Focusing public attention on emerging privacy and civil liberties issues

Locational Privacy

Latest News

  • EPIC Urges Court to Uphold Location Privacy in Cell Phone Tracking Case: EPIC filed a "Friend of the Court" brief in the Fifth Circuit urging the court to uphold Fourth Amendment protections for cell phone users. In the case, In re US for Historical Cell-Site Data, the lower court held that the disclosure of historical cell phone location records without a warrant would violate the Fourth Amendment. EPIC argued that this opinion should be upheld in light of the Supreme Court's recent decision in United States v. Jones, because cell phone location records are collected without the knowledge or consent of users. The records in this case, EPIC argued, create a "comprehensive map of an individual’s movements, activities, and relationships, . . . precisely the type of information that individuals reasonably and justifiably believe will remain private." For more information, see In re Historical Cell-Site Location Information, EPIC: State v. Earls, and EPIC: US v. Jones. (Mar. 19, 2012)
  • EPIC Urges Court to Uphold Location Privacy in Cell Phone Tracking Case: EPIC filed a "friend of the court" brief in the New Jersey Supreme Court urging the court to uphold Fourth Amendment protections for cell phone users. In State of New Jersey v. Thomas W. Earls, the lower court held that an individual has no legitimate expectation of privacy in the location of their cell phone. EPIC argued that the lower court opinion should be overturned in light of the Supreme Court's recent decision in United States v. Jones. The cell phone tracking techniques in this case, EPIC argued, "is more invasive than the GPS tracking in Jones." For more information, see EPIC: State v. Earls, and EPIC: US v. Jones. (Feb. 29, 2012)
  • Supreme Court Upholds Fourth Amendment in GPS Tracking Case: Today the Supreme Court unanimously held in U.S. v. Jones that the warrantless use of a GPS tracking device by the police violated the Fourth Amendment. The Court said that a warrant is required "[w]here, as here, the government obtains information by physically intruding on a constitutionally protected area," like a car. Concurring opinions by Justices Sotomayor and Alito urged the court to focus on the reasonableness of the suspect's expectation of privacy because physical intrusion is unnecessary to surveillance in the digital age. EPIC, joined by 30 legal and technical experts,filed a "friend of the court" brief. EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy. (Jan. 23, 2012)
  • Senator Franken Asks Carrier IQ to Explain Data Collection Activities: Senator Al Franken (D-Minn) has sent a letter to Carrier IQ about reports that it has been collecting sensitive consumer information from millions of smartphone users. The data includes text message content, websites visited, user locations, and detailed call records. This may be an "unlawful intercept" under the Electronic Communications Privacy Act of 1986 (ECPA). EPIC recently asked the FTC to investigate similar practices involving Verizon, For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (Dec. 1, 2011)
  • Supreme Court to Hear Arguments in GPS Tracking Case: The United States Supreme Court will hear arguments on November 8 to determine whether the warrantless use of a GPS tracking device by the police violates the Fourth Amendment. EPIC filed a "friend of the court" brief in US v. Jones, urging the Supreme Court to uphold robust Fourth Amendment protections. Along with 30 legal and technical experts, EPIC argued that 24-hour GPS surveillance by law enforcement constitutes a "search" under the Fourth Amendment and requires judicial oversight. Arguing in support of a lower court decision, EPIC warned that, "it is critical that police access to GPS tracking be subject to a warrant requirement." The Supreme Court will consider both whether persistent GPS tracking constitutes a "search" and also whether the installation of a GPS tracking device on a private vehicle is a "seizure." For more information, see EPIC: US v. Jones, and EPIC: Location Privacy. (Nov. 4, 2011)
  • EPIC Urges Supreme Court to Uphold Fourth Amendment in GPS Case: EPIC filed a "friend of the court" brief in the United States Supreme Court urging the Court to limit the scope of pervasive GPS surveillance by upholding robust Fourth Amendment protections. Along with 30 legal and technical experts, EPIC argued that 24-hour GPS surveillance by law enforcement constitutes a "search" under the Fourth Amendment. US v. Jones involves the government's use, without a judicial warrant, of a GPS device to track a person "24/7." The lower court held that "the use of the GPS device violated [Jones'] 'reasonable expectation of privacy,' and was therefore a search subject to the reasonableness requirement of the Fourth Amendment." Arguing in support of the earlier decision, EPIC said "it is critical that police access to GPS tracking be subject to a warrant requirement." For more information, see EPIC: US v. Jones, and EPIC: Locational Privacy. (Oct. 3, 2011)
  • Sen. Schumer Calls for Investigation into “brazen” OnStar Privacy Violation: Senator Charles Schumer (D-NY) wrote a letter to the Federal Trade Commission requesting an investigation into OnStar's announcement that it would track the location of its customers' vehicles even after the customers canceled their service. OnStar also reserved the right to sell such locational information to advertisers. In an interview with FOX News last week, EPIC Executive Director Marc Rotenberg warned that the company would make data of former customers available to third parties. For more information, see EPIC: Locational Privacy. (Sep. 26, 2011)
