PRIA Logo
Back to search
Civil RightsConstitutional Law

Carpenter v. United States — Digital Privacy & the Third-Party Doctrine

15 min read·Updated May 14, 2026

Carpenter v. United States — Digital Privacy & the Third-Party Doctrine

Carpenter v. United States, 585 U.S. 296 (2018), is the Supreme Court's most consequential digital privacy decision — a 5-4 ruling that held the government must obtain a warrant supported by probable cause before accessing historical cell-site location information (CSLI) from a wireless carrier, even though that information was voluntarily shared with the carrier as a third party. The decision placed a significant limit on the third-party doctrine — the long-established rule, from Smith v. Maryland (1979) and Miller v. United States (1976), that persons have no reasonable expectation of privacy in information voluntarily disclosed to third parties such as banks or telephone companies. Chief Justice Roberts, writing for a five-Justice majority, held that CSLI's unique characteristics — its comprehensiveness, its historical reach, the involuntary nature of its generation, and its capacity to serve as a "detailed chronicle of a person's past" — took it outside the third-party doctrine's scope and required Fourth Amendment warrant protection. Carpenter did not overrule Smith and Miller but created a significant digital exception to the third-party doctrine, generating extensive lower-court litigation about where the exception's boundaries lie. The case is central to understanding the constitutional limits of government access to digital data and the ongoing judicial project of applying the Fourth Amendment's 18th-century framework to 21st-century surveillance technology.

Current Law (2026)

ParameterValue
Case citationCarpenter v. United States, 585 U.S. 296 (2018)
Constitutional basisU.S. Const. amend. IV — "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures"
Core holdingGovernment must obtain a warrant to access historical CSLI from a wireless carrier; court order under 18 U.S.C. § 2703(d) is insufficient
Third-party doctrineNOT overruled, but Carpenter creates a significant exception for data that is comprehensive, involuntarily generated, and reveals the "privacies of life"
Katz testStill governs: whether there is a subjective expectation of privacy that society recognizes as reasonable
ScopeExplicitly limited to historical CSLI; Roberts warned the holding does not necessarily apply to other digital data categories
Lower court applicationCourts have divided on applying Carpenter to real-time CSLI, tower dumps, location data from apps, financial records in digital form
Key statute affected18 U.S.C. § 2703(d) — the "specific and articulable facts" standard under the Stored Communications Act no longer sufficient for CSLI without a warrant
  • U.S. Const. amend. IV — Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized"
  • 18 U.S.C. § 2703 — Stored Communications Act § 2703: governs government access to stored communications and records held by providers; § 2703(d) permits access to non-content records (including CSLI) with a court order based on "specific and articulable facts" rather than probable cause; Carpenter held this insufficient for historical CSLI
  • 18 U.S.C. § 2703(c)(1)(B) — "D-order" provision: the specific subsection used by prosecutors to obtain Carpenter's CSLI; now requires a warrant for historical CSLI under Carpenter
  • 18 U.S.C. § 3122 — Pen Register Act: allows government to obtain pen registers (outgoing call data) and trap-and-trace devices (incoming call data) with a court order based on relevance; Carpenter raised questions about the Act's application to digital location data
  • Katz v. United States, 389 U.S. 347 (1967) — Established that the Fourth Amendment protects reasonable expectations of privacy, not just physical spaces; Harlan's concurrence ("what a person knowingly exposes to the public...is not a subject of Fourth Amendment protection") provides the framework Carpenter applies
  • Smith v. Maryland, 442 U.S. 735 (1979) — No reasonable expectation of privacy in phone numbers dialed (conveyed to phone company); established the third-party doctrine for call records; Carpenter distinguished but did not overrule
  • United States v. Miller, 425 U.S. 435 (1976) — No reasonable expectation of privacy in bank records; the other pillar of the third-party doctrine
  • United States v. Jones, 565 U.S. 400 (2012) — GPS tracker attached to vehicle is a Fourth Amendment search; Carpenter built on Jones's analysis of location tracking
  • Riley v. California, 573 U.S. 373 (2014) — Police must obtain a warrant to search cell phone incident to arrest; recognized cell phones as "minicomputers" requiring full Fourth Amendment protection; presaged Carpenter

