In a widely anticipated decision, the Supreme Court held 5-4 that the government must obtain a warrant to acquire customer location information maintained by cellular service providers, at least where that information covers a period of a week or more. The case, Carpenter v. United States, has been closely watched by tech companies and privacy experts. The opinion, authored by Chief Justice John Roberts, immediately enshrines greater protections for certain forms of location data assembled by third parties and represents a growing discomfort on the Court with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.
Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (“CSLI”). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions.
Obtaining CSLI records is a fairly common law enforcement tool and—until now—such information could typically be obtained by court orders issued under the Stored Communications Act. Those orders require the government to make certain types of showings to a court, but they are not warrants and do not require probable cause.
The Supreme Court’s review of this practice stemmed from the arrest and conviction of Timothy Carpenter for (ironically) his involvement in several robberies of cell phone stores. Without obtaining a warrant, the FBI sought and obtained orders directing MetroPCS and Sprint to hand over 152 days of Carpenter’s CSLI generated when his phone placed, received, or ended a call, as well as seven days of overall CSLI records. This evidence was used to help convict Carpenter of various robbery charges.
Carpenter’s case reached the Supreme Court as part of a broader dispute over whether and in what circumstances an individual’s location data is protected by the Fourth Amendment’s warrant requirement. In a 2012 decision involving the use of a GPS tracking device affixed to a vehicle, five Justices had suggested that people generally have a reasonable expectation of privacy in information that would reveal their location and movements over time, but the Court’s majority opinion in that case had not squarely resolved the issue. The key question in Carpenter turned on the applicability of the third party doctrine: Do customers have a reasonable expectation of privacy in their location information when, through their phones, they disclose that information to cellular providers?
The government argued that cell phone users voluntarily “share” their location information by using cell phones that connect with cell sites. As such, it argued that CSLI records should be treated the same way as phone records in the hands of a telephone company or bank records in the hands of a financial institution—both of which the Supreme Court has held can be obtained through a subpoena and without a warrant. The American Civil Liberties Union (ACLU), representing Carpenter, argued that warrantless access to historical CSLI permitted the government to obtain a tremendous amount of revealing information, incomparable to what previous circumstances allowed. The ACLU argued that access to this type of information violates the basic “reasonable expectation of privacy” test.
The Court ruled for Carpenter, holding that individuals have a legitimate expectation of privacy in their locations as captured by CSLI. As such, a warrant based on probable cause is required in order to obtain these records. The opinion made several key observations:
Most obviously, in light of Carpenter, a mobile communications provider should ask to see a warrant if the government requests historical CSLI covering a period of a week or more. (And, undoubtedly, law enforcement agencies will be updating their protocols accordingly.) Slightly less obviously, businesses that possess other types of customer location information (e.g., through GPS tracking) may also expect to see a warrant—or may be able to argue that a warrant is required—if they are asked to turn over such information to law enforcement in aid of an investigation. In fact, the Carpenter decision generally describes GPS data as more precise and therefore more potentially invasive than CSLI.
While the ruling will create some uncertainty, service providers can take some comfort in the fact that the Stored Communications Act precludes plaintiffs from suing providers who comply with court orders or subpoenas. So businesses are unlikely to be successfully sued simply for having complied with a subpoena or court order requesting this type of information.
More broadly, Carpenter continues a trend of recent Supreme Court cases adapting Fourth Amendment rules to account for changing technology. A key refrain throughout the opinion is the ease of compiling CSLI records and the sheer volume of data at stake. The Court’s practical focus on the type and volume of data being obtained creates doubts about the third-party doctrine and its application in other circumstances. Carpenter suggests that this rule cannot function like an on/off switch, eliminating all expectations of privacy if something is shared with a third party.
Notably, several prominent technology companies similarly advocated in an amicus brief for a more practical and less rigid approach—in part because many types of technology require users to “share” data (including sensitive data) with technology companies in order to function. Although the Court’s opinion attempted to limit itself to historical CSLI, emphasizing collection of location information over a week or more at a time, there will almost certainly be future litigation on collections of other types of information, potentially including real-time location information as well as subpoena requests for other types of arguably sensitive data.
 See 18 U.S.C. § 2703(c), (d).
 United States v. Jones, 565 U.S. 400, 413-18 (2012) (Sotomayor, J., concurring); id. at 418-31 (Alito, J., concurring).
 Smith v. Maryland, 442 U.S. 735 (1979) (call records); United States v. Miller, 425 U.S. 534 (1976) (bank records).