When the Electronic Communications Privacy Act (ECPA) was passed in 1986, cellular telephone was a fledgling industry. At the time, cellular telephones were mainly limited to car phones, due to the large batteries that powered the phone. Handheld models were extremely expensive, quite large by today’s standards, and did little beyond the ability to make a call to a single person at a time. Very few people actually used the new technology due to the cost.

Today, cellular phone use is pervasive. Units are small enough to take everywhere, and many people now solely use a cell phone and no longer maintain a traditional wired home telephone. Additionally, phones have been joined by an array of devices that utilize the cellular data network connectivity, including portable computers, smartphones, tablets, and wireless hot spots. Hot spot devices connect to the cellular data network and provide wifi access to nearby digital devices.

Cell phones and smartphones are instances of new technologies that are the center of litigation that is being decided based on old laws; they are on the “bleeding edge” of litigation. Courts often interpret slight nuances in cases quite differently.

Cell Tower Data and Location Information

Cellular service is called cellular because a geographic area is broken into a number of overlapping cells; each cell is served by a cellular tower. A digital device connects to the cellular tower to obtain service, and as the digital device moves through the area (i.e., from cell to cell) the device connects to the tower in the new cell for service. The cellular communications companies maintain records of the devices that are served by each cell tower at any given time.

An emerging area is the use of data held by a third-party provider and resultant privacy issues in the area of cell tower dumps. Cell phones and other smart devices, when active, are in communication with nearby cellular towers. The towers include directional antennae that cannot pinpoint the location of the device but the towers and the cellular networks maintain histories of the connection records. A tower dump allows law enforcement to retrieve the connection records of all devices connected to a tower over an interval of time. Law enforcement uses tower dumps to obtain device connection histories from the areas where a crime was committed in the hopes that the perpetrator of a crime had a digital device, and that they can discern the identity of that device. Pragmatically, the dump also produces the connection logs for hundreds of thousands of devices that were not involved with the crime.

The data contained in a cell tower dump is data held by a third-party provider and is subject to the restrictions of the ECPA. However, there is debate about whether production of such data should require a search warrant or just a court order. Obtaining a court order for the production of data requires a far lower standard.

Cell tower data dumps have become a frequent and valuable tool for law enforcement. In the case of the High Country Bank Robbers, cell tower dumps lead to the capture and arrest of the perpetrators. On February 10, 2010, the Federal Bureau of Investigation (FBI) issued a wanted notice for two men described as “the High Country Bank Robbers” and described their method of operation as:

The unknown male identified as suspect number one often enters the banks in rural locations near closing time and brandishes a black semi-automatic handgun. Suspect number one then demands all the money from the teller drawers. He obtains an undisclosed amount of money, puts it in a bag, orders everyone on the ground, then exits the banks with a second suspect. They have been seen leaving the banks on a green or maroon four-wheel ATV with suspect number two driving.¹

The perpetrators wore hoodies and masks that made their identification difficult, despite surveillance photographs and videos. A witness to one of the robberies described a suspicious man hanging around the outside of the bank before the robbery occurred, and noted he was talking on a cellular telephone.

The FBI obtained a §2703(d) court order for a cell tower dump of the cell towers located near four of the robbery locations; the FBI stated they chose the four most remote locations to minimize the extraneous information obtained. Through the use of data analysis software, investigators correlated the device connection records and a single number was located in the tower data of all four locations. Analysis also showed a second phone number that was in contact with the first phone on the date of the robberies, and was identified on two of the cell towers. This was enough for the FBI to obtain additional information about the phone numbers, including the names and addresses of the owners. The suspects were identified as Joel Glore and Ronald Capito. Eventually, the FBI located the individuals, who were arrested for the robberies.

