The mileage varies for purchasers. The location data generally isn't as accurate as that obtained directly from service providers. On the other hand, putting a couple of middle men between the app data and the purchase of data helps agencies steer clear of Constitutional issues related to the Supreme Court's Carpenter decision, which introduced a warrant mandate for engaging in proxy tracking of people via cell service providers.

But phones aren't the only objects that generate a wealth of location data. Cars go almost as many places as phones do, providing data brokers with yet another source of possibly useful location data that government agencies might be interested in obtaining access to. Here's Joseph Cox of Vice with more details:

A surveillance contractor that has previously sold services to the U.S. military is advertising a product that it says can locate the real-time locations of specific cars in nearly any country on Earth. It says it does this by using data collected and sent by the cars and their components themselves, according to a document obtained by Motherboard.

"Ulysses can provide our clients with the ability to remotely geolocate vehicles in nearly every country except for North Korea and Cuba on a near real time basis," the document, written by contractor The Ulysses Group, reads. "Currently, we can access over 15 billion vehicle locations around the world every month," the document adds.

Historical data is cool. But what's even cooler is real-time tracking of vehicle movements. Of course the DoD would be interested in this. It has a drone strike program that's thirsty for location data and has relied on even more questionable data in the past to make extrajudicial "death from above" decisions in the past.

Phones are reliable snitches. So are cars -- a fact that may come as a surprise to car owners who haven't been paying attention to tech developments over the past several years. Plenty of data is constantly captured by internal "black boxes," but tends to only be retained when there's a collision. But the interconnectedness of cars and people's phones provides new data-gathering opportunities.

Then there are the car manufacturers themselves, which apparently feel driver data is theirs for the taking and are willing to sell it to third parties who are (also apparently) willing to sell all of this to government agencies.

"Vehicle telematics is data transmitted from the vehicle to the automaker or OEM through embedded communications systems in the car," the Ulysses document continues. "Among the thousands of other data points, vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating."

This document wasn't obtained from FOIA requests. It actually couldn't be -- not if Ulysses isn't currently selling to government agencies. It was actually obtained by Senator Ron Wyden, who shared it with Vice's tech-related offshoot, Motherboard. As Wyden noted while handing it over, very little is known about these under-the-radar suppliers of location data and their government customers. This company may have no (acknowledged) government customers at this point, but real-time access to vehicle movement is something plenty of government agencies would be willing to pay for.

And Ulysses has inroads with the military. Cox/Motherboard have worked with US Special Operations Command in the past to help it track financial transactions made by entities in foreign nations in hopes of better understanding how our enemies convert "buying local" into a weapon against US interests.

Unfortunately, the documents don't explain how Ulysses obtains this data or which car manufacturers/OEM distributors are contributing to the real-time location data pool. But it could be dozens of interoperable parts. Manufacturers gather some data. So does the manufacturer of integrated entertainment systems and Bluetooth-compatible devices, including whoever's combining forces to provide in-car navigation. Then there are services drivers use, like parking garages, which may collect additional data about vehicles in the area. It all adds up to an easy way to track cars. This data may not be able to say for sure who's driving, but information gathered from connected devices may make it easier to determine identity. All of this adds up to a big pile of data that could easily be wielded to do things like engage in drone strikes.

Even if it's not being used to kill people, it can be used to track people. It beats automatic license plate readers which only trigger responses when target vehicles pass cameras. It beats third-party app data because it can be used in real time. And it beats protections we're supposed to have in place following the Supreme Court's Carpenter decision. A car may not be a person, but it's pretty damn close. And data only another data broker away can link cars to people and allow government agencies to make plenty of inferences about their day-to-day activities. This is happening now and it's all under the radar, for the most part. It's an unregulated market that wields useful tools against their users, subverting their expectations of privacy and making it easier for governments to engage in off-the-constitutional-books tracking.

But when it comes to the accused, what's easy for law enforcement is seldom simple for regular citizens. Third parties obtain tons of personal data when interacting with customers and users. But when a regular person asks for this information, third parties apparently feel free to blow them off. That's the case when someone's trying to do nothing more than dispute something on their credit record. And it's also the case when someone's life is literally on the line.

This cavalier approach to record keeping might finally cost a third party some money. A man falsely accused of murder is taking car rental agency Hertz to court for sitting on a receipt that would have cleared him for several years.

A Michigan man was convicted of second-degree murder in 2016, but he didn’t do it. Now, he’s suing the car rental agency that held onto the receipt proving his innocence.

Herbert Alford spent almost five years behind bars for the 2011 shooting death of Michael Adams before his conviction was overturned last year and he was released.

Hertz had the records that would have cleared Alford. But it didn't hand them over until after he had already served five years for a crime he didn't commit.

The rental records would have shown that Alford was miles away from the murder scene six minutes before the crime was committed. But Hertz took its time producing the exonerative evidence.

Alford’s lawyers repeatedly insisted that he was nowhere near the area at the time of Adams’ murder and instead was at Capital Region International Airport in Lansing, approximately 20 minutes away, renting a car from the Hertz station six minutes before the fatal shooting.

“If anybody has ever traveled Lansing from Pleasant Grove to the airport you know that is not possible to accomplish,” Alford’s lawyer, Jamie White, told WLNS. “You couldn’t even do it in a helicopter.”

Hertz got the records request in 2015. It took the company three years to produce it. Once it did, Alford was cleared of all charges. This is all Hertz has to say about its inability to keep Alford out of jail.

“While we were unable to find the historic rental record from 2011 when it was requested in 2015, we continued our good faith efforts to locate it,” spokeswoman Lauren Luster told the Associated Press. “With advances in data search in the years following, we were able to locate the rental record in 2018 and promptly provided it.”

Whatever. If it had meant as much to Hertz as it meant to Alford, the records would have been found much earlier. The problem is it didn't mean much to Hertz. So, it took its time locating records requested by a man facing decades in prison, resulting in him losing a half-decade of his life to the penal system. For Hertz, it's nothing but a very minor PR black eye -- one unlikely to deter renters who have yet to be falsely accused of committing crimes.

But for Hertz renters, records like these matter, even if they have yet to discover how much they matter. A subpoena for records shouldn't be thrown on the back burner, whether it's issued by a law enforcement agency or someone they're trying to prosecute.

But there's more ugliness to this case if Alford's allegations are true. It's more than a missing receipt. It's the deliberate inducement of false testimony by investigators.

Police said that a police informant, Jessie Bridges, reported that he saw the shooting and identified the gunman as 38-year-old Herbert Alford. Bridges would later recant his statement and claimed that police had offered him $1,500 to falsely implicate Alford.

So, that's another lawsuit waiting to happen. Maybe this didn't actually happen, but it's not so far removed from reality it's immediately dismissible. Let's not forget law enforcement thinks criminals who work for them are inherently trustworthy and everyone accused of a crime is inherently dishonest. But sometimes it takes a bit more -- shall we call it "legwork" -- to get informants to agree with the established narrative. And when some coaxing is required to seal a prosecutorial deal, the "good" criminals tend to be enriched. That's what happens when the criminal justice system is more concerned with scoring wins than upholding justice.

Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as all any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.

A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don't always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.

If you can't read/see the tweet, it says:

wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack

The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. "Chaewon." Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:

On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.

I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).

From there, the FBI was able to track bitcoin transactions, locate Sheppard's email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect "Chaewon" and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.

No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment's protections. Even if it would possibly be more prudent to directly approach websites with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.

But it's not enough that the CBP has an unknown number of plate readers in operation. The information captured by its camera network apparently isn't comprehensive enough. So it's been buying access to other license plate image databases. As Joseph Cox reports for Motherboard, the CBP is making use of plate images gathered by private companies to round out its surveillance of Americans.

The PIA [Privacy Impact Assessment] did not name the specific commercial database. But a source in the private investigator industry, which makes use of commercial license plate databases, suggests the supplier is likely Vigilant Solutions and its sister company DRN which collects the license plate data in the first place.

"DRN is the only one I know that collects the data. The other companies that advertise this service as a search buy from DRN," Igor Ostrovskiy, principal at private investigator firm Ostro Intelligence, who has used the DRN system, told Motherboard. With the consent of the target, a source previously tracked a target for Motherboard using DRN's vast license plate reader system.

Vigilant is home to what is likely the largest database of plate images in the business. The company sells access to an unknown number of law enforcement agencies. Some agencies get free access in exchange for a cut of any fines and fees collected by law enforcement as the result of plate reader hits. As of a half-decade ago, Vigilant was home to two billion license plate photos, with 100 million more being added daily by its network of cameras.

But Vigilant's network isn't just its hundreds of law enforcement owned plate readers. It's also the hundreds run by private companies that allow Vigilant to sell access to the plate images they've collected. As Cox reports, this has turned two billion images (as of 2015) to nine billion images -- much of this "crowd-sourced" from hundreds of repo men using Vigilant equipment.

So, the CBP's Privacy Impact Assessment isn't accurate. It may be accurate as far as suggesting not driving is the only way to prevent your license plate from ending up in the CBP's database. But to suggest staying out of areas "impacted" by CBP activity might allow you to elude this collection is patently false. If the CBP has access to this database, plate/location info from drivers nowhere near the CBP's enforcement areas is still making its way to the CBP via Vigilant's numerous private company contributors.

And this collection isn't subject to the CBP's rules, which limit searches to five years of plate/location data and removes cached, non-hit searches within 24 hours. The CBP may not have control of this collection -- it remains solely in the hands of Vigilant -- but claiming (as the CBP does in Cox's article) that query-only access is somehow a completely different thing is disingenuous. While it may make exploitation of the database more difficult for the CBP, it's still access to billions of plate records the CBP hasn't shown it should legally or logically have access to. The CBP can dip into it whenever it wants and operate outside of its own ALPR guidelines while doing it. There are no downsides. The CBP gets access to billions more plate images without having to deal with the infrastructure side of it. More plates, lower costs, fewer headaches. Win win win.

The argument against protection is that guests give up this information voluntarily to private companies. But you can't get a room without giving up this information, so it's not nearly as voluntary as the government portrays it. This came to head in the US Supreme Court back in 2015. The nation's Supreme Court decided -- very narrowly -- that a Los Angeles ordinance giving police officers warrantless access to guest records violated hotel owners' rights by not giving them any way to challenge demands (other than going to jail).

The Minnesota Supreme Court does not rely on this decision despite reaching a conclusion that results in better protections for hotel guests. The difference between the two cases is the entity petitioning the court. In the US Supreme Court case, it was motel operators arguing warrantless access violated the Fourth Amendment, if not California's own Constitution. In this case, it's a guest arguing against the warrantless access to his records -- something the Minnesota court points out in a footnote. From the decision [PDF]:

The court of appeals also concluded that Leonard erroneously relied on City of Los Angeles v. Patel, 576 U.S. 409, 135 S. Ct. 2443 (2015). State v. Leonard, 923 N.W.2d 52. Patel involved a challenge by hotel operators, not hotel guests, concerning the operators’ constitutional rights, therefore avoiding the issue of the third-party doctrine.

Nevertheless, the Third Party Doctrine is explored by the state court, leading it to a conclusion that narrow that doctrine's reach. The resulting conviction for check forgery began with nothing but a fishing expedition.

Law enforcement officers arrived at a Bloomington hotel on August 14, 2015, for a hotel interdiction. The officers were not responding to a particular call. Without a warrant and without any individualized suspicion of criminal activity, the officers told the clerk on duty that they wanted to examine the guest registry and to be provided with the name of any guest who paid in cash.

State law says all hotel operators must collect this information and make it available to law enforcement. If they don't (like in the city of Los Angeles), the hotel operators can be charged with a crime. But this isn't about the hotel operator, who wasn't involved in this challenge of a law enforcement search. It's about the defendant, who argued a warrantless, suspicionless search of hotel records violated the state's Constitution.

This was the end result of the officers' perusal of hotel records.

The officers then ran a background check and found that Leonard had prior arrests for, among other things, drugs, firearms, and fraud. Based on this information, the officers developed an individualized suspicion that Leonard was involved in criminal activity and decided to conduct a “knock and talk” at the door of Leonard’s hotel room. When Leonard heard the officers knock, he opened the door and gave them limited consent to search the room, but withheld access to his laptop, cell phone, and a file folder where several checks were visible. The officers subdued Leonard through a physical struggle after he tried to flee. After securing a search warrant, the officers discovered over $2,000 worth of suspicious checks paid to the order of “Spencer Alan Hill,” over $5,000 in cash, and check-printing paper.

Paying in cash shouldn't be treated as reasonable suspicion of criminal activity. Perfectly innocent people often engage in this activity, if only to lower their digital footprint. Here's another excellent footnote from the court:

The dissent contends that Leonard did not exhibit a subjective expectation of privacy in his sensitive location information. We disagree. In a world of electronic money transfers using debit cards, credit cards, and other electronic means of payment, Leonard’s cash payment evidences an intent to conceal his presence at the hotel.

Both the trial court and the state appeals court found in favor of the government. They said warrantless, suspicionless searches of hotel guest records did not violate the state's Constitution, which prohibits "unreasonable searches." The top court disagrees.

First off, the officers had no compelling reason to show up at the hotel to demand records.

The Bloomington Police officers had never heard of Leonard when they arrived at the hotel. They had not procured a warrant to search anything. Nor were they called to the hotel by its employees because of concerns regarding any particular guest. Thus, it is undisputed that they acted without individualized suspicion when they conducted the hotel interdiction and examined the guest registry.

The court goes on to say that even though this fishing expedition resulted in the discovery of criminal activity, there are several reasons for people to conceal their identity from hotel operators and several reasons one's privacy might be unreasonably invaded by a suspicionless search of hotel records.

