This post was authored by Eric Pesale, a soon-to-be attorney who recently graduated from the New York Law School. Eric will contribute regularly to the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at firstname.lastname@example.org or on Twitter at @ericpesale.
Niantic Labs — the creator of the popular augmented reality (“AR”) apps Pokemon Go and Ingress — is pushing the limits on privacy through its user geolocation data collection practices. Niantic is not the only app developer that collects this information, as the privacy policies of other augmented reality apps like Blippar and WallaMe make clear. What is unique about Niantic, however, is how it sets up public user gathering places such as Portals and PokeGyms at both high-traffic public landmarks and private property. You may have heard stories of players wandering into demilitarized zones and minefields.
This aspect of Niantic’s AR apps has unfortunately opened the door for criminal and tortious user activity and, in turn, raised interesting questions about the evidentiary consequences those games’ invasive practices create.
Specifically, AR apps put an interesting eDiscovery issue into the spotlight: can an AR app user’s geolocational data be lawfully collected, and — if so — to what extent? Recent decisions from the Supreme Court and federal appellate courts suggest that the answer to the first question is “yes,” but it is unclear how much collected data is too much.
A brief history of geolocational data case law
Although cases involving augmented reality apps and their developers’ geolocational data collection policies are only now coming to trial, we can anticipate how these issues might be resolved by revisiting past cases addressing the admissibility of geolocational user data. Most of these cases are brought up in the context of the Fourth Amendment, which forbids unreasonable search and seizures and requires any search or seizure to be authorized by a warrant. The Fourth Amendment’s warrant requirement, however, can be sidestepped under a number of exceptions, and courts often consider whether the data requested falls under an individual’s reasonable expectation of privacy (See e.g. Katz v. United States).
The Supreme Court first had the opportunity to rule on the admissibility of long-term geolocational data monitoring in United States v. Jones in 2012, but declined to do so in a way that helps predict augmented reality app cases. In Jones, police attached a GPS device onto the defendant’s car without his knowledge and monitored his driving activity. Police then used the tracking information from this device to arrest him on drug-related charges. In his majority opinion, Justice Antonin Scalia determined that the police’s geolocational tracking was inadmissible because the placement of the GPS device on the car amounted to trespass against property.
While this holding is not applicable to AR since developers often disclose their data collection practices, Jones did introduce Justice Samuel Alito’s “mosaic theory” of the Fourth Amendment, which argues that warrantless, long-term monitoring of a person’s every movement likely constitutes a breach of privacy under the Fourth Amendment, even when shorter-term, warrantless monitoring may be permissible. While this theory has been supported by some justices and could be revisited in future cases, it is not officially binding law.
The Supreme Court’s majority opinion in 2014’s Riley v. California and the Fifth Circuit’s decision in In re U.S. for Historical Cell Site Data may better hint at the evidentiary implications augmented reality games will pose.
In Riley, which dealt with companion cases involving the police’s seizure and usage of the defendants’ smartphone and flip phone data to incriminate the defendants on various drug charges, Chief Justice John Roberts recognized the evolution of smartphones, categorizing them as mini-computers containing troves of sensitive data subject to Fourth Amendment privacy protections.
In re U.S. for Historical Cell Site Data, on the other hand, held that geolocational data received by a third-party cell phone provider from a smartphone user’s call history can be requested and obtained without a warrant under the Stored Communications Act.
While Riley, which is now the law of the land, has more binding authority than In re U.S. for Historical Cell Site Data, both should be mentioned in any discussion of whether courts will draw boundaries regarding the admissibility of locally-stored and developer-stored app data. It is also worth considering whether ever-eroding user privacy expectations and the increasing integration of apps with users’ smartphones would render Riley’s assumption about the private nature of smartphones dated and, effectively, moot.
The future of geolocational data privacy regulation
Although augmented reality apps are only now starting to become commonplace, the U.S. government is nonetheless starting to address geolocational data collection practices. Much of the case law outlined above—particularly United States v. Jones—has also spurred Congress to consider legislation that would better define the parameters around what geolocational data the government and other entities can collect. In addition, the Federal Trade Commission recently published a report outlining recommended data collection practices for facial recognition data collection and other technologies related to augmented reality. But until legislation matures, courts will continue to rely on older federal laws, such as the Stored Communications Act, that were drafted well before the rise of smartphones and similar devices.
So while the immediate discovery implications of augmented reality apps have yet to be determined, they nonetheless raise important issues to be mulled if you’re, say, out catching Pokemon, testing tattoos, or turning your home into a haunted house. In the meantime, be careful what you disclose while you’re out hunting Mewtwo.