Key Mechanics

The warrant requirement. After Carpenter, law enforcement must obtain a Fourth Amendment warrant — supported by probable cause and issued by a neutral magistrate — before compelling a wireless carrier to disclose historical cell-site location information (CSLI). The prior standard under 18 U.S.C. § 2703(d) — a court order based on "specific and articulable facts" showing the records are "relevant and material" to an investigation — is no longer sufficient for historical CSLI. Probable cause is a higher bar: officers must show a fair probability, based on articulable facts, that the records will contain evidence of a crime.

What § 2703(d) orders still cover. The Carpenter ruling did not invalidate the Stored Communications Act or repeal § 2703(d). That provision still covers a wide range of non-content records — subscriber information, transaction logs, non-CSLI metadata — that do not share the comprehensive, involuntary, and revealing characteristics the Court identified as distinctive to historical CSLI. The practical line: if the records can reconstruct a person's physical movements over days or weeks, a warrant is required; if the records reflect discrete voluntary transactions (a specific call log, a billing record), § 2703(d) may still suffice.

The third-party doctrine exception. Smith v. Maryland (1979) and United States v. Miller (1976) held that sharing information with a third party — a phone company, a bank — eliminates any reasonable expectation of privacy in that information. Carpenter carves out a "digital-age exception" for data that is: (1) comprehensive — generated continuously, not event-by-event; (2) involuntary — produced as an inescapable byproduct of using a phone in modern society; and (3) revealing — capable of exposing "familial, political, professional, religious, and sexual associations." CSLI checks all three boxes. Smith's phone numbers and Miller's checks checked none.

Scope and open questions. Chief Justice Roberts explicitly limited the holding to historical CSLI spanning seven or more days. The Court left open: real-time CSLI (prospective tracking); shorter-duration historical CSLI (courts have generally held that one or two days may not require a warrant); tower dumps (bulk data from all devices connecting to a specific tower); location data from apps and sold by data brokers; and digital financial records. These open questions are actively litigated in district and appellate courts as of 2026.

Enforcement: the exclusionary rule. Evidence obtained in violation of Carpenter is suppressible under the Fourth Amendment exclusionary rule. The main exception is good faith: if officers obtained CSLI before June 22, 2018 (the decision date) in reliance on then-valid § 2703(d) orders, courts have generally declined to suppress the evidence because the officers acted in objective good faith reliance on existing law. Post-Carpenter violations do not qualify for good-faith protection.

How It Works

The Facts: Robbery Conviction and CSLI

Timothy Carpenter was convicted in federal court for participating in a series of armed robberies of Radio Shack and T-Mobile stores in Michigan and Ohio in 2010 and 2011. Prosecutors obtained court orders under 18 U.S.C. § 2703(d) — without a warrant — compelling MetroPCS and Sprint to disclose historical cell-site location information covering 127 days of Carpenter's movements. The records showed Carpenter's phone connecting to cell towers near the robbery sites at the times the robberies occurred — powerful evidence placing him at the crime scenes. Carpenter moved to suppress the CSLI records, arguing the government needed a warrant under the Fourth Amendment. The district court denied the motion; the Sixth Circuit affirmed.

The Third-Party Doctrine: Smith and Miller

To understand Carpenter, one must understand the doctrine it limited. Smith v. Maryland (1979) arose from a case where police asked the phone company to install a "pen register" to record the numbers dialed from Smith's home, without a warrant. The Supreme Court held there was no Fourth Amendment search: Smith had voluntarily conveyed the dialed numbers to the phone company (by dialing them) and therefore assumed the risk that the company would share them with the government. Persons have no reasonable expectation of privacy in information they voluntarily reveal to third parties.

United States v. Miller (1976) applied the same logic to bank records: checks and deposit slips conveyed to a bank are not the depositor's private papers — they are business records of the bank, which can be subpoenaed without implicating the Fourth Amendment.