Imagine instead that Leonard had stayed overnight at the hotel to attend a political or religious conference in the hotel ballroom, or that he had stayed overnight before a medical appointment in hopes of keeping a diagnosis private. In these examples, the guest’s highly sensitive location information is revealed, regardless of what actually occurred in the hotel room. That such information would be accessible to the government through a fishing expedition, where the hotel guest was a stranger to law enforcement before the officers’ random search, offends our core constitutional principles.

The court says guest records are sensitive information. As such, they cannot be swallowed up by the Third Party Doctrine. The court doesn't create a warrant requirement, but does say officers need to have something more than an excessive amount of free time on their hands before demanding access to guest records.

We hold that the law enforcement officers conducted a search under Article I, Section 10 of the Minnesota Constitution when they examined the guest registry. We hold further that law enforcement officers must have at least a reasonable, articulable suspicion to search a guest registry.

Part of the underlying discussion pits society's view of the term "reasonable" versus the government's very liberal interpretation of this term. The government comes out on the losing end here.

Simply put, we think that most Minnesotans would be surprised and alarmed if the sensitive location information found in the guest registries at hotels, motels, or RV campsites was readily available to law enforcement without any particularized suspicion of criminal activity.

The court further points out that its declaration that access to guest records does not mean "access without any articulable suspicion" will not keep cops from busting criminals.

Nothing about our decision prevents law enforcement from partnering with hotels to help staff members recognize signs of trafficking or other crimes. And nothing about our decision prevents hotel operators from contacting law enforcement to relay suspicious observations. If such observations provide the officers with reasonable, articulable suspicion of criminal activity, they may examine the sensitive location information found in a guest registry.

The conclusion is this: the state's Constitution prohibits suspicionless searches, even when read in conjunction with ordinances regulating the hotel/motel industry. While this industry may be subject to more law enforcement scrutiny than most, that fact does not eliminate Constitutional protections granted to residents and visitors. The evidence disappears, along with this source of law enforcement fishing expeditions. Staying somewhere other than your own home does not eliminate privacy protections.

But that only applies to location info gathered from cell service providers utilizing the data they collect from cell tower connections. When the government wants to track the movement of individuals, it can do it, but it needs a warrant. When it just wants a bunch of location data on everyone in an area, somehow the warrant requirement disappears.

That's what CBP and ICE are doing. According to a report by the Wall Street Journal [paywall], the agencies are buying location info in bulk from third-party vendors. No warrant required.

The Trump administration has been using commercial data that tracks millions of smartphone users' locations to help enforce its policies on immigration and deportation, according to a report Friday from the Wall Street Journal.

The database, owned by a company called Venntel Inc., collects information from run-of-the-mill games, weather and shopping smartphone apps where users have agreed to share their location, according to the report.

This isn't cell-site location info, technically. But a lot of this location data wouldn't exist without cell towers. The CBP believes this is all very legal, as it does not target any one person and, in a rather stupid assertion, claims the data is "pseudonymized." This means the location data isn't linked to identifying info about the cell phone's owner. But that word means even less than the usual "anonymized." The application of analytic tools can strip this anonymization away, even without additional data pulled from other sources.

If the data were truly anonymized, it would be worthless: just a bunch of data points unrelated to anything. But it obviously isn't anonymized -- or at least isn't that way for long after the agencies obtain it -- or the government wouldn't be saying things like this:

Sources told the Journal that Immigrations and Customs Enforcement (ICE) and Customs and Border Protection (CBP), two divisions under the Department of Homeland Security (DHS), have used the location data to help them identify and locate those who may have entered the country unlawfully, whom they later arrested.

Both agencies have been using this data since 2017, according to contract info obtained by the Wall Street Journal. For now, it's still legal to obtain this data from third parties without a warrant. It's unlikely this data will see a successful challenge any time soon, not if it's coming from third parties that have been given explicit permission to collect location data.

But that doesn't mean current protections for cell-site location info won't eventually expand to cover third parties like Venntel. Voluntarily sharing location info with a company isn't the same thing as voluntarily sharing data with the government, no matter how much the government argues there's no expectation of privacy in records freely given to third parties. Many people feel more comfortable sharing data with companies, since the end result tends to be things like targeted ads, rather than targeted investigations.

Oddly, CBP claims the data is not "ingested in bulk," which seems to run counter to how this data is purchased. If it's truly anonymized, the CBP has no choice but to obtain it in bulk and work from there to determine who it's targeting for removal. Perhaps the CBP's definition of "bulk" is different than the common definition of "bulk." Maybe the agency believes that throwing up a couple of geofences prevents this from being a "bulk" collection. If so, the government is wrong. Anything that provides massive amounts of data from multiple sources is a, by definition, a "bulk collection."

This is working for the government right now. But sooner or later, this haystack-building method will likely find itself on the wrong side of the Constitution, especially when courts are informed of just how meaningless the word "anonymized" is in the context of bulk location data.

The decision shook the foundation of the Third Party Doctrine, suggesting a new "reasonable expectation of privacy" standard that threatens warrantless access to a number of third party records. It also suggested long-term surveillance of citizens shouldn't be a warrant-free activity, even if much of what's surveilled occurs out in the open.

To date, courts have applied the Carpenter decision to cover things like car crash data from a vehicle's black box and GPS data pulled from third party services. In this case, via FourthAmendment.com, a Massachusetts federal court says the Carpenter decision covers long-term surveillance of someone's home.

The evidence being challenged in this case is actually unknown. But the defendants raising the challenge assume the government will be introducing evidence derived from video recordings of the front door and driveway of their home, captured by a camera mounted to a nearby utility pole. Law enforcement -- without a warrant or stated probable cause -- surveilled the home for over eight months.

As the court notes in its decision [PDF], surveillance of publicly-viewable areas generally isn't a Fourth Amendment issue.

Casual observations of a person's forays in and out of her home do not usually fall within the Fourth Amendment's protections. Here, the defendants ask the Court to consider whether a precise video log of the whole of their travels in and out of their home over the course of eight months, created by a camera affixed to a utility pole that could also read the license plates of their guests, raises Fourth Amendment concerns.

The court says the test for applying the Fourth Amendment to government surveillance efforts comes down to a "reasonable" expectation of privacy. Here, the court finds the defendants' privacy expectations are both subjectively and objectively reasonable.

The Court ALLOWS Moore-Bush and Moore's motion to suppress because they have exhibited an actual, subjective expectation of privacy that society recognizes as objectively reasonable. See Morel, 922 F.3d at 8. First, the Court infers from their choice of neighborhood that they subjectively expected that their and their houseguests' comings and goings over the course of eight months would not be surreptitiously surveilled. See Moore Mot. 7. Second, the Court rules that the Pole Cameras collected information that permitted the Government to peer into Moore-Bush and Moore's private lives and constitutionally protected associations in an objectively unreasonable manner. See United States v. Jones, 565 U.S. 400, 415 (2012) (Sotomayor, J., concurring).

The government, of course, disagreed. It argued the defendants had no privacy interest in the front of their house, considering it was viewable by anyone passing by it. The court says if that were the extent of the privacy interest asserted by the defendants, the government would be correct.

Yet that is not the narrower privacy interest that Moore-Bush and Moore assert here. Instead, Moore-Bush and Moore claim that they expected privacy in the whole of their movements over the course of eight months from continuous video recording with magnification and logging features in the front of their house. The Court infers from Moore-Bush and Moore's choice of neighborhood and home within it that they did not subjectively expect to be surreptitiously surveilled with meticulous precision each and every time they or a visitor came or went from their home.

The government may have prevailed if it weren't for the Carpenter decision, though. The issue isn't a camera pointed at a publicly-viewable area. The problem is what that camera collected over the course of eight months.

In Bucci, the First Circuit reasoned that the "legal principle" that "[a]n individual does not have an expectation of privacy in items or places he exposes to the public" disposed of the matter… If that principle remains an accurate depiction of the law, Moore and Moore-Bush lack an objectively reasonable expectation of privacy in the activities just outside their home, regardless of the camera's unique capabilities.

The Court reads Carpenter, however, to cabin -- if not repudiate -- that principle. There, the Supreme Court stated that: "A person does not surrender all Fourth Amendment protection by venturing into the public sphere. To the contrary, 'what [one] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.'" [...] What's more, the Supreme Court recognized that long-term tracking of a person's movements "provides an intimate window into a person's life, revealing not only his particular movements, but through them his 'familial, political, professional, religious, and sexual associations.'"

The government argued the Carpenter decision was "narrow," applying only to cell-site location info. The court disagrees, saying the reasoning behind the Supreme Court's decision -- that people do have some reasonable expectations of privacy in public areas -- is the driving force here, not the method of surveillance.

Additionally, long-term surveillance tends to do damage to other rights as well. Tracking a person's movements over weeks and months allows the government to surveil a wealth of activities protected by the First Amendment. In addition, it allows the government to observe dozens of activities it has no business observing.

What's more, people use their homes for all sorts of liaisons. For example, the Government has no business knowing that someone other than the occupant's spouse visited the home late at night when the spouse was away and left early in the morning… Nor does the Government have any business tracking a homeowners' hobbies or regular trips for appointments. Perhaps people would hesitate to have supporters of opposition political parties visit if they knew that the Government might be monitoring their driveway. The continuous video taken by the Pole Camera thus threatens to chill these religious, political, and associational activities.

The court wraps up its decision by pointing out it is not declaring all surveillance camera use a search under the Fourth Amendment. Instead, it's saying that this set of circumstances makes it a search that interferes with the defendants' reasonable expectation of privacy. The camera setup used here could focus on multiple areas, zoom in close enough to read license plate numbers, and -- perhaps most importantly -- create a searchable set of recordings the government could browse at its leisure and use to reconstruct the lives of the home's occupants over the court of several months. That exceeds what the court -- and the defendants -- find reasonable. Under Carpenter's standard, this type of surveillance can no longer be executed without a warrant.

So I didn't finish installing it, although to Flywheel's credit, a January update to the app seems to have re-architected it so that it no longer demands that permission. (On the other hand, the privacy policy appears to still be from 2013.) But the same cannot be said for other apps that insist on reading all my contacts, including, conspicuously, Whatsapp.

Whatsapp has been in the news a lot lately, particularly in light of Facebook's announcement that it planned to merge it with its Messenger service. But the problem described here is a problem even as the app stands on its own. True, unlike the old Flywheel app, Whatsapp can currently be installed without demanding to see the contact information stored on my phone. But it can't be used effectively. It can receive an inbound message from someone else who already knows my Whatsapp number, but it refuses to send an outbound message to a new contact unless I first let Whatsapp slurp up all my contacts. Whatsapp is candid in its privacy policy (last updated in 2016) that it collects this information (in fact it says you agree to "provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts."), which is good, but it never explains why it needs to, which is not good. Given that Signal, another encrypted communications app, does not require slurping up all contacts in order to run, it does not seem like something Whatsapp should need to do in order to provide its essential communications service. The only hint the privacy policy provides is that Whatsapp "may create a favorites list of your contacts for you" as part of its service, but it still isn't obvious why it would need to slurp up your entire address book, including non-Whatsapp user contact information, even for that.

The irony is that an app like Whatapp should be exactly the sort of app that lawyers use. We are duty-bound to protect our clients' confidences, and encrypted communications are often necessary tools for maintaining a meaningful attorney-client relationship because they should allow us to protect the communications secrecy upon which the relationship depends. But that's exactly why I can't use it, didn't finish installing the old Flywheel app, and refuse to use any other app that insists on reading all my contacts for no good, disclosed, or proportionally-narrow reason: I am a lawyer, and I can't let this information out. Our responsibility to protect client confidences may very well extend to the actual identity of our clients. There are too many situations where if others can know who we are talking to it will be devastating to our clients' ability to seek the counsel to which they are Constitutionally entitled.

I wrote about this problem a few years ago in an amicus brief on behalf of the National Association of Criminal Defense Lawyers for the appeal of Smith v. Obama. This case brought a constitutional challenge to the US government's practice of collecting bulk metadata from Verizon Wireless without warrants and without their incumbent requirements of probable cause and specificity. Unfortunately the constitutional challenge failed at the district court level, but not because the court couldn't see how it offended the Fourth Amendment when so much personal information could be so readily available to the government. Instead the district court dismissed the case because the court believed that it was hamstrung by the previous Supreme Court ruling in Smith v. Maryland. Smith v. Maryland is the 1979 case that gave us the third-party doctrine, this idea that if you've already disclosed certain information (such as who you were dialing) you can no longer have a reasonable expectation of privacy in this information that the Fourth Amendment should continue to protect (and thus require the government to get a warrant to access). Even in its time Smith v. Maryland was rather casual about the constitutionally-protected privacy interests at stake. But as applied to the metadata related to our digital communications, it eviscerates the personal privacy the Fourth Amendment exists to protect.

The reality is that metadata is revealing. And as I wrote in this amicus brief, the way it is revealing for lawyers not only violates the Fourth Amendment but the Sixth Amendment right to counsel relied upon by our clients. True, it is not always a secret who our clients are. But sometimes the entire representation hinges on keeping that information private.

Thus metadata matters because, even though it is not communications "content," it can nevertheless be so descriptive about the details of a life. And when it comes to lawyers' lives, it ends up being descriptive of their clients' lives as well. And that's a huge problem.

As the brief explained, lawyers get inquiries from uncharged people all the time. Perhaps they simply need advice on how to comport their behavior. Or perhaps they fear they may be charged with a crime and need to make the responsible choice to speak with counsel as early as possible to ensure they will have the best defense. The Sixth Amendment guarantees them the right to counsel, and this right has been found to be meaningful only when the client can feel assured of enough privacy in their communications to speak candidly with their counsel. Without that candor, the counsel cannot be as effective as the Constitution requires. But if the government can easily find out who lawyers have been talking to by accessing their metadata, then that needed privacy evaporates. Who a lawyer has been communicating with, especially a criminal defense lawyer, starts to look like a handy list of potential suspects for the government to go investigate.

And it's not just criminal defense counsel that is affected by metadata vulnerability. Consider the situation we've talked about many times before, where an anonymous speaker may need to try to quash some sort of discovery instrument (including those issued by the government) seeking to unmask them. We've discussed how important it is to have procedural protections so that an anonymous speaker can find a lawyer to fight the unmasking. Getting counsel of course means that there is going to be communication between the speaker and the lawyer. And even though the contents of those communications may remain private, the metadata related to the communications may not be. Thus even though the representation may be all about protecting a person's identity, there may be no way to accomplish it if it turns out there's no way for the lawyer to protect that metadata evincing this attorney-client relationship from either the government helping itself to it, or from greedy software slurping it up – which will make the app maker yet another third party that the government can look to demand this information from.

Unfortunately there is no easy answer to this problem. First, just as it's not really possible for lawyers to avoid using the phone, it is simply not viable for lawyers to avoid using digital technology. Indeed, much of it actually makes our work more productive and cost effective, which is ultimately good for clients. And especially given how unprotected our call records are, it may even be particularly important to use digital technology as an alternative to standard telephony. To some extent lawyers can refuse to use certain apps or services that don't seem to handle data responsibly (I installed Lyft and use Signal instead), but sometimes it's hard to tell the exact contours of an app's behavior, and sometimes even if we can tell it can still be an extremely costly decision to abstain from using certain technology and services. What we need, what everyone needs, is to be able to use technology secure in the knowledge that information shared with it travels no farther and for no other purpose than we expect it to.

Towards that end, we – lawyers and others – should absolutely pressure technology makers into (a) being more transparent about how and why it is accessing metadata in the first place, (b) enabling more gradated levels of access to it, and use of it, so that we don't have to tell any app or service more than it needs to know about our lives for it to run, or that it might ever have to ask for any more than it needs in order to run, and (c) being more principled in both their data sharing practices and resistance to government data demands. Market pressure is one way to affect this outcome (there are a lot of lawyers, and few technologies can afford to be off-limits to us), and perhaps it is also appropriate for some of this pressure to come from regulatory sources.

But before we turn to regulators in outrage we need to aim our ire carefully. Things like the GDPR and CCPA deserve criticism because they tend to be like doing pest control with a flame thrower, seeking to ameliorate harm while being indifferent to any new harm they invite. But the general idea of encouraging clear, nuanced disclosures of how software interacts with personal data, as well as discouraging casual data sharing, is a good one, and one that at the very least the market should demand.

The reality of course is that sometimes data sharing does need to happen – certain useful services will not be useful services without data access, and even data sharing among partners who together supply that service. It would be a mistake to ask regulators to prevent it altogether. Also, it is not private actors who necessarily are the biggest threat to the privacy interests we lawyers need to protect. Even the most responsible tech company is still at the mercy of a voracious government that sees itself as entitled to all the data that these private actors have collected. Someday hopefully the courts will recognize what an assault it is on our constitutional rights for metadata access not to be subject to a warrant requirement. But until that day comes, we should not have to remain so vulnerable. When we turn to the government to help ensure our privacy, our top demand needs to be for the government to better protect us from itself.

Law enforcement has taken note of these developments, creating fake accounts to submit samples from crime scenes in an effort to close out cases. Whether or not we agree with law enforcement's misrepresentation, there's very little standing in the way of the government accessing your DNA sample via a third party. The thing that makes people unique becomes little more than a third party record -- only a subpoena away from being in the government's possession.

But even subpoenas aren't necessary if DNA companies decided to partner up with law enforcement by giving agencies access to their databases. That's what's happening with Family Tree, a company specializing in in-home DNA testing kits, as Salvador Hernandez reports for BuzzFeed.

Family Tree DNA, one of the largest private genetic testing companies whose home-testing kits enable people to trace their ancestry and locate relatives, is working with the FBI and allowing agents to search its vast genealogy database in an effort to solve violent crime cases, BuzzFeed News has learned.

Federal and local law enforcement have used public genealogy databases for more than two years to solve cold cases, including the landmark capture of the suspected Golden State Killer, but the cooperation with Family Tree DNA and the FBI marks the first time a private firm has agreed to voluntarily allow law enforcement access to its database.

The company says the FBI cannot freely browse its databases, but this partnership suggests its not asking the FBI to run anything past a court before running a search. The company feels the potential PR hit is worth it because it's "helping" the FBI "solve violent crimes." This is a bit discouraging. We're used to government agencies excusing incursions into people's privacy with statements about "violent crime" or "terrorism" or "the War on…" or whatever. It's disheartening when a private company does it, thinking it's somehow serving the public better by turning their DNA samples into investigation fodder.

Here's the full extent of the program so far, at least according to Family DNA:

While Family Tree does not have a contract with the FBI, the firm has agreed to test DNA samples and upload the profiles to its database on a case-by-case basis since last fall, a company spokesperson told BuzzFeed News.

This at least spares the FBI the trouble of creating fake profiles to do the same thing. Still, there's little PR or societal value in allowing a government agency to do something it was probably doing already. We see it all the time at the federal level where law enforcement/national security abuses are greeted with codification rather than criticism. Sure, we don't expect all companies to give the government the cold shoulder, but we should at least expect them to demand a bit more from the government when it starts asking for access to millions of DNA records.

There's a way to opt out of the FBI's co-opting if you're a Family Tree customer. Unfortunately, this option makes Family Tree a complete misnomer.

Officials at Family Tree said customers could decide to opt out of any familial matching, which would prevent their profiles from being searchable by the FBI. But by doing so, customers would also be unable to use one of the key features of the service: finding possible relatives through DNA testing.

If someone objects to the FBI's access, the service is useless. And this access was put into place without customers being informed ahead of time or given an option to opt out prior to the government's access. No matter how enthused Family Tree may be about being part of the FBI's posse, this is a terrible way to treat customers who expected their personal info would be given a bit more privacy.

Mike Masnick is taking on the First Amendment implications of Kavanaugh's seat on the Supreme Court bench (Karl Bode has also taken a shot here), so I'll be taking a look at Kavanaugh's record on the Fourth. The most famous case Kavanaugh delivered a ruling on pertaining to the Fourth Amendment also pertains to the Deep State NSA and its bulk collection of phone records.

In denying Larry Klayman's challenge of the Section 215 program, Kavanaugh wrote:

I vote to deny plaintiffs' emergency petition for rehearing en banc. I do so because, in my view, the Government';s metadata collection program is entirely consistent with the Fourth Amendment.

Why is it "entirely consistent?" Because Third Party Doctrine.

The Government's collection of telephony metadata from a third party such as a telecommunications service provider is not considered a search under the Fourth Amendment, at least under the Supreme Court's decision in Smith v. Maryland...

Also, because National Security:

[T]he Government's metadata collection program readily qualifies as reasonable under the Supreme Court's case law. The Fourth Amendment allows governmental searches and seizures without individualized suspicion when the Government demonstrates a sufficient "special need" – that is, a need beyond the normal need for law enforcement – that outweighs the intrusion on individual liberty.

This take on the Third Party Doctrine is now outdated, thanks to both the restructuring of the Section 215 program via the USA Freedom Act and the Supreme Court's recent Carpenter decision. All third party records are not created equal. While the Supreme Court did not roll back the Third Party Doctrine established with Smith v. Maryland, it did remove its coverage of cell site location info, ruling that warrantless acquisition of these records allows law enforcement to use citizens' cellphones as government tracking devices via records collected and stored by service providers. This is going to cause a bit of friction is national security is implicated again, given Kavanaugh's past ties to President Bush II and natsec program authorization as in-(White)house counsel.

It's not all bad news. This paper by Orin Kerr, discussing the "mosaic" approach to privacy expectations and the Fourth Amendment, notes Justice Scalia borrowed language from another rehearing denial by Kavanaugh to determine the placing of a GPS tracking device on someone's vehicle was a trespass necessitating the use of a warrant.

The Supreme Court unanimously agreed that Jones had been the subject of a Fourth Amendment search but divided sharply on why. Writing for a five-justice majority, Justice Scalia followed Judge Kavanaugh's suggestion and held that the installation of the GPS device was a search because it was a trespass on the "effects" of the car.

This perhaps suggests Kavanaugh will follow the other Trump appointee, Justice Gorsuch, in viewing Fourth Amendment issues dealing with tech advancements in a more traditional manner. Not necessarily a bad thing and definitely an interesting tack to take -- terming records generated by devices (but stored by third parties) as "property" still at least partially owned by device users. This approach could continue to carve away at the Third Party Doctrine in the coming years if adopted in other cases.

Other than that, Kavanaugh's position in the DC Court of Appeals gave him the chance to handle a number of cases dealing with the Fourth Amendment, but there doesn't appear to be many pertaining to issues the Supreme Court hasn't already addressed. PoliceOne did hunt down a few of his takes on Terry stops. In both cases, Kavanaugh came down on the side of law enforcement.

In a 2007 case, U.S. v. Bullock, 570 F. 3d 342, Judge Kavanaugh wrote the majority opinion upholding the frisk of a motorist who was stopped for an illegal U-turn and could not produce a vehicle registration or provide the name of the vehicle's owner. The driver was ordered to step out of the vehicle and when the officer frisked him for weapons, he felt a hard object in the driver's pants that the officer believed to be a weapon. When the officer searched the pants, he found crack cocaine and a scale. Judge Kavanaugh's majority opinion considered the nature of the initial stop, the officer's founded belief that the vehicle was stolen and the risk factor involved in vehicle stops to uphold the initial frisk and subsequent search of the driver.

In a subsequent stop-and-frisk case before the D.C. Circuit Court of Appeals, U.S v. Askew, 529 F. 3d 1119 (2008), Judge Kavanaugh wrote a dissenting opinion when the court held that police officers violated the Fourth Amendment when they unzipped a suspected armed robber's jacket and found a gun. The police action of unzipping the coat was done to facilitate eyewitness identification, but Judge Kavanaugh wrote that the unzipping of the coat could be justified as a protective measure under the contours of Terry v. Ohio.

While these are a concern, various courts have already tangled with stop-and-frisk policies, finding it's not so much the stop itself that's problematic, but how the programs are carried out. In every case, courts (and the DOJ itself) have determined the programs disproportionately target minorities. Without reasonable suspicion, these stops are unconstitutional. That's been the crux of the issue. The tendency to engage in biased policing only compounds the problem.

Kavanaugh's appointment probably won't stack the deck in favor of law enforcement on these issues. He's not going to be anyone's idea of a black-robed civil liberties activist, but he's also headed to a court that has surpassed expectations on Fourth Amendment protections in recent years. Old precedent on tech-focused Fourth Amendment issues is no longer undisturbable, thanks to the far-reaching implications of the Supreme Court's Riley decision. Hints of a property-based rationale in a Kavanaugh decision suggests he may find alternate ways to protect privacy without having to disturb the Third Party Doctrine. That would be unfortunate, but better than allowing prior Doctrine-based precedent to remain undisturbed along with the doctrine itself.

The defendant challenged the government's warrantless acquisition of 127 days of CSLI, arguing that the constant location records generated (without proactive assistance from phone users) by cell providers raised enough of a privacy issue the Fourth Amendment was implicated. Somewhat surprisingly -- given the long history of expansive readings of the Third Party Doctrine -- the Supreme Court agrees.

[W]hile the third-party doctrine applies to telephone numbers and bank records, it is not clear whether its logic extends to the qualitatively different category of cell-site records. After all, when Smith was decided in 1979, few could have imagined a society in which a phone goes wherever its owner goes, conveying to the wireless carrier not just dialed digits, but a detailed and comprehensive record of the person’s movements.

We decline to extend Smith and Miller to cover these novel circumstances. Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection. Whether the Government employs its own surveillance technology as in Jones or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI. The location information obtained from Carpenter’s wireless carriers was the product of a search.

The court notes simply venturing out into the public does not erase all privacy expectations. The pervasive tracking engaged in by phone companies for business reasons should not undo a person's reasonable expectation of privacy. While the government tried to compare it to tracking vehicles with GPS devices, the court notes that cars cannot go everywhere people go. Long-term tracking -- made possible by provider recordkeeping -- provides the government with detailed depictions of cellphone users' lives. And all of this was -- up until this decision -- only a subpoena away.

[H]istorical cell-site records present even greater privacy concerns than the GPS monitoring of a vehicle we considered in Jones. Unlike the bugged container in Knotts or the car in Jones, a cell phone—almost a “feature of human anatomy,” Riley, 573 U. S., at ___ (slip op., at 9)—tracks nearly exactly the movements of its owner. While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time. A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales.

[...]

Accordingly, when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.

The ubiquity of cellphones has changed the Third Party Doctrine dynamic. The court isn't willing to give the government warrant-free access to the personal lives of millions of Americans.

Critically, because location information is continually logged for all of the 400 million devices in the United States—not just those belonging to persons who might happen to come under investigation— this newfound tracking capacity runs against everyone. Unlike with the GPS device in Jones, police need not even know in advance whether they want to follow a particular individual, or when.

That's the substance of the decision, but the whole thing is worth reading in full. Even the dissents are worth a read, if only to see how many justices would prefer the government treat long-term tracking as no different than bank records people voluntarily create with every transaction. The court will extend the Third Party Doctrine to cover historical CSLI. However, it does not extend that coverage to cover tower dumps, real-time CSLI (ping orders/Stingray use) or any other records otherwise covered by the Third Party doctrine. But this is still a significant Fourth Amendment win -- and law enforcement agencies using CSLI subpoenas to cover Stingray use will now need to craft warrant requests specifying what they're doing, which will make just a little bit tougher to engage in parallel construction.

