The Privacy Black Hole: Third-Party Doctrine
When the Founding Fathers framed the United States, they put strict limits on government power. They had just fought a revolution against what they saw as British tyranny under King George III. From this history and Enlightenment thinkers like John Locke and Montesquieu, and from their own hard experience, they understood that power without checks almost always leads to corruption and oppression.
James Madison captured this idea perfectly in Federalist No. 51:
“In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself.”
The Founders believed the main job of government was to protect the natural rights and freedoms that belong to every individual. That is why the U.S. Constitution, and especially the Bill of Rights, places clear and strong limits on what the government can do. These limits are meant to stop the government from trampling on personal liberties.
One of the most important protections is found in the Fourth Amendment, often called the right to privacy. The Fourth Amendment was profoundly shaped by colonial experiences with general warrants and writs of assistance. These were blanket search powers that allowed British officials to rummage through homes and businesses without probable cause or specific limits. Here is exactly what it says:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
In everyday life today, the Fourth Amendment protects you from government intrusions, especially by law enforcement, that would be considered unreasonable. It does not ban every search or seizure, only the unreasonable ones. In most cases, it requires police to get a warrant first. That warrant must be based on probable cause and must specifically describe exactly what or who is being searched or seized.
What Is Not Protected: When You Have No Reasonable Expectation of Privacy
Before addressing the third-party doctrine, we need a foundational rule: Fourth Amendment protection applies only when you have a reasonable expectation of privacy.
Put simply, the government generally does not need a warrant for what you knowingly expose to the public. Walking down the street, standing in your front yard, or driving on a public road are all observable by police without a warrant. The same applies to anything you say loudly enough for others to hear or items left in plain view.
The Supreme Court made this clear in Katz v. United States (1967). The Court famously stated that the Fourth Amendment protects "people, not places," yet it also drew a firm line: what you knowingly reveal to the public is not private. Later cases reinforced this. Police can observe you in public, record license plates on public roads, or conduct aerial surveillance of open fields without a warrant.
In short, anything you do where strangers can easily see it usually falls outside Fourth Amendment protection. This public-exposure rule sets the stage for the next major limit on privacy rights: the third-party doctrine.
The Third-Party Doctrine: When Privacy Protections Seem to Disappear
For many years, courts interpreted the Fourth Amendment to mean that if you voluntarily share information with someone else, you lose any reasonable expectation of privacy in that information. This idea became known as the third-party doctrine.
The doctrine took shape in the 1970s after Congress passed the Bank Secrecy Act. That law required banks and other financial institutions to keep detailed records of customer transactions. The goal was to help the government investigate crimes such as money laundering and tax evasion.
This new requirement soon led to a major Supreme Court case. In United States v. Miller (1976), the government subpoenaed a suspect’s bank records without a search warrant. The suspect argued that this violated his Fourth Amendment rights. The Supreme Court disagreed. It ruled that the suspect had no reasonable expectation of privacy in those records because he had voluntarily shared his financial information with the bank. The bank had to keep the records under the Bank Secrecy Act, but that did not make them protected personal papers.
A few years later, the Court applied the same reasoning in Smith v. Maryland (1979). In that case, police investigating a robbery asked the phone company to install a pen register. This device records all the numbers dialed from a specific phone line. They did this without a warrant. The Supreme Court ruled that the suspect had no legitimate expectation of privacy in the phone numbers he dialed. After all, he voluntarily gave that information to the telephone company every time he made a call.
Together, these rulings established the third-party doctrine. If you willingly share information with a third party such as a bank, a phone company, or later an internet provider, you generally lose Fourth Amendment protection for that information. The government could often obtain these records with just a subpoena or a court order. That required far less justification than a full search warrant based on probable cause.
This created a major gap in privacy rights. In today’s digital world, we constantly hand over huge amounts of personal data to third parties just to use email, shop online, use our phones, or store files in the cloud. According to the third-party doctrine, much of that information had little or no constitutional protection.
Doesn’t Sharing Information with a Business Keep It Private?
