In Commonwealth v. Dunkins, No. 1003 EDA 2019 (Super. Ct. Feb. 12, 2020), the Pennsylvania Superior Court held that law enforcement did not need a search warrant to obtain from Moravian College cellphone tracking information that helped both college and Bensalem police identify the appellant as one of two masked men who entered the dormitory room of two other Moravian students, assaulted them and robbed one at gunpoint. The Superior Court distinguished the instant matter from Carpenter v. United States, 138 S.Ct. 2206 (2018), where the U.S. Supreme Court had held that law enforcement violated the Fourth Amendment when it obtained Timothy Carpenter's cellphone tracking information from his wireless carriers by using a court order under the Stored Communication Act supported only by "reasonable grounds," not the higher standard of probable cause demanded by the Fourth Amendment. Supporting the Bensalem Police Department's actions in Dunkins, the Superior Court reasoned that the police could adhere simply to the lower, "reasonable grounds" standard because, as the information was specific to the college campus and so "owned," in a sense, by the college, and because the appellant had consented to the college using the tracking information as it deemed proper, the appellant had no reasonable expectation of privacy in the tracking information.

In this month's article, I examine the Superior Court's reasoning in Dunkins and compare it to the U.S. Supreme Court's reasoning in Carpenter. As with so many Fourth Amendment decisions, I review the underlying facts that the courts believed did or did not give rise to any expectation of privacy, what such expectation would be and how it would follow from interpreting those facts in light of the Fourth Amendment and precedential case law. Here we will conclude that the aforementioned underlying facts do not support the Superior Court's conclusion or support it only by regarding those facts based upon very different assumptions made by the Supreme Court when it assessed those facts in deciding Carpenter.

Background

At  2 a.m. on Feb. 17, 2017, on the Moravian College campus in Bethlehem, Pennsylvania, two men wearing ski masks pretended to be campus police to gain access to the dorm room shared by Greg Farina and William Reilley (the victims), the latter a student known to sell marijuana on campus. When Farina opened the dorm door, one of the masked men punched him, causing him to fall. The masked men held the students at gunpoint and demanded marijuana and the key to Reilley's footlocker. The masked men accessed the footlocker and took approximately $1,000 in cash as well as a jar of marijuana. Before leaving the dorm, the perpetrators hit the victims on the sides of their heads.

Seven hours later, Reilley reported the robbery to campus officials. Campus police officer Thomas Appleman requested that Moravian's director of systems engineering, Christopher Laird, analyze its wireless network data to compile a list of the students logged onto the network near the wireless access point in the dormitory where the victims resided. Laird explained at trial that Moravian utilizes approximately 1,100 wireless network access points placed throughout the campus in order to offer its students and faculty nearly seamless internet connection. Campus officials discovered that at the time of the robbery there were only three individuals logged onto the campus WiFi at that location who did not reside therein, and two of them were female. The male user was the defendant, also a Moravian student.

Appleman provided this data to Det. James Ruvolo of the Bethlehem Police Department, who took over the investigation. Reilley told Ruvolo that the defendant previously took marijuana from him without payment in return.

When the defendant was interviewed, he denied being in the Hassler dormitory since October 2016. In addition, however, to securing the WiFi information placing the defendant at that dormitory, police interviewed Colin Zarzecki, who lived next door to the defendant in a different dormitory. Zarzecki told police that the defendant came to his room after midnight on Feb. 3, 2017 (i.e., an hour or so after the robbery), "fanned out" a display of cash, and boasted that he and another individual posed as campus police officers to gain access to the victim's room and subsequently stole drugs and the aforementioned cash from the victim's footlocker.

