A long time ago, in a courtroom far, far away . . . The DC Circuit was locked in an epic struggle between privacy and advancing technology, where GPS tracking looked to spell the doom of civil liberties neith the mighty tred of . . . alright I’ll stop the Star Wars roleplaying. The Mosaic Theory is back in the news again, with the Fourth Circuit’s decision in United States v. Graham resurrecting that presumed dead interpretation of the Fourth Amendment, and I want to talk about it. The ruling involves cellphone cell-site data, (the stuff they talked about in Serial), but really implicates location data generally, and has commentators wondering if the Supreme Court will take a second look at how it treats location data under the Fourth Amendment.
To recap, Mosaic Theory is an interpretation of the Fourth Amendment that says that government activity that doesn’t qualify as a “search” can, in the aggregate, become a search. I’ve discussed this elsewhere, but the important point to remember is that if you don’t have a reasonable expectation of privacy in the searched subject matter, it doesn’t qualify as a “search,” and doesn’t trigger the Fourth Amendment. So a police officer sees you on a public street? Not a search. (You’re in public, so no reasonable expectation of privacy.) That same police officer follows you around for months at a time? That could become a search. Current law says no; but Mosaic Theory says yes. Somewhere in the continuous surveillance, an expectation of privacy emerges. (A Force for Privacy Awakens?) Or at least that’s the theory.
This last came up when the Supreme Court took the case United States v. Jones, where the lower appellate court relied on Mosaic Theory to overturn the defendant’s conviction. While the Supreme Court ultimately said “these aren’t the droids we’re looking for,” (I’m paraphrasing), it also didn’t completely disavow Mosaic Theory, leaving the possibility that it might rise again more powerful than we could possibly imagine. And since the Fourth Circuit’s ruling in Graham is in conflict with at least two other circuits, the Supreme Court is well situated to address the situation once again.
Graham itself involves the police use of cell-site data to track a suspect’s movements, and ultimately tie those movements to a series of robberies that occurred simultaneously. To do so, the police requested over a month’s worth of cell-site data, providing intricate detail into the defendant’s movements for a prolonged period of time. The opinion relies heavily on the prolonged nature of this tracking, pointing out how much additional information can be gleaned from this high volume of data. And while the opinion seems to be pretty clearly going against Supreme Court precedent, many seem to think that circle is now complete and the Supreme Court is ready to change its position.
A New Hope?
So what are the odds Mosaic Theory becomes the law of the land? (“Never tell me the odds!”) I would say not great. While it addresses a very real problem with our Fourth Amendment jurisprudence, I don’t think it does so in a workable manner. The problem is fundamentally one of line-drawing: how many non-searches makes a search? How many cell-site records can the police request before they need a warrant? Does this prevent police from gaming the bright-line, either by repeatedly asking for just under the line, or by just asking for different kinds of data? We might have a bright-line rule for cell-site data, but does that overlap with GPS? Does it matter how far apart these requests are? Does all police activity feed into this analysis? This train of thought eventually devolves back into the reasonable expectation of privacy standard, except now all police activity (even non-searches) are open to legal challenge, undermining the point of the non-search status to begin with. While this might be what the public wants, I don’t think this is the way the Court will rule.
In case that last paragraph was a bit unclear, I’ll try an example. Let’s say the rule is: you cannot request more than 14 days worth of cell-site data on a single person. The first issue is timing. Suppose I ask for 13 days worth, 2 days in a row? Surely that is out. But what if I ask for 13 days twice in one year? That seems less egregious. Or what if I only request 1 day of data, but I do that every week, for 14 weeks. Already our bright-line rule is breaking down. Or maybe it is investigation based: if you are investigating someone for a crime, you get 14 days worth of cell-site data, but no more! But what if I am conducting multiple investigations? Do I get to add up my free surveillance days? And how will this work when multiple agencies are investigating the same person for the same crime? Do they have to share?
And more fundamentally, what data is protected? Even limiting the discussion to location data, there are dozens of potential tracking methods that are readily available. A rule that only applies to cell-site data would just mean police request some other way of tracking location, and a rule that protects your location generally would be incredibly vague. Would that include in-person surveillance? Surveillance from traffic cameras? What about location data you share on your Facebook page? Do the privacy settings matter?