More than half the page total is given over to the dissent. Justices Kennedy and Alito have written separate dissents that say pretty much the same thing:

1. The records were obtained from a third party so no warrant should ever be needed.

2. This will law enforcement's work more difficult.

Even if the latter is true, Constitutional protections protect the citizens from their government. If they're an obstacle, they're meant to be. The court isn't there to ensure easy government access. It's there to act as a check against any government overreach it observes.

Justice Thomas' dissent is perhaps the most infuriating read. Much like his dissent in other law enforcement-related cases, Thomas sides with the government while claiming he's siding with the Constitution. His main argument here is that the Fourth Amendment says nothing about privacy or reasonable expectations, therefore the court's decision is wrong. It guards people and papers, not stuff obtained from third parties, no matter how invasive these records can potentially be.

Justice Gorsuch's dissent, however, is an entertaining read. It's really not even a dissent. He agrees with the majority's decision but doesn't think it goes far enough. If Gorsuch had his way, he would also return to a more originalist view of the Fourth Amendment -- the property rights theory he pitched during oral arguments. But unlike Thomas, his would eliminate the court-erected Third Party Doctrine and grant privacy to records created by customers/users and held by third parties. These decisions (Smith, Miller, Katz) would instead be replaced with a property-based treatment of records, giving customers/users more ownership rights to third-party records they create, making them part of the "houses and papers" Fourth Amendment interpretation even if the the "papers" are held by others.

I cannot fault the Sixth Circuit for holding that Smith and Miller extinguish any Katz-based Fourth Amendment interest in third party cell-site data. That is the plain effect of their categorical holdings. Nor can I fault the Court today for its implicit but unmistakable conclusion that the rationale of Smith and Miller is wrong; indeed, I agree with that. The Sixth Circuit was powerless to say so, but this Court can and should. At the same time, I do not agree with the Court’s decision today to keep Smith and Miller on life support and supplement them with a new and multilayered inquiry that seems to be only Katz-squared. Returning there, I worry, promises more trouble than help. Instead, I would look to a more traditional Fourth Amendment approach. Even if Katz may still supply one way to prove a Fourth Amendment interest, it has never been the only way. Neglecting more traditional approaches may mean failing to vindicate the full protections of the Fourth Amendment.

This is a big ruling and it will definitely affect how law enforcement approaches investigations. It will not be well-received by those used to tracking people via subpoena (rather than tail cars and surveillance teams). But it likely won't do much for Carpenter, who will almost certainly find good faith awarded to law enforcement's acquisition of his CSLI records. It will help going forward, but Carpenter will not be a beneficiary.

The government immediately requested an en banc hearing by the Appeals Court. The hearing was granted and the court has patched up its split with the other circuits by finding in favor of the government and the Third Party Doctrine. [PDF link]

We now hold that the Government’s acquisition of historical CSLI from Defendants’ cell phone provider did not violate the Fourth Amendment.

Supreme Court precedent mandates this conclusion. For the Court has long held that an individual enjoys no Fourth Amendment protection “in information he voluntarily turns over to [a] third part[y].” Smith v. Maryland, 442 U.S. 735, 743-44 (1979). This rule -- the third-party doctrine -- applies even when “the information is revealed” to a third party, as it assertedly was here, “on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” United States v. Miller, 425 U.S. 435, 443 (1976).

All of our sister circuits to have considered the question have held, as we do today, that the government does not violate the Fourth Amendment when it obtains historical CSLI from a service provider without a warrant. In addition to disregarding precedent, Defendants’ contrary arguments misunderstand the nature of CSLI, improperly attempt to redefine the third-party doctrine, and blur the critical distinction between content and non-content information.

The Supreme Court may in the future limit, or even eliminate, the third-party doctrine. Congress may act to require a warrant for CSLI. But without a change in controlling law, we cannot conclude that the Government violated the Fourth Amendment in this case.

The nod to 1979's Smith v. Maryland is back in place, setting this decision firmly in Third Party Doctrine territory. If it's "voluntarily conveyed" to a third party, the government doesn't need a warrant to access it. The key, though, is the "voluntary" part. While the majority finds the collection of cell site location data by service providers to be somehow a "voluntary" conveyance by customers, the three dissenting judges aren't as impressed by this argument.

The dissenting opinion (starting at p. 47) goes through the majority decision's citations and sees a whole lot more voluntary effort being made by citizens than what happens during the automatic acquisition of cell site info by phone companies.

The Supreme Court, then, has intentionally employed the “voluntary conveyance” concept in every relevant case to limit the reach of an otherwise sweeping per se rule that denies Fourth Amendment protection. It seems therefore crucial here to ask: what, precisely, did the Court mean when it chose those words, in the context of those cases?

Here is what those various defendants actually did to “voluntarily convey” information. One used his finger to dial, one by one, the numerical digits of a telephone number. Smith, 442 U.S. at 741 (highlighting that pen registers disclose “only the telephone numbers that have been dialed” (quoting United States v. N.Y. Tel. Co., 434 U.S. 159, 167 (1977))). Another submitted multiple checks and deposit slips—each presumably bearing a date, a dollar amount, a recipient name, and a personal signature. Miller, 425 U.S. at 442. The others actually spoke. White, 401 U.S. at 746–47 (conversations with a bugged government informant related to narcotics transactions); Hoffa, 385 U.S. at 296 (statements to an associate “disclosing endeavors to bribe [jury] members”); Lewis, 385 U.S. at 210 (conversations with an undercover law enforcement agent in the course of executing a narcotics sale).

In all of these cases—the only cases that can bind us here— “voluntary conveyance” meant at least two things. First, it meant that the defendant knew he was communicating particular information. We can easily assume Miller knew how much money he was depositing, that Smith knew the numbers he was dialing, and that Hoffa, Lewis, and White knew about the misconduct they verbally described to another.

Second, “voluntary conveyance” meant that the defendant had acted in some way to submit the particular information he knew. Crucially, there was an action—depositing, dialing, speaking— corresponding to each piece of submitted information. And where many data pieces were compiled into records—financial records in Miller, phone records in Smith—there was presumptively a discrete action behind each piece of data. The Court never suggested that the simple act of signing up for a bank account, or a phone line, was enough to willingly turn over thousands of pages of personal data.

The dissent goes on to point out that CSLI -- unlike other "voluntarily conveyed" third-party records -- isn't even made available to the customers that generate it. Customers have access to call records, bank statements, and other information collected under the Third Party Doctrine, but there's no easily-accessible way for citizens to view the location records they're conveniently generating for the government. This lack of access to information strongly suggests the collection of cell site location data by phone companies has nothing to do with voluntary conveyance.

