In Carpenter v. United States, the Supreme Court announced that seven days’ worth of historical cell-site location information (CSLI) was a “search” within the meaning of the Fourth Amendment. Scholars and lawyers have argued that this holding reflected the “mosaic theory” of the Fourth Amendment—considering a series of governmental actions in aggregate when evaluating whether a search occurred. But this argument does not capture the full picture. This Note posits that the Supreme Court’s decision in Carpenter reflected a new approach to the mosaic theory. A close reading of Carpenter, when compared to United States v. Jones, shows that the Court focused on the nature of information that CSLI conveys prior to considering the amount gathered in the case. Carpenter’s new mosaic theory has two steps—whether the data, when aggregated, has the potential to violate a reasonable expectation of privacy, then whether the information obtained in the present case did so.
This Note surveys post-Carpenter decisions in federal and state courts, finding that Carpenter’s focus on the nature of information obtained has been adopted by many lower courts. Through this analysis, this Note concludes that Carpenter’s two-step mosaic theory is an improvement on Jones’s one-step approach. The two-step approach allows lower courts to draw bright lines based on the type of data involved. Additionally, the two-step mosaic theory provides a doctrinal means to base Fourth Amendment search inquiries on the nature of the information acquired, rather than the amount obtained.
The Supreme Court’s decision in Carpenter v. United States [1] heralded a new age of Fourth Amendment doctrine. Professor Orin Kerr, for instance, termed it a “blockbuster” decision. [2] Professor Rachel Levinson-Waldman called it a “landmark privacy case.” [3] Professor Paul Ohm argued that it is “likely to guide the evolution of constitutional privacy in this country for a generation or more.” [4] And Carpenter indeed opened up a new avenue for Fourth Amendment analysis of digital data. Prior to Carpenter, the Court had adopted a sequential approach to assessing digital data. Courts considered government actions individually when evaluating whether conduct was a “search” within the meaning of the Fourth Amendment. But the majority in Carpenter rejected that approach. Seven days’ worth of records of historical cell-site location information (CSLI), when considered in aggregate, qualified as a search because it violated a person’s “legitimate expectation of privacy in the record of his physical movements.” [5]
Carpenter’s shift has led to confusion about the place of the “mosaic theory” in Fourth Amendment doctrine. As Professor Kerr defines the concept, the mosaic theory asks “whether a series of acts that are not searches in isolation amount to a search when considered as a group.” [6] In Carpenter, the Court seemed to accept the mosaic theory by considering the data presented as a group. [7] But, at the same time, the Court appeared to reject the mosaic theory: “[W]e need not decide whether there is a limited period for which the Government may obtain an individual’s historical CSLI free from Fourth Amendment scrutiny, and if so, how long that period might be.” [8]
This Note argues that Carpenter did invoke the mosaic theory in its reasoning but added a step to the process. Pre-Carpenter decisions considered the mosaic theory as part of a single multifactor test: Did the information in the present case, when aggregated, violate a reasonable expectation of privacy? The concurrences in Jones reflected this approach, setting the inquiry against the facts of the case—28 days of GPS tracking data. The new mosaic theory has two steps: (1) Does the information obtained, when aggregated, have the potential to violate a reasonable expectation of privacy? (2) Did the information in the present case do so? This reading stems from the majority decision in Carpenter, which considered the potential of what historical CSLI could reveal prior to applying the facts of the case.
This distinction may assist lower courts in applying Carpenter. A survey of lower court decisions reveals a wide array of challenges to digital surveillance in the post-Carpenter era. [9] Courts have adopted varying approaches—some use the Jones model of a single multifactor test, [10] but others have echoed Carpenter and elevated the nature of information obtained to be a dispositive factor. [11] This Note argues that the latter approach is preferable. Prioritizing the nature of information obtained allows courts to draw meaningful lines around the Fourth Amendment’s search requirement, rather than creating arbitrary lines based on the duration of the surveillance in any individual case. Drawing these bright lines would aid both citizens (by allowing the threshold for a search to modulate as technology changes) and law enforcement (by giving notice as to when search warrants are necessary).
This Note begins, in Part I, by examining the mosaic theory’s place in Fourth Amendment doctrine and the “reasonable expectation of privacy” test from Katz v. United States. [12] It continues to define the mosaic theory, discuss criticisms of the mosaic theory, and distinguish between the one-step and two-step approaches. Part II surveys lower court decisions since Carpenter in light of the two mosaic theories. It groups cases by the type of data obtained and suggests that many courts consider aggregated data’s potential to violate a reasonable expectation of privacy when conducting a Katz analysis. This Note concludes by discussing the implications of the two-step mosaic theory. It posits that the two-step approach produces a more effective common law system by requiring lower courts to discuss why they believe a type of data should or should not be private. Finally, it argues that the two-step mosaic theory could serve as a transition to a broader standard based on the type of information obtained by police.
