Governments around the world are finding ways to collect intimate data about their entire population. In many countries, they do it the straightforward way: they simply pass broad surveillance laws and compel companies to hand the data over.
What is supposed to make America different is the Fourth Amendment.
It was designed to stop exactly this kind of overreach. It says the government does not get to intrude into someone’s life just because it wants to see what it can find. It has to get a warrant. It has to show probable cause. It has to justify itself first.
And yet in the United States, the government can get your medical records without a warrant, access your photos without a warrant, see your contacts list, what you’ve watched, read, liked, where you’ve been, whom you’ve met, and what you did… all without a warrant.
How is this possible? How did we end up in a world where law enforcement can get access to the intimate details of our lives, with seemingly no guardrails, even though the Constitution was supposed to prevent exactly that?
The answer lies in a set of outdated legal tests and doctrines built decades ago… before the Internet, before smartphones, before our messages, movements, relationships, and private lives migrated online and were turned into data.
The most destructive of these is something called the third-party doctrine. And it’s powered by a broader legal framework called the “reasonable expectation of privacy” test: a framework that was supposed to protect us, but has instead given the government an ever-expanding ability to access our lives without a warrant.
Together, these outdated legal tools have helped erase the protections that were supposed to shield us from arbitrary government intrusion, and opened the door to a potentially dystopian future of unchecked surveillance and control.
In this article, we’ll unpack how these tests and doctrines work, how they interact to strip away your Fourth Amendment rights, and why they need to go.
To understand the third-party doctrine, we first need to do a quick recap of the Fourth Amendment. We went into detail about the Fourth Amendment and warrant requirements in a previous article.
But here’s a quick TL;DR:
The Fourth Amendment protects people’s persons, houses, papers, and effects against unreasonable searches and seizures. It’s supposed to impose strict warrant requirements—to force law enforcement to slow down, justify themselves, and face a judge before they’re allowed to search your stuff.
This makes sense: we don’t want those in power to have unlimited access to our lives, because that kind of access invites abuse. The whole point of requiring another branch of government to sign off on the intrusion first is to protect people and allow them to feel secure in their lives.
But if that is how the Fourth Amendment is supposed to work, then how did we end up in a world where the government can buy data from brokers, query company databases, and use private firms to search our lives without a warrant?
To answer that, we need to understand two things: a legal test called the “reasonable expectation of privacy” test, and a legal doctrine called the third-party doctrine. The test is the framework courts use to decide whether the Fourth Amendment protects you at all. The doctrine is a rule that operates inside that framework, and it’s the one that has done the most damage. Let’s take them one at a time.
In 1967, in Katz v. United States, government agents placed a microphone on the outside of a public telephone booth to record a suspect’s conversations. Struggling with this use of technology to gather information about people’s communications, Justice Harlan arrived at the “reasonable expectation of privacy” test.
This test basically says it’s a “search,” and protected under the Fourth Amendment, if the police action would invade your reasonable expectation of privacy. In this case, Katz had a reasonable expectation of privacy in the phone booth. It didn’t matter that it was a public space.
It’s a two-pronged test that says you get Fourth Amendment protections if:
1) You personally feel you should have privacy in this thing.
2) Society says this expectation is reasonable.
This became the gatekeeper for all Fourth Amendment cases going forward. If you have a reasonable expectation of privacy, the Fourth Amendment protects you, and the government needs a warrant. If you don’t, the government can do what it wants. No warrant needed. No judge. No probable cause.
That might sound reasonable on its face. But this test has deep problems that have allowed it to be used against the very people it was supposed to protect.
Jim Harper, a constitutional law scholar who specializes in the Fourth Amendment in the digital age, points out a fundamental flaw in this test: individuals themselves don’t necessarily have a fully formed privacy expectation, nor does society at large.
People don’t walk around with a running internal monologue about privacy. You don’t pick up your phone and think, “I am now comfortable with Verizon knowing my location.” You don’t open your banking app and think, “I accept that this transaction will be recorded and stored.” You don’t think about it at all. You just live your life.
And that’s the problem with the test. It asks courts to determine what “society’s reasonable expectation of privacy” is. But society doesn’t have one. Not because people have decided they’re fine with surveillance, but because the question itself never crosses their mind. People aren’t making a judgment call about privacy hundreds of times a day. They’re making dinner, picking up their kids, checking their email.
So when a court tries to answer “Does society consider this information private?” they’re trying to measure an opinion that was never formed. The court is forced to invent an answer to a question nobody is asking. And courts are filling that silence with whatever answer suits the case in front of them.
But there’s another huge issue with this test: our privacy expectations aren’t fixed; they constantly shift downwards. Every time a new form of surveillance is introduced and people get used to it, that becomes the new normal. And once it’s normal, people stop thinking of it as an intrusion. And once they stop thinking of it as an intrusion, a court can point to that and say, “See? Society doesn’t consider this private.”
