Wi-Fi is Another Way We Can Be Tracked 24/7
Wireless internet has become essential to modern life, enabling us to use our smartphones, tablets, and laptops as we move about in the world. Easy internet connectivity that comes from having Wi-Fi access points spread through office buildings, transit systems, parks, businesses, college campuses, and city streets is a public good. But Wi-Fi networks also collect information about when and where our devices connect to them, information that can precisely reveal our locations and movements. This is revealing data that shouldn’t carelessly end up in the hands of police.
That is why today, the ACLU, along with the ACLU of Pennsylvania and the Electronic Frontier Foundation, filed a friend-of-the-court brief in the Pennsylvania Supreme Court explaining why warrantless police access to people’s Wi-Fi-derived location information violates the Fourth Amendment.
The case, Commonwealth v. Dunkins, involves a police investigation into a 2017 robbery of marijuana and cash from a student’s dorm room on a Pennsylvania college campus. After receiving a report of the robbery, police went to the college IT department and got a list of all smartphones and other devices that were connected to the 80-90 different Wi-Fi access points spread across the residence hall around the time of the robbery. Because those access points each have a small broadcast radius, knowing which Wi-Fi access point a phone was connected to provides precise information about where that phone was.
Using that information, the police identified several dozen students who were in the building at the time, and then narrowed down the list to three students who lived in other dormitories. Two of those students were women, and were excluded because the suspected robbers were described as male. Police focused on the remaining student, Dunkins, and requested information about all his Wi-Fi connections on campus during a five-hour period on the night of the robbery, a detailed account of his movements over time.
The Wi-Fi location information was essential evidence at trial, tying Dunkins to the scene of the robbery. But it’s not hard to see how invasive the searches were for other students as well. By learning that two women were in someone else’s dorm rooms in the wee hours of the morning, police could infer private information about where they were sleeping and with whom. That’s none of the government’s business.
That’s why the ACLU is arguing that this sensitive location data is protected by the Fourth Amendment. And we have powerful Supreme Court precedent behind us.
In 2018, in an ACLU case called Carpenter v. United States, the U.S. Supreme Court ruled that police need a warrant to request a person’s historical cell phone location information from their cellular service provider. We have argued in other cases, including in a brief we filed in another Pennsylvania case last week, that the rule in Carpenter should apply to real-time cell phone tracking, automated license plate reader databases, long-term surveillance of homes with pole cameras, pervasive aerial surveillance, and requests for sensitive digital medical information. Today, we are arguing that this protection should apply to Wi-Fi-derived location information as well. Like the location information at issue in Carpenter, the data created whenever a phone connects to a Wi-Fi access point paints a detailed picture of a person’s “privacies of life,” and therefore deserves Fourth Amendment protection.
The prosecution argues that because Carpenter involved location information spanning days and months about one particular suspect, the shorter-term data about many people in the Dunkins case should be unprotected. But even short-term location data can reveal deeply private information about where a person goes and what they do there. And requesting information about all people who were in a particular building at a particular time will almost certainly sweep in bystanders who had nothing to do with any crime, making the search dangerously overbroad. Here, for example, two non-resident female students and their hosts were caught in the net, illustrating the privacy interests at stake.
The implications of the Dunkins case extend far beyond privacy on college campuses. Cities across the country, from Boston to New York to El Paso, have built free municipal Wi-Fi networks spanning significant geographic areas. Comcast has deployed “millions of hotspots” as part of its Xfinity service. On many of these networks, after a person connects their device the first time, they will automatically connect and reconnect to any Wi-Fi access point that is within range, generating a great deal of location information going back weeks, or even years.
Like the cell phone location data in Carpenter, Wi-Fi location information is “detailed, encyclopedic, and effortlessly compiled.” As we explain to the Pennsylvania court, it is dangerous to allow police access to this information without probable cause, narrow tailoring, and judicial supervision — in other words, police should have to get a warrant. And the Fourth Amendment might never allow a request that sweeps in precise location information about many bystanders. This case provides an important opportunity to ensure strong protections for privacy in the digital age.