For the Fourth Amendment to apply, a government action must be a “search” or “seizure.” [13] Though the doctrine originally focused on physical intrusion into protected spaces, it evolved into a test based on a person’s “reasonable expectation of privacy.” Justice Harlan provides the best explanation of this test in his concurrence in Katz v. United States: If a person has a subjective expectation of privacy that society is prepared to recognize as reasonable, then an action violating that expectation is a search. [14] Some later cases have shortened this test—if government action violates a person’s reasonable expectation of privacy, it is a search. [15]
The key dispute in the expectation-of-privacy test is what makes an expectation “reasonable.” [16] The Supreme Court has never explained which factors should be considered. [17] In some cases, it asks if it is likely that a person or place would be observed or investigated. [18] In another line of cases, the Court asks if the nature of the information obtained is particularly private or personal. [19] In a third set, the Court asks if another source of law prohibited the government’s conduct. [20] And in a fourth set, the Court weighs normative arguments and bases its holding on policy grounds. [21] But the Court often modulates between these rationales, and lower courts have operated similarly. [22]
Because expectations of privacy can change over time, courts have struggled with applying the Katz standard in novel contexts—especially with respect to digital data. After all, public and private actors can now monitor us “in ways that once seemed like science fiction.” [23] Traditionally, courts used a sequential approach to analyze Fourth Amendment issues. [24] Whether a search occurred depends on a “frame-by-frame dissection” of the facts. [25] If an action in any of those frames violated a reasonable expectation of privacy, a search occurred at the moment that the action exposed information. [26] If police opened a door to enter an apartment, moved a couch, and flipped the couch over, each of those three actions would have to be analyzed under the Katz standard.
Government access to digital data challenged the sequential approach. The sequential approach works when discrete steps are involved—opening a door, moving a stereo, entering a backyard. But digital data is made up of small bits of information, which on their own may not convey significant information. Enter the mosaic theory. The mosaic theory suggests that “a series of acts that are not searches in isolation amount to a search when considered as a group.” [27] One court has termed it an aggregation principle for technological surveillance. [28] As the analogy goes, “the color of a single stone depicts little, but by stepping back one can see a complete mosaic.” [29]
The mosaic theory originated in United States v. Jones, [30] a case about tracking a suspect with a GPS device for twenty-eight days. [31] Writing for a four-Justice concurrence, Justice Alito incorporated the amount of data as a factor in the Katz standard. He drew a line between short-term and long-term monitoring of someone driving in public. [32] Society would not expect that police would “secretly monitor and catalogue every single movement” of a car for “a very long period.” [33] Similarly, Justice Sotomayor argued the Court should consider whether an expectation of privacy existed “in the sum of one’s public movements.” [34] Both of these concurrences argued for considering the GPS data in aggregate when applying the Katz test.
The Supreme Court applied the mosaic theory to a different kind of data in Carpenter v. United States. [35] Carpenter concerned historical cell-site location information (CSLI)—data indicating that a cell phone connected to a certain cell tower at a certain time. [36] Police had acquired 12,898 location points cataloguing the defendant’s movements. [37] The Supreme Court held that this action was a search. [38] It focused on the nature of the information obtained—“the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.” [39] Similarly, it rejected the argument that the third-party doctrine applied to the case. [40] The court reasoned that Smith and Miller required examining the “nature of the particular documents” law enforcement accessed. [41] Because CSLI revealed location information, and revealed it involuntarily, the Court held that the third-party doctrine should not apply. [42] However, the Court cabined its holding to historical CSLI, refusing to evaluate real-time CSLI, “tower dumps,” [43] or “conventional surveillance techniques and tools,” like security cameras. [44] Moreover, the Court declined to answer if acquiring a limited period of historical CSLI would be a search. [45] For the Court, seven days of CSLI was sufficient to violate a reasonable expectation of privacy.
The mosaic theory has faced criticism by both courts and scholars. [46] The most prominent criticisms key in on practical concerns: (1) the scope of the theory’s aggregation principle and (2) the theory’s requirement of case-by-case analysis. First, underlying the mosaic theory is an aggregation principle—data should be considered as an aggregated whole rather than piecemeal. [47] But this premise requires courts to draw lines it may not be equipped to do. [48] Should a court aggregate only one’s individual data? What if the surveillance gathers other peoples’ data as well? [49] Should a court aggregate data even if it is not continuous? [50] Or even if the data is spread across multiple types of surveillance? [51] Most importantly, what is the amount of data that violates a reasonable expectation of privacy? [52] As one court put it, drawing these lines is “arbitrary and unrelated to a reasonable expectation of privacy.” [53]
Second, the mosaic theory would require case-by-case analysis—did the amount of data in the present case violate a reasonable expectation of privacy? [54] The sequential approach is categorical—conduct is either always or never a search. [55] Conversely, the mosaic theory requires courts to evaluate each case individually. This requirement puts law enforcement in a bind. Say that an officer wants to query a database. Under the mosaic theory, officers can only know if they needed a warrant until after they already conducted a warrantless search. [56] It requires officers to make uninformed ex ante judgments about how a court will view the facts ex post.