  • Federal Judge: Locational Data Protected Under Fourth Amendment: A Federal judge has ruled that to law enforcement officers must have a warrant to access cell phone locational data. Courts are divided regarding whether or not this type of data should be protected by a warrant requirement. Judge Garaufis of the Eastern District of New York, found that "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected…In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cell-phone user's reasonable expectation of privacy in cumulative cell-site-location records." EPIC has filed amicus briefs in several related cases. For more information see: EPIC: Commonwealth v. Connolly, EPIC: US v. Jones, and EPIC: Locational Privacy. (Aug. 25, 2011)
  • Judge Rules Google Street View Data Collection May Violate Wiretap Act: In a lawsuit filed by several private citizens, a federal judge has found that Google's purposeful and secretive collection of Wi-Fi data as part of its "Street View" activities could constitute illegal wiretapping. EPIC filed an amicus brief in the case, providing a detailed legislative history of the Electronic Communications Privacy Act (ECPA) and arguing that private Wi-Fi communications are entitled to privacy protection under ECPA. EPIC said that Congress established "a presumption in favor of confidentiality except in those circumstances where the user has knowingly chosen to broadcast communications to the general public." For three years in thirty countries, Google's Street View cars collected data, including the content of personal emails, from wireless routers located in private homes and businesses. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. In the U.S., the Federal Communications Commission opened an investigation after EPIC filed a complaint, but the Commission has failed to announce a ruling. For more information, see EPIC: Google Street View. (Jul. 1, 2011)
  • Lawmakers Urge Federal Communications Commission to Speed Up Google Street View Investigation: The House of Representatives Financial Services Appropriations bill contains an amendment requiring the Federal Communications Commission to report on its Google Street View Wi-Fi investigation within 180 days. The bill was voted out of committee and is headed for a full House vote. The Commission opened an investigation into Google Street View after EPIC filed a complaint, asking the Commission to investigate possible violations of federal wiretap law and the Communications Act. Several countries, including the U.K., Germany, Spain, and Canada, have conducted similar investigations and determined that Google violated their privacy laws. For more information, see EPIC: Google Street View. (Jul. 1, 2011)
  • Virginia Court of Appeals Authorizes Warrantless GPS Tracking: In Foltz v. Virginia, the Virginia Court of Appeals held that law enforcement may place a GPS tracking device on a vehicle without violating the Fourth Amendment. The Court found that the defendant did not have an expectation of privacy, and therefore attaching the tracking device to the bumper did not require a warrant. The court distinguished its ruling from Commonwealth v. Connolly, a recent Massachusetts case, which held that police must obtain a warrant before using GPS devices to monitor vehicles. The Virginia court explained that Connolly was unpersuasive because the Virginia Constitution is co-extensive with the federal Fourth Amendment while the Massachusetts Constitution is more expansive. EPIC filed an amicus brief in Connolly, urging the court to adopt a warrant requirement. For more information, see EPIC: Commonwealth v Connolly.
  • Federal Appeals Court Requires Warrant for GPS Tracking: The D.C. Circuit Court ruled that police must obtain a warrant before using GPS devices to monitor vehicles. GPS tracking constitutes a seizure under the U.S. Constitution because "prolonged GPS monitoring reveals an intimate picture of the subject‘s life that he expects no one to have," the Court held. In a related case, the Massachusetts Supreme Court recently held that a warrant is required for the use of a GPS tracking device. EPIC filed an amicus brief in that case. For more information, see EPIC Commonwealth v. Connolly.
  • Facebook Uses RFID to Track Users' Locations for Advertising Promotion: At the Coca-Cola Village Amusement Park in Israel, visitors were recently issued bracelets with RFID chips that linked to their Facebook accounts, according to Adland. RFID readers scattered throughout the park updated the users' Facebook pages when the bracelets were scanned. On-site photographers also posted photos that were automatically tagged with the users' identities. Facebook had previously tested the use of RFID for location tracking at the f8 Developer Conference in April. Facebook has also just launched Places, which is designed to make users' location information widely available. For more information, see EPIC Facebook Privacy, EPIC Facebook Places.
  • Facebook "Places" Embeds Privacy Risks, Complicated and Ephemeral Opt-Out Unfair to Users: The recently announced Facebook service Places makes user location data routinely available to others, including Facebook business partners, regardless of whether users wish to disclose their location. There is no single opt-out to avoid location tracking; users must change several different privacy settings to restore their privacy status quo. For users who do not want location information revealed to others, EPIC recommends that Facebook users: (1) disable "Friends can check me in to Places," (2) customize "Places I Check In," (3) disable "People Here Now," and (4) uncheck "Places I've Visited." EPIC, joined by many consumer and privacy organizations, has two complaints pending at the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices, which are frequently associated with new product announcements. For more information, see EPIC In Re Facebook, EPIC In Re Facebook II, and EPIC Facebook Privacy.

