GEOINT Law & Policy: A Poorly Mapped Frontier

Each year, the reach of our electronic senses extends further beyond that of our physical senses—and the law isn’t keeping up. The resulting gap between what geospatial intelligence (GEOINT) can achieve and what the law prohibits isn’t uniform either. While federal lawmakers stall, many state legislatures are passing restrictions of their own—and actions by the European Union and the developers of mobile app platforms are establishing additional limits. In short, with no map to follow, geospatial law and policy is proving increasingly difficult to navigate.

Lost About Location Data

“The law is many steps behind,” said Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation. And that’s especially the case, she added, in the realm of geo-location.

Instead of broad federal standards, the United States has laws that predate the concept of GEOINT by decades, plus more recent court rulings that don’t always offer much guidance.

Telecommunications carriers have long been prohibited by section 222 of the Communications Act of 1934 from selling proprietary customer information, a provision that clearly covers location history.

No such law, however, covers the commercial use of location data collected by a smartphone’s operating system or apps.

Law enforcement agencies, meanwhile, are free to request location history without a warrant under the “third-party doctrine” which says once customers provide such data to a company, the authorities no longer need to secure their permission to search that information.

If you build the toll road, you get to decide what the toll gate looks like, what the road is made of, and how fast people get to drive. And that is going to impact innovation.
— Gerry Stegmaier, ReedSmith

The closest the Supreme Court has come to visiting this issue came in 2012, when Justice Sonia Sotomayor wrote in a concurring opinion that location data offers “such a substantial quantum of intimate information about any person” that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”

But the case at stake, U.S. v. Jones, covered a much more aggressive form of location tracking: Police surreptitiously attached a Global Positioning System tracker to a suspect’s vehicle for months.

It’s taken another six years for the court to deal directly with access to location history. In Carpenter v. U.S., a ruling as to whether police violated a suspect’s rights by acquiring 127 days of his cellphone location data without securing a warrant will come sometime before the end of June. (Editor’s Note: This article was filed before the Carpenter verdict. Click here to read about the court’s decision)

Some States Go Their Own Way

Meanwhile, location data keeps advancing—even the crudest sort derived by calculating a phone’s position based on signals from nearby cell towers.

“A cell tower might have been five miles from you,” Lynch said. “But now if you go to a city, there are so many towers, the technology can place you in front of a building.”

The discovery in May that LocationSmart, a geo-data aggregator in Carlsbad, Calif., had not only been purchasing cell-site data but inadvertently leaking it via a bug on its site dramatized the risks of this rising tide of cell-site information.

• Interested in learning more about GEOINT Law and Policy? Get involved with USGIF’s Geospatial and Remote Sensing Law Working Group! Email GRSLWG@usgif.org.

Smartphone-based techniques can be far more precise. At its I/O developer conference in May, Google showed how its software will be able to geo-locate a user within a meter or two, indoors and out, by referencing precise time stamps from compatible WiFi access points or matching a phone camera’s view with the company’s enormous Street View database.

Congress doesn’t have to wait on the Supreme Court to set limits on law enforcement use of this data, but it has chosen to do so—the legislative branch has spent nearly a decade failing to pass any reform to the outdated Electronics Communications Privacy Act of 1986.

As a result, some states have grown tired of waiting. In 2013, Montana enacted a law requiring law enforcement to obtain a search warrant before requesting a suspect’s location history. Three years later, California followed suit.

“I think we will continue to see more movement at the state level. This Congress can’t seem to pass anything, and certainly not anything related to privacy,” Lynch said.

The Camera Eye

In addition to location information, remote sensing data has also marched well past existing legal norms.

When satellite and aerial imagery amounted to photography from a few hundred feet or miles up, there was little to worry about—nothing personal was visible.

“Those sorts of uses of geographic data don’t raise any privacy concerns because they’re not being associated with individuals,” explained Kurt Wimmer, a partner with Covington & Burling LLP in Washington, D.C.

But cameras have grown smaller, sharper, and more widespread. And in some situations, courts have held that there’s such a thing as too close. In 2001, the Supreme Court ruled in Kyllo v. U.S. that police use of an infrared camera from the street to peer inside a house’s walls constituted an illegal search.  

Similarly, courts have allowed law enforcement use of aerial surveillance because flight safety principles alone ensure any such flights occur well above an individual’s backyard—at least 400 feet away.

A set of 1980s Supreme Court rulings on helicopter-based surveillance permitted that practice but offer little insight on drone use; Lynch described them as “really bad case law” in the context of unmanned aerial vehicles.

In one of those older rulings, Florida v. Riley, however, Justice Sandra Day O’Connor wrote a prescient concurring opinion: “Imagine a helicopter capable of hovering just above an enclosed courtyard or patio without generating any noise, wind, or dust at all—and, for good measure, without posing any threat of injury.”