The third-party doctrine made practical sense in its era. When you tell your bank your financial information, you accept that banks maintain records and that the government can access business records through legal process. The rule encouraged predictability in commercial transactions and limited the scope of Fourth Amendment protection to genuinely private spaces and effects.

Why CSLI Is Different: The Carpenter Analysis

Chief Justice Roberts's majority identified several features of CSLI that distinguish it from the records in Smith and Miller:

Comprehensive and detailed: CSLI is generated automatically every time a cell phone connects to a tower — for calls, texts, data, and even when the phone is idle. A smartphone generates hundreds of location data points per day. The 127 days of records obtained in Carpenter's case painted a "detailed chronicle of a person's past" — not merely a log of specific voluntary activities (like phone calls or bank transactions) but a near-complete record of everywhere Carpenter had been for four months.

Retroactive surveillance: Unlike a GPS tracker (which the government must proactively deploy), CSLI enables retroactive reconstruction of location history. The government can access years of stored location data from carriers without having had any prior suspicion. This retroactive surveillance capacity — the ability to "travel back in time" and investigate people who were never suspected at the time the data was generated — is a qualitatively different form of government power than the contemporaneous interception addressed in Smith and Miller.

Involuntary generation: Unlike the phone numbers in Smith (which Smith deliberately dialed) or the bank records in Miller (which Miller deliberately created by writing checks), CSLI is generated involuntarily. A person need not make any affirmative choice to generate CSLI — merely carrying a phone creates the record. As Roberts observed, "carrying a cell phone is indispensable to participation in modern society." To say Carpenter "voluntarily disclosed" his location to carriers is a legal fiction when the disclosure is an inescapable consequence of carrying a device that modern life requires.

Revealing the privacies of life: The Court drew on Riley v. California (2014), which recognized that cell phones contain the "privacies of life." CSLI that tracks a person's movements reveals "familial, political, professional, religious, and sexual associations" — the kind of intimate information that the founders sought to protect when they wrote the Fourth Amendment's prohibition on "general warrants" and writs of assistance that allowed arbitrary searching of homes and papers.

The Narrow Holding and Its Limits

Roberts carefully limited the majority's holding. The Court addressed only the specific question of historical CSLI spanning seven or more days; it declined to resolve several related questions:

  • Whether real-time CSLI (prospective tracking, not historical data) requires a warrant
  • Whether a warrant is required for shorter periods of historical CSLI
  • Whether the Carpenter principle extends to other digital records held by third parties (financial records in digital form, cloud storage contents, social media metadata, IP addresses)
  • Whether the rule applies when CSLI data is "tower dumps" — bulk data about all devices connecting to a particular tower rather than a specific suspect's account
  • Whether foreign intelligence investigations are governed by the same standard

These open questions have generated substantial lower-court litigation. Courts have generally required warrants for real-time cell phone tracking, tower dumps, and extended periods of geolocation data from apps. The outer boundary of Carpenter — where the third-party doctrine reasserts itself — remains contested.

The Dissents: Four Different Theories

Four Justices dissented, each on somewhat different grounds — illustrating the doctrinal difficulty of applying the Fourth Amendment to digital technology:

Justice Kennedy (joined by Thomas and Alito): Smith and Miller should govern. Cell phone users voluntarily share location data with carriers as part of their service contracts; the third-party doctrine applies without modification. Congress, not courts, is the appropriate institution to update privacy rules for digital technology.

Justice Thomas: The third-party doctrine is itself wrongly decided — the Fourth Amendment protects property rights, not reasonable expectations of privacy, and the majority's Katz framework is historically unfounded. Would reconsider both Katz and the third-party doctrine from first principles.

Justice Alito (joined by Thomas): Congress enacted the Stored Communications Act precisely to balance privacy and law enforcement interests in digital records; the "specific and articulable facts" standard of § 2703(d) represents a considered legislative judgment that courts should respect. Carpenter disrupts this statutory framework without adequate guidance.