Because the question at the heart of this debate is extremely challenging: when do we reasonably expect our location to be private? While it may be tempting to just say “always” and head off for lunch at the Death Star Canteen, that doesn’t jive with how the modern world works. Anyone with a smartphone is pretty much guaranteed to share their location with a host of apps, ISPs, and other intermediaries just as an incident of using the phone. The case at issue is a perfect example: cellphones need to know where you are in order to get the other side of the conversation back to you. And smartphone apps increasingly rely on location data to provide you with localized services: Tinder, Yik yak, Foursquare – location data is integral to these apps’ appeal. And this isn’t limited to phones: credit cards, automobiles, surveillance cameras – location data is everywhere. Can we say we have a reasonable expectation of privacy in our location when so many others clearly already have this information?
And I don’t think the premise of mosaic theory – that the quantity of information determines our expectation of privacy – jives with how we typically think about privacy. No one is going to be thrilled that their movements can be tracked, no matter how briefly, and a single data point at a risqué location is arguably more private than a whole month of mundane driving to and from work. While tracking more data certainly increases the likelihood that you’ll hit something really private, I don’t think people view their privacy as hitting some trigger point where suddenly the surveillance has “gone too far.” Is the quantity of data really the primary concern?
“No, there is another.”
It may be that the problem is with the underlying premise: the third party doctrine. The third party doctrine says that we have no expectation of privacy in information we share with third parties, and is the reason that cell-site data is currently considered a non-search. This makes sense at first glance: if I tell you a secret, (say, that I actually kind of liked the Star Wars prequels), I can’t stop you from blabbing my secret to whomever you want. I can get mad at you, but I can’t do much about the person you told my secret to. Yet many commentators, including Justice Sotomayor, have suggested that this ideology might not adequately reflect the modern era, where some degree of information sharing is a practical necessity to interact online. Data sharing is everywhere: it surrounds us, penetrates us, it binds the Galaxy to – I’ll stop.
A ruling against the third party doctrine strikes me as more likely than one for Mosaic Theory, if for no other reason than Justice Sotomayor’s concurrence in Jones. While I doubt the Court would outright overturn the doctrine, it could substantially narrow its scope. The simplest solution would be to create a categorical exception for location data (i.e. we still have a reasonable expectation of privacy in location data we share with third parties), but they could also more fundamentally rework how the third party doctrine applies.
One option is to place more weight on a “voluntarily” requirement. This would ask if you are sharing the information because you don’t think of it as private, or if you are forced to share the private information to achieve some other end. We could then classify data as “involuntarily shared,” and therefore require the government to get a warrant. After all, we share medical information with insurance companies and the like, yet we still recognize that information as private. But then again, medical information is protected by HIPAA, whereas there is no statute for location data.
The Fourth Circuit also suggested that the advanced nature of the technology should be a factor (albeit without specifically invoking the third party doctrine). Sharing my name doesn’t require advanced technology, but sharing my cell-site data? If the information requires advanced technology to track, maybe it is inherently more private. It wasn’t clear what the underlying principle for this technology distinction was, however; perhaps advanced technology is less likely to be understood by the user, or is more difficult for the user to control? These are basically just extensions of the “voluntarily” argument, but the Supreme Court has referred to “technology not in public use” in the Fourth Amendment context, so the Fourth Circuit is probably just searching for precedent.
“All too easy”
Ultimately I think this is a problem of convenience. When the third party doctrine was first articulated in United States v. Miller (regarding bank records), it was difficult to use in bulk. That was an analogue world, and requesting a hardcopy for everything was simply impractical. But with Big Data, private companies recording and analyzing our every digital move is the norm, and by extension police requests for that high-volume data is incredibly easy. I like to joke that the underlying principle of the Fourth Amendment is really that law enforcement’s job cannot be too easy: we want police officers to do things the hard way. If police can just ask Google for all the data they have on us, that makes their job too easy. The fact that Google has all of that data is . . . not the question at hand.
Then again, this case in some ways suggests that our current system isn’t working so badly. While the police didn’t need to obtain a warrant, they still had to follow statutory provisions in the Stored Communications Act. So its not quite Mos Eisley for the police right now, and if we want to impose more stringent quantity limitations for SCA requests, Congress could impose those without implicating the Fourth Amendment at all. I’ve also suggested some other solutions in previous posts, whether it be stricter individualization requirements, greater police oversight, or even just a better understanding of the information we share. And of course what I’m saying might only be true from a certain point of view. My interpretation of Mosaic Theory is that its a trap filled with uncertainty and ideological inconsistencies, but some very smart people disagree.
Until next time: may the Fourth (Amendment) be with you.