So the test doesn’t just measure the current state of privacy expectations. Instead it absorbs every erosion of privacy into itself. Each new surveillance practice that goes unchallenged becomes part of the baseline against which the next one is measured.
That process only goes one direction because surveillance technology doesn’t get rolled back. And society becomes desensitized to it. So as the baseline of what society “reasonably expects” keeps drifting towards less privacy, our constitutional protections drift with it. Under this test, the Fourth Amendment can only shrink.
Justice Gorsuch said something similar in a dissenting opinion in a case called Carpenter v. United States (which we’ll talk more about later). He argued that the Katz “reasonable expectation of privacy” test has been a mess from the start because it’s circular: it allows the government to erode protections simply by making surveillance so pervasive that no one can reasonably “expect” privacy anymore.
So that’s the framework—a broken test that asks courts to guess at expectations people never formed, and that can only ever drift in one direction: toward less protection.
Now let’s look at what was built on top of it.
The third-party doctrine is a rule that operates inside the Katz framework. It provides a specific answer to the “reasonable expectation of privacy” question: if you shared information with a third party, then the courts say that by definition you don’t have a reasonable expectation of privacy in it. The doctrine plugs into the Katz test and says, “No, you gave it away.”
In other words, if you give your information to a company, you no longer have a reasonable expectation of privacy for that information. Fourth Amendment protections don’t apply.
It’s a catastrophic legal loophole that lets officials get at your data without the safeguards most people think they still have.
It grew out of many Supreme Court cases from decades ago (that had basically no relation to how modern technology works), and continues to be the standard used to judge privacy rights of that tech today.
One of the earliest cases that started to establish this precedent can be traced to Hoffa v. United States in 1966.
Jimmy Hoffa (president of the International Brotherhood of Teamsters and one of the most powerful union bosses in America) was on trial in Nashville in 1962 for violating the Taft–Hartley Act. During the trial, he was regularly visited in his hotel room by a fellow Teamsters official named Edward Partin.
What Hoffa didn’t know was that Partin had begun serving as a confidential informant for law enforcement. Over the course of the trial, Hoffa made numerous statements to Partin indicating that he was attempting to bribe members of the jury. Partin reported everything back to the feds.
Hoffa’s defense argued that because Partin never disclosed that he was a government informant, Hoffa’s consent to let him into his hotel suite was essentially void, and that this was a warrantless intrusion into a constitutionally protected space.
The Supreme Court disagreed. They said that the Fourth Amendment does not protect a wrongdoer’s misplaced belief that a person to whom he voluntarily confides his wrongdoing will not reveal it.
In other words: Hoffa chose to talk, so no warrant needed.
In the context of that specific case, the logic isn’t crazy. Hoffa literally confessed to jury tampering in front of someone. That’s closer to gossiping to a bystander.
The problem is that this premise was then applied to later cases, where banks, phone companies, and other institutional relationships were treated as the same thing as gossiping to a bystander.
Then comes one of the main cases people cite with reference to the third-party doctrine, from 1976, called United States v. Miller, and it dealt with financial information. Miller was accused of running a distillery without paying taxes on it, and the government needed his financial records to prove that he wasn’t paying his taxes. He was already under suspicion, and they could have easily gotten a warrant, but instead they went straight to the bank and asked for things like bank statements and copies of checks directly, bypassing the warrant requirement.
Miller challenged the use of those as evidence, saying that those were his papers, and that the government couldn’t get them without a warrant. But the Court disagreed. It said Miller had no legitimate expectation of privacy in those bank records, because they were the bank’s business records and the information had been voluntarily conveyed to the bank.
The next major case that people cite as having established this doctrine is Smith v. Maryland in 1979. Police suspected that Smith was making threatening phone calls to someone, and asked the phone company to install a pen register to record the numbers dialed from his home phone. Again, because Smith was already under suspicion, law enforcement could have easily gotten a warrant for the pen register, but they chose not to. Smith challenged the evidence because of this. But, again, the Court disagreed. It said that the numbers he dialed were voluntarily conveyed to the phone company, so he had no legitimate expectation of privacy in that information.
You can see how the Katz framework and the third-party doctrine work together here. The Katz test asks: “Does this person have a reasonable expectation of privacy?” The third-party doctrine answers: “No, because he shared the information with someone else.” And just like that, the Fourth Amendment steps aside. No warrant required.
Now, the reason the law calls your bank a “third party” is that in any legal dispute or investigation, the two parties are you and the government. Everyone else (your bank, your doctor, your phone company) is technically a “third party” because they’re not one of the two parties to the legal matter.
