Appeals Court: No Expectation Of Privacy In Credit Card Magnetic Strips

Privacy

from the TIMELY dept

Just as we’re learning of law enforcement’s bold new plan to take travelers’ prepaid debit cards down to a $0 balance without ever leaving the highway, the Eighth Circuit Court of Appeals comes along [PDF] to remind us that swiping (not as in “taking”) a credit card to determine its legitimacy is not a search under the Fourth Amendment. (via Ars Technica)

The court notes a couple of obvious things about the search that isn’t. First, it can’t be a physical search because swiping the card does nothing more than (if it’s legit) return the same information that’s printed on the front of the card.

[S]canning the magnetic strips on the cards was not a physical intrusion into a protected area prohibited by the Fourth Amendment. See Florida v. Jardines, 133 S. Ct. 1409, 1417 (2013). The magnetic strip on the back of a debit or credit card is a type of “external electronic storage device, [that] is designed simply to record the same information that is embossed on the front of the card.” Accordingly, the information embossed on the front of the card and recorded in the magnetic strip will only be different if the card has been tampered with. Credit card readers reveal whether the information in the magnetic strip on the back of the card matches the information on the front. The process of using a credit card reader “is analogous to using an ultraviolet light to detect whether a treasury bill is authentic, . . . [which is not a] . . . ‘search.'” Thus, because “sliding a card through a scanner to read virtual data does not involve physically invading a person’s” space or property, there was no Fourth Amendment violation under the original trespass theory of the Fourth Amendment.

Unfortunately for the defendant, none of the dozens of credit cards and gift cards he was caught with returned information confirming him as the owner. All of the cards (which ranged from gas cards to Subway gift cards to Amex credit cards) contained information linking them to other cardholders. There was a seizure, as the Secret Service took control of the cards after the defendant was arrested and scanned them to determine their legitimacy. There may have been an avenue to challenge the seizure without a warrant, but the defendant never raised the issue.

The court also finds the Third Party Doctrine applies here.

Although DE L’Isle claims he had an actual, subjective privacy interest in the cards, he is unable to make that case. As to the ten American Express credit cards, he could not have had an expectation of privacy simply because his name was embossed on the front of the cards. He also could not have had a subjective expectation of privacy in any of the other cards because the purpose of a credit, debit, or gift card is to enable the holder of the card to make purchases, and to accomplish this, the holder must transfer information from the card to the seller, which negates an expressed privacy interest. […] When the holder uses the card he “knowingly disclose[s] the information on the magnetic strip of his credit card to a third party and cannot claim a reasonable expectation of privacy in it.”

The dissenting opinion is an interesting read, as it starts out by suggesting justice would best be served by the throwing of last-minute wrenches into the gears before stalking off into the weeds for a bit.

This appeal presents a narrow legal issue: Does scanning the magnetic stripe on the back of a credit or debit card to access the data stored on it implicate the protections of the Fourth Amendment? In my view, answering this question requires further factual development, and I would remand the case to the district court to hold an evidentiary hearing.⁵

⁵I recognize the difficult position in which the district court found itself, faced with a motion to suppress almost on the eve of trial. The district court would have been within its rights to deny the motion as untimely. In a commendable effort to grant the defendant a full opportunity to present his defense, the district court instead excused the delinquency of the motion and decided it on the merits. Although I recognize that the district court’s decision not to hold an evidentiary hearing is reviewed deferentially, United States v. Hill, 750 F.3d 982, 986 (8th Cir. 2014), I believe an evidentiary hearing is necessary to resolve this case.

Judge Kelly suggests there may be an expectation of privacy in magnetic strips, but only if this information is easily modified by cardholders at their discretion.

In my view, the answer to this question depends on whether there are significant technological barriers to an individual rewriting information on the magnetic stripe of their cards, and I would remand the case to the district court to develop evidence on this point. If the information on the magnetic stripe can be modified without much difficulty, the cardholder may indeed have a reasonable expectation of privacy in the contents of the stripe, based on the straightforward principle that law enforcement conducts a Fourth Amendment “search” when it reads the contents of rewritable digital storage media.

It’s safe to say no card issuer is going to let end users alter the coding on their cards. It either matches the info on front or it’s not a legitimate credit card. This argument’s attempt to equate credit cards with storage media is more than a bit of a stretch. (For gift cards, though, this is a little murkier. There’s no name to match against the info uncovered by swiping it through a reader. The only thing that can be discovered is whether the card type matches the encoded data.)

The dissent is on sturdier ground when it argues that swiping cards to match them up with the info printed on the front is still a search. Judge Kelly points out that the majority decision allows the results of the search to determine the legitimacy of the search, which is the wrong way around.

The problem with this approach is that it is only possible to determine whether the information on the magnetic stripe is blank or matches the information embossed on the front of the card by scanning the magnetic stripe to determine its contents. And the results of a search cannot be used to justify its legality.

Even if it were to go Judge Kelly’s way, the Third Party Doctrine would undo it, as payments with credit cards are very much a voluntary act in which purchasers know information about them is being relayed to retailers, card processing companies, and the card’s issuer.

However, Kelly does make a good point when suggesting the court shouldn’t be in such a hurry to declare this a foregone conclusion.

Although the stakes may appear small at this stage, technological progress has a way of ensuring that they do not remain so. The Supreme Court has instructed that “the rule we adopt must take account of more sophisticated systems that are already in use or in development.” What advances are likely to be made in this area is a topic that deserves further factual development by the district court, especially because the available evidence suggests that the amount of information storable on a credit card will not long be numbered in the dozens of characters.

Already many newly-issued credit cards in the United States contain chips that have a storage capacity much greater than that of the old magnetic stripes. As cards are able to store more information, the privacy interests they implicate increase.

This is especially important considering the recent development in law enforcement forfeiture tech. Cards will be seized, read and drained — all without warrants because there’s apparently no privacy interest in the cardholder information printed on the front, or any of the information obtained by running the card through a reader. If a court comes to the opposite conclusion — that card swipes are searches — it will make it that much harder for law enforcement agencies with ERAD tech and a fistful of bad incentives to participate in highway robbery.

Filed Under: 4th amendment, credit cards, eight circuit, magnetic strips, privacy