The Geolocation Privacy and Surveillance (GPS) Act is one of several pieces of legislation that would require law enforcement to obtain a warrant based on probable cause whenever it seeks location information. The term “location information” is very broadly defined, and the proposed law would make no distinctions based on the level of precision or the length of time for which the information is sought, or whether the information is historical or prospective.
As a general matter, this is an area where legislation is needed. Federal prosecutors already routinely obtain warrants based on probable cause when seeking precision-location information from cellphones, but the law is less clear regarding what standard must be met in order to obtain less-precise cell site information. Under the Electronic Communications Privacy Act (ECPA), for historical cell site information, prosecutors are generally required to obtain court orders based on a showing of “specific and articulable facts,” pursuant to 18 U.S.C. § 2703(d). But for prospective cell tower records, courts are split on whether a so-called “hybrid order” based on “specific and articulable facts” or a warrant based on “probable cause” is required. In some instances, that split involves judges in the same circuit, or even the same courthouse. That lack of clarity and consistency is not fair to anyone – law enforcement, providers, or the public. Moreover, recent reporting suggests that local and state law enforcement officers may not be adhering to the same standards required by ECPA, which are supposed to be the law of the land. So legislation clarifying the confusion over cell tower records, and making clear that the law binds law enforcement at all levels, is a good thing.
But having clear rules does not mean having only one rule, and this is one place where the GPS Act is off the mark. The bill’s “one size fits all” approach presents potential risks to public safety and privacy. Our system of privacy laws have historically provided a continuum of protection, with a greater evidentiary showing required as the degree of intrusion increases. For instance, to obtain historical telephone toll records, law enforcement uses a subpoena. To obtain call records prospectively, law enforcement must get a court order known as a “pen register.” But to listen to the content of calls – a far greater degree of intrusion – law enforcement must obtain a wiretap, which requires a showing of probable cause. This continuum balances the strong interests in privacy and public safety by allowing law enforcement – which typically does not begin investigations with probable cause – to use less-intrusive techniques to gather evidence that forms the building blocks necessary to develop criminal cases or to satisfy the stricter standards required for using more intrusive techniques.
The same principle applies to location information. There is a greater privacy interest in real-time, GPS information about a suspect’s movements than there is in the location of a nearby cell tower that served a call the suspect made on a particular day six months ago. But the GPS Act would obliterate any such distinctions. In doing so, the Act would have the unintended consequence of impairing many different types of law enforcement investigations – including investigations of cyber criminals and others who threaten our privacy. Truly protecting privacy requires not only that we keep personal information from criminals who seek to steal it, but also that we ensure that law enforcement can get the data it needs to catch and prosecute those criminals – using appropriate legal process at every stage.
But the GPS Act is not limited to the question of law enforcement access to location data. The bill also seeks to prohibit commercial service providers from sharing customers’ geolocation information with outside entities without customer consent. This is an area where legislation is not needed, but where meaningful self-regulation is critical.
In a recent speech at the Network Advertising Initiative (NAI) member summit, FTC Commissioner Maureen Ohlhausen expressed support for an industry-created mechanism to allow consumers to opt out of online tracking, as opposed to new legislation mandating such steps. Commissioner Ohlhausen stated:
“Self-regulation can offer benefits because it is nimble, and is able to keep pace with rapid changes in technology in ways that legislation and regulation cannot.”
These remarks were as on-target as, well, a GPS. Transparency and consumer trust regarding the collection and use of personal information are critical to a vibrant Internet economy, but these are best achieved through the market. Industry stakeholders have already demonstrated the ability to develop self-regulatory programs with meaningful compliance regimes. For instance, the NAI, a coalition of online advertising providers, has a Code of Conduct for collection, use, and transfer of personal data by Internet advertisers that is backed by a strong compliance program. That Code requires clear notice to consumers about the way in which data will be collected and used and about their choices regarding targeted ads, and it requires opt-in consent for the use of particular types of more sensitive data, including precise geolocation data.
Contrary to popular belief, providers care about privacy too, and not just because the FTC or Congress tells them to. And now more than ever, privacy is becoming a competitive issue, as companies are increasingly highlighting their commitment to privacy protection to try to gain an advantage in the marketplace.
Regimes such as NAI’s provide consumers with the information necessary to make informed choices about the use of their information, without new regulatory burdens that can stifle innovation.