social networks and phone numbers of people in attendance," Charlie Warzel and Stuart A. Thompson wrote. Marketing databases have become a favorite resource for government agencies, which purchase the information as an attempted end-run around Fourth Amendment protections. The theory has been that, since the data is "voluntarily" provided to a third party there's no privacy from the government required. "The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement," The Wall Street Journal reported last year. "The location data is drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone's location."
The FBI also made use of phone location data, which led to a legal challenge that went all the way to the Supreme Court. In Carpenter v. United States (2018) the justices noted that "A majority of the Court has already recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements. Allowing government access to cell-site records … contravenes that expectation." As a result, the court ruled in the opinion written by Chief Justice John Roberts, "the Government will generally need a warrant to access CSLI [cell-site location information]." You'd think that would be the end of it as far as government agencies accessing the location beacon features of cell phones go, but you'd be mistaken. Cell phones track us in two ways: through CSLI generated when phones contact cell towers, and through GPS data collected by the apps installed on phones. CSLI isn't yet as accurate as GPS location data, but it's keyed to specific phone numbers, while GPS data is connected to mobile advertising IDs that are, supposedly, anonymous. Since it's not directly connected to individuals and wasn't addressed in Carpenter, government agencies maintain they can still gather cell phone GPS data.
But could the government require a similar application in the United States or would it be a violation of the Fourth Amendment’s guarantee against “unreasonable searches?” Generally, the Fourth Amendment may be invoked when a search infringes on a reasonable expectation of privacy, or the government’s activity amounts to a trespass, per the Supreme Court’s holding in Katz v.
"[I]t is our understanding that the Carpenter decision concerned historical Cell Site Location Information which is distinct from the opt-in app data available on the Venntel platform," the Internal Revenue Service (IRS) recently told the Treasury Inspector General for Tax Administration (TIGTA) in response to a query about the use of commercial databases such as Venntel. The TIGTA query was prompted by Sen. Ron Wyden (D-Ore.) and Sen. Elizabeth Warren (D-Mass.), after reports of the IRS engaging in warrantless tracking of suspects. Tax collectors, just like the FBI and immigration officials, appreciate the use of third-party location data. The IRS argument didn't convince the inspector general. "The Carpenter decision did not directly address the use of GPS data, but future courts may apply the same logic to limit the use of GPS data without a warrant," the TIGTA letter, first reported by The Wall Street Journal, noted. "Our concern is that the Supreme Court rejected the Government's argument in Carpenter that CSLI is truly voluntarily provided to the phone carriers. The Court's rationale was that phone users do not truly voluntarily agree to share the information given the necessity of phones in our society. Courts may apply similar logic to GPS data sold by marketers, particularly if the Government identifies ways to translate the alphanumeric code to identify the phone's owner or has other means of identifying the phone's owner."
That's a well-placed concern as the report in The New York Times demonstrates. "The supposedly anonymous ID could be matched with other databases containing the same ID, allowing us to add real names, addresses, phone numbers, email addresses and other information about smartphone owners in seconds," Warzel and Thompson pointed out. Advertising IDs can be disabled, theoretically making it harder to track a cell phone through app-gathered GPS data. But CSLI data pinpoints a phone's location every it pings a tower. That data is now subject to warrant requirements, but it exists—the FBI gathered it after the Capitol riot. And GPS data will continue to be available without a warrant until the courts weigh in on the issue.
That means that anybody who wants to participate in a protest unmonitored, engage in clandestine meetings, or travel untracked has to, at a minimum, leave behind all cell phones and other modern electronic devices connected to their names and identities. A burner phone purchased with cash and free of social media accounts is probably fine, but that's as far as it goes. The conveniences of the connected modern world come with a steep price: our anonymity.