The Fourth Amendment, the Third-Party Doctrine, and Cloud-Stored Data: Do Terms of Service Undermine Our Privacy Expectations in the Digital Age?

Marisa Mendoza | Posted on May 05, 2025

Introduction

I. Introduction

The Fourth Amendment to the United States Constitution is perhaps the most prominent amendment, reflecting the early notion that the “Crown could not intrude on the sanctity of the home without a warrant.”^[1] The Amendment stems from long-held frustration with British general warrants allowing law enforcement limitless authority to rummage through homes. In response to technological advancements, application of the Fourth Amendment has evolved significantly. While the framers envisioned the amendment in relation to physical spaces, the landmark case of Katz v. United Statesaltered the focus from physical trespass to privacy protections. Justice Harlan established the occurrence of a search through a two-prong test requiring “first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”^[2]

Shortly thereafter, the Supreme Court adopted the third-party doctrine in United States v. Miller.^[3] This caveat to the Katz test stands for the proposition that what we willingly disclose to others undermines any expectation of privacy we may have in that information. In a world where reliance on third-party cloud services has increased exponentially, the bounds of the doctrine seem unclear. This uncertainty is only intensified by the fact that usage of third-party cloud services oftentimes requires users to enter into complicated and non-negotiable terms of service agreements. Whether such agreements legitimately nullify privacy protections in third-party stored data is certainly worth examining. For purposes of this blog, "cloud-stored data" refers to personal digital content that is stored remotely by third-party providers, such as Google, Microsoft, and Apple, which can be accessed through the internet or other secure private network.^[4]This personal data includes, but is not limited to, emails, documents, photos, videos, calendar entries, messages, and location history.

The Supreme Court’s ruling in Carpenter v. United States marked a significant shift in the application of the third-party doctrine by recognizing heightened privacy interests in digital location data. While courts have not fully addressed whether such protection extends to data stored in cloud services, this blog argues that contractual formalities in terms of service agreements should not diminish users’ reasonable expectations of privacy in their cloud-stored data. Instead, Fourth Amendment protections recognized in Carpenter should extend to cloud stored information, limiting warrantless government access based solely on complex and often unread terms of service agreements that do not genuinely reflect user consent.

II. Analysis

A. The Rise of the Third-Party Doctrine

Every time we swipe a credit card, make a phone call, or run a new google search, information is shared with someone.^[5] Such interactions lie at the core of the third-party doctrine. The doctrine was first recognized in the Millercase, where no Fourth Amendment violation was found when the government subpoenaed bank records.^[6] The Court reasoned that there can be no reasonable expectation of privacy in “information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose.”^[7] The doctrine was once again affirmed by the Supreme Court in Smith v. Maryland, where no search^[8] arose in obtaining dialing records from a telephone company.^[9] The Court rejected finding a search under Katz because “it is too much to believe that telephone subscribers, under these circumstances, harbor any general expectation that the numbers they dial will remain secret.”^[10]

The doctrine itself was created in a technological environment that differs significantly from today’s. Digital surveillance has grown massively and the types of information shared with service providers bears less resemblance to the bank records and dialing records sought in Miller and Smith. In more recent years, the third-party doctrine has been expanded to apply in modern digital contexts where courts have struggled to carefully distinguish between minimally intrusive data, like bank records or phone numbers, and highly intimate information^[11] automatically generated by routine digital activities. This evolution has led courts to confront increasingly nuanced distinctions when applying the third-party doctrine to digital-era surveillance, as exemplified by cases involving email metadata.^[12]

The Supreme Court’s ruling in Carpenter v. United States represents a massive departure from prior applications of the third-party doctrine. There, law enforcement obtained 127 days worth of the defendant’s cell-site records from MetroPCS without a warrant.^[13] The government attempted to rely on Smith and Miller in arguing that there can be no reasonable expectation of privacy in such data when it was voluntarily turned over to a wireless carrier.^[14] The Supreme Court rejected this argument, refusing to extend the third-party doctrine to cell site location information (“CSLI”). The majority noted that CSLI is categorically different from traditional business records like dialed phone numbers or bank statements in that it provides a “detailed and comprehensive record of the person's movements.”^[15] The Court further clarified that a “person does not surrender all Fourth Amendment protection by venturing into the public sphere.”^[16]

One of the most striking aspects of Carpenter is the absence of explicit limitations on its application. By claiming that Fourth Amendment protections still exist even when privacy interests are diminished, the Court left the door open for future challenges to warrantless government access to a wide range of third-party stored data. This ruling demonstrates a fundamental shift in how individuals interact with digital services, where sharing data with third parties is not always a voluntary choice but rather a prerequisite for life in modern society.