The extent of the data gathered through cell tower dumps is quite extensive, and allows a fairly detailed reconstruction of movements of a suspect. The FBI released a reconstruction of the events of a single day of a robbery:

On 11/25/2009, both CAPITO’s and GLORE’s mobile telephones begin the day at 6:31 a.m. on the same cell tower in Show Low, Arizona, when CAPITO calls GLORE’s mobile telephone. Both mobile telephones remain in Show Low until CAPITO’s telephone uses a cell tower near Punkin Center, approximately 30 miles south of Payson, Arizona. By approximately 11:00 a.m., both CAPITO’s and GLORE’s phones are using the same cell tower in Star Valley, Arizona, approximately 5 miles east of Payson, Arizona, and likely covering areas of Payson, Arizona. By 11:50 a.m., both CAPITO’s and GLORE’s mobile telephones are using towers in Payson, Arizona, that are almost certainly within the coverage area of the Compass Bank located at 613 S. Beeline Highway, Payson, Arizona. GLORE’s telephone remains on these Payson cell towers and last uses a Payson cell tower located only 1 mile from the Compass Bank at 3:27 p.m. when he receives a call from CAPITO’s cell telephone.

CAPITO’s telephone continues to use the Star Valley and Payson towers through the 3:27 p.m. call, when CAPITO’s telephone is using a cell tower located only 1.7 miles from the Compass Bank. At approximately 3:29 p.m., the High Country Bandits rob the Compass Bank, 613 S. Beeline Highway, Payson, Arizona. The next call on either GLORE or CAPITO’s mobile telephones is at approximately 4:40 p.m. when they are contacting each other and both are using the cell tower near Punkin Center, approximately 30 miles south of Payson, Arizona. Both mobile telephones remain using that cell tower throughout the night and return to Show Low, Arizona, by 11:00 a.m. the next day.²

The breadth of information potentially revealed about innocent digital users through the acquisition of cell tower data is staggering. The FBI chose the four most rural locations for their search, and obtained records relating to over 150,000 registered cell phone numbers. Many civil libertarians are concerned that the government can access such large-scale information about the movements of individuals without a warrant. Cell tower information is covered by the restrictions of the ECPA. However, the information in the cell tower dumps is not believed to fall into the category of “contents” that would require a search warrant to access. Cell tower dumps are performed based on a court order.

Brian Owsley, a former federal magistrate and now a professor of law at Texas Tech University recently published a paper highlighting the concerns with cell tower dumps:

Recently, the American Civil Liberties Union brought to light the popular use of government surveillance of cell phones, including the gathering of all cell phone numbers utilizing a specific cell site location. Known as a “cell tower dump,” such procedures essentially obtain all of the telephone number records from a particular cell site tower for a given time period: “A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time.” State and federal courts have barely addressed cell tower dumps. However, the actions by most of the largest cell phone providers, as well as personal experience and conversations with other magistrate judges, strongly suggest “that it has become a relatively routine investigative technique” for law enforcement officials.

No federal statute directly addresses whether and how law enforcement officers may seek a cell tower dump from cellular telephone providers. Assistant United States Attorneys, with the encouragement of the United States Department of Justice, apply for court orders authorizing cell tower dumps pursuant to a provision in the Electronic Communications Privacy Act of 1986. The pertinent provision poses a procedural hurdle less stringent than a warrant based on probable cause, which in turn raises significant constitutional concerns.³

On May 12, 2012, U.S. Congressman Edward J. Markey (D-MA) sent a letter to the chairs of eight major cellular communications providers in the United States based on an article in the New York Times entitled “Police Are Using Phone Tracking as a Routine Tool.” Markey requested data pertaining to the frequency of requests for phone data, and the amounts charged to provide such data.

