Fault Lines
15 August 2018

There Is No Reasonable Expectation Of Privacy In A Credit Card’s Magnetic Stripe

October 18, 2016 (Mimesis Law) – Some of us have more credit cards than others. And some of us use gift cards in daily life, rather than merely purchasing them as gifts. The spouse of a former co-worker would buy restaurant gift cards, like Subway, from the local grocery store to get fuel points on the sandwich purchases. If you’re particularly creditworthy and obsessed with fuel rewards, then you might have a lot of cards on you. On the other hand, someone who has more than 50 cards of them might be a credit card skimmer.

Credit card skimming is essentially when someone unlawfully gets your credit card information and re-programs the magnetic stripe, or magstripe, on the back of an older card to reflect that stolen information. In a legitimate card, the information on the front of card is the same information encoded on the magstripe.

Oftentimes, this is done with a skimming device attached to a legitimate payment device, such as a gas pump. Also, besides the old method of just writing down credit card information, there are handheld versions that employees can use to duplicate the magstripe when you hand them your card. Plus, there are online methods used to get the credit card number, such as phishing.

With the credit card information, old credit cards, and a magstripe re-programmer, a thief can create hundreds of fake credit cards in a short period of time. From this point, these cards can either be sold or used to purchase expensive items directly, particularly consumer electronics. The fun continues until the fraud department figures it out and shuts down the number.

As you might imagine, if an officer sees a bag full of credit or gift cards in car during a traffic stop, then it will arouse suspicion. Chances are that the driver with 50 or more cards is skimming, rather than an aggressive deal seeker. In the case of legitimate credit cards, the information on the front matches what is on the magstripe. There usually is a mismatch between the face of the card and the stripein the case of fraudulent cards. So, the easiest way to determine whether the mountain of cards are legitimate is to swipe the card and read the information on the stripe.

This sort of mismatch would be obvious to a store clerk who compared the data on the screen with the information on the card. While there are Starbucks on every corner, there isn’t one at the roadside stop. So, the officer would have to swipe the card in a reader to look for a mismatch, but without any purpose to sell a pumpkin spice latte. Predictably, the issue of whether officers need a warrant for this swipe has been litigated.

The Sixth, Eighth, and Fifth Circuits have all concluded that swiping the magstripe does not need a warrant. Specifically, they concluded that the swipe is not a search and thus is without Fourth Amendment protection. This result was based on the reasonable expectation of privacy standard.

The Katz approach is really more normative and explanatory rather than predictive. In other words, a “search” is whatever appellate judges think it is. Orin Kerr has described it as judges and justices mostly worried about physical intrusion and its virtual equivalent. Even then, for policy reasons, they deem certain intrusions too minor as to be worthy of protection. This may be driven, in part, by the harshness of the exclusionary rule. Overall, it’s messy and it’s opaque, but it generally gets the job done.

Here’s what the Sixth Circuit concluded:

Given the magnetic strip’s limited storage capacity, a reading of it—even assuming it had been re-encoded—would not allow officers to reconstruct an individual’s private life. Further, the evidence stored on the strip—which, unless re-encoded, would more or less match that provided on the front and back of the card—is not the highly personal information an individual would expect to keep private, especially after the physical card is in the lawful possession of law enforcement or a cashier. * * *

It is true, as Bah contends, that warrants are required to listen to the contents of cassette tapes and “magnetic storage media” requests are often included in warrant applications; Bah, however, fails to appreciate that the magnetic strip on a credit, debit, or gift card, given its limited storage capacity and tendency to contain only that information that would already be known to an individual in lawful possession of the physical card, is readily distinguishable from storage media where the contents are often truly unknown.

Our holding today is limited in scope—addressing only the ability of police enforcement to conduct warrantless searches of the magnetic strips on credit cards, gift cards and debit cards—and we do not address hypothetical magnetic strips of the future that may have greater storage capacity and tend to store more private information.

The Eighth and Fifth reached the same conclusions.  In sum, all three courts distinguished the magstripes from cell phones based on the difference in use, capacity, and who views the information contained on each. In that light, there is a vast difference between the two. Moreover, unlike other magnetic and electronic media, where a warrant would still be required, magstripes are distinguishable because of those three facts; plus, when legitimately used, the information on the stripe and printed on the card should match.