Issues

When individuals are moving about in public space, they expect that their movements will be largely anonymous. However, this locational privacy is being challenged in ways that affect individual consumer and constitutional protections.

Fourth Amendment

Law enforcement has stepped up its use of location tracking technologies, such as GPS (Global Positioning System), to monitor the movements of people who may or may not be suspected of a crime. GPS is a space-based radio positioning system that consists of a minimum of 24 satellites configured to provide navigation and timing information worldwide on a constant 24 hour per day basis. As of November 2, 2010, there are 32 satellites in the GPS constellation. The satellites and ground stations comprising the GPS network are run by the U.S. Air Force Global Positioning Systems Wing. GPS satellites are designed to transmit three-dimensional location data (longitude, latitude and altitude) as well as precise velocity and timing information to an unlimited number of users simultaneously. A GPS receiver is all that one needs to access the service.

A GPS receiver is the device that is commonly available through commercial retailers, and used by the general public to assist in navigation. The civilian GPS receivers deliver precise velocity and timing information, and very accurate location information. This device by itself does not transmit the data received from the satellite network to remote locations, nor is it typically capable of storing data regarding its long-term historical movements.

Courts are split on the question of whether using GPS as a primary investigative tool requires the grant of a warrant. The text of the Fourth Amendment provides that the “right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.” The Constitution requires a warrant when the police want to conduct a search. In order to get the warrant, the police must prove probable cause.

The split rests on the issue of whether that GPS tracking constitutes a search. The constitutional questions asked in search and seizure cases are 1) whether the government has violated an area in which an individual has exhibited an actual expectation of privacy and (2) whether that actual expectation of privacy is one that society is prepared to recognize as reasonable. Thus, courts have to decide whether the GPS tracking intrudes about an area where there is an expectation of privacy and whether that expectation of privacy is reasonable.

The two main cases laying the groundwork for the contemporary Constitutional issue of using location-based tracking devices to conduct surveillance are United States v. Knotts, 460 U.S. 276 (1980) and United States v. Karo, 468 U.S. 705 (1984). These cases examine whether the diminished expectation of privacy in an automobile is expanded when the police use technology to track a suspect and whether the technology is a mere augmentation of the officer's own sense of observation or a more intrusive form of surveillance.

In Knotts, the Court determined that the use by the police of a beeper to track a person did not constitute a search. The police attached a beeper to a container that the suspect then placed in his car. The police used the signal from the beeper to track the container to the suspect’s cabin. Once there, the police set up visual surveillance of the cabin. The Court held that the beeper allowed the police merely to track a suspect on public highways and streets. Consequently, the Court explained, there is a diminished expectation of privacy in an automobile. “The fact that the officers in this case relied not only on visual surveillance, but also on the use of the beeper to signal the presence of [Darryl] Petschen’s automobile to the police receiver does not alter the situation. Nothing in the Fourth Amendment prohibited the police from augmenting the sensory faculties…with such enhancement as science and technology afforded them in this case.”

