Your bank records. Your medical records. Your bills. Your phone records. Your college grades. What do all these things have in common? None of them are YOURS.
The United States Court of Appeals in Atlanta reinforced this concept when it allowed the government to get access to what is called “historical cell site data” without a subpoena, without a warrant, without probable cause, and even without reasonable suspicion to believe that you – or anyone you know – has committed a crime.
In doing so, the Court reversed a previous decision of a panel of the same Court, which had ruled that these records were, in fact, entitled to legal protection under the Fourth Amendment.
One of the reasons that the Court permitted government access to these records was because the records don’t belong to the customer. The records are simple business records of the telephone company. Just like your medical records of the diagnosis and treatment are the provider’s records of what they have done. Or the bank’s records are their records of how much you have deposited into their bank, and how you have spent them. It’s called “third party data.”
Problem is, at the end of the day, almost all data can be seen as “third party” data. And that ain’t good for privacy. Or security.
The decision focused on the provisions of the Stored Communications Act, 18 USC 2703 which provides that records of phone companies are mostly secret (it’s called CPNI – Consumer Proprietary Network Information) except that the government may, by statute get certain “non content” information with a court order. The statute provides that:
“A court order for disclosure  may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation…”
The Court held that the records of where you are when you make a phone call (or even have the phone) are not YOUR records, but are records that the phone company itself creates, relying on a previous decision of a Court of Appeals in Texas. The Atlanta court noted:
“The telephone company, not the government, collected the cell tower location information in the first instance and for a variety of legitimate business purposes. Id. at 611-12. The Fifth Circuit emphasized:
The Government does not require service providers to record this information or store it. The providers control what they record and how long these records are retained . . .. In the case of such historical cell site information, the Government merely comes in after the fact and asks a provider to turn over records the provider has already created.”
The Fifth Circuit reasoned these are the telephone company’s “own records of transactions to which it is a party.” The telephone company created the record to memorialize its business transactions with the customer.
And that’s part of the problem. A whole bunch of entities collect data about you for their own purposes. They capture your image on cameras. They image your license plate numbers and keep that data. In fact, most of the data about you – your purchases, desires, wishes, searches, etc. is collected for the purpose of fulfilling your desire.
Google (and Bing) collects your data to deliver the right website. They keep that data to sell you stuff. But that’s a simplistic approach, which would lead to personal “ownership” of virtually nothing except handwritten notes. The Courts make the distinction between “content” information and non-content information. But in a modern, information driven society, non-content information can be mined to get a total profile of the individual. If we follow a person into an AIDS clinic (on a repeated basis) it’s reasonable to assume a medical diagnosis.
By focusing on who owns data, it misses the point of actual privacy. I don’t care that St. John’s hospital OWNS my medical records – I care that they protect and don’t disclose it.
The Eleventh Circuit also relied on the fact that, hey – people have no expectation of privacy in their cell tower records or location. Again relying on the previous case, the court noted that: “(1) the cell user has knowledge that his cell phone must send a signal to a nearby cell tower in order to wirelessly connect his call; (2) the signal only happens when a user makes or receives a call; (3) the cell user has knowledge that when he places or receives calls, he is transmitting signals through his cell phone to the nearest cell tower and thus to his service provider; (4) the cell user thus is aware that he is conveying cell tower location information to the service provider and voluntarily does so when he uses his cell phone for calls.”
No they don’t. Well, at least most people don’t know that. Most people know that they are making a phone call. That’s it. They don’t think that they are transmitting their physical location to the phone company. They don’t know that they aren’t. They don’t think about it at all. Most people, I suspect think that when they are using their car’s GPS, they are revealing their location to someone. In most cases, that’s not true. This puts the onus on consumers to know what data is being collected by whom and for what purposes. And they just don’t know.
Think about this. Microsoft recently released an app that would guess your age. Take a pic and an icon shows up telling you what age the Redmond giant thinks you are. So people who use the app MIGHT know that the picture is sent to Microsoft. They may not. They may think that the app scans the picture locally on the device.
But what people don’t know is that they license the picture to Microsoft. So by asking the app to guess your age, you give Microsoft the right to use your picture any way THEY want, or any way any of their partners want. So you can find your picture being used in an ad for constipation remedies, or a diarrhea medicine. Who knows?
Also, you have given permission for Microsoft to, at their discretion, give your picture to the Iranian secret police, or the US Secret Service. But people don’t actually KNOW they have given that consent. They might know if they think about it. But now we have to think about it. Or lose privacy.
So you have no privacy rights in your cell location data, which isn’t your data anyway. At the end of the day, consumers seem to have two choices. Use their cell phones and give up any right to privacy in their location, or protect their privacy and give up the convenience of having a phone. The Court did say that if people wanted the kind of protection offered by the Fourth Amendment (that is, a recognition that they have some privacy rights) their recourse is to go to Congress, not the Courts. And we all know how efficient Congress is.