The Third-Party Doctrine Meets the Cloud
How decades-old precedent on bank records and phone logs is straining against a world where everything personal lives on someone else’s server.
The third-party doctrine once seemed tidy. Under Smith v. Maryland and United States v. Miller, information voluntarily handed to a bank or a telephone company carried no reasonable expectation of privacy, and the government could obtain it without a warrant. For forty years that logic governed.
The premise is harder to sustain when nearly every record of a modern life — location history, message archives, search queries, draft documents — sits on a server owned by someone else. The Supreme Court signalled as much in Carpenter v. United States, holding that seven days of cell-site location data was a search requiring a warrant, even though a carrier held the records.
What Carpenter left open
The majority took pains to call its holding narrow. It did not overrule the third-party doctrine; it carved out an exception for a particular kind of pervasive, automatically generated record. The opinion declined to extend its reasoning to “conventional surveillance techniques and tools” or to ordinary business records, and it expressly reserved questions about real-time location tracking and shorter periods of data. Lower courts have since spent years arguing over which other records are Carpenter-like and which remain ordinary business records.
That ambiguity is not academic. The same reasoning that shielded long-term location histories is now pressed in disputes over reverse-location (geofence) warrants, keyword-search warrants, cloud email and backup archives, ride-hailing and financial-app logs, and the telemetry generated by smart-home and connected-car devices. Each asks the same question in a new setting: when a third party holds a record that exposes the intimate details of a life, does handing it over count as the kind of voluntary disclosure Smith and Miller had in mind?
The records now in dispute
Courts drawing the line have leaned on two earlier markers. Riley v. California held that the data on a modern cell phone is so vast and revealing that police need a warrant to search it incident to arrest — a recognition that quantity and intimacy can change the constitutional calculus. United States v. Jones reached a similar instinct from a different direction, treating prolonged GPS tracking as a search.
Read together, the cases suggest that the doctrine is migrating away from a simple question of who holds a record toward a harder one about what the record reveals and how knowingly it was surrendered. A bank ledger of cancelled checks looks little like a continuous, machine-generated map of a person’s movements, even though both technically rest in a company’s files.
Courts now sort digital records by how revealing and how voluntary they are. The further a record sits from a deliberate, knowing disclosure, the more likely it is to attract Fourth Amendment protection.
Two ways the doctrine could resolve
One path is incremental: courts keep the third-party doctrine as a default and carve out exceptions case by case, asking each time whether a record is pervasive and automatically generated enough to resemble the location data in Carpenter. The virtue is caution; the cost is years of inconsistent results across the circuits while the technology keeps moving.
A second path would rebuild the analysis on different footing. Writing separately in Carpenter, Justice Gorsuch sketched a property-based approach: digital records entrusted to a provider might be treated as the user’s own “papers and effects,” held by a bailee, rather than as the company’s business records to surrender at will. Years earlier, Justice Sotomayor had questioned in Jones whether the voluntary-disclosure premise still fits an age in which people must share data simply to function. Either route would shrink the doctrine well beyond the narrow exception the majority drew.
What it means for providers and users
Until the line settles, the uncertainty falls first on the companies that hold the data. The Stored Communications Act already forces a rough sort — a warrant for the content of communications, lesser process for non-content records — but it predates the services most people now rely on, and it maps awkwardly onto cloud storage that blurs the content/non-content divide. Providers responding to law-enforcement demands must guess how a future court will classify a given record, whether to insist on a warrant, and when to notify the user whose files are at stake.
The trend points toward a doctrine organised less around who holds a record and more around what the record exposes. Whether the Court formalises that shift, or leaves it to accrete case by case, is the question the next decade of search-and-seizure law will answer.
Questions readers ask
Did Carpenter overturn the third-party doctrine?
No. It created a narrow exception for pervasive location data while leaving the older bank- and phone-record cases in place.
Does a warrant now cover all cloud data?
Not automatically. Courts still distinguish between records a user knowingly shares and data generated passively about them.
Why do Riley and Jones matter to a cloud question?
Both recognised that the sheer volume and intimacy of modern digital records can demand Fourth Amendment protection even where older doctrine would not — the same instinct courts apply when sorting cloud records.
What is the property-based alternative to the doctrine?
It would treat records a user entrusts to a provider as the user’s own “papers,” held by a bailee, rather than the company’s business records — an approach Justice Gorsuch outlined in Carpenter.
How does the Stored Communications Act fit in?
It requires a warrant for the content of communications but lesser process for non-content records. Written before modern cloud services, it maps imperfectly onto storage that blurs that divide, leaving providers to anticipate how courts will classify each record.