Scholars have proposed alternatives to the mosaic theory that remedy these problems. Professors Gray and Citron argue that courts should focus on “how information is gathered,” not “how much information is gathered in a particular case.” [57] In their view, the threshold question should be whether an investigative technology “has the capacity to facilitate broad programs of indiscriminate surveillance” that could “raise the specter of a surveillance state” if left to the government. [58] Factors would include: (1) the technology’s surveillance capabilities, (2) the technology’s scale, and (3) the costs of deploying and using the technology. [59] This standard would be categorical—if the technology had the capability to indiscriminately surveil, then using it would be a search. [60]
Professor Kerr makes a similar proposal, which he terms the “Source Rule.” [61] Whether accessing information is a search should be dependent on the “use of a technology that Carpenter covers.” [62] If law enforcement “learned any fact sourced from any Carpenter-covered record, then that information transfer is a search.” [63] Three factors would make data protected under Carpenter: (1) it could not be collected in a pre-digital age, (2) it is created without one’s “meaningful voluntary choice,” and (3) it tends to reveal “an intimate portrait of a person’s life.” [64] This standard would also be categorical—if the data is protected under Carpenter, then revealing the data would be a search. [65]
In Carpenter, the Court adopted a standard that incorporates these criticisms while adhering to past precedent. The term “mosaic theory” refers to two different standards—a one-step and two-step version of the same concept. The one-step mosaic theory reflects the approaches of Justices Alito and Sotomayor in Jones. Whether a government action is a search depends on the nature of information obtained in the present case, which includes amount as a factor. [66] A court should consider multiple factors in its analysis and evaluate new technologies on the facts of the case before it. [67]
Carpenter reflects a different version of the mosaic theory—one in which the type of information obtained is a dispositive factor. The new mosaic theory has two steps: (1) Does the data, in aggregate, have the potential to violate a reasonable expectation of privacy by revealing the “privacies of life?” [68] (2) Did the amount of data obtained in the present case do so?
This two-step mosaic theory stems from a close reading of Carpenter. The majority reasoned that acquiring historical CSLI could violate a reasonable expectation of privacy because of the information it provides:
As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his “familial, political, professional, religious, and sexual associations.” . . . . These location records “hold for many Americans the ‘privacies of life.’” [69]
This language accords with the Supreme Court’s focus—from Riley and Jones—on limiting government access to data revealing “associational freedoms and intimate facts.” [70] But Chief Justice Roberts considered the information that historical CSLI could reveal when aggregated. “Mapping a cell phone’s location over the course of 127 days” reveals an “all-encompassing record” of one’s locations. [71] It is this data—collectively—that provides an “intimate window” into one’s life. [72]
The Supreme Court considered the facts of the case only after determining that accessing historical CSLI could violate a reasonable expectation of privacy. It asserted that it “need not decide whether there is a limited period for which” acquiring historical CSLI would not be a search, nor “how long that period might be.” [73] The Court established that accessing historical CSLI could be a search—all that remained was to apply the facts of the present case. This approach errs on the side of dispute resolution rather than law declaration; but, then again, most of Fourth Amendment doctrine does so as well. [74]
Carpenter essentially added a step to the Supreme Court’s use of the “private facts” model. Several Supreme Court cases have focused on the “information the government collects,” and consider whether the nature of that information is so private to be “worthy of constitutional protection.” [75] Professor Kerr terms this approach the private facts model. [76] For example, in Dow Chemical Co. v. United States, [77] taking photographs of a chemical plant was not a search because it was “not so revealing of intimate details as to raise constitutional concerns.” [78] Or consider United States v. Karo, which held monitoring a GPS beeper was a search because it revealed information about the interior of a private home. [79] Carpenter indicated that courts should consider the character of information that data could convey in aggregate. [80] And it added the second step to the inquiry—that courts should consider the amount of information only after considering that information’s nature.
Lower courts rarely distinguish the one- and two-step mosaic theories, but many continue to apply the theory itself. Some courts retain the old mosaic theory’s one-step procedure—considering the nature of the information through the facts before the court. But many courts have adopted the new mosaic theory’s two-step inquiry—considering the nature of the information, in aggregate, then applying the facts of the case. This Note now turns to analysis of these decisions.