Today, cameras can also document the threshold of a private residence from a motor vehicle—as Google’s Street View photography demonstrates.

Since roads and sidewalks are public thoroughfares, there hasn’t been much debate surrounding Google’s right to collect these images. In 2010, Google agreed to pay a token settlement of one dollar to two Pennsylvania homeowners—but only because its Street View car went down their driveway.

Not long after launching Street View in 2008, however, Google began blurring out faces and license plates in Street View.

“Initially they didn’t blur out anything,” said Gerry Stegmaier, a partner with ReedSmith in Washington, D.C., whose then-employer Wilson Sonsini Goodrich and Rosati has long represented Google. But, he added, most of the credit for this move comes from outside the U.S. “The real pressure came from Europe, and it was just easier to have it work one way.”

The real driver has been the Apple and Android developer terms, which require true opt-in consent prior to collection of specific geo-location data.
— Kurt Wimmer, Covington & Burling LLP

A decade later, automatic license plate readers have become commonplace tools for police departments—but laws governing their use are not. In April, Virginia’s Supreme Court suggested in a ruling that while merely recording a plate number in a database could be permissible under state laws, the actual images collected “of the vehicle, its license plate, and the vehicle’s immediate surroundings” required a lower court to revisit an earlier ruling approving the Fairfax County police department’s use of this technology.

It remains rare for a company or government to work upfront to minimize the personal data harvested from public sensors. But in Toronto, Google’s Sidewalk Labs smart-city project—an ambitious plan to transform a section of the city’s waterfront—is championing the principle of data minimization.

“Our goal has been to ensure that any data that are collected from sensors or IoT or whatever are de-identified at source,” said Ann Cavoukian, a Google Sidewalk advisor and former Ontario privacy commissioner, in May at a conference in Toronto. She added this would, “render the risk of re-identification to less than .03 percent.”

Outside Factors: Apple and Google’s Rules and EU Regulations

In the absence of clear guidance from federal or state laws, other stakeholders can influence the use of geospatial data. In particular, the rules of Apple’s App Store and Google’s Play Store might as well be the law when it comes to mobile apps.

“For the more routine types of geo-location data that we’re all familiar with, the real driver has been the Apple and Android developer terms, which require true opt-in consent prior to collection of specific geo-location data,” said Wimmer. “Because this data is far more valuable on devices that are running iOS or Android, the gatekeeping function of these operating systems has been the ‘law’ that has created a prior consent requirement.”

In May, for instance, Apple removed a round of applications from its App Store—a death sentence for the app providers since iPhones allow no other way for customers to install these apps—because they shared location data with third parties without first acquiring user permission.

As Stegmaier put it: “If you build the toll road, you get to decide what the toll gate looks like, what the road is made of, and how fast people get to drive. And that is going to impact innovation.”

Across the Atlantic, the European Union’s General Data Protection Regulation (GDPR), a sweeping bundle of restrictions on corporate use of data, may compel further changes in U.S. apps that deal in geo-location data. As Google found with Street View, it’s often easier to maintain the same set of features worldwide.

What’s Next?

Privacy advocates point to the advent of facial recognition technology as the most alarming application of sensors to identify and track people—dubbing the technology far more intrusive than using cameras to spot license plates on a car that could be driven by any of a few people in a household.

“Facial recognition allows for the identification of individuals without their consent,” said Jeramie D. Scott, national security counsel at the Electronic Privacy Information Center, adding that this “poses a special risk to the [U.S.] First Amendment rights of free association and free expression.”

But technology vendors are moving quickly to build this feature into law enforcement gear—both because such U.S. agencies as the Department of Homeland Security want to deploy it in airports and at borders, and because countries such as Russia and China are even more keen on applying this technology.

When these facial recognition cameras operate in public, opting out becomes tricky if you don’t want to look like you’re about to rob a bank. As Scott observed, “Participation in society generally involves exposing one’s face.”

Lynch voiced a wish for more transparency. EFF and others support state laws requiring, as she said, “that all of the purchasing be conducted out in the open, and that law enforcement agencies have strict auditing requirements and reporting requirements.”

Maybe enough states will step in. Maybe the Supreme Court will counteract Congressional inertia. Maybe the next Congress will change course—with some tech-industry leaders like Salesforce CEO Marc Benioff now calling for a U.S. equivalent of the GDPR, the political climate is changing.

But without thoughtful and concerted oversight at the federal level, the risk for the entire U.S. is the same as for individual users who install a new location tracking app on their smartphones: Putting a technology into service first and asking questions later can lead down paths without a U-turn.