Carpenter’s Implications for Foreign Intelligence Surveillance

Like nearly everyone else, I have a few thoughts on the Supreme Court’s decision Friday in Carpenter v. United States. In that case, the court held that obtaining from a telephone company seven or more days’ worth of retrospective cell site location information (CSLI)—information about the location of a cell phone based on its periodic radio connections to cell phone towers—is a Fourth Amendment “search.” My main interests here are in assessing how the Supreme Court explained itself, which I think will be key to how the decision is understood and applied by the lower courts, and in noting some of the questions the court left unanswered, particularly with respect to foreign intelligence surveillance.

1. The Supreme Court in Carpenter, speaking through Chief Justice Roberts, pretty clearly understood itself as applying the Fourth Amendment to the 21st century, and in particular to digital network technology of the 21st century. It explained the 20th century largely in terms of a shift from a pure property-based theory of the Fourth Amendment, in which government activity constituted a “search” only if it trespassed or otherwise infringed on private property, to a theory that included the protection of persons and privacy. This is the familiar line that runs from Olmstead v. United States, 277 U. S. 438, 464 (1928), which held that telephone wiretapping was not a Fourth Amendment “search” because there “was no entry of the houses or offices of the defendants,” to Katz v. United States, 389 U. S. 347, 353 (1967), which reached the opposite conclusion when “FBI agents . . .attached an electronic listening and recording device to the outside of the public telephone booth from which [the defendant] had placed his calls.” The Supreme Court in Katz explained that in light of intervening events, Olmstead’s “‘trespass’ doctrine . . . can no longer be regarded as controlling.”

Just as the court in Katz applied the Fourth Amendment to the new challenges of the 20th century, the court in Carpenter explained that it was doing so for the 21st century. It drew a line from Kyllo v. United States, 533 U. S. 27 (2001), which held that the use of a thermal imager to detect heat radiating from a home was a search; to United States v. Jones, 565 U. S. 400 (2012), in which five justices concluded that long-term monitoring by technical means of a person’s precise location would constitute a search; to Riley v. California, 134 S. Ct. 2473, 2480 (2014), which held that the police may not, “without a warrant, search digital information on a cell phone seized from an individual who has been arrested.”

The key finding in Carpenter, I think, is that retrospective, comprehensive, long-term CSLI is a “new phenomenon,” a “qualitatively different category,” both “novel” and “unique.” It is a product of “seismic shifts in digital technology” and “the digital age,” in which phones are almost “a feature of human anatomy.” (I am with Matt Tait in wondering whether I know any of the 12 percent of surveyed smartphone users mentioned in the court’s opinion who admit “that they even use their phones in the shower”).

The finding of CSLI’s “unique” nature gives rise to the key holding that the government must obtain a warrant before obtaining CSLI from the telephone company. In reaching this result, the court acknowledged its prior decisions in United States v. Miller, 425 U.S. 435 (1976), and Smith v. Maryland, 442 U.S. 735 (1979), which held that it was not a “search,” and that a warrant was therefore not required, to obtain a person’s financial records or toll records from a third party like a bank or a telephone company. But the court in Carpenter distinguished Miller and Smith, explaining that seven days’ worth of CSLI is “an entirely different species of business record” because it is ubiquitous and necessary for participation in modern life—and because, unlike a “nosy neighbor” who might watch you through the rear window and later report your comings and goings to the police, a cell phone company is “ever alert” with a “nearly infallible memory” going back years for every single subscriber. The court therefore announced a limit on third-party doctrine from Miller and Smith: “Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection.”

(Of course, we have had to deal with some limit on third-party doctrine at least since United States v. Warshak, 631 F. 3d 266 (6^th Cir. 2010), which held that the doctrine doesn’t allow warrantless access to email messages. From reading the various opinions in Carpenter, it seems that no justice wants to leave email unprotected even if it is turned over to a third party for transmission. But Warshak and its ilk have generally been understood to distinguish between “contents”—the substance, meaning, or purport of a communication—and metadata or other non-contents business records. The court in Carpenter had a different theory in mind, treating certain CSLI, which are not “contents,” as specially deserving of protection.)

In its reasoning and result, Carpenter strongly resembles the prior decision in Riley, which required a warrant for the search incident to an arrest of a cell phone. Acknowledging the rule permitting warrantless searches of arrestees, Roberts’ opinion for the court in Riley rejected the government’s claim that “a search of all data stored on a cell phone is ‘materially indistinguishable’ from searches of” paper address books and other pocket litter: “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon.” 134 S. Ct. at 2488-89. The gravamen of the decision in Carpenter is that retrospective, comprehensive, long-term CSLI is materially distinguishable from old-school business records traditionally obtained without a warrant from third parties.