Distinguishing between the one-step and two-step mosaic theories is important because they lead lower courts to focus on different forms of reasoning. Katz provided a multifactor standard; but by considering the amount of information gathered as part of this standard, courts miss Carpenter’s focus on the nature of information conveyed. Further, distinguishing these two theories would help courts determine how to apply Carpenter. As of March 26, 2021, only fifteen Fourth Amendment cases since Carpenter have used the word “mosaic.” [81] And confusion continues regarding what the term “mosaic theory” actually means. [82]
This Part synthesizes Carpenter’s reasoning with lower court cases that have applied it over the past two years. It surveys the types of surveillance that litigants have challenged under Carpenter: (1) cell-site location information (CSLI), (2) cell-site simulator data, (3) GPS location data, (4) automated license plate reader (ALPR) databases, (5) pole cameras and long-term video surveillance, and (6) internet protocol (IP) address data. This Part explains the salient factors for each type of surveillance and predicts how a court applying the new mosaic theory would treat each type. And overall, this Part shows that courts have shifted from Jones’s one-step mosaic theory toward Carpenter’s two-step approach.
Whenever a cell phone connects to a cell tower, it creates a time-stamped record known as cell-site location information (CSLI). [83] Historical CSLI refers to large amounts of CSLI records kept in databases. Officers can request these records for specific cell towers for a range of dates. [84] These records allow officers to connect people to certain locations at certain times. After all, people “compulsively carry cell phones with them all the time.” [85]
Historical CSLI is likely a search under the two-step mosaic theory. Carpenter established that historical CSLI could violate a reasonable expectation of privacy. Historical CSLI can track people over long periods of time, give information about constitutionally protected places (like churches, homes, and offices), and be produced without the cell phone user realizing it. No surprise that the Court focused on these factors, then—historical CSLI’s “depth, breadth, and comprehensive reach” and its “inescapable and automatic” collection. [86] Whether a search occurred would depend on the facts of the case, but seven days apparently reveals enough to reach this invasive potential. [87] Courts have generally dismissed these challenges under the good-faith exception to the exclusionary rule. [88] Some simply apply Carpenter when the CSLI covers more than seven days. [89]
Under the one-step mosaic theory, a court would have to consider when aggregated CSLI changes character. For example, in People v. Edwards, [90] the court considered the nature of aggregated CSLI with the amount of data incorporated as a factor. In its view, long-term CSLI data is “the modern day electronic equivalent of sending a government spy out to follow the defendant.” [91] Short-term CSLI data “is like taking a single snapshot of that person on the street.” [92] Because two days of data fit in the short-term CSLI bucket, acquiring the data was not a search. [93] Conversely, People v. Simpson [94] accepted Carpenter’s holding that historical CSLI could violate a reasonable expectation of privacy. [95] Since the difference between three days and seven days of CSLI was de minimis, acquiring three days’ worth was a search requiring a warrant. [96] The Edwards court drew a line at how much data to aggregate; but the Simpson court considered historical CSLI in aggregate when evaluating its nature. [97]
Real-time CSLI refers to tracking a suspect in real time by using their cell phone. One method is to triangulate the cell phone’s location using the nearest cellular towers. [98] Alternatively, officers can signal a suspect’s cell phone (termed a “ping”), to which the cell phone responds with its location information. [99] In Carpenter, the Court expressly declined to rule on real-time CSLI. [100] But real-time CSLI can track individuals into private locations, and long-term tracking could likely reveal one’s “political and religious beliefs,” among other private information. [101] So, under the two-step mosaic theory, it would seem likely that real-time CSLI could violate a reasonable expectation of privacy. [102]
However, lower courts have split over how to evaluate real-time CSLI. In Sims v. State, [103] the court did hold that aggregated real-time CSLI could violate a reasonable expectation of privacy. [104] It reasoned that real-time CSLI records “show location information” and “are generated solely at the behest of law enforcement.” [105] The court then moved to the second step of the new mosaic theory. Because the case concerned “less than three hours” of real-time CSLI, the court held that the information aggregated did not meet this threshold. [106] State v. Muhammad contains similar analysis at the first step but rejected the second step of Carpenter altogether. The court first noted that real-time CSLI can “generate a comprehensive record of a person’s public movements” reflecting a “wealth of detail” about her personal life. [107] However, the Muhammad court rejected the second step of the new mosaic theory—in the court’s view, case-by-case analysis would create “practical problems” because “[t]here is no rational point to draw the line” of how much data is too much. [108] Thus, the court held that accessing real-time CSLI was a search, categorically. [109]
A “tower dump” is a one-time download of information for the devices that connected to a cell tower during a particular interval. [110] Tower dump CSLI differs from historical and real-time CSLI because a tower dump collects data for all users within the radius, not one user specifically. In one FBI investigation, for example, a series of tower dumps produced more than 150,000 registered cell phone numbers. [111] Tower dump requests are fast becoming a part of the law enforcement toolbox, [112] potentially because Carpenter expressly declined to hold whether accessing tower dump data is a search. [113]
Tower dumps highlight the difference between Carpenter’s two-step mosaic inquiry and the old one-step mosaic inquiry. Individually, tower dumps might not reveal enough about one’s life to violate a reasonable expectation of privacy. As the court in United States v. Walker [114] reasoned, tower dumps “capture [CSLI] for a particular place at a limited time.” [115] And they are akin to “conventional surveillance techniques . . . which capture data from every individual” in the relevant area. [116] So, because tower dump CSLI does not implicate “the whole of [an individual’s] physical movements,” the court in Walker held that no search had occurred. [117]
Under Carpenter, however, the question is whether the information obtained could violate a reasonable expectation of privacy in aggregate. Tower dump CSLI, when aggregated across multiple tower dumps, could reveal an individual’s location just as historical CSLI does. [118] Moreover, tower dumps can reveal information from within constitutionally protected places—like a cell tower close to a defendant’s private residence. [119] To be sure, Carpenter’s two-step mosaic theory might produce the same result as in Walker, depending on how many tower dumps occurred. But the one-step mosaic theory fails to consider tower dump CSLI in aggregate. And in doing so, the one-step mosaic theory misrepresents the investigative potential of the technology.
