Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Monday, September 20, 2010

Questions to consider about GPS data, location tracking, and privacy expectations

The previous post looked at some of the variable and as yet unresolved factors that may help determine how and under what circumstances GPS location data may be used for investigations by law enforcement personnel, with or without a warrant. As should be abundantly clear to anyone reviewing the recent and often conflicting or inconsistent judicial rulings on the collection and use of location data (GPS-based or otherwise), privacy expectations and the corresponding applicability of the 4th Amendment or any of the variety of statutory regulations relevant to such data may depend on the specifics of a given situation. One way to think through these scenarios is to consider key characteristics that incorporate (or exclude) current regulations or legal precedents, by asking questions such as the following.

Is the collection and use of GPS data a search?
The accepted legal standard for determining the applicability of the 4th Amendment protections against unreasonable search and seizure was established in a concurring opinion by Justice Harlan in United States v. Katz. Under this standard courts can determine whether an asserted expectation of privacy is reasonable by considering both the extent to which the individual's exhibits an expectation of privacy, and whether society recognizes this expectation of privacy as reasonable. In many formulations this two-part test addresses both subjective (the individual's) and objective (society's) expectations, and unless there is agreement between the two, no reasonable expectation of privacy can be said to exist. When considering GPS data in particular and location-related information about an individual in general, there is still some debate as to whether an individual's assertion of privacy regarding their own movements is reasonable. In the recent 3rd Circuit finding that rejected a magistrate judge's refusal to approve a government request for cell site location information, the court decided (contrary to the magistrate judge's finding) that the location of cell towers to which an individual's cell phone connects could be considered to be a part of the wireless service provider's record, and was therefore information that cell phone users willingly disclose to third parties (wireless providers) and hence could not be considered private information.

What sort of GPS device is in use?
There are two contexts in which the nature of the GPS device becomes relevant. Most important is whether the GPS device can be used to track the location of an individual, rather than an object (such as a car or container), but a related consideration is whether the device itself can be considered to be a tracking device. While it may seem obvious that the use of GPS would be consistent with the use of a tracking device, there are plenty of GPS receivers on the market that do not communicate the user's location beyond displaying it on the device's screen. In contrast, GPS location capabilities associated with cellular phone handsets or, for example, auto industry services such as LoJack or OnStar operate in such a way that they first receive geographic positioning information for a given location, then communicate that location data either to the service provider or directly to law enforcement personnel. The reason the distinction is important is because there are existing legal restrictions on gathering data from tracking devices — most generally, rule 41 of the Federal Code of Criminal Procedure requires a showing of probable cause in order to issue a warrant so that a tracking device can be used. The Supreme Court's ruling in United States v. Knotts was a departure from this procedural standard, but one which the court justified because the placement of the GPS tracking device and the movement that was tracked occurred in public settings. For law enforcement personnel to gain access to GPS location information about a cell phone, without obtaining a warrant, presumably the location data being sought could only correspond to public locations — that is, places where visual surveillance would be feasible.

Who is collecting the GPS data?
The discussion about who is on the receiving end of the data as it is gathered boils down to whether the data being sought (typically by the government, with or without a court order) will be transmitted directly to government agents such as law enforcement personnel, or whether the data is already collected by a third party, typically in the course of routine business operations. Generally speaking, current attention is focused on "electronic communication service" providers (there is a specific legal definition for that term established by the Electronic Communications Privacy Act), who are the explicit subject of the Stored Communications Act (Title II of ECPA). The legal history is longer and a bit harder to navigate than ECPA alone, as ECPA served to amend the Ominibus Crime Control and Safe Streets Act of 1968, and the statutory provisions such as §2703 codified in Title 18 of the U.S. Code were further modified in 1994 by the Communications Assistance for Law Enforcement Act (CALEA). The general intent of these provisions is to provide legal assistance for law enforcement investigations in the form of communications records held by service providers. The net result where location data is concerned (if in fact location data is considered to be part of service provider records) is that it is generally more straightforward — in the sense that they need to satisfy less stringent legal requirements — for law enforcement personnel to get data in records maintained by service providers than it is for them to act as the primary collector of the data.

In what locations is the individual when GPS data is collected?
Supreme Court precedents focus specifically on whether location data can be used to pinpoint individuals within their homes, as gathering data related to just about any type of communications within the confines of a private residence ordinarily requires a warrant. In United States V. Karo the Court held that the use of a tracking device (a beeper of the same sort used in the scenario involved in Knotts) to determine the presence of the device (in this case, placed inside a chemical drum) inside a residence was an unreasonable search and therefore required a warrant. With somewhat similar reasoning, in Kyllo v. United States the Court ruled that the use of a thermal imaging device that allowed law enforcement personnel to gather information (in this case, temperature) inside the home violated the occupants' reasonable expecation of privacy. There has been some technical debate as to just how accurate GPS tracking data (and, for that matter, cell site location information when triangulation is used) is in terms of pinpointing the location of an individual, as well as the effectiveness of GPS tracking when the device in question is indoors. Technical questions aside, it seems logical based on past legal precedent that using cellphone-based GPS data to track individuals is likely to require a warrant if the historical or future monitoring timespan will include periods when the subject will be in their home.

What type of data is being sought?
There is an important legal distinction between the contents of communication and the data in the records about the communication. Where contents are sought, the legal requirement is clear that a warrant is needed, whether for historical or prospective communications. In contrast, various laws and legal interpretations have held not only that record data about communications should be considered separately from the contents, but in many cases that individuals can have no reasonable expectation of privacy about the information contained in such records, because they willingly share that information with service providers or other third parties who enable the communications to take place. Examples often cited for telecommunications services include the originating and terminating telephone numbers at either end of a call (wired or wireless), or sender and receiver of a text message or email. The privacy analogue is postal mail, where the destination address (and by convention if not requirement the sender's return address) on an envelope are disclosed to the postal service in order to enable successful delivery of the mail, but the contents inside the envelope remain private, even from the postal service personnel to whom they are entrusted. Where GPS location data is concerned, it's not that anyone has argued that location data is communication contents and therefore should remain private, but neither is there agreement that location data is unarguably among the information that the service provider needs, especially given that providers do not only use location data in order to enable communication transmissions, but store historical location data over time. It might be interesting to see the response to an argument that concedes that cell site location information is necessary for routine telecommunications operations, but challenges the relevant or need for GPS data collection in addition to cell site data.

What period of time does the GPS data cover?
The D.C. Circuit in its Maynard ruling is the only court so far that has drawn a distinction between short-term and long-term GPS tracking. The investigation in question in that case relied on first placing a GPS tracking device on the suspect's vehicle and they following his movements over four weeks to establish patterns indicative of his participation in drug trafficking. Given the appellate court's ruling, it seems likely that law enforcement personnel would be wise to seek a warrant before engage in prolonged monitoring or tracking using a GPS device. It is not at all clear that the government could succeed at all in a §2703(d) application to a magistrate judge or other authority seeking historical GPS information — such as from a wireless service provider — but if the request sought data covering more than a very short period of time, the precedent set by the D.C. Circuit would strongly suggest that a warrant is needed.

1 comment:

  1. Thanks for providing the great information about GPS Tracking and i think this device is useful when it use in proper way because it can exploit the privacy of someone by tracking his/her movement.

    ReplyDelete