LAUNDERING DATA: HOW THE GOVERNMENT’S PURCHASE OF COMMERCIAL LOCATION DATA VIOLATES CARPENTER AND EVADES THE FOURTH AMENDMENT

Introduction

In May 2020, what began as a local protest against the murder of Min­neapolis resident George Floyd turned into a global phenomenon. 1 1 See Derrick Bryson Taylor, George Floyd Protests: A Timeline, N.Y. Times (Nov. 5, 2021), https://www.nytimes.com/article/george-floyd-protests-timeline.html (on file with the Columbia Law Review). ... Close The world watched as tens of thousands of people demanded racial justice: Rows of people walked together, anonymous individuals blending to form a single group unified in movement and message. 2 2 Id. ... Close

But to data broker Mobilewalla, the masses of anonymous individuals were not so anonymous. Mobilewalla saw a different picture: a sea of mo­bile phones emitting data, including location data that was ripe to ingest, aggregate, analyze, and sell. 3 3 See Caroline Haskins, Almost 17,000 Protesters Had No Idea a Tech Company Was Tracing Their Location, Buzzfeed News (June 25, 2020), https://www.buzzfeednews.com/article/carolinehaskins1/protests-tech-company-spying [https://
perma.cc/B3F4-GGT6] (detailing a report released by Mobilewalla regarding pro­testors such as their age, gender, and race). ... Close Using location data harvested from protes­tors’ cell phones, Mobilewalla published a report analyzing the protesters’ demographics. 4 4 Id. Mobilewalla’s CEO, Anindya Datta, also admitted that his company “didn’t pre­pare the report for law enforcement or a public agency, but rather to satisfy its own employ­ees’ curiosity about what its vast trove of unregulated data could reveal about the demonstrators.” Id. ... Close The analysis shared factors like race, ethnicity, gender,  age,  and  protestors’  hometowns—all sourced  from  mobile  devices. 5 5 The company has since taken down the previously publicly available report, but other sites maintain screenshots. See, e.g., New Report Reveals Demographics of Black Lives Matter Protesters Shows Vast Majority Are White, Marched Within Their Own Cities, PR Newswire (June 18, 2020), https://www.prnewswire.com/news-releases/new-report-reveals-demographics-of-black-lives-matter-protesters-shows-vast-majority-are-white-marched-within-their-own-cities-301079234.html [https://perma.cc/W9LK-GSEX]. Further, actual identities were likely not plainly shared, but deanonymizing a device’s identity is fairly sim­ple. See infra section III.A.2. ... Close

Mobilewalla aggregates and sells insights based on consumer data by tapping into users’ smartphone activity and online web browsing behav­ior. 6 6 Consumer Data, Mobilewalla, https://www.mobilewalla.com/consumer-data [https://perma.cc/97EP-E7HH] (last visited Jan. 11, 2021); Guide to Third-Party Data, Mo­bilewalla, https://www.mobilewalla.com/third-party-data [https://perma.cc/T3B5-PZZF] [hereinafter Mobilewalla, Guide to Third-Party Data] (last visited Jan. 11, 2021) (“Much of the current third-party data activity centers around smartphones. . . . [E]very phone has a Mobile Advertiser ID (MAID) that effectively creates a persistent customer identity, uniting online activity (through app and web browser behavior) and offline activity (through device location).”). ... Close Billing itself as a “consumer intelligence” platform, 7 7 See Mobilewalla, Mobilewalla, https://www.mobilewalla.com [https://perma.cc/EU7E-BYRV] (last visited Jan. 11, 2021). ... Close the company ac­cesses, stores, and analyzes mobile data across a stunning 1.3 billion devices. 8 8 Mobile Data, Mobilewalla, https://www.mobilewalla.com/mobile-data [https://
perma.cc/JG5X-4JPW] (last visited Jan. 11, 2021); see also Mobilewalla, Guide to Third-Party Data, supra note 6 (offering a broader discussion of the company’s explanations of third-party data and location data specifically); Improve Advertising and Build Effective Consumer Profiles With Mobile Data, Mobilewalla (July 2, 2018), https://www.mobile
walla.com/blog/improve-advertising-build-effective-consumer-profiles-mobile-data [https://perma.cc/ZF67-NUEZ] (discussing mobile data to build consumer profiles, Mobilewalla asks, “Where are they located? Do they travel? What are patterns in their mobile behaviors?”). ... Close In part, this mobile data includes location data used to track where consumers have been, based on where their cell phones have been. 9 9 Location-Based Marketing, Mobilewalla, https://www.mobilewalla.com/location-based-marketing [https://perma.cc/9SS2-BYYZ] [hereinafter Mobilewalla, Location-Based Marketing] (last visited Jan. 11, 2021). ... Close Mobilewalla then leverages this powerful information to sell location data and services to private-sector companies looking to improve their market­ing. 10 10 See Mobilewalla, Guide to Third-Party Data, supra note 6 (“[T]hird-party data is a mainstay of marketing strategy and will become increasingly essential in maintaining a com­petitive advantage.”). ... Close

