Cybercrime Investigations Post Carpenter v. United States: What’s Next?
Decided June 22, 2018, Carpenter is the US Supreme Court’s most recent application of the Fourth Amendment in the digital age. In Carpenter, the Court held that the government’s acquisition of cell-site location information (CSLI) was a Fourth Amendment search and therefore generally requires a warrant. CSLI is information maintained by cellular carriers relating to a specific cell phone’s interaction with cell sites. Each time a phone connects to a cell site, it generates a time-stamped record of that phone’s interaction with the tower. This data can in turn be used to estimate the location of a cell phone, with varying levels of precision, at specific points in time. CSLI is heavily relied upon in a significant number of criminal prosecutions in cases ranging from murder to drug trafficking to terrorism.
Very significantly, the Court in Carpenter declined to extend the third-party doctrine to CSLI. The third-party doctrine establishes that records voluntarily provided to a third party are not entitled to Fourth Amendment protections because there is no reasonable expectation of privacy in those records. The classic application of the third-party doctrine to bank records was established in United States v. Miller, 425 U.S. 435 (1976), a prosecution for tax evasion in which the Government obtained the defendant’s bank records by subpoena. In Miller, the Court declined to provide Fourth Amendment protection to documents that were “business records of the banks.” Id. at 440. In Smith v. Maryland, 442 U.S. 735 (1979), the Court extended the application of the third-party doctrine to information provided to telephone companies, holding that the Government’s use of a pen register — a device that records the outgoing phone numbers dialed on a landline telephone — was not a search.
In his opinion, Chief Justice Roberts cautions that the Carpenter decision “is a narrow one,” citing a litany of applications not contemplated or affected by the Court’s decision. However, one of my favorite law professors has said, “a flood of further cases will seek to widen the meaning of [Carpenter].”
So, where does that leave us? What types of cases will we see bringing challenges under Carpenter?
It seems most logical that we will start to see Internet-based challenges under Carpenter, for example to data collected by Internet Service Providers (ISPs), such as source and destination IP address information for data packets transmitted by ISPs, transmission port information, etc.
However, days after Carpenter was decided, the Court refused to grant certiorari in two cases raising potential Carpenter issues, United States v. Ulbricht (2d Cir.) and United States v. Caira (7th Cir.). In Caira, the Seventh Circuit held that the defendant voluntarily shared his IP address information with his ISP, that the third-party doctrine controls, and that the information could be obtained by Government subpoena and was not entitled to Fourth Amendment protection. In Ulbricht, the Court declined to grant cert. on the question of whether web traffic passing through a router should be afforded Fourth Amendment protection, leaving intact the Second Circuit’s decision applying Smith v. Maryland to internet traffic data gathered by the Government without a warrant.
There will undoubtedly be similar challenges to the application of the third-party doctrine under Carpenter, and it is only a matter of time before the Court grants cert. on the next case involving the application of the third-party doctrine in the digital age.
What about other areas? Data generated by Internet of Things (“IoT”) hardware and stored by third parties? Does the Government need a warrant to obtain that information? For example, when alarm sensors detect every time a door or window is opened or closed and that data is stored by an alarm company on its own servers, does that data fall into the Smith camp or the Carpenter camp?
What about cryptocurrency trading information maintained by exchanges? At first glance that data would seem to fall within Miller’s bank-records application of the third-party doctrine. However, there are a number of important differences between the way cryptocurrency exchanges operate and the way traditional banking operates.
The point is, there are hundreds of combinations and permutations of facts and investigative techniques in the modern world which may give rise to Carpenter issues. While the Court stated that Carpenter will be narrowly applied, it marks an important beginning in Fourth Amendment jurisprudence — limitations on the third-party doctrine in the digital age — giving us a new leg to stand on as defense counsel.