B. Terms of Service Agreements and the Illusion of Consent

In the 21st century, Terms of Service (“ToS”) agreements govern nearly every interaction between users and online platforms. They set the terms and conditions under which users can access cloud storage, social media, email services, and other digital platforms. Somewhere deep in the agreement includes how data is collected, stored, shared, and even sold. ToS agreements purport to give users the information they need to adequately weigh the pros and cons; however, there is lengthy debate to be had regarding whether these agreements actually reflect genuine user consent.^[17]

Unlike traditional contracts, ToS agreements are non-negotiable. This means that users must accept all provisions of the agreement in full or be denied access to these digital services in their entirety. This all-or-nothing approach creates a false sense of choice. Users are led to believe they retain bargaining power, yet receive no meaningful opportunity to discuss terms and are instead forced to comply if they wish to use a tool that the rest of society uses. To complicate matters further, many ToS agreements obtain consent that is passive in nature, making it even less meaningful. Some platforms require users to actively click “I agree” to consent while others infer consent by mere use of the platform. These are known as “browse-wrap agreements” and a defining feature of them is that express consent is not necessary to establish the mutual assent element of the contract.^[18] Browse-wrap agreements are especially problematic because they rely on the fiction that users have knowingly agreed to all terms of service when they are likely unaware that a legally binding contract exists in the first place.

Research repeatedly demonstrates that the vast majority of users do not read ToS agreements, nor would it be reasonable to expect them to. For instance, in 2019, the Pew Research Center conducted a study examining Americans’ attitudes and experiences with privacy policies and laws. It was revealed that just 9% of Americans claimed they always read the privacy policies before agreeing to it.^[19] Even if society were to place an expectation on individuals to review these terms before agreeing to them, this view completely ignores the amount of time and energy needed to understand these complex contracts. A 2008 study found that an individual would have to spend 30.5 work days a year in order to read the privacy policies for each site they visited annually.^[20] Given these findings, it becomes increasingly difficult to argue that ToS agreements constitute genuine and informed consent. The expectation that users meticulously review every ToS agreement is detached from reality, as the practical demands of daily life make this an impossible burden.

Even for the 9% of Americans who claim to always read privacy policies before signing them, comprehension remains a significant barrier. ToS agreements are full of vague, ambiguous, and confusing language that the average person does not regularly use in their daily lives. Understanding these agreements requires more than a baseline level of literacy—it requires a developed comprehension of contract law and privacy law that most consumers are not equipped with. ToS agreements are drafted by corporate attorneys whose main goal is to protect the company, not the consumer. For these reasons, most users are at a severe disadvantage. This power imbalance only reinforces the illusion of consent because users are expected to agree to terms they cannot reasonably be expected to understand.

When faced with ToS agreements, courts have shown inconsistent approaches in applying the third-party doctrine to determine whether a reasonable expectation of privacy exists under the Fourth Amendment. In United States v. Warshak, the Sixth Circuit became the first federal appellate court to recognize a reasonable expectation of privacy in the contents of email communications stored by an internet service provider.^[21] The court compared internet service providers to post offices or telephone providers, emphasizing that “the police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant.”^[22] While this case represents major privacy progress, the court did caution that “if the ISP [Internet Service Provider] expresses an intention to ‘audit, inspect, and monitor’ its subscriber's emails, that might be enough to render an expectation of privacy unreasonable.”^[23] In contrast, the Ninth Circuit decided to take a much more deferential approach in United States v. Rosenow. There, the court was comfortable with the warrantless search and seizure of incriminating evidence of child sexual exploitation stored in the defendant’s Yahoo and Facebook accounts.^[24] The court placed great significance on the existence of a ToS agreement, finding a “contractual right under the terms of its privacy policy, to which Rosenow agreed, ‘to investigate, prevent, or take action regarding illegal activities.’”^[25] These two cases resulted in dramatically different outcomes, underscoring the ongoing uncertainty surrounding the role of ToS agreements in Fourth Amendment analysis.