A reasonable summary of Carpenter, therefore, is that third-party doctrine remains in force for what we might loosely refer to as 20th Century business records, such as telephone toll records, financial records, and (Roberts says) security-camera footage. But warrants are now required for records held by third parties that involve 21st Century technology, like seven or more days of continuous CSLI. Orin Kerr made a similar point, though less focused on the technological and temporal aspects of the court’s decision: he summarized Carpenter as holding that “you now have a right not to be monitored too much without a warrant.”

2. The decision in Carpenter leaves a lot of open questions. The first and most important of these concerns the scope of 21st Century technology, the use of which I am saying would establish a “search.” Much of the majority and dissenting opinions refer to types of records, such as CSLI, GPS, and (in Justice Gorsuch’s thoughtful dissent) DNA data. These all seem to be very modern types of information and therefore within the scope of the Carpenter rule as I am describing it.

But the government might argue that DNA should still be treated as a 20th Century record, not subject to Carpenter, because the user of services like 23andMe must be quite aware of the information she is giving up. There are elements of Chief Justice Roberts’ opinion that seem still to rely on the idea that CSLI “is not truly ‘shared’” with the phone company “as one normally understands the term” because it is generated “without any affirmative act on the part of the user beyond powering up” the phone. If the Supreme Court concludes that a key element of 21st century technology is that it involves sharing information that is both necessary for modern life and not fully evident to the person whose information is being shared, then personal DNA testing, in which the user orders a kit and submits a sample for laboratory analysis, probably won’t qualify—at least until genetic engineering or the like is so routine that not having a DNA profile effectively excludes one from modern life, or genetic testing (e.g., for cancer) occurs automatically in the background whenever you touch your cell phone.

A related question is whether Carpenter extends not only to the type of data obtained, but to the purpose of the collection, the quantity of data collected across multiple users, and/or the methods used to collect or process the data. In particular, does Carpenter extend to any or all of (1) single-user collection of long-term, retrospective CSLI under the business-records provision of the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. § 1861; (2) bulk collection of non-location telephony metadata under FISA; or (3) the procedure for ongoing production of non-location call detail records (CDRs) approved by Congress in the USA Freedom Act of 2015?

As to the first question, the issue is unlikely to arise because FISA allows production of business records on a showing of relevance only if the records “can be obtained with a subpoena duces tecum issued by a court of the United States in aid of a grand jury investigation or with any other order issued by a court of the United States directing the production of records or tangible things.” 50 U.S.C. 1861(c)(2)(D). After Carpenter, a grand jury or administrative subpoena cannot be used to obtain long-term, retrospective CLSI. To be sure, the Supreme Court in Carpenter went out of its way to eschew comment on foreign intelligence surveillance: “our opinion does not consider other collection techniques involving foreign affairs or national security.” But courts will likely avoid the constitutional question and conclude that Congress meant to foreclose under FISA what Carpenter forbade in ordinary criminal cases.

Bulk collection presents a different issue because it could involve precisely the same type of non-location data at issue in Smith, but acquired on a truly vast scale, for all subscribers of several telephone companies. (My detailed discussion and analysis of bulk collection is available here.) There is no way to collect, store, and process that quantity of data using 20th century technology as understood in Carpenter—regardless of whether NSA was sufficiently ahead of the curve that some version of bulk collection would have been possible some time before the year 2000. If Carpenter is understood to depend on the use of modern technology in general, beyond the type of data collected, then bulk collection—even of non-location information—could qualify as a “search” despite Smith. To be sure, foreign intelligence searches can be upheld under standards lower than those applicable to ordinary law enforcement searches. But the definitional question, of whether certain government activity qualifies as a search, has generally been the same in both contexts. And treating bulk collection as a Fourth Amendment “search” could tend to support a claim that a judicial order authorizing the collection, on any standard, is a prohibited general warrant.

A similar analysis might even apply to the iterative process for ongoing collection of non-location call detail records (CDRs) under the USA Freedom Act. The CDR process required by the act is in many ways far more technologically complex and challenging than bulk collection conducted by NSA alone. Again, therefore, even if the types of CDR data collected are within the scope of Smith because they exclude location, see 50 U.S.C. §1861(k)(3)(B), the modern technology required to conduct the production and analysis could qualify as a “search” under Carpenter. Even if the CDR process, which requires only “reasonable suspicion,” were upheld because it involves foreign intelligence, there remains the question whether requiring telephone companies to rummage through their holdings would amount to a prohibited general warrant or writ of assistance.

3. I have written previously on how digital network technology augments and threatens both privacy and security at the same time. Carpenter extends Jones and Riley in explaining how digital network technology challenges privacy and in effecting legal change to address that challenge. But this technology is also challenging for security, as Justice Kennedy’s dissent recognizes. An interesting question for the longer term is whether the Court will grant certiorari in a case that requires it to address modern technology’s challenges to security—and, if it does, what sorts of legal changes may result.