Privacy and Wi-Fi Location Data
- September 30, 2020
- Clayton Rice, K.C.
The Internet and the smartphone are essential to meaningful participation in modern life. But accessing the Internet often requires using Wi-Fi networks, particularly by students, travellers, businesses and low-income people. The use of Wi-Fi generates precise location data that reveals core biographical information about its users and identifies where they were at a particular time. A case pending before the Supreme Court of Pennsylvania is at the forefront of unravelling the privacy implications of the warrantless search and seizure of Wi-Fi data under the Fourth Amendment to the Constitution of the United States. Here’s the story.
On February 2, 2017, during the early morning hours, two masked men posing as campus police gained access to the dormitory room shared by Greg Farina and William Reilley on the Moravian College campus in Bethlehem, Pennsylvania. Reilley was a student and a known marihuana dealer. When Farina opened the door, the masked men held them at gunpoint and demanded the key to Reilley’s footlocker. The intruders accessed the footlocker and made off with approximately $1,000 in cash and a jar of marihuana, striking Reilley and Farina on their heads during the robbery.
Reilley reported the robbery to campus officials and a campus police officer requested that the Director of Systems Engineering analyze the college’s wireless network data to compile a list of students logged on to the network near the wireless access point in the dormitory building where Reilley and Farina lived. It was discovered that only three people were logged on at that location who did not reside in the building. Two of the three users were women. The male user was also a student, Alkiohn Dunkins. The data was provided to the Bethelem Police Department.
Colin Zarzecki, another student, told the police that Dunkins came to his room the night after the robbery and “fanned out” a display of cash bragging that he and another person got the money in a recent robbery. Dunkins told Zarzecki they posed as campus police and stole drugs and money from the victim’s footlocker. Dunkins was charged with robbery, conspiracy to commit robbery, receiving stolen property and assault. He moved to suppress.
2. Motion to Suppress
Dunkins argued that the campus police violated the Fourth Amendment when they obtained the Wi-Fi data without a warrant. At one of the suppression hearings, the Director of Systems Engineering testified that, in order to use the campus Wi-Fi, each student must log on to the network with their individual username and password. However, at the time of the initial log-on, the students may choose to have their devices automatically log on to the Wi-Fi in the future without re-entering their credentials.
On April 26, 2018, the Northhampton County Court of Common Pleas (the trial court) denied Dunkins’ suppression motion. On September 5, 2018, a jury convicted him on all counts and, on January 4, 2019, he was sentenced to five to ten years imprisonment. On February 12, 2020, his appeal was dismissed by the Superior Court of Pennsylvania in a ruling reported as Commonwealth v. Dunkins, 229 A.3d 622 (2020). (here) Dunkins then filed a further appeal that is now pending before the Supreme Court of Pennsylvania, Middle District, in Harrisburg. On September 28, 2020, an amici curiae brief was filed by the American Civil Liberties Union (ALCU) and the Electronic Frontier Foundation (EFF) that will be the focus of my remaining comments. (here)
3. How Wi-Fi Networks Collect Data
The amici curiae brief contains an informative summary of: (a) how Wi-Fi networks collect information about the devices of users as they connect to the Internet; (b) how networks can log the locations of devices as their users move through physical space; and, (c) how location information can tie devices to the identities of their users. Here are three important extracts from the brief on how location information, derived from a Wi-Fi network, can provide law enforcement with precise location data:
- Wi-Fi networks use radio technology to connect user devices like cell phones, tablets, and laptops to physical devices called Wi-Fi “access points”, which in turn connect to the Internet. The radio contained within each phone, laptop, or other device is manufactured with a unique identifier called a “MAC address”, which is a code made up of letters and numbers. Access points use these unique codes to identify and log information about which devices are communicating with them at any given time. (at p. 4)
- Wi-Fi networks can be used to track the locations and movements of users through physical space. Because network administrators know where access points are physically located within a Wi-Fi network, and because networks log the exact time and date each device connected to each access point, administrators also know that the devices connecting to those access points are in the nearby vicinity and know when they connected. […] The more access points a network has within its geographic area, the more detailed and specific the location information it can generate. […] Once a device connects to a Wi-Fi network, a user’s location information is collected automatically. […] This continuous data collection occurs even if a user leaves the coverage network and returns later, once connected, a user’s device automatically re-joins the Wi-Fi network without having to log in […]. (at pp. 5-7)
- It is a short step from obtaining location information about devices using the network to identifying the device user. […] When users connect to “authenticated” Wi-Fi networks, such as Moravian’s, the network data can connect a particular device to a particular person. Many different entities use authenticated Wi-Fi networks, ranging from hotels […] to municipal Wi-Fi networks like New York City’s LinkNYC Program. […] Administrators of authenticated networks are not only able to identify which devices are connected to Wi-Fi, but also whom those devices belong to based on their login information. (at p. 8)
This kind of location data may be extraordinarily useful to law enforcement. The review of multiple access point logs can provide an intimate portrait of a user’s locations as he or she moved from one place to another. This kind of review may also reveal every user who was in a particular vicinity at a particular time. Although the amici curiae brief addresses a number of other issues, I will narrow my comments to: (1) the Carpenter analysis; and, (2) the overbroad search.
