There Is No Reasonable Expectation Of Privacy In A Credit Card’s Magnetic Stripe
October 18, 2016 (Mimesis Law) – Some of us have more credit cards than others. And some of us use gift cards in daily life, rather than merely purchasing them as gifts. The spouse of a former co-worker would buy restaurant gift cards, like Subway, from the local grocery store to get fuel points on the sandwich purchases. If you’re particularly creditworthy and obsessed with fuel rewards, then you might have a lot of cards on you. On the other hand, someone who has more than 50 cards of them might be a credit card skimmer.
Credit card skimming is essentially when someone unlawfully gets your credit card information and re-programs the magnetic stripe, or magstripe, on the back of an older card to reflect that stolen information. In a legitimate card, the information on the front of card is the same information encoded on the magstripe.
Oftentimes, this is done with a skimming device attached to a legitimate payment device, such as a gas pump. Also, besides the old method of just writing down credit card information, there are handheld versions that employees can use to duplicate the magstripe when you hand them your card. Plus, there are online methods used to get the credit card number, such as phishing.
With the credit card information, old credit cards, and a magstripe re-programmer, a thief can create hundreds of fake credit cards in a short period of time. From this point, these cards can either be sold or used to purchase expensive items directly, particularly consumer electronics. The fun continues until the fraud department figures it out and shuts down the number.
As you might imagine, if an officer sees a bag full of credit or gift cards in car during a traffic stop, then it will arouse suspicion. Chances are that the driver with 50 or more cards is skimming, rather than an aggressive deal seeker. In the case of legitimate credit cards, the information on the front matches what is on the magstripe. There usually is a mismatch between the face of the card and the stripein the case of fraudulent cards. So, the easiest way to determine whether the mountain of cards are legitimate is to swipe the card and read the information on the stripe.
This sort of mismatch would be obvious to a store clerk who compared the data on the screen with the information on the card. While there are Starbucks on every corner, there isn’t one at the roadside stop. So, the officer would have to swipe the card in a reader to look for a mismatch, but without any purpose to sell a pumpkin spice latte. Predictably, the issue of whether officers need a warrant for this swipe has been litigated.
The Sixth, Eighth, and Fifth Circuits have all concluded that swiping the magstripe does not need a warrant. Specifically, they concluded that the swipe is not a search and thus is without Fourth Amendment protection. This result was based on the reasonable expectation of privacy standard.
The Katz approach is really more normative and explanatory rather than predictive. In other words, a “search” is whatever appellate judges think it is. Orin Kerr has described it as judges and justices mostly worried about physical intrusion and its virtual equivalent. Even then, for policy reasons, they deem certain intrusions too minor as to be worthy of protection. This may be driven, in part, by the harshness of the exclusionary rule. Overall, it’s messy and it’s opaque, but it generally gets the job done.
Here’s what the Sixth Circuit concluded:
Given the magnetic strip’s limited storage capacity, a reading of it—even assuming it had been re-encoded—would not allow officers to reconstruct an individual’s private life. Further, the evidence stored on the strip—which, unless re-encoded, would more or less match that provided on the front and back of the card—is not the highly personal information an individual would expect to keep private, especially after the physical card is in the lawful possession of law enforcement or a cashier. * * *
It is true, as Bah contends, that warrants are required to listen to the contents of cassette tapes and “magnetic storage media” requests are often included in warrant applications; Bah, however, fails to appreciate that the magnetic strip on a credit, debit, or gift card, given its limited storage capacity and tendency to contain only that information that would already be known to an individual in lawful possession of the physical card, is readily distinguishable from storage media where the contents are often truly unknown.
Our holding today is limited in scope—addressing only the ability of police enforcement to conduct warrantless searches of the magnetic strips on credit cards, gift cards and debit cards—and we do not address hypothetical magnetic strips of the future that may have greater storage capacity and tend to store more private information.
The Eighth and Fifth reached the same conclusions. In sum, all three courts distinguished the magstripes from cell phones based on the difference in use, capacity, and who views the information contained on each. In that light, there is a vast difference between the two. Moreover, unlike other magnetic and electronic media, where a warrant would still be required, magstripes are distinguishable because of those three facts; plus, when legitimately used, the information on the stripe and printed on the card should match.
This means there is no expectation of privacy regarding the data because it’s already visible. All the more so because the re-coding equipment is not widely purchased and typically only done for illegal reasons. One the other hand, cassette tapes, CDs, and video tapes were likely to be used to capture audio visual that is not apparent from the surface. And those recordings were made with ubiquitous equipment. Also, re-encoding a credit card makes it invalid and worthless. That is not the case with other types of electronic storage devices.
But Orin Kerr has thrice denied the expectation of reasoning employed by the reviewing courts, here, here, and here. After the first case, Kerr objected, arguing that the essence of swiping the card was the same as picking up a stereo to view the serial number, which was held to be a search. Later, he expanded on this objection.
Kerr mainly focuses on how the information communicated by both the serial number and stripeis small, arguing that this either flirts with or actually creates a de minimis doctrine. In that vein, he suggests that the courts are wrong to factor in the strip’s capacity into their analysis.
They are indeed analogous in how the information itself is limited. Both the serial numbers and magstripedata are short alphanumeric sequences. But the information capacity of the card is related more to the courts’ conclusion that the intrusion is too small to require protection, especially when compounded with how cards are used. Thus, it’s not so much the scope of the intrusion is small, rather that the scope of the information that the intrusion can reveal is small, already visible on the card, and voluntarily surrendered at each purchase. Thus, there really is no protected privacy interest into which the officer is intruding by swiping the card. Conceivably, this analysis could change if it becomes customary to use magstripes on old credit cards for legitimate personal reasons.
The manner and place of intrusion between the two cases is also significant. In Hicks, the police had entered an apartment after the occupant had apparently fired a shot through the floor and saw new stereo equipment. There is a significant difference between walking into someone’s house, grabbing property, and manipulating it, compared to swiping a magstripe of cards found bundled in a car during a traffic stop and lawfully seized. And the information on the card will almost always be of the sort used to make electronic payments.
Kerr points out that the Third Circuit has prohibited opening a wallet during the sweep of someone’s home. This demonstrates the sanctity of home and the objects therein, as compared to a traffic stop.
A lawful roadside or inventory search of the car or person would conceivably allow the officer to swipe the cards, particularly gift cards, at the roadside or later. Arguably, swiping the cards in this context would be like opening a container during an inventory search or a lawful warrantless search. Especially during a lawful inventory search, it would be prudent to record the value of gifts cards along with the cards themselves would avoid later claims of misuse of the gift cards. Similarly, to recall the stereo example from earlier, during either of those searches, an officer could flip over a stereo and gather the serial number.
While Kerr’s concern about the sweep of the language is understandable, putting magstripes outside the scope of the Fourth Amendment will have little practical impact on protecting privacy interests. For example, this exception would not obviate other doctrines such as Terry. So, it’s not like officers can start swiping all your credit cards, during roadside or sidewalk encounters. Officers will have to rely on some doctrine to make the stop and seize the property in the first instance. Those obstacles should generally be sufficient to avoid overreach.
Likewise, if the magstripe cases can be understood that the magnitude of intrusion into electronic storage is what matters, then these cases might represent the beginning of a slippery slope. But the facts of these cases should and do matter. Illegally seizing credit cards from a person or a home would probably end up differently than swiping the cards after a legal roadside search and seizure.