In May 2020, what began as a local protest against the murder of Minneapolis resident George Floyd turned into a global phenomenon.
The world watched as tens of thousands of people demanded racial justice: Rows of people walked together, anonymous individuals blending to form a single group unified in movement and message.
But to data broker Mobilewalla, the masses of anonymous individuals were not so anonymous. Mobilewalla saw a different picture: a sea of mobile phones emitting data, including location data that was ripe to ingest, aggregate, analyze, and sell.
Using location data harvested from protestors’ cell phones, Mobilewalla published a report analyzing the protesters’ demographics.
The analysis shared factors like race, ethnicity, gender, age, and protestors’ hometowns—all sourced from mobile devices.
Mobilewalla aggregates and sells insights based on consumer data by tapping into users’ smartphone activity and online web browsing behavior.
Billing itself as a “consumer intelligence” platform,
the company accesses, stores, and analyzes mobile data across a stunning 1.3 billion devices.
In part, this mobile data includes location data used to track where consumers have been, based on where their cell phones have been.
Mobilewalla then leverages this powerful information to sell location data and services to private-sector companies looking to improve their marketing.
Mobilewalla’s practices echo the broader practices of data brokers—private-sector companies that regularly trade in vast volumes of consumers’ location data, often sourced from mobile devices and spanning long periods, to buyers on the open market.
But in 2018, the Supreme Court decided in Carpenter v. United States that the government requires a search warrant to access seven days or more of certain location data that comes from mobile devices; the government could no longer rely on a mere court order that the Stored Communications Act (SCA) had previously statutorily permitted it to use.
Carpenter, of course, does not impact data brokers’ practices because the Fourth Amendment does not regulate open market transactions. But it is less apparent whether, under Carpenter, the government can now buy location data from the open market like any private actor. This Note addresses that question: whether the government can lawfully buy location data from the open market like any private-sector entity, notwithstanding Carpenter’s holding; in other words, whether the government—which now requires a warrant to acquire seven-plus days of location data from a wireless carrier—can nonetheless “buy” its way around Fourth Amendment requirements by going straight to the open market.
Whether or not it can, it appears the government already has made such purchases: In early 2020, news outlets reported that different government agencies had purchased location data from a commercial data broker.
Federal agencies—including Customs and Border Patrol (CBP),
Immigration and Customs Enforcement (ICE), the Secret Service,
and the Criminal Investigation Unit of the Internal Revenue Service (IRS)—had reportedly purchased location data for law enforcement purposes.
Courts have yet to address whether Carpenter restricts the government’s ability to purchase location data rather than obtain it by a legal instrument. This Note argues that Carpenter restricts such practices when purchased data is functionally equivalent to the location data—cell-site location information (CSLI)—in which Carpenter found individuals have an expectation of privacy; in other words, Carpenter restricts the government from purchasing location data for which it would otherwise require a warrant.
Part I begins by explaining the current landscape of location data. Section I.A provides an overview of location data, explaining its technical components and who wants it, how they get it, and why they sell it. Section I.B lays the foundation of how the law currently treats location data.
Part II argues that while courts have yet to hear cases specifically regarding the constitutionality of the government’s use of commercial location data, commercial location data has certain characteristics that Carpenter’s early progeny is already grappling with—and the way lower courts are approaching these characteristics informs how courts in turn will eventually approach the constitutionality of government purchasing commercial location data. Courts, however, are conflicted on these characteristics, and Part II demonstrates these tensions. Section II.A illustrates the tension around the courts’ treatment of non-CSLI location data; section II.B illustrates the tension around the courts’ treatment of aggregated, pseudonymized location data; and section II.C illustrates the tension around the courts’ treatment of involuntarily shared location data sourced from mobile applications and operating systems.
Finally, Part III proposes how Carpenter should apply to purchased location data. Section III.A argues that Carpenter’s principle indeed applies to restrict the government from purchasing seven-plus days of location data, proposing that the tension around how Carpenter’s early progeny treats proxy characteristics of commercial location data should be resolved to apply Carpenter to the government’s use of commercial location data for law enforcement efforts. Section III.B raises challenges to this resolution and then offers a statutory solution.