In today's digital world, an individual's reasonable expectation of privacy is constantly under the microscope. So much of our lives are conducted through our phones, tablets, and computers and we rely on these devices for our professional, personal, and financial needs. Society has become so normalized to this digital culture that individuals rarely think about who has access to their content. In today's digital age, many people do not realize how much of that content is stored by third-parties (cell-phone carriers, Apple, Google, etc.).
The storage of data by third-parties is significant because the U.S. Supreme Court has historically held that information or content that an individual voluntarily hands over to a third-party is not protected by the Fourth Amendment. Smith v. Maryland, 442 U.S. 735 (1979). This year, the Court in Carpenter v. United States, 138 S. Ct. 2206 (2018), updated the so-called "third-party doctrine" to reflect the digital age. Carpenter held that because of how personal some information can be, third-party stored data can still be protected by the Fourth Amendment. The question is, what other types of third-party held information is protected by the Fourth Amendment? For instance, would Carpenter protect genealogical information that an individual voluntarily shared with an information business such as ancestry or genetic tracing websites?
A collision of the privacy of an individual's location and the third-party doctrine occurred recently in the Carpenter case. The Court was presented with the issue of whether an individual has a reasonable expectation of privacy in certain data that they turn over to a third-party or data collector. In a 5-4 ruling, the Court decided in Carpenter, that the government's acquisition of cell-site location information ("CSLI") was a search under the Fourth Amendment and that an individual had a reasonable expectation of privacy even though these records were held by a third-party. Timothy Carpenter was a target in a federal investigation into a series of robberies at a number of electronic and mobile telephone stores in Detroit. In order to determine whether Carpenter was involved in the robberies, law enforcement applied for and received several court orders for Carpenter's CSLI from his wireless carrier, obtaining 12,898 location points in total, tracking Carpenter over 127 days, with four hits indicating Carpenter was near the robbery sites. This information showed Carpenter's location during call origination and termination for incoming and outgoing calls during the four-month period corresponding to the string of robberies. The government used this data to charge Carpenter with six counts of robbery and an additional six counts of carrying a firearm during a federal crime of violence. Id.
Prior to trial, Carpenter moved to suppress the CSLI provided by the wireless carriers, claiming that the government's seizure of these records violated his Fourth Amendment rights. The district court denied the motion and the Sixth Circuit affirmed. The U.S. Supreme Court agreed with Carpenter that he had a reasonable expectation of privacy in the CSLI data even though the data was held by a third-party. The Court followed two distinct lines of reasoning in order to come to its decision.
First, the Court addressed an individual's expectation of privacy in his or her physical location and movements. The Court carefully distinguished between a rudimentary tracking of an individual and more invasive modes of surveillance, explaining that limited, visual surveillance does not constitute a search because a person traveling in public has no reasonable expectation of privacy in his movements from one place to another. Carpenter, 138 S. Ct. at 2215, citing United States v. Knotts, 460 U.S. 276, 281 (1983). However, the Court acknowledged a difference between this type of limited tracking and more sweeping modes of surveillance. Because GPS monitoring of a vehicle, for example, tracks every movement a person makes, the Court held that this kind of long-term monitoring in investigations impinges on an individual's expectation of privacy.
Secondly, the Court noted that a discussion of the third-party doctrine was crucial in this case, explaining that historically, courts have not recognized a reasonable expectation of privacy for information that an individual turns over to third-parties. Id., citing Smith v. Maryland, 442 U.S. 735, 743-744(1979); United States v. Miller, 425 U.S. 435 443 (1976) (the court held that there is no reasonable expectation of privacy in an individual's bank records). As a result, the government is typically free to obtain such information from the recipient without triggering Fourth Amendment protections. The Carpenter Court used the example of a pen register used by a phone company to tell law enforcement what numbers an individual dialed, and noted that because of the register's "limited capabilities," it was unlikely that people had an actual expectation of privacy to the numbers they dial. Carpenter, at 2216, citing Smith, 442 U.S. at 743.
Carpenter revealed the inevitable tension between an individual's right to privacy, the fact that we share significant amounts of data with third-parties, and the third-party doctrine. CSLI data closely resembles the qualities of GPS monitoring due to how detailed the information is and how effortlessly it can be compiled. At the same time, the fact that the individual continuously reveals his location to a wireless carrier implicates the third-party doctrine. For the first time, the Court in Carpenter acknowledged that some third-party data still requires the protections of the Fourth Amendment:
While the third-party doctrine applies to telephone numbers and bank records, it is not clear whether its logic extends to the qualitatively different category of cell-site records. After all, when Smith was decided in 1979, few could have imagined a society in which a phone goes wherever its owner goes, conveying to the wireless carrier not just dialed digits, but a detailed and comprehensive record of the person’s movements.
Id. at 2216-17 (emphasis added). The Court declined to extend the third-party doctrine in Carpenter given the nature of the CSLI data, explaining that the fact that information is held by a third-party does not by itself overcome the user's claim to Fourth Amendment protection. Id. at 2217. The Court held that Carpenter did have a reasonable expectation of privacy in the record of his physical movements and location and that the government was required to get a warrant. Id. at 2223.
Despite holding that the third-party doctrine is still alive and well, Carpenter would seem to open the door for other types of third-party stored data to be protected by the Fourth Amendment, because the Court distinguished some types of third-party data as just "qualitatively different" than others. At a minimum, the Court determined that an individual's physical movements and constant, non-visual location tracking was constitutionally protected because individuals have a reasonable expectation of privacy to this information. Such data could provide an "intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations.” Id. at 2222.
So, with the advent and popularity of genealogy and ancestry data-tracking websites, Carpenter would seem to support the expectation that personally identifiable genealogical information is a type of highly-personal third-party stored data that would be protected under the Fourth Amendment. This protection will prove significant as individuals are increasingly sharing personal data with online genealogical sites. There have already been instances of law enforcement agencies using information from genealogical sites to assist in their investigations.
In recent years, companies like Ancestry.com and 23andMe.com have become immensely popular for their ability to connect people with their family heritage. These companies collect various types of personally identifiable information as well as biological material in some instances and return information about an individual's historic background and even the individual's genetic code. While an individual may be able to find out more about their genetic code, they may not consider the kinds of data they are handing over to a third-party, and fully understand what becomes of that data thereafter.
Ancestry.com and 23andMe state in their privacy statements that they will not share their user's data without a valid court order, subpoena, or search warrant. As was the case in Carpenter, the government may choose to pursue access to someone's personally indentifying and/or genetic information via court order, and may not go to the trouble of obtaining a search warrant supported by probable cause. As it stands, the government could hypothetically subpoena 23andMe or Ancestry, just like they would a bank or phone company, and obtain an individual's genetic information for an investigative purpose. While these genealogy sites state that they will do everything possible to protect your personal information, there is ready acknowledgement that there are circumstances where they may be required to turn over such data.
Carpenter recognized the idea that certain third-party data such as a pen register is distinguishable from something such as CSLI. Likewise, personally identifying information is an example of other third-party held information that is, arguably, "qualitatively different." An individual's genealogical information shows a person's DNA, including potentially their medical conditions. Privacy advocates assert that this type of information requires the highest protection, and the Fourth Amendment should apply. Given the holding in Carpenter, it appears the government would have a difficult time asserting that such data being held by a third-party is undeserving of Fourth Amendment protections.
Time (and the inevitable court challenges) will tell whether an individual's reasonable expectation of privacy in their personal genetic data – voluntarily handed over to a third party -- is deemed "qualitatively different" information that deserves zealous protection under the Fourth Amendment.