When moving to suppress the WiFi information, the defendant argued that the search to obtain the information was illegal because police did not first obtain a warrant. At one of the suppression hearings, Laird explained that, in order to utilize Moravian campus WiFi, each student must either log onto the network with their individual username and password or, at their initial log-on, choose to have his device automatically log onto the campus WiFi without entering credentials again. The parties also noted that the defendant had signed the Moravian Student Handbook when enrolling at the college, indicating that he accepted and understood Moravian's policies, including the technology rule that Moravian users, such as the defendant, "cannot and should not have any expectation of privacy with regard to any data … or other computer files created or stored on computers within or connected to the institution's network," which would include the WiFi information at issue, as such data "is considered part of the institution's records and, as such, subject at any time to disclosure to institutional officials, law enforcement, or third parties." Signing the student handbook "implies acceptance of this …policy" and the user again accepts it each time he or she logs onto the network.

The trial court denied the defendant's motion and the jury convicted him of robbery, conspiracy, receiving stolen property and assault. The court sentenced the defendant to five to 10 years imprisonment. The defendant appealed and the Superior Court affirmed.

The Superior Court's Reasoning

The defendant argued that Moravian campus police "conducted an illegal search" when it accessed "Moravian's wireless internet connection records without first obtaining a warrant." Such accessing, the defendant contended, "invaded his right to privacy in his physical movements through cell site location information (CSLI)." In rejecting that argument, the court noted that the defendant claimed the matter was controlled by Carpenter, where the United States "found law enforcement officials" had "improperly acquired Carpenter's CSLI without a warrant" by compelling his "wireless carriers to provide a record" of his "historical CSLI for a four-month period, allowing the officers  to track Carpenter's movements during the time when the robberies had occurred." The Carpenter court "recognized that modern cell phones generate[d] time-stamped records known as CSLI when the phone continuously scanned for the best signal from the closest cell site and connected to that cell site," that such information was "collected by wireless carriers for business purposes to improve their network and to bill customers" who incurred 'roaming' charges through another carrier's network," and that "an electronic device will log CSLI simply through the user's operation of the phone on the carrier network without any affirmative act on the part of the user beyond powering up." Emphasizing that "'cellphones and the services they provide are such a pervasive and insistent part of daily life that carrying one is indispensable to participation in modern society,'" the Carpenter court concluded that the officers violated Carpenter's Fourth Amendment rights because they "invaded" his "reasonable expectation of privacy in his physical movements by collecting the historical CSLI without a warrant as the search provided 'a comprehensive chronicle' of his physical movements over a four-month period." In other words, because the CSLI could provide a detailed record of Carpenter's movements, in public, over a prolonged period of time, his right of privacy was violated. The Carpenter court noted and discussed in detail that because the CSLI collection was performed under the Stored Communications Act, 18 U.S.C. Section 2703, which required only a showing of "reasonable grounds," and not the more demanding showing of "probable cause," to obtain the collection order, while the search in Dunkins required a search warrant supported by probable cause, law enforcement in Dunkins acted counter to the Fourth Amendment.

The Dunkins court found two key differences between the search in its case and that in Carpenter. One was that, as discussed above, Moravian had a policy that any and all internet data "composed, transmitted or received through the internet's computer system is considered part of the institution's records and, as such, subject at any time to disclosure to institutional officials, law enforcement, or third parties," and that logging into the campus network, as the defendant in Dunkins did, "implies acceptance of this … policy." The second was that there was an important difference between law enforcement's request from a private party for a "compilation of an individual's historical CSLI," which did require probable cause, and a "general request for 'tower dump' information or similar data from a particular cell or wireless access point for a particular time." Because the defendant waived his right of privacy to his phone's CSLI when he logged into Moravian's network, and because law enforcement made only a general request for tower dump information, the defendant's Fourth Amendment rights were not violated by the collection of the data by law enforcement.

Analysis

Close scrutiny of Carpenter and Dunkins reveals that the distinctions the Superior Court in Dunkins drew between the facts therein and those in Carpenter and the legal meaning of those fact patterns are not valid. First, the Dunkins court set forth that, because law enforcement in Carpenter collected data which created a "comprehensive chronicle" of the Carpenter defendant's "physical movements over a four-month period" (which the Dunkins court characterized as a "prolonged period of time"), while law enforcement in Dunkins simply collected the data of a "tower dump" from a "particular cell or wireless access point for a particular time," the relatively complex data in Carpenter was protected by the Fourth Amendment while the relatively simple, straightforward data in Dunkins was not. The distinction, here, is incorrect on the digital level.