On July 8, 2012, the New York Times reported on the results of Markey’s request. Seven of the eight companies contacted replied with statistics of their level of data requests; T-Mobile declined to provide statistics. Combined, the companies responded to 1.3 million demands for subscriber information in 2011 alone. This total does not reflect the quantity of numbers released; a single demand for information could be a tower dump involving hundreds of thousands of records. The communications companies noted there was a lack of clarity regarding the proper procedures to authorize disclosure of the requested data, and indicated additional legislation might be helpful.⁴

In 2013, the U.S. Court of Appeals for the Fifth Circuit considered a case involving the required authorization for the production of cell data (In re: Application of the United States of America for Historical Cell Site Data):⁵

In early October 2010, the United States filed three applications under §2703(d) of the Stored Communications Act (“SCA”), 18 U.S.C. §§2701-2712, seeking evidence relevant to three separate criminal investigations. Each application requested a court order to compel the cell phone service provider for a particular cell phone to produce sixty days of historical cell site data and other subscriber information for that phone. The Government requested the same cell site data in each application: “the antenna tower and sector to which the cell phone sends its signal.” It requested this information for both the times when the phone sent a signal to a tower to obtain service for a call and the period when the phone was in an idle state. In re Application of the United States for Historical Cell Site Data, 747 F. Supp. 2d 827, 829 (S.D. Tex. 2010).

The magistrate judge assigned the case opined that the warrantless production of such data was unconstitutional; the United States appealed. On appeal, the district judge issued a single page opinion, noting:

When the government requests records from cellular services, data disclosing the location of the telephone at the time of particular calls may be acquired only by a warrant issued on probable cause. The records would show the date, time called, number, and location of the telephone when the call was made. These data are constitutionally protected from this intrusion. The standard under the Stored Communications Act is below that required by the Constitution.

The United States appealed once again, and the case was reviewed by the Court of Appeals. The contention for the United States’ appeal was that the cell tower data and connection records are records not gathered by the government, they are gathered as the business records of the communications companies.

The court’s opinion was direct: “We are called on to decide whether court orders authorized by the Stored Communications Act to compel cell phone service providers to produce the historical cell site information of their subscribers are per se unconstitutional. We hold that they are not.”

The court agreed that the records sought were business records belonging to the communications company, not GPS or location records. This differentiated the facts of the case from United States v. Jones, in which the Supreme Court of the United States ruled that warrantless GPS tracking of a suspect was unconstitutional:

Under this framework, cell site information is clearly a business record. The cell service provider collects and stores historical cell site data for its own business purposes, perhaps to monitor or optimize service on its network or to accurately bill its customers for the segments of its network that they use. The Government does not require service providers to record this information or store it. The providers control what they record and how long these records are retained. The Government has neither “required [n]or persuaded” providers to keep historical cell site records. Jones, 132 S. Ct. at 961 (Alito, J., concurring in the judgment). In the case of such historical cell site information, the Government merely comes in after the fact and asks a provider to turn over records the provider has already created.⁶

The court also noted that subscribers understood they were providing data to the cell tower, and that the use of cell phones was voluntary:

A cell service subscriber, like a telephone user, understands that his cell phone must send a signal to a nearby cell tower in order to wirelessly connect his call. See United States v. Madison, No. 11-60285-CR, 2012 WL 3095357, at *8 (S.D. Fla. July 30, 2012) (unpublished) (“[C]ell-phone users have knowledge that when they place or receive calls, they, through their cell phones, are transmitting signals to the nearest cell tower, and, thus, to their communications service providers.”). Cell phone users recognize that, if their phone cannot pick up a signal (or “has no bars”), they are out of the range of their service provider’s network of towers. And they realize that, if many customers in an area attempt to make calls at the same time, they may overload the network’s local towers, and the calls may not go through.

Because a cell phone user makes a choice to get a phone, to select a particular service provider, and to make a call, and because he knows that the call conveys cell site information, the provider retains this information, and the provider will turn it over to the police if they have a court order, he voluntarily conveys his cell site data each time he makes a call.⁷

Circuit Judge James L. Dennis, in a dissenting opinion, noted the issue was a statute issue, not a constitutional issue:

In my view, this appeal should be decided by adhering to the Supreme Court’s constitutional question avoidance doctrine and construing the applicable ambiguous provisions of the Stored Communications Act to require that the government must obtain a warrant in order to secure an order requiring an electronic communications provider to disclose data potentially protected by the Fourth Amendment, such as the historical cell site location data sought in this case. Because the government did not apply for a warrant, but instead sought such data based only on a showing of reasonable suspicion, the district court reached the correct result in denying the government’s request for an order for the provider to disclose that data. Accordingly, I would affirm the result reached by the district court, and I respectfully dissent from the majority opinion’s contrary interpretation of the Stored Communications Act and its unnecessary interpretation of the Fourth Amendment as not affording individuals protection of their historical cell site location data.⁸

Privacy advocates are deeply disturbed by the government’s use of cell tower dumps, and are concerned that their use constitutes something of a digital dragnet; it is not always clear what happens to the data that was gathered that was not related to the crime. For example, if a park bench was damaged at a Tea Party rally, or a window was broken at an Occupy movement site, law enforcement could obtain a court order for a cell tower dump for the day of the event. This would reveal the phone numbers and connection records for all the devices present during the event. This could potentially then be used for other purposes or tracking or correlated against other event data.

StingRay and Location Monitoring

Harris Manufacturing Company, a supplier of electronics for government and civil applications, has developed a device called the StingRay, or generically, an International Mobile Subscriber Identifier or IMSI Catcher that can accurately track the location of a suspect. The term stingray has become a generic term for devices of this type.

According to documents obtained by the Electronic Privacy Information Center (EPIC) in October 2013, the Department of Justice’s policy on cellsite simulators is that their use is governed by the Pen Register device statute (18 U.S.C. 3127(3));⁹ much like a pen register, the StingRay collects signaling information. Notably, a cellsite simulator does cause a disruption in service; 18 U.S.C. 3124 requires that a pen register be implemented with a minimum of interference to services.

A StingRay is a portable device that when deployed acts like a cell tower. The StingRay sends out radio signals that make it appear as a cell tower to digital devices in the vicinity. These devices will connect to the StingRay thinking it is a tower on their provider’s network. The devices will continue to operate as the StingRay passes the traffic through. The StingRay, however, can record the call information, much like a pen/trap device. Some devices can capture the packets that constitute contents of a connection. A StingRay can also identify the direction and distance of the connected device, which enables law enforcement to determine the location of the device with a good degree of accuracy. Investigators can take a distance reading, move the device, take another reading, and begin to triangulate the location.

It is believed a StingRay is typically deployed when a law enforcement agency has identified the subject of an investigation and wishes to monitor their communications behavior and their location. However, any digital device within the vicinity of the StingRay could connect to the StingRay, allowing their owners’ communications behaviors and locations to also be monitored by the StingRay, even though they are not the subject of any investigation.

One of the first cases to test the legality of the use of a StingRay device is the case of United States v. Daniel Rigmaiden. Rigmaiden was indicted in 2010 on 74 counts of tax, mail, and wire fraud; he was accused of being a key member of a multistate scheme to obtain illegal tax returns. The FBI press release on the capture of Rigmaiden describes the pursuit and apprehension:

Court documents, including the superseding indictment, and search and seizure warrant affidavits and returns, contain the following additional allegations and evidence. In May 2007, IRS-CI identified a Compass Bank account in Phoenix, Arizona, that was receiving fraudulently obtained tax refunds. From May 2007 through January 2008, the investigation was focused on Carter, who had opened the Compass Bank account under the name Carter Tax & Accounting, LLC. In January 2008, the investigation started to focus on an individual operating above Carter known only as the “Hacker” and another co-conspirator above Carter in the scheme. From January through April 15, 2008, an undercover operation was initiated that sought to identify and locate the Hacker and second co-conspirator. In the course of the operation, the investigators opened an undercover bank account in Arizona into which the Hacker unknowingly caused the deposit of numerous fraudulently obtained tax refunds. The fraudulent returns were filed via computers and IP addresses not directly traceable to the Hacker. During this period, three $9,000 shipments of the tax refunds were made to the second co-conspirator in Utah. On April 15, 2008, the second co-conspirator was arrested. The co-conspirator’s case is under seal.