Justice Gorsuch: The third-party doctrine is deeply problematic, but the majority's solution (a Katz-based exception) is also flawed. Would explore whether a property rights framework — whether individuals have a constitutionally protected property interest in their digital records held by third parties — better grounds Fourth Amendment digital privacy doctrine.

Carpenter in Practice: The Warrant Requirement for CSLI

After Carpenter, law enforcement must obtain a warrant supported by probable cause before compelling carriers to disclose historical CSLI. The government cannot satisfy the Fourth Amendment with a § 2703(d) court order showing only "specific and articulable facts" that the records are "relevant and material to an ongoing criminal investigation." Probable cause — a fair probability that the records will yield evidence of a crime — is required.

For law enforcement, Carpenter imposes a higher standard for a commonly used investigative technique. CSLI had been widely used in drug, robbery, and trafficking investigations as a way to establish that a suspect was in a particular place at a particular time. The warrant requirement adds time and judicial oversight to that process, and some CSLI requests that could survive § 2703(d)'s relevance standard may not satisfy probable cause.

How It Affects You

<!-- pria:personalize type="impact" -->

If you are a criminal defendant whose prosecution relied on cell phone location data: Carpenter requires a warrant for historical CSLI. If government prosecutors obtained your CSLI records using a § 2703(d) court order (not a warrant based on probable cause), the evidence may be suppressible as obtained in violation of the Fourth Amendment. The key questions: (1) Was the access pre-Carpenter (June 2018)? Pre-Carpenter access in good-faith reliance on existing law may be excused under the good-faith exception to the exclusionary rule. (2) How many days of CSLI were obtained? Carpenter addressed 127 days; courts have generally found that shorter periods may not require a warrant, though the cutoff is unsettled. (3) Was it real-time tracking or historical data? Real-time tracking generally requires a warrant post-Carpenter. Consult a criminal defense attorney — Fourth Amendment suppression motions are complex and fact-specific.

If you are concerned about government surveillance of your movements: Carpenter establishes that the government must have probable cause and a warrant to access the historical location history your cell phone generates with your carrier. However, the decision does not prohibit all government location tracking. Real-time tracking, short-term CSLI requests, GPS tracking with a warrant, and location data from mobile apps you have installed (which may be subject to different doctrine) remain available investigative tools. Private companies — data brokers, app developers, advertisers — are not subject to the Fourth Amendment and can acquire and sell your location data without any constitutional constraint. If you are concerned about commercial location tracking, the legal framework is statutory (state privacy laws, FTC enforcement), not constitutional.

If you are a law enforcement officer or federal agent: After Carpenter, use a warrant when seeking more than a few days of historical CSLI. The "specific and articulable facts" standard of § 2703(d) is insufficient for historical CSLI regardless of how the statute is worded. Build probable cause and get a warrant — it is the safe course that ensures the evidence is admissible. For real-time cell phone tracking (using "stingrays" or IMSI catchers), a warrant is also required in most jurisdictions post-Carpenter. Tower dumps — bulk requests for all devices connecting to a cell tower during a time window — are more contested; some courts require warrants, others do not. Document your legal authority for every digital evidence request and anticipate suppression challenges.

If you are a technology company, carrier, or data holder: Carpenter limits the government's ability to use court orders (rather than warrants) to access certain digital records held by third parties. However, the holding is specifically about CSLI; other records held by carriers, platforms, and data brokers may still be accessible under § 2703(d) or other legal process short of a warrant. The Electronic Communications Privacy Act (ECPA) framework — enacted in 1986 and now dramatically outdated — governs most government requests for digital records. ECPA reform efforts have been ongoing for years; the discrepancy between statutory requirements and constitutional standards post-Carpenter creates compliance uncertainty. Consult legal counsel when receiving government process for customer data, especially location information.

<!-- /pria:personalize -->

State Variations

The Carpenter rule is a federal constitutional floor: state constitutions, statutes, and court decisions may provide broader protection for digital location data.