But that framing obscures what’s actually happening. The relationships of modern life are not casual gossiping to a bystander. They’re often direct, necessary, contractual relationships that we enter into to participate in society. They include things like your bank, your doctor, your phone company, your email provider. Lumping this essential infrastructure into the broad category of “third parties” flattens the distinction between confiding a secret to a stranger and using a bank account to participate in the economy and receive your paycheck.
You didn’t “choose” to share your financial records with your bank the way you might choose to tell a friend something. You were required to in order to have a bank account, get paid, pay rent, exist in society. You didn’t voluntarily gossip about your medical history to your doctor. You disclosed it because that’s how medicine works. You didn’t “share” your location data with your phone company as some optional act. Your phone has to ping cell towers to function. The information is generated as a byproduct of using the thing.
Reformers and civil liberties advocates have been making this same argument for decades.
And the huge issue with this third-party framing is that everything in modern life is routed through a third party.
Your email provider stores your messages. Your bank has your transactions. Your phone company has your location. Your cloud account holds your files. Your apps know where you go, what you search, what you buy, who you talk to, and what patterns your life follows.
The entire Internet runs on third parties.
With so much of our lives now stored by third parties, the third-party doctrine has deeply undermined our privacy, and law enforcement has shown little interest in getting warrants when they can simply avoid them.
Instead of needing probable cause to intrude into someone’s life, and having a judge sign off first, governments just go directly to companies and demand this data. And increasingly, they don’t even need to do that; they can just buy the data outright. That’s a huge hole in our rights.
Since these precedents in the Supreme Court were established, the courts have been struggling to make them work in the modern world. Essentially trying to judge every new piece of technology separately, slowly, to see how each fits. It seems that courts are increasingly uncomfortable with the implications of the third-party doctrine. But as Rob Frommer, co-director of the Fourth Amendment Project at the Institute for Justice, put it: the problem is the court doesn’t know how to get out of it, and so it’s creating one-off exceptions rather than really grappling with the rule itself.
For example, in Carpenter v. United States in 2018, the courts created a carve-out for certain cellphone records, arguing that you have a reasonable expectation of privacy for your location information, and so getting this information from cell providers requires a warrant.
In the majority opinion, the Court wrote:
…[T]here is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers.
…[S]eismic shifts in digital technology that made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years.
So you start to see some pushback by courts against this categorical third-party adoption approach. But the problem is that courts are litigating every type of tech piecemeal.
We can’t wait for the Supreme Court to judge every new piece of technology slowly, one by one. We need to throw out the third-party doctrine and reasonable expectation of privacy tests and take a fundamentally new approach to Fourth Amendment protections in the digital age.
Here are two different approaches.
The Fourth Amendment doesn’t say “the right of the people to be secure in their reasonable expectations of privacy.” It says “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”
The courts need to stop asking, “Did this person expect privacy?” and start asking, “Did the government conduct a search?”
These are two very different questions. The first is squishy, requires courts to make huge guesses about things that society isn’t even thinking about, and allows giant carve-outs for intrusion into our lives.
The second allows for robust protection of what the framers of the Constitution actually intended: that for the government to get access to your life, they need judicial oversight.
Governments are conducting mass warrantless searches on the population by searching the databases of companies or simply buying that data. Shouldn’t Fourth Amendment warrant requirements for a “search” include any purposeful investigative act of someone, regardless of how the government got that data? Whether by querying a database, buying data from a broker, subpoenaing a platform, or scraping the Web through a contractor, shouldn’t that trigger the same constitutional scrutiny as any other search?
The word search isn’t special, and it had the same meaning back when the Constitution was written as it does now. A search of someone or his/her things is any purposeful investigative act of that person or those things. If it’s a search, it’s in the Fourth Amendment bucket. And once it’s firmly in that bucket, then we can have courts try to figure out what kind of search it is, how invasive it is, and whether it would undermine the people’s security if we let officers do this whenever they wanted.
So when the government goes to your bank and demands all your financial records, or collects months of your location data from a cell provider, or buys your browsing history from a data broker—is that a search? It certainly looks like one. The government is actively seeking out and obtaining detailed personal information about you. The fact that some intermediary held the data along the way doesn’t change what the government is doing.
This framing is more faithful to the text of the amendment and harder for the government to game.
Is the government obtaining detailed information about a specific person’s life? If yes, that’s a search, and you need a warrant.
The Fourth Amendment was written to constrain what the government does, not to punish people for participating in modern life.
The challenge is that reframing things this way would require courts to rework decades of Fourth Amendment precedent, substantially. And courts are generally reluctant to do that, even when the existing framework is producing absurd results. That’s why it would be helpful for the legislature to step in here, and this is exactly what the “Surveillance Accountability Act” would do—codify that if the government is performing a search, under the accepted mainstream definition of search that has existed for hundreds of years, it needs a warrant. And if the government doesn’t get a warrant, individuals should be able to hold them accountable.
The second solution would be to reframe this whole issue in terms of property rights and bailment.