The majority believes that if a "fix" is required, it should be left to legislators.

The legislative branch is far better positioned to respond to changes in technology than are the courts.

This is said with a straight face before using the Electronic Communications Privacy Act as an example of legislators' prowess: a law gives the government access to the contents of any electronic communications older than 180 days -- and which has yet to be updated in any serious form by legislators over the past 30 years, even as the tech landscape surrounding it has experienced monumental changes.

The majority maintains Congress "has not been asleep at the switch" since the ECPA's institution. And it's somewhat correct. Attempts have been made to rewrite the law in reaction to the explosion of electronic communications since the mid-80s, but forward motion has been stalled by government agencies unwilling to cede ground to shifting expectations of privacy. So, yes, Congress can fix it, but it needs to run a gauntlet of agencies it's in no hurry to anger and administrations that overwhelmingly oppose any minimal contractions of government reach or power. And if Congress hasn't made any significant progress towards trimming back the Third Party Doctrine's overgrowth since 1979's Smith v. Maryland decision, it's tough to believe that this is the decade where it will finally make its move.

To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

The telescreen received and transmitted simultaneously. Any sound that Winston made, above the level of a very low whisper, would be picked up by it, moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment…

You had to live--did live, from habit that became instinct--in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.

I agree that LG Electronics Inc. ("LGE") may process Voice Information in the manner set out in the Privacy Policy and below.

Voice Information refers to the recording of voice commands and associated data, such as information about the input device that is used to record commands (e.g., Magic Remote or built-in microphone), OS information, TV model information, content provider, channel information and service results.

I understand and agree that Voice Information may be use for the purpose of powering the voice activation feature when used to control, receive, and improve LG Smart TV Services and as described in the Privacy Policy.

I further understand and agree that LGE may share Voice Information with third parties, including providers of voice analytics.

I understand and agree that Voice Information may be transferred to, and used by, third party service providers on LGE's behalf in various countries around the world (including Korea), some of which may not offer the same level of data protection, for the purposes set out in the Privacy Policy.

Critical to Kyllo’s holding, however, was the fact that the defendant sought to confine his activities to the interior of his home. He justifiably relied on the privacy protections of the home to shield these activities from public observation. See Kyllo, 533 U.S. at 34 (characterizing the thermal imaging scan as a “search of the interior of [Kyllo’s] home[],” which it considered to be “the prototypical . . . area of protected privacy”). See 13 also id. at 37 (“In the home, our cases show, all details are intimate details, because the entire area is held safe from prying government eyes.”) (emphasis in original).

Stanley can make no such claim. Stanley made no effort to confine his conduct to the interior of his home. In fact, his conduct—sharing child pornography with other Internet users via a stranger’s Internet connection—was deliberately projected outside of his home, as it required interactions with persons and objects beyond the threshold of his residence. In effect, Stanley opened his window and extended an invisible, virtual arm across the street to the Neighbor’s router so that he could exploit his Internet connection. In so doing, Stanley deliberately ventured beyond the privacy protections of the home, and thus, beyond the safe harbor provided by Kyllo....

Were we to hold that Stanley exposed his “signal” under Smith by transmitting it to a third-party router, we might open a veritable Pandora’s Box of Internet-related privacy concerns. The Internet, by its very nature, requires all users to transmit their signals to third parties. Even a person who subscribes to a lawful, legitimate Internet connection necessarily transmits her signal to a modem and/or servers owned by third parties. This signal carries with it an abundance of detailed, private information about that user’s Internet activity. A holding that an Internet user discloses her “signal” every time it is routed through third-party equipment could, without adequate qualification, unintentionally provide the government unfettered access to this mass of private information without requiring its agents to obtain a warrant. We doubt the wisdom of such a sweeping ruling, and in any event, find it unnecessary to embrace its reasoning.

The presence of Stanley’s signal was likely illegal. A large number of states, including Pennsylvania, have criminalized unauthorized access to a computer network. A number of states have also passed statutes penalizing theft of services, which often explicitly include telephone, cable, or computer services. We need not decide here whether these statutes apply to wireless mooching, but the dubious legality of Stanley’s conduct bolsters our conclusion that society would be unwilling to recognize his privacy interests as “reasonable.”

In light of the importance of the national security programs that were set to expire, the Executive Branch and relevant congressional committees worked together to ensure that each Member of Congress knew or had the opportunity to know how Section 215 was being implemented under this Court's Documentation and personnel were also made available to afford each Member full knowledge of the scope of the implementation of Section 215 and of the underlying legal interpretation.

The Supreme Court's more recent decision in United States v. Jones... does not point to a different result here. Jones involved the acquisition of a different type of information through different means.

• CNET: Google filing says Gmail users have no expectation of privacy
• Time: Google Says Gmail Users Have ‘No Legitimate Expectation of Privacy’
• The Guardian: Google: Gmail users shouldn't expect email privacy
• Gizmodo: Google: Non-Gmail Users Have No Legitimate Expectation of Privacy
• Huffington Post: Google: Email Users Can't Legitimately Expect Privacy When Emailing Someone On Gmail
• Business Insider: GOOGLE: If You Send To Gmail, You Have 'No Legitimate Expectation Of Privacy'

Non-Gmail users who send emails to Gmail recipients must expect that their emails will be subjected to Google's normal processes as the [email] provider for their intended recipients.

On the question of whether surveillance of every American's phone calling is constitutional, Lee notes how the government and its defenders will rely on a 1979 case called Smith v. Maryland. In that case, the government caused a telephone company to install a pen register at its central offices to record the numbers dialed from the home of a suspected robber. Applying doctrine that emerged from Katz v. United States (1967), the Court found that a person doesn't have a "reasonable expectation of privacy" in phone calling information, so no search occurs when the government collects and examines this information.

It takes willfulness of a different kind to rely on Smith as validation the NSA's collection of highly revealing data about all of us. Smith dealt with one suspect, about whom there was already good evidence of criminality, if not a warrant. The NSA program collects call information about 300+ million innocent Americans under a court order.

And the Supreme Court is moving away from Katz doctrine, having avoided relying on it in recent major Fourth Amendment cases such as Jardines (2013), Jones (2012), and Kyllo in 2001.

As much as one might be personally appalled by the notion of the NSA collecting everybody's call records, disgust doesn't make something unconstitutional. Rather, the real scandal here is what's legal -- namely, how the surveillance powers enabled by modern technology have been embraced and expanded by Congress and a succession of presidents, and how the Court has failed to develop a robust system for applying the Fourth Amendment meaningfully to the questions of the 21st century.

In a weird twist, the best-case scenario is that the NSA's surveillance programs are legal -- or, at least, that the NSA believes that they are. The administration has certainly expanded its powers to fill every crack available, but it seems not to have broken any bricks, hewing assiduously to the letter of the law (as far as we know). It may be of small comfort, but overly broad laws are an easier problem to solve than that of a government that does whatever it wants, regardless. Let's hope that that is not what we have.