Mobilewalla’s practices echo the broader practices of data brokers—private-sector companies that regularly trade in vast volumes of consum­ers’ location data, often sourced from mobile devices and spanning long periods, to buyers on the open market. 11 11 See infra section I.A. ... Close But in 2018, the Supreme Court decided in Carpenter v. United States that the government requires a search warrant to access seven days or more of certain location data that comes from mobile devices; the government could no longer rely on a mere court order that the Stored Communications Act (SCA) had previously statuto­rily permitted it to use. 12 12 138 S. Ct. 2206, 2212, 2217 (2018). Under section 2703(d) of the SCA, the govern­ment could require electronic communication services or remote computing services to dis­close customer records if the government offered “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d) (2018). ... Close

Carpenter, of course, does not impact data brokers’ practices because the Fourth Amendment does not regulate open market transactions. But it is less apparent whether, under Carpenter, the government can now buy location data from the open market like any private actor. This Note ad­dresses that question: whether the government can lawfully buy location data from the open market like any private-sector entity, notwithstanding Carpenter’s holding; in other words, whether the government—which now requires a warrant to acquire seven-plus days of location data from a wire­less carrier—can nonetheless “buy” its way around Fourth Amendment re­quirements by going straight to the open market. 13 13 See Gilad Edelman, Can the Government Buy Its Way Around the Fourth Amend­ment?, WIRED (Feb. 11, 2020), https://www.wired.com/story/can-government-buy-way-around-fourth-amendment/ [https://perma.cc/XX8L-FDPE]. ... Close

Whether or not it can, it appears the government already has made such purchases: In early 2020, news outlets reported that different govern­ment agencies had purchased location data from a commercial data bro­ker. 14 14 See, e.g., Byron Tau & Michelle Hackman, Federal Agencies Use Cellphone Loca­tion Data for Immigration Enforcement, Wall St. J. (Feb. 7, 2020), https://www.wsj.com/
articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600 (on file with the Columbia Law Review). ... Close Federal agencies—including Customs and Border Patrol (CBP), 15 15 DHS, Privacy Impact Assessment Update for the Border Surveillance Systems (BSS) 6–7 (2018), https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp022-bss-september2018.pdf [https://perma.cc/Z533-F4FF] (noting CBP “may use commercial location data acquired from a data provider to detect the presence of individuals in areas between Ports of Entry where such a presence is indicative of potential illicit or illegal activ­ity”). ... Close Immigration and Customs Enforcement (ICE), the Secret Service, 16 16 Tim Cushing, Secret Service Latest to Use Data Brokers to Dodge Warrant Require­ments for Cell Site Location Data, Techdirt (Aug. 24, 2020), https://www.techdirt.com/
articles/20200820/13395145155/secret-service-latest-to-use-data-brokers-to-dodge-warrant-requirements-cell-site-location-data.shtml [https://perma.cc/GAA4-PAA5] [hereinafter Cushing, Secret Service]. ... Close and the Criminal Investigation Unit of the Internal Revenue Service (IRS)—had reportedly purchased location data for law enforcement purposes. 17 17 Tau & Hackman, supra note 14; see also Byron Tau, IRS Used Cellphone Location Data to Try to Find Suspects, Wall St. J., https://www.wsj.com/articles/irs-used-cellphone-location-data-to-try-to-find-suspects-11592587815 (on file with the Columbia Law Review) (last updated June 19, 2020). ... Close

Courts have yet to address whether Carpenter restricts the govern­ment’s ability to purchase location data rather than obtain it by a legal in­strument. This Note argues that Carpenter restricts such practices when purchased data is functionally equivalent to the location data—cell-site lo­cation information (CSLI)—in which Carpenter found individuals have an expectation of privacy; in other words, Carpenter restricts the government from purchasing location data for which it would otherwise require a war­rant. 18 18 See Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018) (“[W]e hold that an individual maintains a legitimate expectation of privacy in the record of his physical move­ments as captured through CSLI.”). ... Close

Part I begins by explaining the current landscape of location data. Section I.A provides an overview of location data, explaining its technical components and who wants it, how they get it, and why they sell it. Section I.B lays the foundation of how the law currently treats location data.

Part II argues that while courts have yet to hear cases specifically re­garding the constitutionality of the government’s use of commercial loca­tion data, commercial location data has certain characteristics that Carpenter’s early progeny is already grappling with—and the way lower courts are approaching these characteristics informs how courts in turn will eventually approach the constitutionality of government purchasing commercial location data. Courts, however, are conflicted on these char­acteristics, and Part II demonstrates these tensions. Section II.A illustrates the tension around the courts’ treatment of non-CSLI location data; sec­tion II.B illustrates the tension around the courts’ treatment of aggre­gated, pseudonymized location data; and section II.C illustrates the tension around the courts’ treatment of involuntarily shared location data sourced from mobile applications and operating systems.

Finally, Part III proposes how Carpenter should apply to purchased lo­cation data. Section III.A argues that Carpenter’s principle indeed applies to restrict the government from purchasing seven-plus days of location data, proposing that the tension around how Carpenter’s early progeny treats proxy characteristics of commercial location data should be resolved to apply Carpenter to the government’s use of commercial location data for law enforcement efforts. Section III.B raises challenges to this resolution and then offers a statutory solution.