I have previously posted against categorical prohibition of geofence warrants, worked through the dizzying array of opinions in the Fourth Circuit’s Chatrie en banc, and—in the course of considering a better decision by the Superior Court of New Jersey Appellate Division—reminded us how the ABA Criminal Justice Standards handles location information. It isn’t that all location information ought to receive a Carpenter warrant requirement; instead, courts and legislatures need an algorithm, which the ABA Standards provide, to decide both how private is the particular information requested and then how protected it ought to be.
With all that background, I can be brief in considering the Supreme Court of Ohio’s recent (July 2) decision in State v. Diaw, No. 2024-1083.
What’s to like? The opinion is unanimous (7-0), and an easy read—especially for those already conversant in the Fourth Amendment, for whom it is essentially all review. And the holding makes good sense: “We hold that a person maintains no reasonable expectation of privacy in a single location data point communicated to an online-marketplace app.” I talk more about that in my previous post, but consider how strange things are going to get if a single datum of location is very protected… for example, every physical store receipt implicitly conveys a location at a single point in time.
What’s not to like? The opinion doesn’t use any working algorithm to get there. Instead, the court weirdly—albeit understandably—concludes that conveying location to a marketplace app is “voluntary” in a way that conveying location to a cell phone company is not. That’s just confusing: I can certainly utilize a marketplace app without disclosing my physical location, but I cannot use a mobile phone without so disclosing. But here it’s the talk of the Supremes in Carpenter that is to blame. Similarly, the Ohio high court urges that there was no reasonable expectation of privacy because the location in which the defendant was using his cell phone to interact with the app was a McDonald’s, and so he could be seen there. That’s not going to do good work—even if every datum is ‘public’ in that sense, location over a long period of time is extremely private.
So, again, we need decision-makers (ideally legislatures in the first instance) to first decide how private are various durations of location information, and that privacy determination ought to trigger different access restrictions. Here is, for example, how the ABA Standards handle that first step (Standard 25-4.1):
Types of information maintained by institutional third parties should be classified as highly private, moderately private, minimally private, or not private. In making that determination, a legislature, court, or administrative agency should consider present and developing technology and the extent to which:
(a) the initial transfer of such information to an institutional third party is reasonably necessary to participate meaningfully in society or in commerce, or is socially beneficial, including to freedom of speech and association;
(b) such information is personal, including the extent to which it is intimate and likely to cause embarrassment or stigma if disclosed, and whether outside of the initial transfer to an institutional third party it is typically disclosed only within one’s close social network, if at all;
(c) such information is accessible to and accessed by non-government persons outside the institutional third party; and
(d) existing law, including the law of privilege, restricts or allows access to and dissemination of such information or of comparable information.
The Commentary of course explains more, and includes direction on application to location, albeit written pre-Carpenter. I don’t want to say ‘I told you so,’ but, well, those of us drafting those Standards did… at least still to my satisfaction over a decade later. Isn’t such a reasoned approach better than what we see in practice to date? Improving upon the Standards would be grand, but ignoring them is doing nobody any good.
Leave a Reply