The Dunkins court found two key differences between the search in its case and that in Carpenter. One was that, as discussed above, Moravian had a policy that any and all Internet data "composed, transmitted, or received through the Internet's computer system is considered part of the institution's records and, as such, subject at any time to disclosure to institutional officials, law enforcement, or third parties," and that logging into the campus network, as the defendant in Dunkins did, "implies acceptance of this … policy." The second was that there was an important difference between law enforcement's request from a private party for a "compilation of an individual's historical CSLI," which the Carpenter court characterized as a "comprehensive chronicle" of the defendant's "physical movements over a four-month period" (which the Dunkins court characterized as a "prolonged period of time") and the request for the data obtained in Dunkins, which the court saw as "akin to a 'tower dump' request" for which law enforcement did not need a search warrant supported by probable cause to obtain such data sought. (A "tower dump" is defined as "a download of information on all the devices that connected to a particular cell site during a particular interval.") For the reasons set forth below, however, neither "difference" is a valid one.

First, when a student sends or receives data through Moravian's internet, it is very hard to see that such actions should be viewed as an acceptance by the student of Moravian's policy that such data "is considered part of the institution's records and, as such, subject at any time to disclosure to institutional officials, law enforcement or third parties." Although there is certainly no discussion in the opinion of the following, it should be obvious to all that a student today at Moravian, or any other college, would simply not be able to function as a student without access to the internet. Research that was once performed exclusively at the library is now performed online, and internet access has led to the creation of numerous ways of studying that were not available prior to the digital age. As well, because Moravian's campus is the size of a typical college, and since students use many different internet suppliers (meaning that each must supply its own access points on campus to allow for its student and faculty clients to gain access to the internet), Moravian's decision to provide "approximately 1,100 wireless network access points placed throughout the campus in order to offer its students and faculty nearly seamless internet connection" means that, in order to gain internet access (and so function as a student) the Moravian student has no practical choice other than to use those access points and thus allow Moravian to search the student's data as it wishes. It is very hard, then, to see a student's usage of Moravian's internet connectivity as a free acceptance of the college's policy regarding the student's waiver of privacy in data accessed by the student when he uses the internet or produced when the student uses the internet connection.

Second, it is hard to see how the technology of Moravian's provision of internet access illustrates any important difference between law enforcement's request from a private party for a "compilation of an individual's historical CSLI" and a "general request for 'tower dump' information or similar data from a particular cell or wireless access point for a particular time," the latter of which may be provided absent probable cause under the Fourth Amendment. The Dunkins court reasoned that because the "campus police did not target a specific individual or attempt to track an individual's movements but instead merely sought to compile a list of all the devices signed on to the WiFi in the Hassler dorm at the time of the robbery" and identified the defendant through "process of elimination," the police's actions was far more akin to a general request for tower dump information. The court's reasoning, however, is flawed.

The court criticized the defendant for not appreciating "the difference between the CSLI obtained in Carpenter and the WiFi data obtained in" the instant matter. The former, the court reasoned, "tracked an individual's movements at all times of the day regardless of where he traveled," whereas in the instant matter, WiFi data was collected only when "an individual logged onto the campus wireless network and was present on the Moravian campus." Because, then, the data in Carpenter tracked the movements of an individual regardless of where he or she went, while the data obtained from the Moravian WiFi network was "confined to the college campus," the latter was akin to "a security camera that may exist at the college" to protect the security of students, faculty and others allowed on campus. Thus, the Dunkins Court reasoned, the data obtained in the instant matter was properly obtained despite the police not having obtained a warrant to secure that data.