This raises an obvious and important question that many people ask:
“Just because I share my information with a business like my bank, phone company, or email provider, shouldn’t that information still be private between me and the company? After all, I am trusting them to handle my data responsibly as part of our normal relationship. Why should handing it over to a business automatically strip away my Fourth Amendment protections?”
For decades, the Supreme Court answered that question with a clear “no” under the third-party doctrine. The Court reasoned that when you voluntarily give information to someone else, even a business you deal with every day, you assume the risk that they might turn it over to the government. You no longer have a reasonable expectation of privacy in that information as far as the Constitution is concerned.
The logic went like this: Banks keep records because the law (the Bank Secrecy Act) requires it, and customers know employees will see their checks and deposits. Phone companies must record the numbers you dial to connect your calls. By using these services, you are knowingly exposing that information to the company. Therefore, the police can usually get it from the business with far less legal process than a search warrant.
Importantly, the Court treated these as the business’s own records, not yours. In United States v. Miller, for example, the justices emphasized that the subpoenaed bank documents were business records of the banks themselves. The government was simply asking the bank for its own documents, not searching your private papers. Your personal privacy expectations, the Court said, largely ended once the information left your hands and became part of the company’s files.
Businesses do have their own Fourth Amendment rights. They can challenge unreasonable government demands for their records. But when it comes to customer information they collect in the ordinary course of business, courts have generally allowed the government to access it from the company without giving the customer strong constitutional protection. The business’s privacy rights do not automatically shield the customer’s data from government access under the old third-party doctrine.
This view made some sense in a pre-digital world of paper checks and landline phones. But it created real tension with everyday life. We have to share sensitive details with businesses just to function: our financial habits, who we call, where we go, what we search online. Most people reasonably expect these companies to keep that information confidential except when legally required otherwise.
What Information Can Authorities Often Access Without a Full Warrant?
Even after the Supreme Court began limiting the third-party doctrine in cases like Carpenter v. United States (2018), significant gaps remain. In many situations today, law enforcement can still obtain certain types of information with far less legal process than a traditional search warrant based on probable cause. Here are some practical examples that affect everyday life:
Data from brokers and ad networks (including location data):
Many smartphone apps collect precise location information and other personal details to show targeted ads. They often share or sell this data - sometimes tied to your phone’s advertising ID - to data brokers. Law enforcement and federal agencies can simply purchase access to these massive datasets with taxpayer money, often without needing a warrant or subpoena. This practice, sometimes called the “data broker loophole,” allows authorities to track movements, habits, and even sensitive visits without going to a judge.
Phone location information (historical cell-site location information or CSLI):
The Carpenter ruling requires a warrant for long-term historical location data from cell phone companies because it reveals so much about a person’s private life. However, shorter periods of data, real-time location in emergencies, or data bought through brokers may still allow access with less process.
Automated license plate readers (ALPRs):
These systems photograph license plates on public roads and create records of where and when vehicles appear. Courts across the country have generally ruled that police can access this data without a warrant. The reasoning is that driving on public streets means you have no reasonable expectation of privacy in your vehicle’s movements in public view. Many police departments use networks of these cameras for investigations.
Loyalty program or retail purchase history:
When you use a supermarket loyalty card, credit card, or online shopping account, stores and payment processors keep detailed records of what you buy. Law enforcement can often obtain these records through a subpoena (which requires far less justification than a warrant) or sometimes with even less formal process, because the information is considered business records shared with the company.
Search engine queries and browsing history:
In many states, including a recent Pennsylvania Supreme Court ruling in Commonwealth v. Kurtz, 348 A.3d 133 (2025), police can access unprotected Google search records tied to an IP address without a full probable-cause warrant. The court treated the queries as information voluntarily shared with the search engine. “Reverse keyword” searches (where police ask Google for everyone who searched a specific term near a crime scene) are also used, though their legality is still being challenged in other courts.
Other common examples:
- Pen registers and trap-and-trace devices: These record phone numbers dialed or received (but not the content of calls). They usually require only a court order based on relevance to an investigation, not probable cause.