From April through August 2008, investigators worked to identify and locate the Hacker. In May 2008, $68,000 in fraudulently obtained refunds were shipped to the Hacker, in the name of Patrick Stout, to Palo Alto, CA. The person who picked up the package was not apprehended. In July 2008, agents located the apartment in Santa Clara rented by the Hacker in the name of Steven Brawner. On July 23, 2008, a 50-count indictment was returned under seal against the Hacker (a.k.a Brawner and Stout). On August 3, 2008, the Hacker was arrested in Santa Clara after a foot and car chase. A key to the Hacker’s apartment was found in his pocket during his arrest. On August 3 and 4, 2008, search warrants were executed in the Hacker’s Santa Clara apartment and a storage unit in San Jose; investigators seized a laptop and multiple hard drives, $116,340 in cash, over $208,000 in gold coins, approximately $10,000 in silver coins, false identification documents, false identification manufacturing equipment, and surveillance equipment.¹⁰

The government eventually revealed that one of the “sources” in this investigation was a mobile tracking device deployed to monitor Rigmaiden’s communications. Rigmaiden used a Verizon aircard (WiFi hotspot) as an Internet connection; the location and communications activities were monitored through the use of the mobile tracking device. The government stated during the case that the use of the equipment to communicate with Rigmaiden’s aircard was authorized by a Rule 41 tracking warrant, application, and affidavit.¹¹

Rigmaiden filed a motion to suppress the admission of any evidence gathered through the StingRay equipment. The American Civil Liberties Union (ACLU) filed an amicus brief asserting that the warrant was not valid because:

1. The StingRay equipment is intrusive; it sends radio signals out that permeate the house, pocket, or purse where a digital device is located.
2. The StingRay equipment gathers information from third parties that are not the subject of the investigation; this equates to a general warrant.
3. The investigators failed to reveal and describe the StingRay technology and the extent of the information gathered to the magistrate when they applied for the warrant.

The court ruled that the use of the equipment to locate the aircard did not violate Rigmaiden’s Fourth Amendment right to privacy given the layers of false identities and fraudulent actions Rigmaiden employed to operate his scheme in the first place.¹²

The court noted that Verizon was clearly a provider of electronic communication services and was therefore subject to the ECPA. However, suppression is not an allowable remedy for ECPA violations.

BYOD Policies and Data Ownership

Bring Your Own Device (BYOD) is a trend in information technology that describes the practice of allowing employees to utilize their own computing devices to perform work for the organization; usually the devices are smartphones or tablet computers. A typical BYOD situation is an employee who purchases an iPad for home use, and then decides to access work e-mail through an application, or even brings the device to the workplace and uses it in place of the company computing asset. BYOD raises various legal issues for the organization, including potential ergonomic issues, compensation issues, and security issues. Relating to cloud computing and electronic discovery, the issue raised is one of data ownership and access.

Similarly, an employee may be provided with a device and access personal account information on that device, such as a Facebook account or personal e-mail account. Smartphones and tablets typically store the login information for applications; computers and laptops may store login information, but the verification to store the information is much more overt. The risk in storing login information on the device is that anyone who accesses the device can then, in turn, access the applications for which login information is stored.

Courts have considered cases where the ownership of the device is different than the ownership of the data contained on the device or accessible by the device. Given the relatively new nature of smartphones and tablets, this is an emerging area of law. Generally, however, courts will look to the identity of the subscriber to a service, the person with the relationship with the third-party provider. For a cloud application, such as a personal Gmail account, the subscriber would be the person that initiated the account with Gmail and that subscriber would be the only person authorized to access the account. Intentionally accessing data in the account without authorization would be prohibited by U.S.C. §2701.

In Lazette v. Kulmatycki,¹³ the court held that a supervisor who had used a company BlackBerry device to access the personal e-mail account of the former employee to which the device had been assigned may have violated the Stored Communications Act.¹⁴ The plaintiff had been an employee of Verizon, and had been issued a BlackBerry device by the company. During her employment, the plaintiff configured the device to allow her to access her personal Gmail account on the device. When the plaintiff left the company, she returned the device after she believed she had removed the Gmail information. She later learned that she had not removed the Gmail information; her former supervisor had been using the device to access the plaintiff’s e-mail information and had shared the contents of the e-mail with others. The plaintiff claimed this access occurred over 18 months, and the supervisor read more than 48,000 personal e-mails.

