ACLU: Cops should have a tougher time sucking up 7 months of mobile phone data

Filed Under: Featured, Law & order, Mobile, Privacy

Geolocation map. Image courtesy of ShutterstockBetween 10 July and 15 July 2010, the first call of the day and the last call of the night that Aaron Graham made on his mobile phone showed he was probably sleeping at home.

The last call he placed on the night of the 9th and the first call he placed the next morning, however, shows he was a 30-minute drive from his house.

So where was he?

I don't know, and I don't want to know, because it's personal information to which neither you nor I have a right, if you live in the US and the Fourth Amendment to the US Constitution means anything.

Does that hold for the police? Because that's where the information came from: an astonishing 221 days worth of Mr. Graham's cell phone records, all gotten at without a warrant.

On Monday, the American Civil Liberties Union (ACLU) announced it had joined with other legal activist groups to file an amicus brief [click here for PDF download] arguing that the Fourth Amendment requires that the government get a warrant to find out where a person has been for seven months.

The case, United States v. Graham, is now on appeal before the Fourth Circuit Court of Appeals.

According to the ACLU, this case could be pivotal in determining whether the government needs a warrant to track our mobile phones.

Without a warrant, the government was able to track the location of Graham and another suspect at 29,659 specific points over those 221 days.

Typically, the ACLU points out, neither the public nor the person being tracked ever see cell phone location records obtained by law enforcement.

Cell phone tower. Image courtesy of ShutterstockIn this "rare instance," the ACLU says, working with Mr. Graham's assistance and permission, the ACLU and its partner groups received and analyzed the data that the police obtained from his cell phone carrier.

The ACLU - along with the the ACLU of Maryland, Center for Democracy & Technology, Electronic Frontier Foundation (EFF), and National Association of Criminal Defense Lawyers - were given the mobile data by the defendants' legal counsel.

According to Ars Technica, the lawyers got hold of the phone records with a Brady disclosure - a legal procedure that requires prosecutors to share evidence with the accused.

In the groups' amicus brief, they argue that handing over such a huge amount of data constitutes a search as defined under the Fourth Amendment, which would require a warrant.

The case dates back to 5 February 2011, when the defendants - Graham and Eric Jordan -were charged for a series of armed robberies of places that included Burger King and McDonald's restaurants in Baltimore, Maryland.

Police arrested the pair 10 minutes after the McDonald's robbery. The defendants told police their cell phone numbers when asked, and police subsequently found the matching cell phones in the getaway car.

Police were granted a search warrant for the two cell phones. Prosecutors later obtained two court orders, which are a lesser standard than a warrant, that allowed them to get at the defendants' cell site location information (CSLI) data for periods going back to July 2010, with a goal of linking the suspects to robberies that coincided with the dates police wanted to know about.

The pair were eventually charged with 17 counts of robbery.

In court, Graham and Jordan's defense teams filed a motion to suppress [PDF] the evidence, given that "the privacy intrusions available through this type of technology are far-reaching and unconstitutional - allowing the government to retroactively track or survey a suspect through his cellular telephone, a device he likely carries with him at all hours of the day and to constitutionally protected places such as his home or church."

The motion was denied, as a district judge agreed with the government [PDF] when it argued that the defendants have no Fourth Amendment expectation of privacy, given that they voluntarily handed over their information to a third party - i.e., the phone companies.

The ACLU et al. are now pointing to another recent case to underscore their contention that this type of long-term monitoring violates reasonable expectations of privacy.

Judge orders. Image courtesy of ShutterstockIn that case - the Supreme Court case US v. Jones - five justices found that the investigative subject's privacy was violated by long-term monitoring of his car's GPS device.

The reasoning applies all the more forcefully with a case such as Graham, which involves a mobile phone - a device that's with us far more than a car's GPS, the ACLU points out:

People carry their cell phones with them all the time. Each time a cell phone makes or receives a call or text message, the wireless provider logs the cell towers the phone connected to during that communication.

Cell phone tracking therefore allows the government to reach back into the past and pull up a record of where we have been on any given day.

And if the Supreme Court found that 28 days of location tracking violated a reasonable person's expectation of privacy, then surely the 221 days of tracking in this case is beyond the pale.

If the legal activist groups have their way, the Fourth Amendment will no longer be stopped dead in its tracks when US citizens pick up their phones.

Those phones, along other modern technologies, make it easier than ever to track us, the ACLU says.

The data offered up by our mobile phones is highly sensitive. It can also be highly incriminating.

That shouldn't strip us of our rights, however, the groups are arguing.

Thanks go to these activist groups for fighting to ensure that, regardless of how invasive technology gets, the Constitution isn't left burning in the wake of its evolution.

Images of geolocation, cell phone tower and court orders courtesy of Shutterstock.

, , , , , , ,

You might like

8 Responses to ACLU: Cops should have a tougher time sucking up 7 months of mobile phone data

  1. jmk · 391 days ago

    It doesn't sound as though the police have deliberately done anything improper here; they DID get a court order in advance.

