Last month marks two years since the Supreme Court held, in Carpenter v. United States, that the Fourth Amendment applies to cell phone company records that detail a cell phone user’s location and movements.  Under Carpenter, police are generally required to use a warrant to obtain seven days or more of a user’s cell-site location information from phone companies.

As we previously reported, Carpenter redefined how the Fourth Amendment applies to information held by technology companies in the digital age.  Prior to Carpenter, the Court applied the third-party doctrine, under which a person who voluntarily revealed information to third parties—such as telephone companies, banks, or technology companies—lacks a reasonable expectation of privacy in that information and therefore forfeits Fourth Amendment protections.  In Carpenter, the Court declined to apply the third-party doctrine to cell-site location information, even though the cell phone user revealed their location information to their phone company.  Despite the significance of this ruling, the Court said that its decision in Carpenter was a “narrow one” that did not “address other business records that might incidentally reveal location information” or “consider other collection techniques involving foreign affairs or national security.”

Following Carpenter, many legal scholars and journalists predicted that the decision would result in significant litigation about whether the Fourth Amendment applied to new forms of non-content data held by third parties.  In a dissent, Justice Alito wrote that the majority opinion in Carpenter “guarantees a blizzard of litigation,” and since then many defendants have relied on Carpenter to argue that police must use a warrant to obtain a variety of types of non-content data from third-parties.

In the two years following the Court’s decision, however, Carpenter has had minimal impact on law enforcement’s ability to obtain non-content information from third parties without a warrant.  For the most part, lower courts have largely heeded the Court’s admonition that its decision was a narrow one, and declined to extend Fourth Amendment protection to a variety of non-content data types, including subscriber records, utility records, financial records, billing records, IP addresses, prescription drug information, cryptocurrency transactions, lists of devices accessing a wireless network, and “cell-tower dumps” in which cell phone service providers list every phone number connected to a particular cell tower during a specified time period.  Earlier this month, moreover, the First Circuit held that Carpenter does not extend to eight months of video surveillance conducted from a pole camera.  The court reasoned in part that unlike the collection of cell-site location information, pole camera surveillance is a “conventional surveillance technique.”

As the First Circuit’s recent decision highlights, lower courts have generally extended Carpenter only to data types that are closely analogous to the historical cell-site location information at issue in Carpenter, including data obtained with cell-site simulators, real-time (as opposed to historical) cell-site location information, historical cell-site location information spanning fewer than seven days, and GPS location data tied to a vehicle and acquired from a third party.  In only a few key circumstances have lower courts relied on Carpenter to expand Fourth Amendment protections:

Continuous pole camera surveillance:  In November 2019, for example, an appellate court in Colorado held that Carpenter merited extending Fourth Amendment protection to continuous pole camera surveillance of the curtilage of a defendant’s home.

Extensive computer monitoring:  In August 2019, the Fourth Circuit held that extensive computer monitoring is sufficiently analogous to the privacy intrusion in Carpenter to merit Fourth Amendment protection.  Relying on Carpenter, the Fourth Circuit held that the continuous monitoring of a defendant’s computer activity as a condition of supervised release “involves a significant liberty intrusion” by “captur[ing] all computer activity regardless of any recidivism risk.”

Lifetime or extensive monitoring of prior offenders:  Also in August 2019, the North Carolina Supreme Court relied on Carpenter to invalidate mandatory lifetime GPS monitoring of sex offenders without an individualized assessment of the reasonableness of the search.  Like cell-site location information, the court held, “GPS monitoring permits a detailed chronicle of a person’s physical presence compiled every day, every moment . . . [and] reveals more than we expect anyone to know.”  This February, a North Carolina appellate court relied on the North Carolina Supreme Court’s decision to strike down a court order imposing thirty years of ankle monitoring on a sex offender as an unreasonable search.

Medical records containing information about alcohol or drug use:  Last month, an Ohio appellate court held that the Fourth Amendment protects medical records containing information about alcohol or drug use following an accident suspected to be caused by driving under the influence.  Relying on Carpenter, the court acknowledged conflicting decisions within the state on this issue.

In recent months, some lower courts have also suggested that they may be willing to extend Fourth Amendment protection to other sensitive data types in the future as data collection through technology becomes even more pervasive.  Last month, the U.S. District Court for the Northern District of Indiana declined to extend Carpenter to Facebook subscriber information, such as registration information and records of session times and duration.  But the court noted: “[t]he evolution of technology may one day change the analysis on this issue . . . . We may one day wake up and find that Facebook or some other social network has become as indispensable as the cell phone and determine, as a society, that the information collected is deserving of constitutional protection.”  This April, the Supreme Judicial Court of Massachusetts held that Carpenter does not extend to data obtained from Advanced License Plate Readers (“ALPR”) placed at four fixed locations on public roads.  In reaching its decision, however, the Massachusetts high court indicated that extensive use of ALPRs could constitute a search.  “If deployed widely enough,” the court reasoned, “ALPRs could tell police someone’s precise, real-time location virtually any time the person decided to drive, thus making ALPRs the vehicular equivalent of a cellular telephone ‘ping.’”

In sum, Carpenter’s reach thus far has been largely limited.  But lower courts have shown some willingness to extend Fourth Amendment protection to sensitive non-content data stored by third parties that reveals extensive, detailed, and intimate private information.  We will continue to monitor how lower courts apply Carpenter to new data types and in new contexts as the case law further develops.