The Fourth Amendment’s Third-Party Exposure Doctrine in the New Age of Data

By: Kyle Kennedy

The Fourth Amendment protects US citizens from unreasonable searches and seizures by creating an administrative barrier between citizens and investigating authorities. In addition to the Fourth Amendment, the lack of government resources also serves to protect individual privacy because investigative authorities can neither afford nor validate surveillance of citizens past a certain cost-benefit tradeoff. Together, the intended effect of these protections is to sufficiently guard against invasions of citizen’s privacy by government authorities in pursuit of evidence. However, the interaction of modern-day technology and the increased availability of data as a result of the Third-Party Exposure Doctrine leaves US citizen’s personal information exposed to the government in unprecedented ways.

The Supreme Court has held that the Fourth Amendment provides protections to citizens based on a reasonable expectation of privacy. However, the Third-Party Exposure Doctrine states that information willingly revealed to third parties is not subject to Fourth Amendment protections. As an example, in U.S. v. Miller, the Supreme Court held that there is no reasonable expectation of privacy for information shared in bank records. However, in the landmark case of Carpenter v. United States, the Supreme Court limited the Third-Party Exposure Doctrine by holding that collecting seven days worth of cell phone location information was a violation of the Fourth Amendment. However, it is worth noting that the holding in Carpenter was cabined to its facts, therefore leaving significant questions about the application of the Third-Party Exposure Doctrine to consumer data and electronic records unanswered.  

In addition to the privacy protections afforded by the Fourth Amendment, the Stored Communications Act (SCA) protects against searches of electronically stored information. Under the SCA, the government can access content information of emails that have been unopened and in storage for over 180 days or of email that have been opened and undeleted with a mere administrative subpoena or 2703(d) court order. The SCA provides even less protection to non-content data like account information or metadata. The weak protections this statute provides for electronically stored information demonstrates that the statute does not fit the modern state of technology and data privacy and is clearly outdated.

Given the exponential increase in internet use and data creation in recent years, consumer data has never been as plentifully available as it is today. According to Forbes, Americans send 188 million emails, 18.1 million texts, and 4.5 million Google searches every minute. Further, Americans download 390,030 third-party apps every minute, all of which seek consent from the user to collect their data. Under the landmark Carpenter case, the Fourth Amendment protects against the unwarranted collection of seven days of cell phone records. This precedent could ostensibly be extended to consumer data shared on third-party apps. However, the Supreme Court has so far declined to determine whether a shorter period of data collection would be permissible or whether data consensually shared with third-party apps triggers a lower expectation of privacy than automatically collected cell phone records. 

The SCA does not provide any better answers than the current body of case law. Overall, the SCA tends to create a relatively low administrative hurdle for searches of electronic data.  The SCA categorizing of digital records based on content, whether the records are opened, and the time in storage is an ineffective approach to balancing privacy protections against the government’s investigative need. A wide variety of individual data is not cleanly divided by the SCA’s categories of the content or whether it has been opened or deleted.  Furthermore, the efficacy of providing lower protections to older records is reduced by the government’s need for timely investigative data as well as individual’s continued privacy interest in that older data.

The lack of clear Fourth Amendment (or other statutory) protections for electronic data weakens the barrier of privacy between individuals and the government. This barrier is further weakened by the relatively low cost of investigation through the searching of electronic data and records. For example, advanced saliency algorithms and deep learning techniques allow authorities to process visual data and access information at quicker speeds and lower costs than ever before. These same algorithms and techniques are easily applied to non-visual user data generated by third-party applications. Individuals using third-party applications on their personal devices store messages, locational data, and other consumer data on these platforms which potentially exposes this data to the government under the Third-Party Exposure Doctrine.  Although the majority in Carpenter limited the Third-Party Exposure Doctrine as it relates to cell phone data, it remains unclear what level of privacy the Fourth Amendment provides to data shared with third-party applications. Although Carpenter discussed the pervasive nature of cell phones in everyday life, the Court also specifically mentioned that the cell phone data in that case was tracked and recorded without any affirmative action by the user. Data shared through third-party apps often requires the user’s consent to data collection. It could be argued that the user’s consent is a voluntary exposure to a third party, thus leaving room for a distinguishing argument by the government. While the precise nature of the privacy protections provided by the Fourth Amendment to electronic data are unclear, there is a clear tension between the modern state of technological surveillance and the current rule of law protecting US citizens’ individual information. 

The implications of insufficient protection of consumer data are wide-reaching.  For example, there is serious concern that data from third-party apps tracking menstrual cycles or location data could be used in criminal prosecution in states that have recently instituted abortion bans or restrictions. Given the current political climate, the relative powers of the branches of the federal government, and the slow-moving and unpredictable nature of the Supreme Court, the most ideal path forward would be for Congress to pass new nation-wide privacy protection legislation. There are many advantages to a clearcut, nation-wide framework of law which balances the need for privacy with the need for government investigation while providing technologically relevant protection to personal data. A question for future research would be whether Congress’s scope of power would allow it to regulate the use of consumer data by investigative authorities, specifically at the state level. Assuming the power is within their scope, an act of Congress would provide the most effective solution to closing the gap between modern technology and current law. Absent such congressional action, US citizens will be forced to rely upon the legislating bodies of their individual states to provide increased personal data privacy protections.