A cell-site simulator—sometimes called a “Stingray,” “Hailstorm,” or “TriggerFish”—is “a device that locates cell phones by mimicking the service provider’s cell tower (or ‘cell-site’) and forcing cell phones to transmit ‘pings’ to the simulator.” [120] Federal and local law enforcement use cell-site simulators indiscriminately in investigations from violent felonies to low-level crimes. [121] The Katz inquiry rarely comes up in cell-site simulator cases, perhaps because government agencies tend to get a warrant before using the device. [122]
Cell-site simulators share characteristics with tower dumps. Both receive data from a collective group of people at a single moment. Considering this location data collectively is irrelevant in a Fourth Amendment analysis—what matters is how the surveillance affected the individual defendant. But cell-site simulators still have intrusive characteristics. They can obtain individuals’ locations through data that cell phones passively generate. Additionally, cell-site simulators can gather information about constitutionally protected places, like homes and places of worship. Courts have found arguments based on these characteristics persuasive. [123] For example, the court in State v. Sylvestre [124] held that using cell-site simulators is always a search. [125] It focused on the invasiveness of a cell-site simulator compared to historical CSLI, especially because cell phones can enter into “private residence[s]” and “other potentially revealing locales.” [126] Even if the court did not consider the mosaic theory in its analysis, the Sylvestre court’s focus on the nature of information obtained reflects Carpenter’s two-step approach.
GPS tracking devices have been around for decades—from the primitive GPS beeper in Knotts and Karo to the sophisticated version in Jones. [127] As the concurrences in Jones noted, GPS tracking devices provide detailed location information about an individual over a span of time. [128] Lower courts have applied Carpenter to GPS data under both versions of the mosaic theory. In United States v. Diggs, [129] tracking the defendant “over the course of a month” was a search because of the “duration and level of the GPS data” in the specific case. [130] And in Kinslow v. State, [131] a state court found the use of a GPS tracker not to be a search because the tracking “lasted only approximately six hours” and because GPS data “[does] not provide an intimate window into a person’s life.” [132] In both these cases, the courts incorporated case facts when evaluating the nature of GPS location data.
United States v. Howard adopted the two-step mosaic inquiry, though, despite stating that its conclusion “[did] not rest on the mosaic theory.” [133] Accessing GPS location data, the court reasoned, was not intrusive enough to violate a reasonable expectation of privacy. GPS location data does not allow police to “reconstruct a person’s movements,” nor does it follow people “into homes and other constitutionally protected spaces.” [134] In addition to considering the overall nature of GPS data, the court evaluated the amount of data collected. [135] But its analysis of the nature of GPS data reflects the two-step mosaic theory—what the aggregated data could reveal when accessed.
ALPRs are video cameras connected to a central database that log the license plates in their field of vision, as well as the location, date, and time. [136] Because they can capture this time-stamped location information, ALPRs would seem analogous to the government’s access of historical CSLI from Carpenter. ALPRs do only reveal information about people driving on public roadways. But enough ALPR data points could reveal patterns that become an “intimate window” into an individual’s life. [137]
One group of cases has adopted the one-step mosaic inquiry—the amount of data is a factor when considering the nature of the information obtained. The court in Chaney v. City of Albany [138] held that using “fixed cameras” that “indiscriminately recorded 24-hours a day” was not a search. [139] This specific use captured only information about people “traveling on public roads,” and people have no reasonable expectation of privacy in this public space. [140] Similarly, the opinion in Uhunmwangho v. State [141] used the case facts to define the nature of the information obtained. Because police had retrieved “a single photograph” of the defendant “driving on a public roadway,” the case did not raise the privacy concerns of Carpenter. [142]
Another line of cases has applied the two-step mosaic theory to ALPRs. Take United States v. Yang, [143] in which police queried an ALPR database to find a fugitive. [144] Though a Ninth Circuit panel declined to hold this query a search on standing grounds, Judge Carlos Bea wrote a concurrence reflecting the two-step mosaic theory. [145] ALPRs “may in time present many of the same issues” as in Carpenter, Judge Bea reasoned, as they can “effortlessly, and automatically, create voluminous databases of vehicle location information.” [146] But even though ALPRs could violate a reasonable expectation of privacy, they did not do so in the present case—the database query “did not reveal the whole, or even any, of [the defendant’s] physical movements.” [147]
Commonwealth v. McCarthy also embraced the two-step mosaic inquiry of Carpenter. In the McCarthy court’s view, “[a] detailed account of a person’s movements, drawn from electronic surveillance,” could violate a reasonable expectation of privacy because “the whole reveals far more than the sum of its parts.” [148] If an ALPR system had “enough cameras in enough locations,” then accessing it could be a search. [149] After establishing that the nature of ALPR data could violate the Katz standard, the court then turned to the facts of the case. Because the record indicated there were only “four cameras at fixed locations on the ends of two bridges”—basically, telling police when people entered or left Cape Cod—the court held that accessing this data was not a search. [150]
Carpenter has also led to challenges to long-term video surveillance. Specifically, pole cameras—fixed video cameras that police attach to utility poles. Pole cameras can record video continuously, can zoom, pan, and tilt, and can be operated remotely. [151] And they are not limited to surveillance of specific persons. Cities have begun creating video surveillance systems for public spaces as well. [152] Challenges to pole-camera surveillance reflect concerns over new video technology—drone cameras, [153] facial-recognition technology, [154] and software that can analyze “volumes of video that would otherwise be impossible.” [155]
Pole cameras present a close case under the two-step mosaic inquiry. They record footage of people in public; not in their homes, their places of worship, or other constitutionally protected places. [156] Moreover, pole cameras are not a technological innovation. They are, basically, security cameras—which the Supreme Court excluded from its holding in Carpenter. [157]
In United States v. Moore-Bush, for example, the district court applied the one-step mosaic inquiry, considering the nature of the surveillance in the specific case before it. Eight months of video data “captured every single second that passed . . . in a digitally searchable form,” and could “[impair the defendants’] freedom to retreat” into their home. [158] Thus, the court held that the “intrusive, constant surveillance” over this eight months violated a reasonable expectation of privacy. [159] The First Circuit reversed. [160] A pole camera “tak[es] images of public views and not more,” and “does not track the whole of a person’s movement over time.” [161] In the First Circuit’s view, then, pole cameras could never violate a reasonable expectation of privacy by their very nature. [162] There was no need to address the facts of the specific case; the court disposed of the issue at the first step of the two-step mosaic theory.
In contrast, the court in Commonwealth v. Mora held that two months of pole-camera surveillance was a search, applying the two-step mosaic theory. [163] Though the court analyzed only a state constitution, it noted that the surveillance “well may have been a search” under the Fourth Amendment as well. [164] First, the court reasoned that “targeted long-term pole camera surveillance” of a residence “has the capacity to invade the security of the home.” [165] Long-term surveillance “has the potential” to capture the “revealing interactions at the threshold of a person’s private and public life.” [166] After establishing that long-term pole-camera surveillance could violate a reasonable expectation of privacy, the court applied the facts—five months and two months’ surveillance of the defendants’ homes sufficed to be a search. [167]
The reasoning in Moore-Bush and Mora could hold sway for other types of video surveillance as well. Leaders of a Beautiful Struggle v. Baltimore Police Department is a case about a city police department using airplanes to surveil citizens in public. [168] The district court held that this surveillance was not a search. It reasoned that the program “cannot produce a running log” of peoples’ whereabouts; and because the surveillance would only occur for twelve hours a day, the “gaps in the data” would prevent long-term, continuous tracking. [169] Moreover, it only tracks people in public spaces—not their activities in the “home, shower . . . or daily sauna and bath.” [170] But this reasoning overlooks that aggregated location data—as in Carpenter—can still paint a picture even if it is not continuous. Regardless, Leaders shows that these factors—location, duration, and continuous collection—could be dispositive in a two-step mosaic analysis.