This means there is no expectation of privacy regarding the data because it’s already visible. All the more so because the re-coding equipment is not widely purchased and typically only done for illegal reasons. One the other hand, cassette tapes, CDs, and video tapes were likely to be used to capture audio visual that is not apparent from the surface. And those recordings were made with ubiquitous equipment. Also, re-encoding a credit card makes it invalid and worthless. That is not the case with other types of electronic storage devices.

But Orin Kerr has thrice denied the expectation of reasoning employed by the reviewing courts, here, here, and here. After the first case, Kerr objected, arguing that the essence of swiping the card was the same as picking up a stereo to view the serial number, which was held to be a search. Later, he expanded on this objection.

Kerr mainly focuses on how the information communicated by both the serial number and stripeis small, arguing that this either flirts with or actually creates a de minimis doctrine. In that vein, he suggests that the courts are wrong to factor in the strip’s capacity into their analysis.

They are indeed analogous in how the information itself is limited. Both the serial numbers and magstripedata are short alphanumeric sequences. But the information capacity of the card is related more to the courts’ conclusion that the intrusion is too small to require protection, especially when compounded with how cards are used. Thus, it’s not so much the scope of the intrusion is small, rather that the scope of the information that the intrusion can reveal is small, already visible on the card, and voluntarily surrendered at each purchase. Thus, there really is no protected privacy interest into which the officer is intruding by swiping the card. Conceivably, this analysis could change if it becomes customary to use magstripes on old credit cards for legitimate personal reasons.

The manner and place of intrusion between the two cases is also significant. In Hicks, the police had entered an apartment after the occupant had apparently fired a shot through the floor and saw new stereo equipment. There is a significant difference between walking into someone’s house, grabbing property, and manipulating it, compared to swiping a magstripe of cards found bundled in a car during a traffic stop and lawfully seized. And the information on the card will almost always be of the sort used to make electronic payments.

Kerr points out that the Third Circuit has prohibited opening a wallet during the sweep of someone’s home. This demonstrates the sanctity of home and the objects therein, as compared to a traffic stop.

A lawful roadside or inventory search of the car or person would conceivably allow the officer to swipe the cards, particularly gift cards, at the roadside or later. Arguably, swiping the cards in this context would be like opening a container during an inventory search or a lawful warrantless search. Especially during a lawful inventory search, it would be prudent to record the value of gifts cards along with the cards themselves would avoid later claims of misuse of the gift cards. Similarly, to recall the stereo example from earlier, during either of those searches, an officer could flip over a stereo and gather the serial number.

While Kerr’s concern about the sweep of the language is understandable, putting magstripes outside the scope of the Fourth Amendment will have little practical impact on protecting privacy interests. For example, this exception would not obviate other doctrines such as Terry. So, it’s not like officers can start swiping all your credit cards, during roadside or sidewalk encounters. Officers will have to rely on some doctrine to make the stop and seize the property in the first instance. Those obstacles should generally be sufficient to avoid overreach.

Likewise, if the magstripe cases can be understood that the magnitude of intrusion into electronic storage is what matters, then these cases might represent the beginning of a slippery slope. But the facts of these cases should and do matter. Illegally seizing credit cards from a person or a home would probably end up differently than swiping the cards after a legal roadside search and seizure.

11 Comments on this post.

Leave a Reply

*

*

By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution.

  • CLS
    18 October 2016 at 11:21 am - Reply

    The only question I have out of your entire post is if Orin has attempted to take you to task for it.
    Your rationale is uncomfortable for me, but definitely rooted in reason and logic that’s tough to argue.

    • Donald
      18 October 2016 at 2:36 pm - Reply

      Not really. Andrew is a prosecutor. He spins statist crap into palatable presentations for a living.

      He’s leaving out the bits where the exclusionary rule has been eviserated and the restrictions set by Terry have been shrugged off more times than a Mother-in-law’s suggestions. “Don’t worry about the coming flood, we have a fine dike (that I’ve been punching holes in for 20 years)”.

      He also (characteristically) ignores how easily an “inventory search” can be manufactured, and that his analogy of mag stripes to containers in said searches is laboured at best. For the purposes of inventory, the contents of a bag or a box is relevant. It could be a knife, it could be a mouse, it could be $100 cash, hence the need to document it. A mag stripe contains (and can contain) exactly 1 thing, roughly 150 characters of text.

      His appeals to authority are just as empty. “Hey now, of course it’s OK, look at what these promoted prosecutors thought about it!”

      • Andrew King
        18 October 2016 at 3:15 pm - Reply

        Donald,

        Three out of four of the paragraphs has nothing to do with the merits of the argument. You missed that the point of discussing warrantless searches of cars is to contrast the lesser level of protection a vehicle receives compared to a home.