The reasoning of the Dunkins court is doubly flawed. First, it is simply hard to see the gathering and searching of the data in Dunkins as particularly akin to a "tower dump." In Dunkins, Moravian College had approximately 1,100 "wireless network access points placed throughout the campus." The data from all of those access points was assembled in a database which could be searched for those devices that accessed the network at any given point or points at any given date and time; as well, it could be searched for the movements of a particular device across time. Searching this database for the former might be akin to a "tower dump," but searching it for the latter is akin to CSLI tracking. If the data gathering and searching in Dunkins, then, is both akin to and different from what Carpenter found to require a search warrant supported by probable cause, it is hard to see Carpenter either supporting or refuting the defendant's position in Dunkins. That the data gathering can be seen as similar to "a security camera that may exist at the college" is an interesting observation, but advances neither position.

Second, per Dunkins, the key to the distinction between the searches in it and Carpenter is that, per Dunkins, the former is a search of property owned by the user and so protected by the Fourth Amendment, while the latter is a search of property to which the user/owner has given full access to Moravian College, thus giving the user no protection under the Fourth Amendment should Moravian choose (as it did in Dunkins) to provide the user's data to law enforcement. Because, however, as has been discussed, the realities of being a college student today make it very hard to regard a student's usage of Moravian's Internet connectivity as a free acceptance of the College's policy regarding the student's waiver of privacy in data accessed by the student using the Internet, the use of the Internet in both cases must be viewed as being protected by the Fourth Amendment. There being, then, no true difference between the realities of Internet usage in the two cases, the Superior Court's assessment that the matter in Dunkins was not controlled by Carpenter must be rejected.

Conclusion

Those who see digital advances as speedily helping to perfect a world will discuss what benefits those advances bring, regardless of any negative consequences of bringing them, while those suspicious of anything resembling "power" and who see every change as another chapter of Orwell's 1984 will discuss how "Big Brother" is taking over our lives. Of course, those who see perfection dismiss all problems attendant to the changes at issue, while those who fear Totalitarianism overstate both the freedoms of society before the world became digital and the losses of those freedoms brought by digital advancements.

In Carpenter, the Supreme Court found that the defendant's reasonable expectation of privacy was violated because the government had collected, without a warrant supported by probable cause, CSLI that tracked his movements in public. How the tracking of public movements violates a right of "privacy" is not explained well in Carpenter or in any opinion that holds similarly. Instead, underlying the opinions and referenced from time to time them is the fear of "Big Brother" which, once referenced, appears from the tones of the opinions not to require any explanation, much less justification. Similarly, the Superior Court in Dunkins could distinguish the facts therein from those in Carpenter by noting that because Moravian College was a private institute and its WiFi network was "confined to the college campus," the network, like "a security camera that may exist at the college" to protect the security of those allowed on campus, was a private network and so fell outside of the Fourth Amendment demands discussed in Carpenter. Thus, both courts justified their holdings by pointing to the similes they used to understand the facts underlying the cases: if CSLI was collected by a private company, obtaining that CSLI without a search warrant supported by probable cause violated the Fourth Amendment because the CSLI  was private, even if the movements it tracked in public were not; if, however, the movements at issue were on a private college campus, then a valid search warrant need not be obtained for that private college to provide the CSLI to the police. It appears, then, that the philosophy of the court, and not the facts underlying the matter and the relevant laws and caselaw, dictates the outcome.

The contradictory interpretations discussed here are by no means the first example of conflicting interpretations of the Constitution, laws or anything else for that matter. Usually, such conflicts are resolved when one side is, de facto, "outvoted" by the other, meaning that, after enough courts and other voices weigh in in favor of one approach and the time period for the matter at hand to be "the next big thing" ends, the popular approach prevails. How the instant matter will be resolved can be guessed at or assumed, then, but reason alone will not lead to the answer; rather, what appears to the majority to be "public" or "private" will control, and if that appearance changes, so then will the answer.

Leonard Deutchman is a legal consultant retired from one of the nation's largest e-discovery providers, KLDiscovery, where he was vice president, legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.