Cell phone location data not private, Feds argue

Fifth Circuit appellate court hears arguments on warrantless tracking of cellular location data

Individuals have no reasonable expectation of privacy in historical cell phone location data collected and maintained by phone companies, a federal prosecutor said in oral arguments Monday before a three-judge panel from the Fifth Circuit Court of Appeals in New Orleans.

The court is reviewing an appeal from the U.S government in a case pertaining to the government's authority to collect historical cell phone location data from a phone company without obtaining a formal search warrant first.

Federal prosecutors in the case have maintained that the Stored Communications Act (SCA) of 1986 allows them to use a relatively easy-to-obtain court order, called 2703 (d), to force a cellphone company to turn over historical cell-site location information on specific subscribers.

Privacy advocates have insisted that law enforcement authorities should be required to obtain search warrants based on higher reasonable cause standards before they can ask a carrier for cell phone location data. They have argued that any location data collected without such a warrant is a violation of Fourth Amendment rights against unreasonable search and seizure.

The case is an important one and comes at a time when lawmakers and courts around the country are grappling with the issue of warrantless tracking of location data by law enforcement authorities. Many have expressed concern that unbridled cell phone location tracking will let the government conduct extensive surveillance on cell phone owners.

In August, the Sixth Circuit Court of Appeals ruled that Fourth Amendment protections do not in fact extend to cell phone location data. In arriving at the decision, the court maintained that there is little constitutional difference between tracking a suspect physically on public roads and using cellular technology to do the same thing.

The Sixth Circuit's decision was somewhat at odds with one arrived at two years ago by the Third Circuit appellate court which held that law enforcement authorities needed to obtain search warrants to gather customer cellphone location data stored by phone companies.

Meanwhile in California, state lawmakers recently passed legislation that would have required law enforcement to obtain a search warrant for seeking location-tracking data. California Governor Jerry Brown however vetoed that bill last weekend.

The case before the Fifth Circuit goes back to 2010 when law enforcement authorities in Houston, Texas, tried to obtain separate, but similar court orders seeking to compel two phone companies -- T-Mobile and MetroPCS -- to give up 60-days worth of cell-site location data pertaining to criminal suspects in three separate investigations.

Two of the targets of the investigations were suspected drug traffickers while the third was suspected of being involved in gang activity.

A Texas Magistrate judge who reviewed the applications for the 2703 (d) orders denied each one on the grounds that any compelled disclosure of cell-site data would be a violation of Fourth Amendment protections.

A Houston District Court that heard the government's appeal of the decision concurred with the lower court and maintained that a compelled disclosure under a 2703(d) order was not constitutional.

In arguments Monday before the Fifth Circuit, federal prosecutor Nathan Judish reiterated the government's position that the Fourth Amendment allows the U.S. government to obtain a 2703(d) order to force a cell phone company to divulge customer records.

The SCA explicitly allows the government to seek such information without a warrant so long as it can clearly show that the information is relevant to a criminal investigation, he said.

Judish maintained that the information being sought by the government was collected and maintained totally at the discretion of the two phone companies. Neither company had any legal mandate to maintain those records, he said.

Judish characterized the information being sought as business records maintained by a third party and collected as part of doing business. Customers can have no reasonable privacy expectation over such data because the data is part of a third-party's business records, he said.

Judish downplayed the sensitivity of the data being sought and said that the government was only interested in data such as date and time of calls, the telephone numbers involved in a call, whether the call originated or terminated with a call and other such data. The only location information being sought pertains to when the phones were used to make calls or send text messages, he said.

"We would get some limited information on where they were," when making calls or sending text messages over the 60-day period, he said. "These records are the phone company's own observations of its own service made and kept at its own discretion on its own equipment."

From that standpoint the phone company's role is akin to that of a witness in a criminal investigation. "The government has a right to every person's evidence in a criminal investigation," he said.

Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation (EFF), which has filed an amicus brief in the case, rejected the government's arguments.

"Technology is changing in a way that makes cell-site information a lot more precise and accurate," said Fakhoury who presented the EFFs arguments before the Fifth Circuit judges on Tuesday. The kind of records being sought by prosecutors in the case will help them get an extremely detailed picture of the whereabouts of the targeted individuals over a 60-day period.

"What the technology allows them to do is get 60 days of your every turn, your every move and every place you have gone. Not just where you car has gone but where you yourself have gone. The way the technology has improved that could even be a particular floor or even a particular room in a building," he said.

Such data, regardless of who it is being held by, is constitutionally protected and government access to it should only be via a court-issued warrant based on reasonable cause, Fakhoury said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about privacy in Computerworld's Privacy Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts