Cell phones. They’re so convenient these days, right? Gone are the days of playing Snake on a Nokia flip phone while waiting at the DMV. The average smart phone has dozens of apps installed. I can browse social media, stream movies, check email, and check the status of any of my Internet-connected devices at home. While I’m changing my thermostat from across town, my service provider is routing the data from cell tower to cell tower. With the push notifications that a lot of apps use to stay updated, cell phones are often yelling back and forth at the nearest cell tower, whether we’re using the phone at the moment or not. Smart phones give data more mobility, and in exchange for that mobility, providers know our movements.
This week, Motherboard reported that telecommunications companies have been tricked into giving up cell site location data to people who lied about being police officers. John Letcher Edens worked in debt collection as a skiptracer, which is a person who specializes in tracking people down. One of his methods was to pretend to be a U.S. Marshall and claim that there were exigent circumstances, and that he needed real-time location data for this cell number immediately. The fellow skiptracer who reported him to police posted her own account of the story in 2015.
In January, the same Motherboard reporter exposed the practice of cell service providers selling cell site location data to bounty hunters. So just so we’re clear, some service provider employees don’t need to be tricked into disclosing cell site data; they can also be bribed. But is it really bribery if it’s not illegal to share that data anyway?
This brings me to one of my favorite talking points: The Electronic Communications Privacy Act Is A Hot Mess.
The Electronic Communications Privacy Act has three major parts: the Wiretap Act, the Pen Register Act, and the Stored Communications Act.
The Stored Communications Act addresses the voluntary disclosure of communications under Section 2702, and the compelled disclosure of communications under Section 2703.
In Section 2703, some information can be sought using an order that, in terms of the showing required, is less than a warrant but more than a subpoena. These are often referred to as 2703(d) orders. The general rule in the SCA is that a warrant is needed for most content information. A subpoena is sufficient for some non-content information, like billing address (2703(c)(2)). In Carpenter v. United States (2018), the Supreme Court held that 2703(d) orders are not sufficient for historical cell site location data. So get a warrant.
The idea of selling cell site location data is relevant to the voluntary SCA provisions in 2702. Section 2702(a) reads:
(a)Prohibitions.—Except as provided in subsection (b) or (c)—(1)a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and
(2)a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—(A)on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;
(B)solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and
(3)a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.
You can see that 2702(a)(1) and 2702(a)(2) are limited to content. Section 2702(a)(3), on the other hand, only addresses disclosures made to governmental entities. This disclosure of records is further qualified by exceptions in 2702(c).
(c)Exceptions for Disclosure of Customer Records.—A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2))—(1)as otherwise authorized in section 2703;(2)with the lawful consent of the customer or subscriber;(3)as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;(4)to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;(5)to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A;(6)to any person other than a governmental entity; or(7)to a foreign government pursuant to an order from a foreign government that is subject to an executive agreement that the Attorney General has determined and certified to Congress satisfies section 2523.
But again, those are exceptions to the general rule that customer records cannot be shared with governmental entities. It doesn’t say anything about bounty hunters or debt collectors. If any citizen want to get a full record of where a particular device has been during a particular time period, they can just ask. Because historical cell site location data isn’t content, voluntary disclosure doesn’t put the service provider in any legal jeopardy.
Historical cell site location information thus poses a bit of a problem in the law. Compelled production requires a warrant, and thus probable cause. But voluntary disclosure to private citizens is not addressed by the SCA. John Letcher Edens was indicted on seven counts of impersonating a federal officer, which he did to trick providers into sharing real-time location data. Using stored data and guessing based on patterns might have been easier on his criminal record in the long run. Instead, Edens exploited procedures for obtaining real-time non-content information with the Pen Register Act.
The ECPA needs another look. The content/non-content distinction is overrated and outdated. The Supreme Court’s decision in Carpenter highlights the flaws with the assumption that content data should be entitled to more protection than non-content data. Carpenter also calls into question the assumption that the process for pen registers provides adequate protection for real-time location information.