4. Carpenter Analysis
The ACLU and EFF assert that the warrantless access to Moravia College’s Wi-Fi location data violated Fourth Amendment privacy rights for “much the same reason” as GPS monitoring of vehicles and the warrantless seizure of cell site location information did in United States v. Jones, 565 U.S. 400 (2012) and Carpenter v. United States, 138 S. Ct. 2206 (2018) that I discussed in previous posts to On The Wire. (here and here) The amici curiae conclude, at p. 16, that the confluence of three factors – detailed, indiscriminate, and pervasive location data collection enabling highly efficient retrospective searches – explains why the Superior Court erred in concluding that a search of Wi-Fi location data “functions similarly to a security camera.” (Dunkins, at p. 629)
The amici curiae argue that Wi-Fi networks collect “rich chronicles of peoples’ lives” similar to the “privacies of life” that received constitutional protection in Carpenter. First, Wi-Fi location data allows the government to track people inside constitutionally protected spaces. In this case, access points blanketed the college’s campus – in dormitories, bedrooms and classrooms. While the college campus is a defined geographical area, “it does not make an individual’s movements within that area any less private from the government than the movements in Carpenter.” Second, cell phone location information allows the government to access patterns of movement of essentially any person at any time. Similar to the “tireless and absolute” surveillance enabled by cell site location data, Wi-Fi is both “pervasive and essential.” Third, the “retrospective quality of the data” creates a “time machine” that permits law enforcement to see a person’s past movements that “would be physically impossible without the aid of technology.” (at pp. 12-4)
5. Overbroad Search
The ACLU and EFF also assert that the Dunkins search was incompatible with the Fourth Amendment’s prohibition of overbroad searches by hoovering information about a large number of people who had nothing to do with the crime under investigation. The search of the Wi-Fi location information of every student in a dormitory in the hope it would turn up the identity of a criminal suspect “is akin to a search of every house in an area of a town – simply on the chance that the suspect might be located inside one.” The dragnet collection of private information, and the ability to retrospectively create a compendium of everyone in a particular place, at a particular moment in time, “imperils privacy and threatens to chill freedom of association in ways the Founders could not have imagined.” (at p. 21) Retrospective digital dragnet searches fail the Fourth Amendment requirements of particularity and individualized suspicion that I discussed in a recent post to On The Wire about geofence warrants. (here)
The capacity of Wi-Fi location data to create an historical record of a person’s whereabouts – a veritable time capsule – is only limited by the data retention policy of the service provider. As with GPS information, the time-stamped data opens an intimate window on a person’s private life revealing familial, political, professional, religious and sexual associations. The ability to “travel back in time”, as the ACLU and EFF emphasize, “only enhances the threat to privacy.” The amici curiae remind us that Dunkins therefore raises a poignant issue inherent in the threat created by data dragnets. Wi-Fi data collection enables an “unprecedented and chilling police power” – the potential to identify everyone, in a particular place, at a particular time – thus upending the balance of power between the citizen and the state.