The Privacies of Life
Authored by CDT Summer Intern Dominic Contreras.
In Carpenter vs. United States, the Supreme Court held that law enforcement is required to obtain a warrant to access historical cell-site location information (CSLI). The Court recognized that cell phones are an inescapable part of modern life and that individuals have a reasonable expectation of privacy in the location data they generate, even though that data is disclosed to a third party (the cell service provider). The ruling focused on the potential of CSLI to provide “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations,’” and on the fact that people cannot realistically avoid using a cell phone and generating CSLI. While Carpenter addressed CSLI in the context of law enforcement investigations, the ruling has implications for commercial privacy rights as well.
Carpenter is the latest in a series of decisions, spanning several decades, that have tried to interpret Fourth Amendment privacy protections for a digital world. Since 2001, the Court has held that the warrant requirement covers (1) information inside the home, even if it can be detected from the outside by surveillance technology; (2) the use of a GPS device to track a vehicle; (3) cell phone searches; and now (4) historical location information generated by a cell phone. In slow but steady progress, the Court has grappled seriously with how to apply traditional notions of privacy – and limits on government intrusion – to a world in which data is much more easily generated, stored, transferred, and accessed by law enforcement. Unfortunately, the same cannot be said for our privacy protections with respect to commercial entities.
Companies hold information about us that is even more revealing than the CSLI in Carpenter, but there are no federal baseline privacy protections for much of the data that companies collect. The few consumer privacy protections we do have do not adequately take people’s reasonable expectations into account. With some exceptions, companies are allowed to collect and use data as they please, as long as they disclose it in a privacy policy. This model ignores the limits of our ability to learn and understand the data practices of each company that accesses our information, and to avoid data practices we object to. Consumers recognize that certain information must be collected to provide a product or service, but are often surprised to learn about the other types of data that are collected, and the purposes for which these data are used.
For example, in 2018, the Federal Trade Commission (FTC) settled an administrative complaint against the Florida-based mobile phone maker BLU, which had been selling text message content and location data to third parties without user notification or consent. One year before that, the FTC fined the smart-TV manufacturer VIZIO $2.2m for collecting and selling information about consumer viewing activities to third parties without their consent. These two examples are by no means the extent of the problem, but rather the tip of the iceberg.
This lack of consumer privacy protections not only leaves people at the mercy of industry practices but can also undermine Fourth Amendment protections. Earlier this year, Sen. Ron Wyden (D-OR) filed a complaint with the FTC detailing how telecommunications companies were providing access to real-time location data about their customers to third parties, some of which in turn provided that information to law enforcement without a verified court order or legal process. Amid mounting public pressure, Sprint, Verizon, and AT&T announced that they were ending or significantly curtailing these practices, but the data-laundering loophole that allowed it still exists.
Consumers rightfully expect privacy and security for their sensitive digital data regardless of whether it’s in the hands of the government or a private company. It is time for the federal government to establish baseline privacy protections that honor those expectations. In the absence of strong baseline privacy regulation, it is private entities, not the people or the government, that set the norms by which highly sensitive personal data is collected and used, and their track record in this space is far from stellar.