The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Crime

Is credit card skimming a Fourth Amendment search?

|

In United States v. Bah, decided July 24th, the U.S. Court of Appeals for the Sixth Circuit handed down the first circuit ruling on whether skimming a credit card - swiping the card through a magnetic reader to find out the number and name stored inside - is a Fourth Amendment search. The court ruled that the answer is "no." I think that's wrong, and that the answer should be "yes."

First, some context. Every credit card, debit card, or gift card has a magnetic stripe on the back of the card. When you use a card at a store, you often swipe the card through a card reader. The card reader picks up the data stored in the magnetic stripe.

The magnetic stripe - often called a "magstripe" - ordinarily stores most of the same information that is printed on the front of the card. With a credit card, for example, the magstripe ordinarily stores the account number, bank identification number, the card expiration date, the three digit "CSC" code, and the cardholder's first and last name. Technically, the magstripe can store more information: It can be used to store up to 79 letters and 147 numbers. But usually it just contains the information on the card front with a few more numbers.

Unlike the front of the card, however, the information stored inside the magstripe can be reprogrammed. And that's important in a lot of credit card fraud cases. If a hacker steals credit card information and sells the stolen card data to someone else, the buyer of the stolen data won't have the physical card. However, the buyer can take an old credit card and reencode the old card with the information from the stolen credit card number. The buyer can then use the old credit card as if it were the stolen card. It works well as long as the store clerk doesn't check the front of the card to see if the information there matches the data read from the magstripe.

In Bah, the police came across a stash of credit cards in a rental car that they had stopped and impounded. The police suspected that the cards might be fraudulent, so they swiped the cards through a card reader to see if they were encoded with stolen credit card data. The card reader showed that the cards contained information from stolen accounts and did not match the information on the card fronts.

The Sixth Circuit held per Judge Rogers (joined by Judge McKeague and District Judge Sargus) that skimming the credit cards was not a Fourth Amendment search. First, it was not a physical intrusion or trespass into the card under United States v. Jones because it did not physically penetrate into the card. Second, it was not a search under the "reasonable expectation of privacy" framework of Katz v. United States:

Because the information on the magnetic strips, with the possible exception of a "few other additional, unique identifiers," mirrors that information provided on the front and back of a physical credit, debit or gift card, and the magnetic strips are routinely read by private parties at gas stations, restaurants, and grocery stores to accelerate financial transactions, such an expectation of privacy is not one that society is prepared to consider reasonable. . . .

Every court to have addressed this question has reached the same conclusion. Some courts have stressed that there can be no reasonable expectation of privacy in an account number-and consequently, magnetic strip-that is routinely shared with cashiers every time the card is used. For instance, in United States v. Medina, No. 09-20717-CR, 2009 WL 3669636 (S.D. Fla. Oct. 24, 2009) (rev'd on other grounds), the court emphasized that "the credit card holder voluntarily turns over his credit card number every time he uses the card," and then found that there is "no expectation of privacy in that number." Id. at *11. The court in United States v. Briere de L'Isle, No. 4:14-CR-3089, 2014 U.S. Dist. LEXIS 151078 (D. Neb. Oct. 24, 2014), likewise suggested that "[s]ociety is not prepared to accept as legitimate an asserted privacy interest in information that any member of the public may see." Id. at *7

Other courts have emphasized the fact that the scan of the magnetic strip reveals little-to potentially nothing-that cannot be viewed on the front and back of the physical card; consequently, these courts have reasoned that once law enforcement personnel have lawful, physical possession of the card, the scan does not constitute a separate "search." . . .

Finally, other courts focus on the fact that a scan of the magnetic strip will usually only disclose the presence or absence of activity that is not legal. The reasonable-expectation-of-privacy test in concept "presupposes an innocent person," Florida v. Bostick, 501 U.S. 429, 438 (1991), and "government conduct that only reveals the possession of contraband compromises no legitimate privacy interests." Briere de L'Isle, 2014 U.S. Dist. LEXIS 151078, at *9 (citing Caballes, 543 U.S. at 408−09).

The Alabi court thus reasoned: "Similar to a drug sniff alerting the handler only to the presence of narcotics- information about illegal activity-scanning credit and debit cards to read the information contained on the magnetic strips, when law enforcement already has physical possession of the cards, will disclose "only the presence or absence of" illegal information: either the information disclosed is the same information on the outside of the credit and debit cards, or is information about a different account, used to commit credit card fraud. . . . Such a limited investigatory technique to quickly and obviously provide information whether the payment form is being used criminally . . . does not violate the Defendant's right to be secure in their person, house, papers, or effects." 943 F. Supp. 2d at 1271, 1273.

I disagree. In my view, skimming a credit card is a search. It is a classic kind of Fourth Amendment search, retrieving information stored inside a storage device. True, the information stored in the magstripe often matches the information on the outside the card. But I don't see how that is relevant. The point of accessing the stored information is to identify when it does not match the outside. Agents don't know what information is inside. They're searching the card to find out.

The fact that the data stored inside the card is pretty limited - usually just a few numbers and a name, up to 79 letters and 147 numbers - is likewise irrelevant. Consider a very similar case, Arizona v. Hicks, 480 U.S. 321, 325 (1987), in which agents came across a very expensive turntable in a shabby apartment. Agents lifted the turntable to read the serial number in an effort to determine if the turntable was stolen. According to the Court, moving the turntable to see the serial number was a Fourth Amendment search:

[T]aking action, unrelated to the objectives of the authorized intrusion, which exposed to view concealed portions of the apartment or its contents, did produce a new invasion of respondent's privacy . . . . It matters not that the search uncovered nothing of any great personal value to respondent - serial numbers rather than (what might conceivably have been hidden behind or under the equipment) letters or photographs. A search is a search, even if it happens to disclose nothing but the bottom of a turntable.

That same principle applies here, I think.

It also doesn't make a difference that the information in the magstripe may sometimes be exposed to others. Sure, if you go to a store and use a credit card, you lose Fourth Amendment rights in the number you have disclosed to the store. But when a card is not in use, the fact that the information might have in the past been disclosed - or might in the future be disclosed - does not eliminate Fourth Amendment protection. If I'm working on a blog post from my laptop at home, the fact that I plan to publish the post eventually doesn't give the police a right to hack in to my laptop and read the post before I do. They can read it when I post it but not before.

Finally, the Sixth Circuit's reliance on the dog sniffing case, Illinois v. Caballes, doesn't work either. Caballes reasoned that a dog sniff from a public place does not violate the Fourth Amendment because it could only reveal the mere presence of contraband (a fact not deserving of Fourth Amendment protection) or the absence of contraband (not a very revealing fact). Here, in contrast, skimming reveals non-contraband data that could be anything. The magstripe is just a small electronic storage device that can be programmed, within its technical parameters, to contain any information the encoder wants it to contain.

Consider the entry in the card for a name. The name entry in the card can contain up to 26 letters. That entry might be the name associated with a stolen credit card. But it also might be a text entry, such as THEGUNISINTHETRUNK, IKILLEDJFKFROMGRASSYKNOLL, or MYEMAILPASSWORDISWAPOROCKS. And that's just the name entry. The card as a whole contains three data strips which can hold 79 letters and 147 numbers. It may only be a Tweet or two of information, but it's still information that could say anything. The police can't know until they skim the card, and that means Caballes can't apply.