- Public surveillance footage or doorbell camera video: Companies like Ring have policies allowing them to share footage with police in certain situations without a warrant or even user consent.
- Basic subscriber information from internet or phone providers: This includes your name, address, and account details, which can often be obtained with a subpoena.
These examples show that while Carpenter and later cases strengthened privacy protections for highly revealing data like long-term location tracking, much of the digital trail we leave every day still falls under older third-party rules, public-exposure principles, or commercial purchase loopholes. The exact requirements can vary by state and by the specific type of data, and courts continue to debate where the lines should be drawn.
Recent Developments: FBI Confirmation of Purchasing Commercially Available Data
This issue gained renewed attention during the March 18, 2026 Senate Intelligence Committee Worldwide Threats hearing. When questioned by Sen. Ron Wyden about the FBI's purchase of commercial data that includes location information, FBI Director Kash Patel stated:
“We do purchase commercially available information that’s consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”
This public confirmation indicates the FBI is acquiring datasets from commercial sources - often the same granular location histories and movement patterns that the Supreme Court’s Carpenter v. United States (2018) decision requires a warrant to obtain directly from cell phone providers.
Privacy advocates argue that buying this data from brokers creates a loophole, effectively bypassing traditional Fourth Amendment protections for highly sensitive information that can reveal intimate details of a person’s life. Others maintain that because the data is already commercially available to the public, law enforcement should be able to purchase it like any other investigative tool, provided the acquisition complies with existing statutes like the Electronic Communications Privacy Act (1986).
The practice remains an active point of debate in Congress, with bipartisan proposals such as elements of the Government Surveillance Reform Act seeking to impose stricter requirements (including warrants) on government purchases of certain sensitive data from brokers.
Regardless of the differing legal interpretations, this exchange highlights a core tension in the third-party doctrine: once individuals share data with private companies (often with limited real choice or awareness), it can flow to government agencies with fewer procedural safeguards than direct compelled collection.
The Tide Begins to Turn: Courts Push Back on Digital Surveillance
It is easy to feel that Fourth Amendment protections have been rendered almost meaningless in the digital age. Yet the courts, especially the Supreme Court and a growing number of federal district courts, are beginning to push back. They are recognizing that digital data is qualitatively different from the paper records of the 1970s.
Carpenter v. United States (2018): A Narrow but Significant Limit on the Doctrine
The Supreme Court’s 5-4 decision in Carpenter v. United States (2018) delivered the most important judicial pushback yet against the third-party doctrine in the digital era. Writing for the majority, Chief Justice John Roberts held that police must generally obtain a warrant supported by probable cause before acquiring extended historical cell-site location information (CSLI) from wireless carriers.
The Court explicitly declined to extend the logic of United States v. Miller and Smith v. Maryland to this context. Roberts explained that CSLI is “qualitatively different” from the limited records at issue in those older cases: it provides a detailed, encyclopedic, and effortlessly compiled chronicle of a person’s past movements, effectively allowing the government to “travel back in time” and reconstruct someone’s whereabouts with near perfect surveillance.
“A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales,” the opinion noted. These location records “hold for many Americans the ‘privacies of life.’” Because carrying a cell phone is indispensable to participation in modern society, the location data it generates is not truly “voluntarily shared” in the sense contemplated by the old third-party cases.
Importantly, the Court described its ruling as narrow. It did not overrule Miller or Smith, nor did it call into question conventional surveillance tools or other categories of business records. Lower courts have since split on how far Carpenter’s logic extends, for example to shorter-term CSLI, geofence warrants (which query location data for everyone near a crime scene), or other highly revealing digital records. The Supreme Court is scheduled to hear arguments in the key geofence case Chatrie v. United States on April 27, 2026, which could provide further clarity.
