S.D.Ind.: IU’s CrimsonCard key card system has no REP in user movements

Indiana University’s CrimsonCard, a key card that tracks movement into University buildings and facilities, does not carry a reasonable expectation of privacy. This case arose from an investigation of a hazing incident, and the University was corroborating alleged alibis. There is also video surveillance around the campus. Gutterman v. Indiana University, 2021 U.S. Dist. LEXIS 165841 (S.D.Ind. Sept. 1, 2021):

The Court first considers Plaintiffs’ status and privacy expectations. Plaintiffs allege that they were students at IU when their Swipe Data was accessed, and when they became IU students, they received their CrimsonCards and had access to the CrimsonCard Terms and Conditions. The CrimsonCard itself states on the back that the user of the card accepts its terms and conditions, and that the card is the property of IU. [Filing No. 20 at 11.] The CrimsonCard Terms and Conditions state that the CrimsonCard is used “to verify [a student’s] identity and manage access to [IU] services and facilities.” [Filing No. 20-1 at 2.] Given that Plaintiffs were on notice that the CrimsonCard was used to access IU’s services and facilities, and that IU owned the card, it is not reasonable to conclude that Plaintiffs expected their use of the CrimsonCard – which, in turn, reflected which IU facilities and services they accessed – to be private. The Court finds that this is particularly true in today’s day and age, when Plaintiffs were likely carrying cell phones which also could be used to track their locations to some extent, and where cameras on buildings, traffic lights, and businesses were likely to capture many of Plaintiffs’ public movements. While the CrimsonCard does not explicitly state that Plaintiffs were agreeing to IU using the Swipe Data to verify their whereabouts at a specific point in time, Plaintiffs were certainly on notice that the CrimsonCard would reflect their movements to some degree.

As for the context in which the search occurred, Plaintiffs allege that IU retains “historical records” of Swipe Data, and “retained the [Swipe Data] for several months and used it to check the alibis of several students – including Plaintiffs.” [Filing No. 1 at 3-4.] But Plaintiffs only allege that Defendants accessed their personal Swipe Data for a limited time period, and for the purpose of checking Plaintiffs’ whereabouts at the time of the hazing incident for which the Beta Theta Pi house was ultimately disciplined. See Naperville Smart Meter Awareness, 900 F.3d at 528 (finding that collection of energy use data was a reasonable search and noting “[c]ritically, Naperville conducts the search with no prosecutorial intent. Employees of the city’s public utility – not law enforcement – collect and review the data”). Plaintiffs do not allege that IU used the Swipe Data to track their movements all around campus, or to track their locations for an extended period of time. The collection of Swipe Data is “far less invasive than the prototypical Fourth Amendment search of a home.” Id. Moreover, the limited nature of Defendants’ use of the Swipe Data, as alleged in the Complaint, indicates that the Swipe Data does not provide “an intimate window into [a student’s] life, revealing…his familial, political, professional, religious, and sexual associations” to the degree the United States Supreme Court has recognized as unreasonable. Carpenter v. U.S., 138 S.Ct. 2206, 2217 (2018). Finally, according to Plaintiffs’ own allegations, the Swipe Data was used to verify Plaintiffs’ whereabouts at the time of the alleged hazing incident, and “as freshmen pledges, [Plaintiffs] would have been far more likely to be the victims of any hazing activity, rather than the perpetrators.” [Filing No. 1 at 4.] 
In other words, as Plaintiffs allege, the Swipe Data was used to ensure Plaintiffs’ safety by confirming that Plaintiffs were not subjected to hazing – an interest the Court finds to be plainly legitimate. In short, the Court finds that, assuming a search occurred in the first instance, such a search was reasonable based on Plaintiffs’ status as IU students who agreed to the Terms and Conditions of the CrimsonCard, and based on IU’s limited, non-prosecutorial use of the Swipe Data to confirm that Plaintiffs were not present during a hazing incident. The Court GRANTS Defendants’ motion to Dismiss Plaintiffs’ constitutional claims against President Whitten to the extent that they seek prospective injunctive relief.

Remember that the students who plastered hate graffiti around a Maryland high school were ratted out by their cell phones connecting with the school wireless, noted here.
