A Maryland court last week ruled that the government does not need a warrant to force a cell phone provider to disclose more than six months of data on the movements of one of its customers. Two defendants had been accused of armed robbery, and a key piece of evidence against them was data about the movements of the pair's cell phones. The defendants had sought to suppress this location evidence because the government did not get a warrant before seeking the data from network providers. But last Thursday, Judge Richard D. Bennett ruled that a warrant is not required to obtain cell-site location records (CSLR) from a wireless carrier.

Courts all over the country have been wrestling with this question, and the government has been on something of a winning streak. While one court ruled last year that such information requests violate the Fourth Amendment, most others have reached the opposite conclusion.

The Obama administration laid out its position in a legal brief last month, arguing that customers have "no privacy interest" in CSLR held by a network provider. Under a legal principle known as the "third-party doctrine," information voluntarily disclosed to a third party ceases to enjoy Fourth Amendment protection. The government contends that this rule applies to cell phone location data collected by a network provider.

While this may be a plausible reading of previous precedents, the practical implications are alarming. While CSLRs are not as detailed as data that can be gathered via GPS, months of data can still reveal a host of sensitive information about a person's movements. If the third-party doctrine allows the government to obtain such information without a warrant, that's a strong argument for re-considering the third-party doctrine.

Limited precision

The Obama administration made its argument in a Texas case being heard by the Fifth Circuit Court of Appeals. The government had applied for a subpoena compelling MetroPCS and T-Mobile to turn over sixty days of cell phone location data for two phones believed to belong to suspects in a drug case. A judge denied the request, ruling that the government needed a search warrant to obtain such location data.

In a lengthy opinion, Magistrate Judge Stephen Smith, who has emerged as a leading advocate for stricter judicial oversight of electronic surveillance, concluded that "compelled warrantless disclosure of cell site data violates the Fourth Amendment."

Judge Smith's opinion drew heavily on testimony that Matt Blaze, a prominent University of Pennsylvania computer scientist, gave to Congress in 2010. Blaze argued that as the number and technical sophistication of cellular towers increases, cell phone companies are able to collect increasingly precise information about the location of their customers. "Under some circumstances, the latest generation of this technology permits the network to calculate users' locations with a precision that approaches that of GPS," Blaze said.

In its brief, the Obama Administration faulted Judge Smith for relying on Blaze's testimony without holding a hearing that would have allowed it to present contrary evidence. And it argued that Blaze's observations do not apply to the data it is seeking in the Texas case. According to the government, T-Mobile and MetroPCS only retain information about a phone's location at the beginning and end of a phone call, not when the phone is idle. And the data T-Mobile and MetroPCS have collected is much less precise than the theoretical maximum Blaze described.

Contacted by Ars Technica, Blaze told us that he wasn't able to comment on the specifics of the T-Mobile or MetroPCS networks. But he questioned the wisdom of making potentially precedent-setting decisions based on the low precision of location data held by a particular wireless firm. Other firms may have more precise data, and all firms' data is likely to get more accurate as towers become denser and more sophisticated.

Blaze also noted that the growing use of picocells and femtocells, which are designed to provide coverage to an individual building or even an individual floor within a building, meant that CSLRs could sometimes provide extremely precise information about a customer's location. And whether such fine-grained location data is available for a particular customer will only be known after a cellular provider discloses its customer's location data.

Re-thinking the third-party doctrine

In addition to arguing that the location data it was seeking was too coarse-grained to raise privacy concerns, the government also argued that it was legally irrelevant. That's because under the third-party doctrine, customers give up privacy rights in any location data they voluntarily disclose to a third party. And the government believes that customers do this every time they allow their cell phones to communicate their location to cell phone towers.

"As business records in the possession of a third party, cell-site records should not be judged under standards applicable to surreptitiously-installed tracking device," the government's brief argues.

This argument has a puzzling circularity to it. After all, it's equally true that customers "voluntarily" disclose the contents of their phone calls to the phone company when they make a call using a cell phone. And yet the contents of voice communications are protected by the Fourth Amendment.

Phone calls currently enjoy Fourth Amendment protection, but that wasn't always true. In 1928, the courts had held that the Fourth Amendment only barred physical trespassing by government agents. Since wiretapping could be accomplished without entering the suspect's property, the Supreme Court held that it didn't raise Fourth Amendment issues.

Fortunately, the Supreme Court re-thought this reasoning in 1967. The high court reversed its previous reading of the Fourth Amendment and found that the government needs a warrant any time it violates a target's "reasonable expectation of privacy."

The arguments the government makes about CSLRs are reminiscent of the claims the Supreme Court accepted in 1928 and then rejected in 1967. In both cases, the government focused on the technical details of how the information is collected. Because the information could be accessed without physically intruding on the suspect's property, the government argued, the suspect's privacy was not violated.

The Supreme Court wisely rejected this over-literal reading of the Fourth Amendment in 1967. And it ought to do the same thing when the CSLR controversy inevitably reaches the Supreme Court. Seeking months of data about a suspect's whereabouts is at least as invasive as other surveillance techniques the government has ruled unconstitutional.

Indeed, the high court should consider ditching the third-party doctrine altogether. A growing share of our personal communications and documents are stored with the assistance of third parties. Snooping through someone's Hotmail or Google Docs account is the 21st Century equivalent of rifling through an 18th century citizen's "papers and effects." The Fourth Amendment protects the privacy of the latter; in our view, it should do the same for the former.

At least one Supreme Court justice seems to realize the danger the third-party doctrine poses to privacy. In a concurrence to the high court's Janunary decision on the constitutionality of GPS tracking, Justice Sonia Sotomayor wrote that the doctrine was "ill-suited to the digital age." The third-party doctrine was not directly at issue in the case. Her decision to bring it up anyway suggests a high level of concern.