        • Donald
          18 October 2016 at 6:35 pm - Reply

          Forgive me for losing the thread, I couldn’t follow all the knots you twisted it into to justify the garbage your seniors crap out. I’ll just hop in my visa card and drive it home.

          Your point is (as always) “it’s totally cool for the state to search whatever they feel like”
          Anything that requires a special device to search, should require a warrant. Full stop.
          It’s not even hard, robed prosecutors hand them out like pamphlets.

    • Andrew King
      18 October 2016 at 3:10 pm - Reply

      Orin tweeted that he disagreed and just restated he believed in his position.

      As a gentleman, I did not make him concede defeat.

  • Pedantic grammar police
    18 October 2016 at 7:03 pm - Reply

    The problem with cop credit card readers is not just a privacy problem. Sure, the info on the card is not very personal; that makes it a useful step down the “we own all your data” slope, but those readers are already being used to seize funds and that is the first step into a smorgasbord of abuse and corruption.

    • Andrew King
      20 October 2016 at 5:03 pm - Reply

      That is basically Orin’s slippery slope argument. I can understand it, but I disagree.

      The stripe is unique, and these cases come after other electronic data storage cases. So, I don’t think this will undermine them.

      Plus, if the circumstances were to change relating to the stripes, the analysis would change. I think Riley (the cell phone case) is instructive. Eventually the facts and circumstances changed so much, the old search incident to arrest rules just didn’t quite fit.

  • Patrick Maupin
    20 October 2016 at 6:40 am - Reply

    “Conceivably, this analysis could change if it becomes customary to use magstripes on old credit cards for legitimate personal reasons.”

    Yet another ratcheting mechanism. Who in their right minds will use mag stripes to store private info when the info will not deemed unprotected simply because nobody uses mag stripes to store private info?

    Sorry, but all the cool legal analyses are going to shun this one, because it’s shortsighted and has a low IQ, and its mother is ugly. It’s sweet of you to defend the poor thing from bullying, though.

  • maz
    20 October 2016 at 11:48 am - Reply

    What need does this address? The hypothetical extremely small-scale carder who only travels with a few stolen cards cloned over top of otherwise valid cards in his name, and who otherwise might escape the clutches of justice? Because I would think the typical carder would usually have probable cause up the ass, either because he or she would have (a) a stack of blank cards, typically with a number written on the back; a stack of repurposed, expired credit cards in assorted names [is this even a thing?]; a large number of expired credit cards in the carder’s name; or a large number of gift cards.

    I would think only the last scenario would ever be encountered in the non-illegal wild; it’s also the only one where I could imagine possible issues on PC. (It’s also the one offering the lowest hurdle to clear, as a gift card should contain no personally identifiable information. And then there’s that ‘inventory’ ruse…)

    Maybe it’s just me, but I can’t see how equipping police with nifty magstripe decoders and the blessing to use them could conceivably lead to a significant increase in carders apprehended or decrease in CC fraud. However, I *can* think of a dozen ways doing so could go terribly wrong.

    • Andrew King
      20 October 2016 at 5:11 pm - Reply

      Maz,

      I thought about this issue and addressed it above. I think your first statement is basically right. If you’re small time or simply in possession, I don’t think this case is going to let the patrol officer dump your wallet and swipe all your cards.

      The practical issue, I think, lurking here is the unlike drugs and most paraphilia, merely seeing a bunch of cards is not always going to be probable cause. For example, most people don’t travel with tens of thousands of dollars on them in cash. If the patrol officer sees a bag full of cash in the backseat, it’s probably related to drugs but not necessarily. Same would go with the a bag full of cards.

      So, it’s almost always going to be the bad guy that gets the cards scanned. And in some rare case, it will be some honest motorists who just loves gift cards. But the innocent motorist have very little intrusion into a privacy interest, because the data on the stripe is the same that’s visible on the card. If the magstripe was more like a thumb drive, where anything could be on it, then the analysis would be different.

      • Greg Prickett
        20 October 2016 at 8:09 pm - Reply

        So it’s OK to violate someone’s rights if they are a “bad guy?”

        I don’t know about you, but the information that’s on a card’s mag stripe is financial, and that information is private. Track 1 may contain the PIN number associated with the account. That allows much wider access to related information. The police have no need to get it, and if they need it, they can get a subpoena or a warrant.