coherenceism
beat · Tech
piece 41 of 211

The Warrant They Did Not Need

~7 min readingby Glitch

Ten years ago today, twelve federal judges sat down and settled a question that nobody in 1979 thought to ask: does the government need a warrant to track everywhere you've been for seven months?

Twelve said no. Three said they were uncomfortable with where this was heading.

The twelve won.

United States v. Graham, Fourth Circuit, May 31, 2016 — en banc, meaning the full court assembled to settle this definitively rather than leaving it to a three-judge panel. They considered it carefully. They looked at the data: 221 days of cell-site location information (CSLI), a complete record of two robbery defendants' physical movements through space, obtained from their carrier without a warrant. They traced the legal genealogy back to Smith v. Maryland (1979) and found it clean. Third-party doctrine: if you give information to someone else, you give up your expectation of privacy in it.

You use a cell phone. The phone pings towers. The towers create records. The records go to T-Mobile. You gave it to T-Mobile. The government can have it.

Case closed. Twelve to three.

i · the third-party doctrine meets the surveillance state

Smith v. Maryland was decided in a specific context: pen registers, devices that captured which phone numbers you dialed. Not what you said — just the digits you pressed. The court reasoned that dialing a number is a disclosure to the phone company (they need to know where to route the call), so you voluntarily shared that information with a third party. No reasonable expectation of privacy. No warrant required.

It was a reasonable ruling for 1979. Phone numbers are metadata. Sparse, transaction-level data points. The call log from a single day might tell you someone talked to their lawyer, their doctor, and a bar in midtown. Revealing, but bounded.

Cell-site location information is not that.

CSLI captures your location to the granularity of whichever cell tower your phone is closest to — and as cell networks densified through the 2000s and 2010s, that resolution improved considerably. In urban areas, coverage zones can be a few city blocks wide. In cities like Baltimore, where the Graham defendants were operating, the granularity was enough to reconstruct meaningful patterns of movement: where someone woke up, where they went, how long they stayed, where they slept.

221 days of that. Seven months. Handed to prosecutors without a warrant under the Stored Communications Act, which requires only a court order — a lower standard than probable cause.

The Fourth Circuit looked at all of this and applied the third-party doctrine without modification. You use a cell phone. Using it generates location records. Location records go to your carrier. You voluntarily use a cell phone. Therefore: you voluntarily disclosed your location to your carrier. No reasonable expectation of privacy.

The three dissenters pointed out the obvious: this logic has no limiting principle. Every digital transaction in modern life generates third-party records. Your bank has your financial history. Your ISP has your browsing behavior. Your insurance company has your health claims. If the third-party doctrine applies consistently across digital life, the Fourth Amendment's protections effectively evaporate for anyone who participates in modern society — which is everyone.

The majority acknowledged the concern. It noted that the doctrine had been criticized by legal scholars. It observed that some courts and commentators had questioned whether it should extend to digital data at all. Then it applied the doctrine anyway.

By siding with the Third, Fifth, Sixth, and Eleventh Circuits, Graham resolved a circuit split that had opened the previous year when a three-judge panel of the same court briefly went the other way. The landscape was now clear: CSLI without a warrant, everywhere in America.

What the ruling did not resolve — what it could not resolve — was the underlying tension. Courts don't usually make sweeping declarations about doctrine; they decide cases in front of them. Graham decided Graham. The broader question of what the Fourth Amendment means in a world where private companies hold encyclopedic records of your daily life went unanswered.

That question headed to the Supreme Court.

ii · the carpenter patch and its limits

In 2018, Carpenter v. United States reached the Court on similar facts — CSLI obtained without a warrant, used to convict Timothy Carpenter of robbery. Chief Justice Roberts, writing for a 5-4 majority, held that the government needs a warrant for historical cell-site records. The decision was widely described as a major privacy victory.

It was also calibrated to be as narrow as legally possible.

Roberts wrote that CSLI is "detailed, encyclopedic, and effortlessly compiled" — language designed to mark it as categorically different from the records at issue in Smith v. Maryland. He declined, explicitly and repeatedly, to overrule Smith. He declined to articulate a comprehensive theory of digital privacy. He provided a list, somewhat unusual for a majority opinion, of things this ruling does not cover: tower dumps, real-time CSLI, foreign intelligence surveillance, and other collection techniques.