The court ruled that the employer and supervisor did not have the authority to read the plaintiff’s personal e-mail. The court held that the mere fact that the plaintiff used a company-owned device to access her personal e-mail account did not grant automatic access to her employer. Further, Verizon was held to be vicariously liable for the supervisor’s actions in this case.

It is important to note that the supervisor had accessed the e-mail content on the Gmail server using the login credentials stored on the BlackBerry. The SCA prohibits accessing “a facility” without authorization; the Gmail server would be such a facility. In the case of Garcia v. the City of Laredo, Texas,¹⁵ the court held that a cell phone is not a facility as defined by the SCA.

Fannie Garcia was a police dispatcher for the City of Laredo, Texas. She claimed the defendants (who included the City of Laredo, the deputy city manager, the chief of police, and several other police officials) accessed the contents of her cell phone without permission in violation of the SCA. On November 15, 2008, a police officer’s wife removed Garcia’s cell phone from an unlocked locker in a substation of the Laredo Police Department and accessed text messages and images found on Garcia’s phone. Believing she had discovered evidence of violations of department policies, she set up a meeting with the deputy assistant city manager and the interim assistant police chief. At the meeting, she utilized Garcia’s cell phone to access and to share the text messages sent from and received by the phone and the photographs stored on the phone.

Later, investigators successfully downloaded one video recording and 32 digital images from the cell phone; they were unable to download any of the text messages. A subsequent internal investigation concluded, based in whole or in part upon images and text messages retrieved from her cell phone, that Garcia had violated department policies. Garcia was terminated and filed suit.

The district court granted summary judgment for defendants and denied Garcia’s motion for partial summary judgment on the SCA, finding that the statute did not apply to the defendants’ actions in the case. The U.S. Court of Appeals for the Fifth District affirmed the lower court’s decision.

The Court of Appeals, in a de novo review, likened a cell phone to a local drive on a computer to determine if it should be considered a facility:

The Eleventh Circuit’s decision in United States v. Steiger provides useful guidance. 318 F.3d 1039, 1049 (11th Cir. 2003). In Steiger, when a hacker accessed an individual’s computer and obtained information saved to his hard drive, the court held such conduct was beyond the reach of the SCA. The court found that “the SCA clearly applies . . . to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system,” but does not, however, “appear to apply to the source’s hacking into Steiger’s computer to download images and identifying information stored on his hard drive.¹⁶

Even if Garcia’s cell phone were somehow considered a facility, this stops short of demonstrating that storage of text messages and pictures on Garcia’s cell phone fits within 18 U.S.C. §2510(17)’s definition of electronic storage. Electronic storage as defined encompasses only the information that has been stored by an electronic communication service provider.¹⁷ Thus, information that an Internet provider stores to its servers or information stored with a telephone company—if such information is stored temporarily pending delivery or for purposes of backup protection—are examples of protected electronic storage under the statute. But information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.¹⁸

An individual’s personal cell phone does not provide an electronic communication service just because the device enables use of electronic communication services, and there is no evidence here that the defendants ever obtained any information from the cellular company or network. Accordingly, the text messages and photos stored on Garcia’s phone are not in electronic storage as defined by the SCA and are thus outside the scope of the statute.¹⁹

This concept is important for electronic discovery purposes as it removes local copies of documents or communications from the control of the SCA. While e-mails, pictures, documents, and voicemails are stored in the cloud, they are controlled by the restrictions of the SCA. If a user saves a local copy of an e-mail, picture, or document, or saves a voicemail file on a local hard drive, the restrictions on production placed by the SCA no longer apply to the files; they are subject to discovery as any other file on a local computer would be.