They raise important questions: Should ToS agreements be dispositive in determining a user's expectation of privacy, or should there be further inquiry into the role digital data plays in our private lives?

The answer is clear. ToS agreements should not determine Fourth Amendment protections. The inconsistent treatment of ToS agreements in Fourth Amendment jurisprudence is not only confusing but deeply problematic and unjust. The continued reliance on the fine print of contracts to determine whether someone retains a reasonable expectation of privacy leads to outcomes that will always favor government interests over individual rights. This is not what the Fourth Amendment envisions. The Founders did not draft the Constitution picturing a “dystopian future in which our Fourth Amendment rights are at the mercy of form contracts written by lawyers for multinational corporations.”^[26]In a world where digital participation is no longer optional, courts must adopt a uniform approach that prioritizes heightened privacy protections over technical, non-negotiable contractual formalities.

At the heart of this issue lies a fundamental confusion between how consent is understood in contract law versus constitutional law. The threshold for establishing consent in contract law is significantly lower than in constitutional contexts. In contract law, parties can mutually assent to an agreement based on minimal or passive actions, such as clicking “I agree.” This is because contract law was created to facilitate efficient economic transactions between sophisticated parties that the law presumes understand the weight of their actions.^[27] Fourth Amendment jurisprudence tells us that the test for constitutional consent is far more demanding. In Schneckloth v. Bustamonte, the Supreme Court held that consent must be voluntary and based on the totality of the circumstances, including whether the individual subjectively understood their rights and was free from force.^[28] Consent under the Fourth Amendment cannot be established through the passive, mindless means that contract law allows for. It requires an elevated level of substantive awareness to protect against the natural imbalance of power that exists between individuals and the government. Allowing ToS agreements to control Fourth Amendment rights completely obliterates the essential separation between commercial transactions and constitutional protections that legal scholars routinely recognize.

C. Carpenter Must Extend to Cloud-Stored Data

Given that ToS agreements do not, by themselves, undermine a user’s reasonable expectation of privacy, it naturally follows that the Court’s holding in Carpenter should extend to cloud-stored data. The Court’s recognition that data characterized by depth, sensitivity, and involuntary disclosure warrants heightened Fourth Amendment protection applies equally, if not more forcefully, to cloud-stored data. Just as CSLI reveals intimate details regarding a person’s movement, cloud-stored records such as emails and photos provide an extensive window into our personal lives. The fact that this data is stored in a remote server is immaterial in the privacy analysis. If anything, the remoteness signals a strengthened need to protect the data.

Cloud-stored data parallels CSLI not only in the deeply personal nature of the information it contains but also in the lack of user control over collection, transmission, and storage of the data. Much of this cloud-stored data is automatically backed up and shared across multiple devices without any deliberate or informed decision on the user’s end.^[29] As cloud services become deeply integrated into everyday digital practices, such as email, mobile apps, and document editing, users are increasingly required to rely on third-party storage simply to navigate modern life. Opting out of cloud services is no longer a realistic alternative. Just as the Court in Carpenter described cell phones as “indispensable to participation in modern society,” cloud storage has likewise become a fundamental necessity in the digital age.^[30] It’s not just convenient—it’s the backbone of how we live and work today. Considering this reality, the logical extension of Carpenter is crystal clear: if a warrant is required to access sensitive location data that users involuntarily share with a third-party provider, the same constitutional protection must apply to cloud-stored data. To treat cloud-stored data as any less deserving of protection than CSLI would be to draw an arbitrary and unsound distinction, one that runs contrary to the broader privacy principles outlined in Carpenter.

To preserve the vitality of the Fourth Amendment in the digital era, Carpenter must be given a broad and consistent interpretation. The same privacy concerns that shielded CSLI must also protect emails, documents, and other personal data stored in the cloud. The analysis must not hinge on where the data resides, but rather what it reveals and how little control users have over its retention. Until courts and legislatures update legal standards to reflect the realities of cloud-based technology, the digital privacy of millions of Americans will remain vulnerable.