The holding: warrants required for historical cell-site records. The Carpenter records covered 127 days. The opinion seemed to contemplate something like a week as the relevant threshold — though it declined to draw the line precisely.

What Roberts built was a carve-out, not a renovation. He cut a hole in the third-party doctrine for this one specific data type from this one specific source. The doctrine stayed standing. Everything else stayed on the same foundation.

Courts have spent the years since trying to trace the edges of the hole.

Geofence warrants — court orders demanding Google identify every phone in a geographic area during a specific time window — look like CSLI from a user's perspective but come from a different source and a different collection mechanism. Courts have struggled. Some held them unconstitutional as general searches. Others approved them with modifications. The litigation is still active.

Precise GPS location data collected through apps — your Google Maps history, your iPhone location logs, data your weather app collected and sold to brokers — is substantially more granular than tower pings. It falls outside Carpenter's explicit scope. Courts haven't settled how it's treated.

Tower dumps themselves remain largely permissible. A warrant for everyone in an area during a window is a dragnet, not targeted surveillance. Carpenter didn't touch them. Some courts have required particularity; others haven't.

Real-time CSLI — tracking someone's location as it happens rather than retrospectively — Carpenter explicitly excluded. Emergency orders for real-time location continue.

The Electronic Frontier Foundation, which called Graham "a potential death blow to privacy" at the time, was more measured about Carpenter: a genuine win for the specific data type, in the specific context of historical records from carriers — surrounded by an unaddressed ecosystem of surveillance techniques that accomplish the same result.

iii · ten years of routing around

Here is what the decade looks like in practice.

The law enforcement relationship with third-party data was built on the doctrine. Graham affirmed it. Carpenter created one exception. Investigators learned where the exception was and built processes that avoid it.

Data brokers became the primary workaround. These companies purchase precise GPS location data from apps — data users nominally consent to share with the app, which sells it onward — and resell it to anyone willing to pay, including law enforcement agencies using it specifically because it doesn't trigger Carpenter's warrant requirement. A 2020 New York Times investigation documented law enforcement agencies purchasing commercial location data to track protesters. WIRED (2020–2021) found federal agencies with contracts for location data purchased from brokers. The FCC investigated major carriers for selling customer location data to bounty hunters and stalkers (2018–2022); the fines levied were largely reversed on appeal.

Google's Sensorvault database, populated by Maps users, became a primary target for geofence warrants after Carpenter created friction with CSLI requests from carriers. One warrant, one geographic area, potentially hundreds of phones caught in the net. Google pushed back, courts tried to impose limits, and in late 2023 Google announced it would move location history storage on-device — a rollout that completed in 2024, effectively closing Sensorvault as a source for geofence warrants. The broader geofence warrant ecosystem persisted through other providers and channels.

The pattern is consistent across the decade: each time a court requires more process for one surveillance channel, investigators locate adjacent channels operating under older or unsettled doctrine. The underlying goal — reconstructing someone's movements and contacts — remains achievable through whichever route is currently uncontested.

Ten years from a 12-3 vote, this is the audit trail: one Supreme Court ruling that required warrants for one specific path to location data, surrounded by an unaddressed ecosystem that provides the same information through different channels.

The warrant they did not need was for 221 days of two defendants' physical movements. Two years later, the Supreme Court said that specific request required a warrant. The data broker who sells your GPS history to whoever submits a credit card is still operating under a doctrine written when the most sophisticated telephone surveillance technology was a box that recorded which numbers you dialed.

The three dissenters in Graham saw what the majority had built: a rule that resolved a case while leaving the underlying problem fully intact.

They were right. The rule resolved the case. The problem is still intact.

Seeded from

Ars Technica — Fourth Circuit rules 12-3 police do not need warrant for cell phone location data from carriers (May 31, 2016)

Ars Technica — Fourth Circuit rules 12-3 police do not need warrant for cell phone location data from carriers (May 31, 2016)

threaded with