An armed robber’s Supreme Court case could affect all Americans’ digital privacy for decades to come

Police want to track suspects’ movements
It is in the public’s interest for police to be able to track, catch and convict criminals. But to protect innocent citizens from harassment, the Bill of Rights established a process requiring investigators to get a judge’s signoff before conducting most searches for evidence.

Early in the twentieth century, courts thought phone wiretaps didn’t require a warrant as long as the physical wiretap equipment was placed outside a target’s home. Over time, the importance of the telephone as a communications medium and the rise of the internet led to the increased protections provided by the 1986 Stored Communications Act. That law clarified constitutional procedure for the telephone age.

Under the law, police need a warrant to tap a person’s phone and listen to all his conversations. Without a warrant, officers can see what numbers a phone called, what numbers called that phone and when and how long the conversations lasted – but cannot eavesdrop on what was said.

Those rules have not been updated for the age of the mobile phone. As a result, a legal principle called the “third party doctrine” applies in Carpenter’s case – and in dozens, if not hundreds, of others. It says that if a person gives someone else a piece of information, that knowledge is no longer considered private.

In practice, it seems straightforward: If you tell a friend what you did last night, you can’t later stop your friend from telling the police what you said. And in fact, the Supreme Court has held that your friend could wear a “wire” so that the police can listen in, without a warrant and without informing you.

The way this plays out regarding the location of a cellphone is the assumption that by carrying a cellphone – which communicates on its own with the phone company – you have effectively told the phone company where you are. Therefore, your location isn’t private, and the police can get that information from the cellphone company without a warrant, and without even telling you they’re tracking you. This assumption is what Carpenter’s appeal is challenging.

Technology intrudes on privacy
I have been at the leading edge of data science for over thirty years. Based on my work on the ethics of data science, I believe the assumptions that were safe in 1986 – when almost nobody had cellphones and nearly all telephones were landlines serving fixed locations – are no longer reasonable. Back then, the information a phone user revealed to a phone company was very limited. Today, people disclose their location all the time, for routine, law-abiding activities, by carrying around cellphones.

Cellphone companies can know not only whom you call and for how long you speak, but where you are when you make the call, where you go in between calls and much more. They can deduce even more information, such as individuals’ religious affiliations and any number of personal habits that might be better kept secret – including how often an employee uses the restroom during a workday.

It makes no practical sense to claim a person could protect the privacy of their location and movements by not carrying a cellphone: The social and economic burden that would impose on each person would be too high.

This threat to privacy goes well beyond mobile phones: Automated license plate readers on bridges, roadsides and even police cars can easily record the identity of every vehicle, confirming its presence at a specific location at a particular time. A privacy-conscious person might give up driving, and instead rely on walking and taking public transportation. Cameras on the streets, at bus stops and in transit vehicles – coupled with tremendous recent advances in face recognition technology – can still track every move you make.

Personal health devices collect a great deal of information about users to help them achieve fitness goals, and may even be useful to provide early diagnosis of diseases. But information from a pacemaker has already been used to charge an alleged arsonist, and a Fitbit helped solve a murder.

Companies that provide internet service can learn a great deal about their customers simply by observing what websites users connect to, even if they don’t read the contents of each web page or email message. As electronic personal assistants (like Siri and Alexa) and home devices (like Nest) become more common and used more heavily, they will soon learn even more intimate details about people’s lives.

Declining to provide information to these “third party” service providers would require people to opt out of normal life – which isn’t really a choice.

Privacy extends to companies too
Most Americans don’t want their mobile phone companies to just hand over to police the enormous amount of information cellphones can reveal – at least not without getting a warrant first. But Americans’ privacy problem goes much deeper. Most people also don’t want their mobile phone companies to sell these data to others.

Many companies may seek that information to try to persuade more customers to buy their products, but nefarious uses are also possible. A person could be blackmailed with a threat of publicizing their (completely lawful) secrets – such as a particular health condition, religious affiliation or sexual preference.

Today, the protection people get goes only as far as the fine print of each service’s privacy policy. When a company goes out of business, its creditors try to make money from its assets – including data collected from and about its users. That is why I have called for companies to take the Data Destruction Pledge, promising that all customer data will be destroyed if the company ceases operation.

The FBI found Timothy Carpenter because one of his accomplices told them about him. I believe the FBI could have obtained a search warrant to track Carpenter, if agents had applied for one. Instead, federal agents got cellphone location data not just for Carpenter, but for fifteen other people, most of whom were not charged with any crime. One of them could be you, and you’d likely never know it.

The more people rely on external devices whose basic functions record and transmit important data about their lives, the more critical it becomes for everyone to have real protection for their private data stored on and communicated by these devices.

H. V. Jagadish is Bernard A. Galler Collegiate Professor of Electrical Engineering and Computer Science, University of Michigan. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).