Senator Al Franken and Representative Ed Markey, inspired by last week’s news that Apple iPhones and iPads store a year’s worth of your location information on the handset and on any synced computer, have demanded that Apple answer questions about whether and how it uses that data. Franken and Markey should also ask the Department of Justice the same questions. While the public is only recently discovering that their personal devices create this footprint map, law enforcement and the digital forensics companies that serve them have known for quite some time. The public has a right to know what legal process, if any, the police are using before they find out where you’ve been for the past 12 months.
If the collected location data is sent back to Apple and stored there, then the Electronic Communications Privacy Act (“ECPA”) is the best candidate for protecting that information from warrantless snooping by the police. (Same with Google, which is reportedly collecting the same kind of information, but storing it for less time.) As for the data kept on your phone or personal computer, the Fourth Amendment should protect that, but there are gaping loopholes that will open your travel data up to law enforcement eyes.
ECPA was passed in 1986 and it’s safe to say that Congress wasn’t thinking about protecting data generated by smartphones that fit in your pocket and can store a year’s worth of cell tower and wifi access points, not to mention text messages, email, photos and the like. And yet, that is the law we rely on to protect our data stored with third party service providers.
As security researcher and computer scientist Chris Soghoian noted last week, not all data stored with third parties is protected by ECPA. Rather, the data must be generated by the provision of one of two kinds of computing services:
An “electronic communication service” (“ECS”) is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. 2510(15).
A “remote computing service” (“RCS”) is a “provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C. 2711(2).
ECPA protects communications content from and information pertaining to an ECS or RCS customer. But, if the service being utilized is neither an ECS, nor an RCS, law enforcement agencies could obtain the information with a mere subpoena, or the provider may voluntarily disclose it.
So the first question is whether the location data Apple and Google may be collecting from your handset is generated through the provision of either an ECS or RCS service. Modern communications technologies change so quickly that there aren’t a lot of cases defining how ECPA applies to the data those services generate. However, when you use your phone’s GPS or triangulation information to send a message about your physical location to your friends (i.e. to “check in” somewhere), that should be the content of a communication passed through an ECS. Officers will need a search warrant to get that data if it is not already publicly available.
When the phone company collects location data automatically generated in the process of your phone connecting to cell towers to make calls, that’s not content, but it is information pertaining to your use of an ECS service. Law enforcement needs at least some kind of court order to get that information. 18 U.S.C. 2703(c); In re The Application of the United States for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, 620 F.3d 304 (3d Cir. 2010).
What about when the phone automatically generates data merely by virtue of being turned on, and the provider collects that data? If the provider is collecting the data as part of the provision of the cellular service, then that data is ECS information pertaining to the customer, and covered by ECPA. It doesn’t have to be content to be ECPA protected, it just has to be generated as part of the provision of the service.
But this doesn’t necessarily answer the ECPA question with regard to Apple or Google, who are not providing a communications service, but merely selling a handset that can connect to such a service. Ars Technica cites the companies’ reasons for collecting this data as useful when GPS data isn’t available, or to more quickly narrow down a location while GPS services are being polled (known as “assisted” or aGPS), as well as building and maintaining databases of known cell tower and WiFi basestation locations. So, if the handset manufacturers are collecting location information, not as part of providing you with cellular service, but in order to generate their own databases of information, is that an ECS service such that the data generated is covered by ECPA?
If the information would not fall under the protections of ECPA, law enforcement agencies might be able to obtain it with just a subpoena. While one court has held that your location information is Fourth Amendment protected, the primary privacy protection here has to be for the companies to collect the information in a manner that could not be traced back to a specific user. But, if this data can tell you where I’ve been, then Congress should ask what legal process, if any, the companies are requiring for law enforcement before disclosure.
A second privacy problem is whether any legal process is required to obtain the data directly from the handset or from your computer. ECPA doesn’t apply to data stored on your personal devices, but the Fourth Amendment does. Generally, that means law enforcement needs a warrant based on probable cause to get that data. However, there are two exceptions to the warrant requirement which the government has been using to get access to computer data. One is the border search exception and the other is the search incident to arrest doctrine. Both doctrines are getting a workover in the context of computer searches, and not in favor of privacy.
The border search exception holds that agents do not need any cause or judicial approval to search the body or personal effects at the border, but do need reasonable suspicion for invasive techniques like a strip search. When I was at EFF, we filed an amicus brief in the case of United States v. Arnold, arguing that laptop searches are so revealing and invasive that the Fourth Amendment requires agents to have some reasonable suspicion at the border to justify the intrusion. We lost that case. The Ninth Circuit panel rejected our argument that the privacy invasion resulting from searching computers is qualitatively different from, and requires higher suspicion than, searching luggage or other physical items.
This latest information about the kind of historical location data that the average laptop or smart phone holds is additional factual support for the proposition that EFF was right to argue that phone and laptop searches are categorically different types of privacy invasions than luggage searches.
The search incident to arrest doctrine is another exception to the general requirement that police obtain a warrant before conducting a search. The purpose of this exception is to protect the officer by locating and seizing any weapons the person has and to prevent the destruction of any evidence on the person. Thus, if an arrest is valid, officers may conduct a warrantless search of the arrestee and the area and objects in close proximity — i.e. the “grab area” — at about the same time as the arrest.
There aren’t many cases considering whether officers can search the data stored on phones (or laptops) as a search incident to arrest, and the rulings we have go both ways. Given the rationale behind the search incident to arrest exception, courts have generally looked to the volatility of the data to see whether there’s a threat of spoliation of evidence, which is clearly not an issue with the iPhone location log which stores information for a year. However, the most recent case on the issue, from the California Supreme Court earlier this year, took a different approach. That Court ruled in People v. Diaz that police didn’t need any exigency to search text messages incident to arrest because searching data on the phone is the same as searching the arrested person and thus the Fourth Amendment doesn’t require a threat to officer safety or of evidence destruction. (That ruling will probably be appealed to the federal courts.)
Finally, even where police are getting warrants for cell phone and computer searches, are they telling the Courts about the kind of data that’s available? Once agents have a warrant, do they refrain from looking to see where the suspect has been if that information is not relevant to the investigation of the crime at issue?
While congressional inquiries and lawsuits have so far focused on Apple, the Department of Justice and other law enforcement agencies are keeping their heads down. As Congress considers whether and how to amend ECPA, and as courts rule on the Fourth Amendment’s applicability to device searches, the public needs to know more about how law enforcement accesses and uses our personal travel histories.