202002.23
0

Do You Want Law Enforcement to Know Your GPS Data? Think Twice about Your Wi-Fi Connection

In the age of technology, most of us, at some point, have allowed our smartphones or other electronic devices to log onto another’s Wi-Fi network, sometimes even automatically. The Superior Court of Pennsylvania recently addressed the legal implications of doing so.

Robbery at Gunpoint

In Commonwealth v. Dunkins, two men wearing ski masks pretended to be Moravian College campus police to gain access to a dorm room of two Moravian students, one of whom was known to sell marijuana on campus. The masked men held both students at gunpoint and demanded marijuana and the key to a footlocker, from which they stole approximately $1,000 and a jar of marijuana. Before leaving the dorm, the perpetrators hit both students on the sides of their heads.

Several hours later, one of the students reported the robbery to campus police. Campus police had Moravian’s director of systems engineering analyze the college’s wireless network data to compile a list of students logged onto the network near the wireless access point in the dormitory building where the victims resided. Campus officials discovered that at the time of the robbery there were only three individuals logged onto the campus Wi-Fi at that location that did not reside in that building. Two of the three Wi-Fi users were female. The male user, who was also a Moravian student, was Alkiohn Dunkins. Dunkins had his cellphone set to automatically connect to the college’s network whenever it was within range.

After further investigation by law enforcement, Dunkins was arrested and ultimately convicted by a jury for robbery, conspiracy to commit robbery, receiving stolen property, and simple assault. The trial court imposed a sentence of five to 10 years’ imprisonment.

Dunkins appealed, arguing that the campus police conducted an illegal search by accessing Moravian’s wireless internet connection records without first obtaining a warrant. He claimed the officers invaded his right to privacy by tracking his physical movements through cell site location information (CSLI).

Dunkins likened his case to the U.S. Supreme Court decision in Carpenter v. United States, in which the high court found that law enforcement invaded an armed robbery suspect’s privacy by compelling wireless carriers to provide a record of the suspect’s historical CSLI for a four-month period.

On Appeal

In rejecting Dunkins’ argument, the Superior Court of Pennsylvania distinguished the situation at hand from that addressed by the U.S. Supreme Court. Finding that Moravian’s private Wi-Fi network functioned similarly to a security camera, the Superior Court wrote:

Whereas CSLI tracks an individual’s movements at all times of the day regardless of where he travels, the Wi-Fi data in this case is only collected when an individual logs onto the campus wireless network and is present on the Moravian campus.

Additionally, the Superior Court noted that Dunkins chose to have his device automatically log onto the campus Wi-Fi. He specifically consented to Moravian’s internet use policy, which clearly stated that individuals who choose to utilize the campus computer system and wireless network provide authorization for the college to collect and disclose all internet data composed, transmitted, or received through the campus computer system and its network connections. The court wrote:

Appellant was not required to log in or to maintain a constant connection to the campus Wi-Fi network, but could have chosen to have his device access the internet through a wireless carrier or simply signed off the Moravian wireless network temporarily to avoid transmitting location data.

Finally, the Superior Court reasoned that the U.S. Supreme Court did not invalidate “tower dump” requests by law enforcement, which identify all of the devices that were connected to one particular cell site during a particular interval.

Conclusion

Dunkins’ sentence will stand.

Do you want law enforcement to know your GPS data, i.e., where you’ve been? If not, the lesson here is to think twice before you connect.