    And it does sound as though the data was relevant and useful in placing the suspects at the scene of many crimes.

    The question seems merely to be: what level of rigour (sorry, "rigor") is appropriate ? order versus warrant ? Probably a fair technical question to argue in court and of proper concern to those in the civil liberties arena.

    If this is the basis on which Graham is appealing against conviction, however, I am less impressed. Isn't that called "trying to get off on a technicality" ?

    • david · 390 days ago

      given that they voluntarily handed over their information to a third party - i.e., the phone companies.........I would be arguing I did not voluntarily hand the info over for any other reason than should the phone company need to contact me, aside from the fact such information is needed to get a phone...

  2. JJA · 390 days ago

    The article does NOT state that the police got the court order in advance. They got the court order after the fact, then RETROACTIVELY went back in time to obtain all of the call location data--7 months worth. The precedent this sets is that there is nothing private about your phone, therefore nothing private about any of your communications, which is something the 4th amendment was specifically meant to protect.

  3. Jack Wilborn · 390 days ago

    As a retired Law Enforcement Officer, I understand the pressure, but our legal system dose not allow laws to be passed retroactive (who would know what they are doing will be illegal) but our outreaching Government seems to deem everybody guilty until proven innocent. I steadfast believe that court orders should not include information from the past on a potential suspect.

    Next I wonder why a company would keep such records for 220+ days? It must cost them and there could be no reasonable use of this data.

    Even today, if I were called in on a crime, I would ask for a lawyer. It's only sensible.

    • Stuart · 389 days ago

      I'm based in the UK and work for a financial firm, we have regulations which state we must retain all customer data/contact information for 5 years as a minimum. The reason is if there is ever a problem and the client needs to recover any information, it actually falls to my company to provide it, rather than the client. I would assume the phone companies have similar regulations to maintain a users data. there are pros and cons to this, the obvious cons are you have your privacy breeched if the phone company gets hacked or law enforcements agencies request the data. but the main pro I can think of is if you had your phone stolen you would be able to track it down again. But at the very end of the day - If you don't have anything to hide, you shouldn't worry who looks at your data. (If someone does decide falsely accuse you of something, you have at least got some hope of being able to prove them wrong. by gaining access to the data that's been recorded.)

      • JRD · 389 days ago

        "If you don't have anything to hide, you shouldn't worry who looks at your data."

        I'll be damned if that isn't the most ignorant thing I've read today.
        http://falkvinge.net/2012/07/19/debunking-the-dan... has a few points on why this thinking is wrong.

        1) The rules may change - You've got nothing to hide *today* but what if they change the law in ways you don't like or can't abide and suddenly you've been a criminal all along. Too late, they already have the evidence against you. And even if they don't retroactively charge you, they already have the infrastructure in place to watch you and catch you when you do slip up.

        2) It's not you who determine if you have something to fear - If they look hard enough, if you trigger a red flag, your life can be put under a microscope so powerful that they *will* find something that you did illegal or questionable or that just looks questionable and it will be used against you.
        Note that this assumes that the data is accurate because maybe they get you mixed up with someone else and how in the world will you extricate yourself from that situation when the machines don't lie.

        3) Laws must be broken for society to progress - In the US, a surveillance state could have killed Civil Rights by stopping "criminals" from congregating and planning protests. Homosexuality would still be considered a crime and "the privacy of your own home" would be meaningless. All those sodomy laws that have been on the books for 200 years? Think of the people who could be put in jail just for having oral sex with their legal spouse. Thankfully many of those laws have finally be taken off the books, but with a surveillance state, what would have stopped law enforcement from arresting all the "criminals" throughout the years.

        4) Privacy is a basic human need - This should be self-evident, but apparently it isn't. Do you want someone standing next to you while you are having a sit down in the bathroom? Do you want someone examining how you make love to your spouse? Do you want someone tabulating how often you drive by a bar or stop for coffee or buy donuts or waste a buck on the Lotto?
        I don't.

        Here is a link to another, longer essay about the same thing: http://papers.ssrn.com/sol3/papers.cfm?abstract_i...

  4. John Doe · 390 days ago

    Agreed. Even they obtained a warrant the retroactively went back 7 months. Meaning that someone is just randomly collecting your data all the time?

    Goodbye freedom. Hello military state. Enjoy all

    • James Ford · 386 days ago

      A awesome source of revenue would be for those of us with nothing to hide to write a check to service providers who for what ever reason keep data more than 365 days to delete it - "services rendered". Additionally, customers should also be able to obtain by "writing a check" to get a copy of said data in electronic form again, for "services rendered." Doing so in both instances remind us all, "we are the customer", "we are being tracked" good, bad or indifferent. We can all change our behavior, develop a crack that makes the data useless? I see no reason why the data can't be seasoned with spoof information, again- a good service would also be to signup for a service that adds spice to our tracking data, making it virtually useless it might seem.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.