Carpenter and the End of Bulk Surveillance of Americans

Writing for the majority in Carpenter v. United States, Chief Justice John Roberts called the court’s momentous Fourth Amendment decision “a narrow one.” The specific holding—that a warrant is required for law enforcement to access historical cell site location information (CSLI)—may indeed be narrow, and the decision rightfully cautions that “the Court must tread carefully” when considering new technologies. Yet, despite its limited scope, the opinion provides a framework for recognizing that the digital trails Americans create through their daily lives are protected by the Fourth Amendment. The decades-old “third-party doctrine,” under which Fourth Amendment rights are extinguished whenever individuals share their information with third parties such as banks and telephone companies, has appropriately been confined to the pre-digital age scenarios in which it arose.

As others have already argued, the Carpenter decision does not provide a clear legal standard for when the Fourth Amendment applies to data shared with a third party, and it raises many questions about the future of Fourth Amendment doctrine. But the decision does offer a resounding declaration that Fourth Amendment analysis must take account of the “seismic shifts in digital technology” and the power of modern surveillance tools. In particular, the Carpenter decision should foreclose, once and for all, any claim that bulk surveillance of Americans—or bulk collection of their digital records—would be constitutional. Through the USA Freedom Act of 2015, Congress ended the government’s bulk telephone records program, known as the Section 215 program, and provided new authority for collection of call detail records using a “specific selection term.” With reauthorization of this act to be considered next year, Carpenter’s analysis should preclude any attempt to retreat from the narrowing of surveillance authorities achieved under the 2015 law.

From the fall of 2013 through January 2017, I served as executive director of the Privacy and Civil Liberties Oversight Board (PCLOB). I was part of a skeletal staff of attorneys who supported the board in its examination of the Section 215 program. The PCLOB’s January 2014 report on the Section 215 program found that the program was illegal; this report was highly influential in the debates in Congress that led to the ultimate demise of the program.

Still, the report stopped short of finding that the program was unconstitutional. The board noted that “[t]o date ... the Supreme Court has not modified the third-party doctrine or overruled its conclusion that the Fourth Amendment does not protect telephone dialing records.” Its recommendation for ending the Section 215 program was based on statutory and policy analyses. When the Second Circuit considered the Section 215 program in ACLU v. Clapper in May 2015, it too found that the program was illegal under the terms of the statute and declined to reach the constitutional questions.

I do not purport to speak for the Privacy and Civil Liberties Oversight Board, nor will I speculate about how many of the board’s five members might have reached a different conclusion about the constitutionality of the Section 215 program had Carpenter already been decided. But as I read the decision, it provides a clear answer to the constitutionality question: Under Carpenter, the third-party doctrine does not extend to the type of collection conducted under the former Section 215 program, and that program would violate the Fourth Amendment. The bulk collection of call detail records, which show over time who calls whom and when, exposing intimate personal details and patterns of association, creates the same privacy risks as the cell site location information that is protected by the Fourth Amendment under Carpenter.

With the third-party doctrine intact, the government had argued that individuals lack any constitutionally protected privacy interest in information they have shared with third parties, such as the numbers dialed on a phone. But the Carpenter decision makes clear that the third-party doctrine cannot be extended to the bulk collection of digital information. First, the court’s descriptions of CSLI as “detailed, encyclopedic, and effortlessly compiled,” and of how it provides “an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations,’” apply equally to other comprehensive digital records. As the Privacy and Civil Liberties Oversight Board explained in its Section 215 report, “aggregation of numerous calling records over an extended period of time can paint a clear picture of an individual’s personal relationships and patterns of behavior.” Carpenter recognizes that people do not abandon their privacy interests in such highly personal information simply because their participation in modern society compels them to share their digital trails with third parties.

Further, Carpenter puts to rest a second aspect of the third-party doctrine, namely the bright-line distinction between the contents of communications and metadata. In addition to the “voluntary disclosure” aspect of the third-party doctrine, the Supreme Court’s opinion in Smith v. Maryland established a rule that mere metadata, like the address on the outside of an envelope, was not protected by the Fourth Amendment. This analysis has also been criticized, both because metadata can be highly revealing, and because, as a technical matter, the line between content and metadata is a blurred boundary. Cell site location information, like telephone calling records, is a type of metadata. Although it did not explicitly say so, the Carpenter court recognized that metadata at scale implicates protected privacy interests, noting that CSLI provides “a detailed chronicle of a person’s physical presence compiled every day, every moment, over several years.”

Some could argue that the fact that CSLI records are compiled “every day, every moment” is critical to the court’s holding in Carpenter, and that because people do not place or receive calls continuously throughout the day, the telephone records gathered under the government’s earlier bulk collection program would fall outside the court’s analysis. However, bulk telephone records “hold the ‘privacies of life’” in a different, and arguably even more revealing, way. The National Security Agency’s database demonstrated which phone numbers called each other, as well as the time and duration of each call, over a period of years, thereby showing patterns of connections among people and the strength of those relationships. Moreover, as the Second Circuit noted in ACLU v. Clapper:

[A] call to a single‐purpose telephone number such as a “hotline” might reveal that an individual is: a victim of domestic violence or rape; a veteran; suffering from an addiction of one type or another; contemplating suicide; or reporting a crime. Metadata can reveal civil, political, or religious affiliations; they can also reveal an individual’s social status, or whether and when he or she is involved in intimate relationships.

Finally, although the court states that the Carpenter opinion “does not consider other collection techniques involving foreign affairs or national security,” its analysis of whether to extend the third-party doctrine focuses on the privacy interest at stake and provides no basis for distinctions premised on the purpose of the search. Collection of digital information for national security purposes implicates the same expectations of privacy as does the acquisition of records by law enforcement. Of course, the determination that the Fourth Amendment applies to bulk collection of digital records for national security purposes would be only the first step of the analysis. Rather than requiring a warrant based upon probable cause, the court might conclude that foreign intelligence surveillance is subject only to the Fourth Amendment’s reasonableness test—a question not yet decided by the Supreme Court. But bulk collection, by definition, is collection without the use of selection terms or discriminants—so it could not satisfy even a lower legal standard like the Section 2703(d) test considered in Carpenter. Thus, after Carpenter, it would be hard to argue credibly that the Fourth Amendment permits the bulk collection of telephone records or other digital records.

The USA Freedom Act required the NSA to end its bulk telephone records program and authorized the government to conduct a more tailored program for the collection of call detail records. The debate over reauthorization of the USA Freedom Act is just around the corner, as the law is scheduled to sunset next year unless Congress acts. The Carpenter decision raises the question of whether even the NSA’s new authorization to collect telephone records using a “specific selection term,” which requires the government to demonstrate only “reasonable suspicion” rather than “probable cause,” can survive a Fourth Amendment challenge. Moreover, the NSA recently announced that since its inception, this new program has been plagued by “technical irregularities” that also caused the NSA to acquire information it was “not authorized to receive.” Consequently, the NSA has begun deleting all the records it acquired from 2015 through May 2018. While the decision to delete the records and to inform the public of the problem is commendable, this revelation suggests that government surveillance authorities may need to be narrowed even further. At a minimum, the Supreme Court’s Carpenter decision should provide a constitutional bulwark against any congressional attempts to authorize the bulk surveillance of Americans.