Whether a person has a reasonable expectation of privacy in information relating to their use of a public transportation card, or in any data that card may contain or generate.
Charlie Cards are Boston residents’ method of access to public transportation. But every time a user swipes their card, the transit authority collects various data, including the location of the swipe. This case concerns whether Massachusetts police can access the data generated by the swipe without a warrant. The third party doctrine allows the government to access personal information without a warrant if that information is held by a third party, like a transit authority or an internet service provider. But the third party doctrine has no place in a world where third-party data collection is the necessary outcome of obtaining a service.
The Massachusetts Supreme Judicial Court has historically been ahead of the curve when it comes to recognizing digital privacy rights. The court rejected an application of the third party doctrine to cell site location information four years before the U.S. Supreme Court did the same in Carpenter v. United States. In an amicus brief, EPIC urges the court to take another step forward and reject the third-party doctrine for electronic information companies collect when individuals obtain a service. Courts should instead use modern privacy principles to inform their privacy analysis, limiting third-party sharing of electronic data to the particular purpose for which that data was collected.
Josiah Zachery had a student Charlie Card to the Massachusetts public transit system. The MBTA collects entry-point information from Zachery and other riders when they tap their transit cards for fee collection purposes. Each Charlie Card contains a serial number that is associated with a cardholder when they register their card with the MBTA. Students can receive a subsidized student pass through the M-7 program, which requires schools to register each card with the MBTA.
In the course of a murder investigation, the Boston police arrested Zachery and seized his Charlie Card. The police obtained his Charlie Card data from the MBTA without a warrant, and the Commonwealth eventually used his location information and related evidence in his prosecution.
The third-party doctrine comes from a pair of Supreme Court decisions from the 1970s which were decided at a time before modern data protection law existed. Both cases involved data collection practices that were limited by the technologies available in that era.
The third-party doctrine rests on a basic assumption: that people assume the risk that their information will fall into the hands of the police when they provide it to a third party for a particular purpose. By disclosing the information to someone else, the reasoning goes, an individual loses their expectation of privacy in that information regardless of where it may end up eventually. Even in 1979, when the Court decided Smith v. Maryland, a strong minority rejected this logic. In his dissent, Justice Marshall argued instead that individuals who “disclose certain facts . . . for a limited business purpose need not assume that this information will be released to other persons for other purposes.”
The third-party doctrine has been on shaky ground in recent years, as the types and amounts of personal data collected by third parties has changed dramatically with the advent of new technologies. In the 2011 case United States v. Jones, Justice Sotomayor rejected the third-party doctrine’s assumption that “all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.”
In 2014, the Massachusetts Supreme Judicial Court took a big step in recognizing the limitations of the doctrine—four years before the U.S. Supreme Court did so in Carpenter v. United States. The court rejected the third-party doctrine for location data automatically produced by cellphones as they connect to cell towers (cell site location information, or “CSLI”). The court recognized then that cellphone users do not voluntarily share CSLI with cellphone companies just by owning and using their phones. While the decision was limited to CSLI data, the court saw the writing on the wall for the third-party doctrine. In a footnote, the court cited to Justice Sotomayor’s concurrence in Jones and added that the “rapid expansion in the quantity of third-party data generated through new technologies raises important questions about the continued viability of the third-party doctrine in the digital age.”
The Commonwealth charged Zachery with a number of violent and nonviolent felonies related to the murder. Prior to trial, Zachery requested that the judge exclude the information that the police were only able to obtain through the use of his Charlie Card data. He argued that the police violated his reasonable expectation of privacy in that data by using it in an investigation without first getting a warrant. The judge denied his request and allowed the Commonwealth to use any evidence related to the Charlie Card data in his prosecution. A jury eventually convicted him on all counts, and he was sentenced to life with the possibility of parole. Zachery filed a notice of appeal, and the Supreme Judicial Court took the appeal on its own accord in May 2020.
EPIC has long argued that a warrant should be required under the Fourth Amendment and its state constitutional equivalents for government access to personal data, even if that data is held by third parties. EPIC has participated in important Supreme Court cases involving new technologies, like modern cellphones, arguing that the formidable data collection and widespread surveillance capabilities of these technologies require a departure from the outdated third-party doctrine. On the state level, EPIC helped the New Jersey Supreme Court recognize a legitimate expectation of privacy in cellphone-based location data, requiring the police to obtain a warrant before seeking such information. EPIC has also filed “friend of the court” briefs before the SJC on important privacy issues including improper warrantless searches. For example in Commonwealth v. Connolly, 454 Mass. 808 (2009), EPIC argued and the court agreed that sensitive location data obtained from GPS tracking devices requires a search warrant.