Internet metadata provides another close case for applying Carpenter. The internet is, at bottom, a way for various devices to communicate with each other. To do so, computers and cell phones have internet protocol (IP) addresses—unique numbers that represent every device connected to the internet. [171] Internet service providers (ISPs) assign these addresses to users that purchase internet connections from them. [172] Because ISPs facilitate internet connections, they can collect data on the websites and content that users visit. [173] Collecting this user information could reveal intimate personal details, like what their personal hobbies, sexual orientation, or political beliefs are. [174]
Courts have been hesitant to hold that accessing IP address information is a search. Many apply the third-party doctrine because users must affirmatively act to generate IP address data. [175] This rationale follows pre-Carpenter decisions holding the same. [176] Other courts distinguish IP address data because it does not track a user’s location. [177] These courts’ reasoning adheres to the two-step mosaic theory—it focuses on what aggregated IP address data could reveal rather than what it does reveal in the present case. For example, in United States v. Hood, the First Circuit considered the nature of IP address information to be dispositive. IP address data “does not itself convey any location information” and requires an “affirmative decision” by the user. [178] And in United States v. Monroe, the court reasoned that IP address data “does not, in and of itself, reveal a particular user’s identity or the content of the user’s communications.” [179]
Against this trend, the Southern District of New York has indicated receptiveness to requiring a warrant to access IP address data. In United States v. Kidd, [180] agents had subpoenaed 581 days and “nearly 1,800 pages” of IP address data from a cell phone. [181] First, the court considered the nature of IP address information, reasoning that it “may convey location information with similar degrees of specificity . . . as CSLI does.” [182] “Passive collection of IP address information” could violate a reasonable expectation of privacy, but only if it “provides geographically accurate information that follows a defendant’s day-to-day movements.” [183] Since the defendant had failed to include facts about this issue in the record, the court denied his motion to suppress. [184] But it cautioned against the “categorical approach” of the post-Carpenter cases involving IP addresses—especially with respect to the amount of data involved. [185] Similarly, in United States v. Hernandez, [186] the court accepted Kidd’s reasoning that IP address information could violate a reasonable expectation of privacy. But because the data in the case contained “significantly fewer data points” than in Carpenter, and because the facts did not indicate that the data conveyed “geographically accurate information,” the court denied the defendant’s motion to suppress. [187] In both Kidd and Hernandez, the courts reasoned that IP address data could violate a reasonable expectation of privacy. The data in the present cases just did not reach that potential.
“Smart” devices are ordinary objects that can communicate data over the internet. [188] Together, they make up the “Internet of Things” (IOT)—a network of once-ordinary devices communicating data with each other over the internet. [189] Because smart devices are quickly becoming pervasive in homes, [190] the large quantities of data they produce raises privacy concerns. So, in Naperville Smart Meter Awareness v. City of Naperville, [191] the Seventh Circuit held that the use of “smart meters” that recorded homes’ energy consumption every fifteen minutes was a search. [192] But the court in Naperville did not adopt either mosaic theory—rather, the court considered only the nature of the information that smart meters provided. Data on energy consumption, the court reasoned, can indicate “when people are home, when people are away, [and] when people sleep and eat,” among other information. [193] Because this recordkeeping “reveal[ed] details about the home” that agents could not see otherwise, it was a search. [194]
Because of Carpenter’s sweeping language, courts have faced Fourth Amendment challenges to acquisition of data in a variety of other contexts. Peer-to-peer file-sharing networks, [195] cryptocurrency transactions, [196] and social media posts, [197] among others. These cases tend to reject analogies to Carpenter based on the nature of the data involved. The court in United States v. Sigouin distinguished peer-to-peer networks because the data “communicates nothing” about the file’s content or the sender’s information. [198] In United States v. Gratkowski, the court emphasized that cryptocurrency ledgers convey “limited” information, require an affirmative act, and are publicly available. [199] And in United States v. Chavez, the court held that accessing nonpublic Facebook data was always a search because the information could “create a ‘revealing montage of the user’s life.’” [200] Though these courts did not consider the amount of information—i.e., neither mosaic theory—they accept Carpenter’s shift in focus to the nature of information conveyed. Courts should consider what the information could potentially reveal prior to considering what the information in the case actually revealed.
If anything, this review of lower-court decisions demonstrates the incoherence of the mosaic theory as a reasoning tool. The doctrine surrounding the Fourth Amendment’s search requirement should be focused on drawing lines for law enforcement. After all, any of the above-mentioned cases would not have been at issue had the police gotten a warrant. The one-step mosaic theory undermines this rationale. Courts applying the one-step approach draw lines around the amount of information obtained, rather than the nature of the information itself. These decisions threaten to ossify Fourth Amendment doctrine through precedential decisions on categories of surveillance, with reasoning based on case-specific facts. In this regard, the two-step mosaic theory has advantages over its one-step counterpart. Digital data encompasses a wide spectrum of different types of information, and the modes of digital surveillance are changing by the day. By applying the new mosaic theory, judges can resolve the disputes in front of them while leaving the door open for future technological developments—exactly what the Court did in Carpenter. Additionally, the new mosaic theory would provide an avenue to transition the mosaic theory into a truly categorical approach to data. If a lower court holds that accessing any amount would violate a reasonable expectation of privacy, then it has both adhered to Carpenter’s new mosaic theory while creating a bright-line rule for law enforcement to follow.