Warrantless Searches of Travelers' Phones at U.S. Airports and Borders: Growing Judicial Skepticism
A second front of judicial pushback concerns the warrantless search of electronic devices at ports of entry, including international airports. For decades the "border search exception" has permitted Customs and Border Protection (CBP) agents to inspect travelers' belongings without a warrant or even individualized suspicion. In recent years, however, federal district courts have begun to hold that this exception does not automatically extend to the contents of smartphones and laptops.
In cases such as United States v. Smith, 706 F.Supp.3d 404 (S.D.N.Y. 2023) and follow-on rulings in the Eastern District of New York (including United States v. Sultanov, 2024), judges have ruled that warrantless searches, whether manual or forensic, of travelers' cell phones at the border violate the Fourth Amendment absent exigent circumstances.
These courts drew directly on Carpenter and Riley v. California (2014), emphasizing that a modern phone is not analogous to a suitcase or a wallet. It contains an "intimate window" into a person's life: private messages, photographs, medical records, browsing history, location data, and financial information. Copying or searching that data is, in the words of one court, "nonroutine" and demands the traditional safeguard of a probable-cause warrant.
Appellate courts remain split. Some circuits require reasonable suspicion for forensic (deep) searches but allow cursory manual reviews; others have not yet imposed meaningful limits. Litigation is active, with groups like the Electronic Frontier Foundation and ACLU urging appellate courts to adopt a warrant requirement.
The Supreme Court has not yet resolved the conflict, but the trajectory is clear: more judges are unwilling to treat a smartphone as just another piece of luggage simply because its owner happens to be crossing an international border.
While the Supreme Court has begun drawing important lines, recognizing that some digital records reveal the “privacies of life” in ways the third-party doctrine never anticipated, progress remains incremental and incomplete. Lower courts continue to split on the doctrine’s reach, and recent admissions from FBI Director Kash Patel confirm that federal agencies are still purchasing vast amounts of commercial data to bypass traditional warrant requirements. In the face of slow judicial and legislative reform, meaningful protection often starts with the choices we make as individuals. By deliberately reducing the data we voluntarily entrust to third parties, we can shrink the privacy black hole the government currently exploits.
What You Can Do
You do not have to accept the slow erosion of Fourth Amendment protections in the digital age. While courts have begun to push back, meaningful change also depends on the daily choices we make as individuals.The most effective way to shrink your personal privacy black hole is to reduce the amount of sensitive data you voluntarily hand over to third parties in the first place. By choosing privacy-preserving tools and services that either never collect your data or protect it with strong end-to-end encryption that even the provider cannot access, you can limit what is available to data brokers, advertisers, and government agencies alike.
Protect your online activity
- Use a privacy-first browser such as Brave. It blocks ad trackers and third-party cookies by default and greatly reduces the digital trail you leave behind.
- Switch to a privacy-focused search engine such as Brave Search. Because it does not store your search history, there is nothing for anyone to hand over.
Secure your communications
- Use encrypted messaging with apps like Signal. End-to-end encryption means even the company cannot read your messages, making casual surveillance far more difficult.
- Switch to encrypted email services such as Proton or Tuta. These tools keep your messages private so that even the provider cannot access the content and turn it over in response to legal requests.
Limit what you share with third parties
- Pay with cash whenever possible and skip loyalty cards at stores. Every card or app-linked purchase creates a detailed record of your habits. Cash leaves no digital trail.
- Review and limit location sharing in your phone and app settings.
Protect sensitive conversations
- Prompts you type into most AI services are recorded and can be accessed by law enforcement. Consider a privacy-first option such as Proton Lumo.
Take civic action
- Support legislation that requires warrants for sensitive data and closes the data broker loophole. Key bills include the Government Surveillance Reform Act (introduced March 2026 by Senators Wyden and Lee and Representatives Davidson and Lofgren) and the Fourth Amendment Is Not For Sale Act.
- Contact your representatives and urge them to strengthen Fourth Amendment protections in the digital age, especially as part of any FISA Section 702 reauthorization. The law has not kept pace with technology, but informed citizens can help close this privacy black hole.
Remember: we may not have anything to hide, but everything to protect.
