D.D.C.: No REP in Facebook posting tracking information

There is no reasonable expectation of privacy in the “tracking information” of underlying data in one’s social media accounts or time and location information of postings. Moreover, Facebook post tracking information is more voluntary and not fulltime tracking like CSLI under Carpenter. The tracking information put the defendant in the Capitol during the 1/6 insurrection. United States v. Bledsoe, 2022 U.S. Dist. LEXIS 150326 (D.D.C. Aug. 22, 2022):

2. Defendant Lacks a Reasonable Expectation of Privacy in the UGLI Data Disclosed by Facebook

Defendant attempts to stretch Carpenter’s narrow holding to cover the disclosed information at issue in this case, arguing that the government’s obtainment of non-content information identifying Facebook and Instagram accounts broadcasting video content of a highly public event from a particular place and during a specified time must be considered a Fourth Amendment search under Carpenter’s logic. To leverage Carpenter’s holding to reach the non-content information at issue, defendant, not the government, must establish Carpenter’s applicability. Rawlings v. Kentucky, 448 U.S. 98, 104 (1980) (“[Defendant], of course, bears the burden of proving … that he had a legitimate expectation of privacy ….”); United States v. Sheffield, 832 F.3d 296, 305 (D.C. Cir. 2016) (“[D]efendants always bear the burden of establishing that the government violated a privacy interest that was protected by the Fourth Amendment.”). At every turn, however, defendant fails to offer any factual support, and only sparse briefing, establishing how the requested information presents the same privacy concerns identified in Carpenter that rendered the third-party doctrine inapplicable to the CSLI records at issue in that case. As the burden of establishing a reasonable expectation of privacy in the social media account records requested by the government falls on defendant, these failures are fatal to his motion.

First, defendant does not dispute, nor even address, that he voluntarily conveyed to Facebook the information contained in Facebook’s disclosure to the FBI that he now seeks to suppress. Although Facebook’s voluntary disclosure to the government did not provide personal location data directly to the government, the disclosed User and Object IDs were derived from location records Facebook collects from a variety of user-generated activity. Facebook’s Data Policy informs users of how and when it collects information regarding account activity generated by users of its services. For example, it “collect[s] the content and other information [users] provide when [they] use [its] Services, including when [a user] sign[s] up for an account, create[s] or share[s], and message[s] or communicate[s] with others,” which includes “information in or about the content [the user] provide[s], such as the location of a photo or the date a file was created.” Gov’t’s Opp’n, Ex. B, Facebook Data Policy at 2, ECF No. 192-1. Additionally, “depending on the permissions” granted by the user, Facebook also collects “information from or about the computers, phones, or other devices where [users] install or access [its] Services,” such as “device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals” and “[c]onnection information such as … IP address[es].” Id.; see also Social Media Warrant Aff. ¶¶ 84-89 (discussing similar policies for Instagram).

Thus, unlike the CSLI data at issue in Carpenter, the only way that Facebook was able to determine when and where a user engaged in account activity on January 6, 2021, is by virtue of the user making an affirmative and voluntary choice to download the Facebook or Instagram application onto an electronic device, create an account on the Facebook or Instagram platform, and, critically, take no available steps to avoid disclosing his location, before purposefully initiating the activity of live-streaming or uploading a video of a highly public event, in a manner that occurs during the normal course of using Facebook as intended. Defendant has not identified a single instance where Facebook logs information concerning his account activity of posting any photo or video content on the Facebook platform without user action.

Not only has defendant failed to show the UGLI collected by Facebook is automatic and inescapable, but he has also failed to show that Facebook usage is essential to modern life. Defendant has not attempted to place into the record any evidence establishing that Facebook “and the services [it] provide[s] are ‘such a pervasive and insistent part of daily life’ that [using] [its social media platform] is indispensable to participation in a modern society.” Carpenter, 138 S. Ct. at 2220 (quoting Riley v. California, 573 U.S. 373, 385 (2014)).

Calling the location information embedded in and associated with, even incidentally, user-generated and posted content “UGLI data,” is not just effective word play. The acronym accurately reflects the inherent and critical difference between the CSLI records in Carpenter and the account-usage information disclosed here: the information at issue here is affirmatively and voluntarily generated by the user, not automatically and unavoidably created simply by powering up a cell phone. The volitional aspect of the UGLI data at issue in this case “places the conduct into the heartland of the third-party doctrine recognized in Smith and Miller.” Gov’t’s Opp’n at 8; see United States v. Cox, 465 F. Supp. 3d 854, 857 (N.D. Ind. 2020) (“Decisions post-Carpenter have noted the volitional aspect of IP address collection as a key point of distinction from CSLI.”); United States v. Kidd, 394 F. Supp. 3d 357, 366 (S.D.N.Y. 2019) (holding that in order for a defendant to meet his burden of showing a reasonable expectation of privacy in application data linked to a defendant’s cell phone, he must establish that “his cell phone [] passively generates [the app activity records] for [the app] to collect in a way similar to CSLI”); Sanchez v. Los Angeles Dep’t of Transp., 39 F.4th 548, 559 (9th Cir. 2022) (distinguishing location data collected by application where the user “affirmatively chose to disclose location data” to the app provider each time he used its services, in particular because the user agreed to the app’s privacy policies which expressly stated that the location data would be collected by the provider and shared with government authorities); Trader, 981 F.3d at 968 (noting that every circuit to consider the question pre- and post-Carpenter has held that subscriber information disclosed during ordinary use of the internet, including IP addresses, falls within the third-party doctrine); id. (collecting cases); cf. Carpenter, 138 S. Ct. at 2220 (noting that the voluntary-exposure rationale of the third-party doctrine did not “hold up when it comes to CSLI”). Much like the disclosure of deposit slips in Miller, showing that a customer utilizing the bank’s services deposited money into an account at a particular bank location on a particular date, defendant, having “voluntarily conveyed” information regarding user-generated account activity, i.e., a video of a highly public event either live-streamed from or uploaded to his Facebook account during the ordinary course of using Facebook’s services, cannot assert a reasonable expectation of privacy in Facebook’s disclosure of that information to the government. Defendant has failed to show that Facebook’s disclosure does not fall within the ambit of the third-party doctrine.

This entry was posted in GPS / Tracking Data, Social media warrants. Bookmark the permalink.

Comments are closed.