First, lower courts have centered the Carpenter analysis around the nature of information conveyed. If the digital data in the case does not reveal information about the “privacies of life,” then it should not be considered a search. This standard does lead to problems—namely, when should the amount of data factor in? Professor Ohm, for example, interprets Carpenter to require a one-step analysis, with the amount of information in the case being a factor. [201] This Note has argued that Carpenter separates this analysis into two steps. When considering the nature of information conveyed by data, courts should ask whether that data could violate a reasonable expectation of privacy when aggregated. Only then should they consider the amount of data in the case. In the en banc rehearing of Moore-Bush, counsel for the ACLU advocated for a line-drawing in a similar manner:
I think that if this court wishes to draw a line, or a principle, it should be tied to what people’s expectation is, based on the practical abilities of police and any member of the public. People expect and understand that their activities in public, including in the curtilage of their home, may be observed in bits and pieces. Nobody expects the whole of those movements, over a long period, to be seen and recorded. [202]
Several lower courts that have engaged with the mosaic theory have adopted similar two-step approaches. [203]
By providing a two-step process, the new mosaic theory allows lower courts to draw lines based on the type of information obtained by law enforcement. When facing a new kind of technology, courts can analogize to past technologies when assessing its nature. This process allows courts, effectively, to declare law about certain types of surveillance while still allowing case-by-case evaluation. Consider Commonwealth v. McCarthy, in which the court reasoned that an ALPR system could potentially violate a reasonable expectation of privacy. [204] Though the ALPR system did not reach that level in McCarthy, the court’s reasoning stands ready in case the system eventually does. This process will provide increased accuracy and certainty when lower courts conduct a reasonable-expectation-of-privacy analysis. [205]
Recognizing the two different mosaic theories also allows lower courts to be explicit about which test they are applying. The new mosaic theory has two steps: Carpenter applied a multifactor test, but only at the first step (when considering the nature of information). Moreover, Carpenter waited to apply case facts until after assessing the nature of data obtained. Incorporating case facts into the first step clouds the common law—reasoning by analogy is far harder when the factors are case-specific. [206]
Second, lower courts are divided over whether Carpenter mandates a categorical approach to digital data or a case-by-case analysis. The courts applying either mosaic theory have accepted a case-by-case approach. [207] Other courts identify this concern and reject a case-by-case analysis altogether. [208] This analysis differs based on the type of mosaic theory applied. Under the one-step mosaic theory, case-by-case analysis is mandatory. It is the amount of data in the present case that factors into the Katz analysis. The two-step mosaic theory differs.
Because the two-step mosaic theory asks what information aggregated data could reveal, it provides an off-ramp for courts wishing to draw bright-line rules. As the Court itself said: “It is sufficient for our purposes . . . to hold that accessing seven days of CSLI constitutes a Fourth Amendment search.” [209] The court cast no judgment on whether a smaller amount of CSLI would be a search—rather, it simply applied the facts of the case to the determination that historical CSLI could violate a reasonable expectation of privacy. [210] Nothing about Carpenter or the new mosaic theory prevents courts from holding that accessing any amount of a certain type of data would be a search.
Several courts have, accordingly, applied Carpenter’s two-step process while holding that accessing a type of data is always a search. Consider Naperville Smart Meter Awareness—because data from smart meters “reveal[ed] details about the home,” accessing any amount of that data would be a search. [211] In United States v. Chavez, as well, the court reasoned that nonpublic Facebook information could create a “revealing montage” of a user’s private details. [212] Because this information is so private, accessing any amount would violate a reasonable expectation of privacy. And in Muhammad, the court engaged in a two-step process. After finding that real-time CSLI could violate a reasonable expectation of privacy, the court then applied its finding to real-time CSLI generally. [213] But if it had incorporated the amount of data into its analysis of real-time CSLI’s nature, this reasoning would not be possible.
This reading of the new mosaic theory arguably may not reflect the “mosaic” concept at all. If even a single piece of information could reveal one’s privacies of life, then it is less like a mosaic and more like a Rothko painting. [214] But this concept reflects the importance of the shift in Carpenter. By separating out the application of case facts, the Court in Carpenter reframed the mosaic theory to better allow courts to draw normative considerations. It allowed for equilibrium-adjustment between police power and individual privacy while incorporating the concept of aggregated digital data. And it enabled lower courts to draw lines, even categorical ones, if the normative considerations bear enough weight. In short, recognizing the new mosaic theory would promote consistency and efficient equilibrium-adjustment in the lower courts. And applying a categorical approach through the two-step mosaic theory provides a means to do so.
Digital data has become ubiquitous in our daily lives. Carpenter’s two-step mosaic theory provides one way of assessing this data—and it does so better than Jones’s one-step process. An analysis of lower court decisions shows that they have largely adopted this two-step approach: considering the type of information revealed, then applying the facts of the case. Finally, Carpenter’s two-step process has several benefits over the one-step mosaic theory. It allows courts to provide reasoning about why certain information should be protected or not. It prevents ossification of Fourth Amendment doctrine in the rapidly changing field of digital surveillance. And it provides a doctrinal means to incorporate policy factors when considering digital data.