Bailment is the most important property rights concept that you’ve never heard of, and it solves this dispute in the digital age of who actually owns your data.
Third-party doctrine says that if you give your data to a company, it’s not yours, but rather the company’s. Whereas bailment says that someone can hold information for you, and they have to protect it and treat it well, but it’s ultimately still yours.
This was how Justice Gorsuch suggested the Carpenter v. United States case should have been argued.
As the majority opinion characterized his position: “[Justice Gorsuch] would have us abandon Katz and return to an exclusively property-based approach.”
Bailment is obviously how we view data in the digital age.
When you give your photos to Google Cloud, they’re your photos. You just consider Google to be holding them for you.
When you store your files in Microsoft’s OneDrive, they’re YOUR files that Microsoft is looking after.
When you take your dog to the kennel, the dog is still yours. The kennel’s taking care of it but will ultimately give your dog back. That’s a bailment.
When you hand your keys to the valet, and the valet parks your car, it’s still your car. The valet has possession, but it’s still yours. That’s bailment.
Jim Harper has even worked on legislation in New Hampshire to push this exact idea into law.
We already understand property rights in terms of tangible things, and we’re on the cusp of recognizing information the same way: that personal information is a form of property in common law, and that people can own information about themselves and simply bail it with service providers.
This would recognize, legally and culturally, that our information is still ours even when a company is holding it for us. And it would stop the government arguing that we abandoned our privacy rights with this information, allowing the government to seize it without any warrant.
This should already be the case due to contract law, but the government considers these agreements irrelevant when deciding whether we have an expectation of privacy. This is ridiculous.
If I have a contract with a company and that contract says, “I’ll give you access to my data, and you will protect my privacy and not share this information with anyone,” and the company signs this contract, and I sign this contract, I SHOULD have a reasonable expectation of privacy for that data.
However, the government says that I have no reasonable expectation of privacy despite having a contract saying I can expect privacy, simply because it’s a contract with a third party. It’s shocking that the third-party doctrine has been allowed to persist as long as it has in the face of contracts.
We literally have privacy policies spelling out what expectations of privacy we can expect with each service provider, and yet we’re told that these are irrelevant in Fourth Amendment litigation. It ignores any kind of private ordering that we have in our society. This absolutely needs to change.
We should not be afraid to participate in the modern world by interacting with companies because the government has told us we have to give up all privacy rights to do so.
The Fourth Amendment was written to limit the government’s power to intrude on people’s lives. It says you have the right to be secure in your person, your house, your papers, and your effects. That protection was never meant to be conditional on living as a hermit.
But that’s essentially what the third-party doctrine demands. The only way to preserve your Fourth Amendment rights under this doctrine, it seems, is to opt out of modern life entirely, because the moment you use a bank, car, phone, or the Internet, you are treated as having volunteered your information to the government.
That framing fundamentally misunderstands what the Fourth Amendment was about. The founders weren’t concerned with whether you shared information with your bank or your doctor. They were concerned with whether the government could come and take it. Those are two entirely different relationships. Choosing to entrust your records to a company is not the same as consenting to government access. You entered into an agreement with your bank, not with the state. The Fourth Amendment was supposed to mean that the government needs a warrant to come get your things, and it shouldn’t matter where you keep them.
The lie at the heart of these legal frameworks tells us that participating in modern life means surrendering the protections we were supposed to have against government searches. If we keep building the digital world on that lie, the end point is obvious: a surveillance state where everything about us is searchable by those with the most power.
That’s not freedom. The third-party doctrine has to go. At the end of the day, what we need is a massive public debate about this that we just haven’t had yet. I’m hopeful that the “Surveillance Accountability Act” being introduced to the House will help ignite this conversation.
Naomi Brockwell is the President and Founder of the Ludlow Institute, a research and media institute dedicated to advancing freedom through technology. Their media arm, NBTV, creates educational content to help people reclaim their privacy and autonomy online. They have over 1 million subscribers across platforms and over 100 million views on their videos.
From 2013 to 2015, Naomi worked as a policy associate at the New York Bitcoin Center. From 2015 to 2021, she worked as a producer for 19-times Emmy-Award-Winning Journalist John Stossel. From 2021 to 2022, she hosted the CoinDesk series “Break It Down,” and the CoinDesk daily show The Hash.
Naomi was a producer for the 2015 feature documentary Bitcoin: The End of Money as We Know It (Best International Documentary, Anthem Film Festival; Winner of Special Jury Prize, Amsterdam Film Festival), and producer of the 2018 award-winning documentary The Housing Bubble.
Naomi is the co-founder of “The Soho Forum,” a NY debate series. She is on the Advisory Council at the Mannkal Economic Education Foundation, and is author of Beginner’s Introduction to Privacy and the children’s book Billy’s Bitcoin.