A year after Knotts, the Court heard United States v. Karo. Karo shifts the discussion to whether the police may use beepers to monitor suspects in private residences without a warrant. In this case, the DEA installed and monitored a beeper into a can of ether in the possession of the suspects. The DEA relied on the signal from the beeper (as the can was moved from two private residences and a storage facility) to track the suspects. The Court held that this was an impermissible search. “Indiscriminate [electronic] monitoring of property that has been withdrawn from public view would present far too serious a threat to privacy interests in the home to escape entirely some sort of Fourth Amendment oversight.”

Recent cases in the federal circuit and at the state level, such as United States v. Garcia, and Foltz v. Virginia, follow the reasoning in Knotts. The Virginia court found that the GPS tracking device relayed no private information to the police and served as a technological supplement to the police officers’ own sensory capabilities. The device allowed police to track Foltz in real time. The court concluded that it was not a search subject to Fourth Amendment expectations of privacy issues.

Other recent cases at the federal and state level challenge the presumption in Knotts that the GPS provides only sensory augmentation. These cases, notably United States v. Maynard and Commonwealth v. Connolly, are very privacy protective. The courts held that GPS tracking does require a warrant because the tracking capabilities of GPS technology results in extensive and intrusive surveillance.

Consumer Privacy

Individuals are using location-based services that provide incentives for sharing where a person is at any given point in time. These location-based services are generally run on software applications found on GPS-enabled devices such as smartphones. The application requests the latitude and longitude of the user’s phone or other GPS enabled device or from cell tower and WiFi information.

The Pew Internet and American Life Project found that 35% of U.S. adults use phones able to run apps. Location-based apps are focused on social-networking, consumer, and gaming activities. The Pew project also estimates that at least 1% of Internet users and 6% of all male Internet users are regularly taking advantage of location-based apps.

Foursquare, with approximately 3 million users, is a service that “lets users ‘check in’ to a place when they’re there, tell friends where they are and track the history of where they’ve been and who they’ve been there with.” Businesses are taking advantage of the service by offering discounts and coupons to individuals who “check in” to their location. Foursquare also has an API that allows developers to build on its platform.

An application programming interface (API) enables software programs to interface or interact with other software. Social networking sites, like Facebook and Twitter, provide a platform for APIs and are increasingly opening up their APIs to developers. Facebook Places now allows developers to store their own check-in data in Facebook Places database and to search that database. Developers can access the database for free and are no longer limited by having to build their own database. Facebook has more than 200 mobile users, making its Places database larger than that of any other service currently available.

Search engines are opening up their API to developers. Google is turning its attention to the location-based services with its Places service by focusing on check-in applications because these applications are ones that "the API currently caters to well."

Even with its own strong privacy policy, a company may nonetheless share your information with a company that does not have as robust a privacy policy. For example, Foursquare revamped its privacy policy after a website called PleaseRobMe aggregated information from Foursquare and other location based services such as Gowalla, and published a list “of all those empty homes out there” waiting to be robbed because owners had revealed no-one was home. If that is the case, then a user will be wrong in thinking that by checking into a location that information is being kept private and ultimately not being used in ways that the user did not agree to. A report from the International Computer Science Institute examined the "cybercasing" threat exemplified by the Foursquare example and the increasing adoption of location-enabled photo and video capturing devices. The researchers urged the security and privacy community "to ensure that users (i) are put into a position where they can make informed decisions; and (ii) are sufficiently protected unless they explicitly opt-in to potentially risky exposure."

A study by AT&T research found that 19 out of 20 social networking sites shared information with third parties in a way that would allow third parties to associate online activities with actual identities. The researchers tracked privacy leakage (including presence and location data as well as the unique device identifiers on mobile devices) to determine whether existing privacy protection measures are still adequate. The report states that even if a company provides a range of privacy settings, "the multi-dimensional nature of the issue makes the problem of protecting information significantly harder." The researchers found leakage of personally identifiable information (PII) from all twenty social networking sites. They conclude that "[t]he combination of location information, unique identifiers of devices, and traditional leakage of other PII all conspire against protection of a user's privacy."

Case Law

Federal Cases

State Cases

Legislation

Resources

News Items