III. Conclusion

The legal framework surrounding the Fourth Amendment and third-party doctrine was built for an entirely different world than the one you and I recognize today. As this blog has argued, relying on the third-party doctrine and ToS agreements to determine the scope of Fourth Amendment protections is inappropriate in the modern digital landscape. The Supreme Court’s decision in Carpenter signaled an important shift, acknowledging that certain types of digital data demand heightened constitutional safeguards. That same logic must now be extended to cloud-stored information, which reveals just as much (if not more) about a person’s private life as CSLI ever could. How courts and lawmakers choose to navigate the complicated interplay between ToS agreements, the third-party doctrine, and the Fourth Amendment will define the contours of digital privacy for generations to come. As daily life becomes increasingly digitalized, the law must evolve with it. If the Constitution is to remain a living document, it must live where we live: online and in the cloud.

^[1] William J. Cuddihy, The Original Fourth Amendment, 83 U. CHI. L. REV. 1181, 1195 (2016), www.lawreview.uchicago.edu/print-archive/original-fourth-amendment.

^[2] Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring).

^[3] United States v. Miller, 425 U.S. 435, 436 (1976)

^[4] IBM, What Is Cloud Storage?, IBM THINK (Oct. 16, 2024), www.ibm.com/think/topics/cloud-storage.

^[5] Charlie Brownstein, Confronting Carpenter: Rethinking the Third-Party Doctrine and Location Information, 92 FORDHAM L. REV.183, 195 (2023).

^[6] Miller, 425 U.S. at 436.

^[7] Id. at 443.

^[8] A "search" occurs when the government intrudes on an individual’s reasonable expectation of privacy or physically trespasses on private property for the purpose of gathering information.

^[9] Smith v. Maryland, 442 U.S. 735, 737 (1979).

^[10] Id. at 743.

^[11] “Highly intimate information” is personal data revealing sensitive aspects of a person’s life, including but not limited to health status, political views, religions beliefs, social relations, and personal communications.

^[12] See United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (holding that the government's surveillance of email metadata, such as IP addresses, did not constitute a search under the Fourth Amendment, distinguishing such data from more “content-rich information”).

^[13] Carpenter v. United States, 585 U.S. 296, 302 (2018)

^[14] Id. at 303.

^[15] Id. at 309.

^[16] Id. at 310.

^[17] Bar Fargon Mizrahi, Risky Fine Print: A Novel Typology of Ethical Risks in Mobile App User Agreements, 66 VILL. L. REV. 483, 487 (2021), www.digitalcommons.law.villanova.edu/vlr/vol66/iss3/1.

^[18] Sam S. Han, Predicting the Enforceability of Browse-Wrap Agreements in Ohio, 36 OHIO N.U. L. REV. 31, 40 (2010), digitalcommons.onu.edu/cgi/viewcontent.cgi?article=1072&context=onu_law_review.

^[19] Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, PEW RESEARCH CENTER 5 (2019), www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.

^[20] Aleecia M. McDonald & Lorrie Faith Cranor, The Cost of Reading Privacy Policies, 4 I/S: J.L. & POL’Y 543, 563 (2008), kb.osu.edu/items/2ab631c3-a553-5cfd-8a8b-560404f68f68.

^[21] United States v. Warshak, 631 F.3d 266, 274 (6th Cir. 2010)

^[22] Id. at 286.

^[23] Id. at 287.

^[24] United States v. Rosenow, 50 F.4th 715, 722 (9th Cir. 2022)

^[25] Id. at 732.

^[26] Orin S. Kerr, Terms of Service and Fourth Amendment Rights, 172 U. PA. L. REV. 287, 290 (2024), www.scholarship.law.upenn.edu/penn_law_review/vol172/iss2/1.

^[27] Seana Valentine Shiffrin, The Divergence of Contract and Promise, 120 HARV. L. REV. 708, 713 (2007), www.harvardlawreview.org/wp-content/uploads/2006/12/shiffrin.pdf.

^[28] Schneckloth v. Bustamonte, 412 U.S. 218, 249 (1973).

^[29] Google Drive Help, support.google.com/drive/answer/10838124?hl=en (last visited Apr. 26, 2025).

^[30] Carpenter, 585 U.S. at 315.