This article was written by Center Scholar Jordan A. Brunner. Jordan is a 3L at the Sandra Day O’Connor College of Law and Senior Executive Editor of Jurimetrics: The Journal of Law, Science, and Technology.
In approximately a month, the U.S. Supreme Court will hold oral argument in Carpenter v. United States. The case, which involves whether law enforcement went too far in collecting cell-site location information (CSLI) over the course of 127 days, has potentially explosive consequences for the “third-party” doctrine in Fourth Amendment jurisprudence. I have written with a colleague at Lawfare about Carpenter within the context of potential implications for NSA surveillance under Section 215. Yet the impact of Carpenter on the Internet of Things (IoT), and its use by law enforcement, has thus far largely eluded the review of experts. I attempt to provide such a review below.
To briefly recap for those who have not been following the case, Timothy Carpenter and three other suspects was arrested and convicted of robbing a series of Radio Shack and T-Mobile stores in Detroit, Michigan. Crucial evidence during the trial came from cell phone data indicating that Carpenter and his co-conspirators were in the near vicinity of the victimized stores each time a robbery occurred. These records were obtained under the Stored Communications Act, which provides for an evidentiary standard below the probable cause necessary for an ordinary warrant. Using the third-party doctrine articulated in Smith v. Maryland―if a defendant communicates information, like telephone numbers dialed, to an third-party, they have no reasonable expectation of privacy in that information―the Sixth Circuit declined to suppress the CSLI evidence on appeal, despite the long-term nature of the surveillance.
The Supreme Court, in deigning to review the case, has sparked discussions over how its decisions could impact surveillance policy for decades to come. Much of the controversy centers around whether the third-party doctrine has run off the rails in the face of a society where people give away sensitive personal data to third-party corporations as a matter of course, from signing up for Facebook to purchasing items on Amazon. Justice Sotomayor raised these concerns in her concurrence in United States v. Jones, which echoed Justice Thurgood Marshall’s dissent in Smith.
Yet this issue is exacerbated by the increasing ubiquity of devices connected to the Internet known as the IoT. There is no uniform definition of the IoT (and indeed, the term itself may be useless according to some). The plain English version goes something like this:
Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of.
The IoT, represented by smart homes and hackable jeeps, is already commonplace, but it is only in its beginning stages. Currently, there are more connected devices than the world population (8.4 billion connected devices vs. 7.6 billion people). Conservative projections put the number of connected devices at 20 billion by 2020, while more generous estimates put it at 50 billion or more (over six times the world population). Such an environment would so blur the distinction between online and offline activity that such a difference may cease to exist.
The security of the IoT has been a topic of intense discussion in many fora, including this particularly concerning post about its vulnerability by Paul Rosenzweig. Senator Warner and others have even proposed the “Internet of Things Cybersecurity Improvements Act” to address some of these vulnerabilities in government-purchased devices (see here and here). But with the third-party doctrine potentially in peril, there is more at stake than just the security of the myriad devices connected to the Internet.
One of the most valuable commodities for law enforcement is evidence. The greater quantity and quality of the evidence, the more airtight the case against a suspect. As has been seen with cases like “the Tell-Tale Heart” and Carpenter, the IoT provides a potentially foolproof means to create a mountainous volume of evidence, which can be used to both (1) prevent a terrorist attack or crime before it happens―through the use of warrants or other mechanisms to arrest the development of a plot; and (2) prosecute those who have committed crimes or perpetrated attacks.
But perhaps more importantly, the use of the IoT has ramifications for the “going dark” debate that played out very publicly in 2016 between the FBI and Apple. To quote a report published by Harvard University’s Berkman Center for Internet & Society entitled Don’t Panic. Making Progress on the “Going Dark” Debate, the “plethora of devices” that make up the IoT, “are prime mechanisms for surveillance: alternative vectors for information-gathering that could more than fill many of the gaps left behind by sources that have gone dark―so much so that they raise troubling questions about how exposed to eavesdropping the general public is poised to become.” These sensors and devices “will open up numerous avenues for government actors to demand access to real-time and recorded communications.”
Not that the intelligence community and law enforcement haven’t already thought of this. Former CIA Director David Petraeus said during his tenure that the IoT was “transformational” in terms of “clandestine tradecraft”; former DNI James Clapper listed a variety of uses valuable to the intelligence community, and the NSA has made clear it sees the IoT as both “a security nightmare [and] a signals intelligence bonanza.” Such surveillance in the domestic sphere relies at least in part on the expansive reading of the third-party doctrine provided by the Supreme Court.
So then, as others have pointed out, “the stakes are high,” when it comes to the decision in Carpenter, one way or the other. We await the Supreme Court’s judgement with great anticipation. The Court would be wise to heed the words of one of their own, Justice Kennedy, in City of Ontario v. Quon:
[The] judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear. . . . Prudence counsels caution before . . . establish[ing] far-reaching premises that define the existence, and extent, or privacy expectations. . . .