State constitutional privacy: Several state constitutions provide stronger privacy protections than the Fourth Amendment as interpreted by the federal courts. California's constitution explicitly protects privacy as an "inalienable right" (Cal. Const. art. I, § 1), and California courts have applied this provision to digital records. Washington, Montana, and other states have strong state constitutional privacy provisions that may independently require warrants for CSLI and other digital data.

State electronic surveillance statutes: Many states have enacted wiretap and electronic surveillance laws that go beyond federal ECPA requirements. Some states require warrants for categories of electronic surveillance that federal law permits with court orders. Before seeking digital records in state investigations, law enforcement must comply with both federal and state statutory frameworks.

State privacy laws: The California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act, and similar state laws regulate commercial collection and use of personal data including location information — separate from the Fourth Amendment framework governing government access. These statutes give individuals rights to know what location data has been collected, to delete it, and in some cases to opt out of its sale. They do not limit government access with legal process but create a regulatory framework for the commercial data ecosystem that generates much of the digital information government seeks.

Location data from apps: Carpenter addressed CSLI held by carriers; it did not directly address location data generated by apps and held by app developers or data brokers. Government access to app-generated location data (which may be sold commercially and accessible to government via purchase rather than legal process) is regulated primarily by statute and remains a developing area of law. Several states have enacted laws specifically restricting law enforcement purchase of location data from commercial brokers.

Pending Legislation

  • Electronic Communications Privacy Act (ECPA) Reform: ECPA was enacted in 1986 and has not been comprehensively updated to address the digital era. The Email Privacy Act (to require warrants for all stored email) and similar reform proposals have been introduced in multiple Congresses; comprehensive ECPA reform to align statutory standards with Carpenter and Riley constitutional requirements remains pending.
  • Geolocation Privacy Protection Act: Periodically introduced legislation would require law enforcement to obtain a warrant before accessing geolocation data from any source — carriers, apps, or data brokers — closing the loophole that allows government to purchase commercial location data without a warrant.
  • American Data Privacy and Protection Act: Federal comprehensive privacy legislation that would, among other things, regulate commercial data brokers' collection and sale of location data. Passed the House Energy and Commerce Committee in 2022 but has not been enacted. If enacted, it would limit the commercial data ecosystem that government currently exploits to access location data without legal process.

Recent Developments

  • 2018Carpenter v. United States decided: Warrant required for historical CSLI covering seven or more days. Roberts's majority creates a "digital-age exception" to the third-party doctrine based on the comprehensive, involuntary, and revealing nature of cell phone location data.
  • 2019–2026 — Lower court application of Carpenter: Courts have applied Carpenter to require warrants for real-time cell phone tracking, stingray/IMSI catcher use, tower dumps in some circuits, and extended geolocation data from mobile apps. Courts have been more reluctant to extend Carpenter to shorter-duration CSLI requests, financial records in digital form, and IP addresses.
  • 2022United States v. Moore-Bush (First Cir., en banc, June 9, 2022): Eight-month pole-camera surveillance of a home's exterior raised Carpenter questions about long-term location monitoring; the en banc First Circuit divided 3-3 on whether a warrant was required, with the unanimous court declining to suppress on good-faith reliance grounds. The Supreme Court denied certiorari on May 22, 2023, leaving the doctrinal question unresolved.
  • 2023 — Commercial location data and government purchase: Law enforcement agencies (including ICE and the FBI) have purchased commercial location data from data brokers without legal process, arguing that no Fourth Amendment constraint applies to voluntary commercial purchases. Multiple civil liberties organizations have challenged this practice; a federal district court in Ziccarelli v. Malonis found that government purchase of location data does not violate the Fourth Amendment because the data was voluntarily shared with commercial parties — a ruling in tension with Carpenter's logic.
  • 2025 — Trump administration surveillance expansion: Executive orders and DOJ guidance in 2025 emphasized expanded use of available surveillance tools; the boundaries of Carpenter's warrant requirement have been tested in national security and immigration enforcement contexts, with pending litigation on whether the ruling applies to immigration enforcement operations using geolocation data.
  • 2026 — FTC data-broker enforcement and Carpenter gap: The Federal Trade Commission has pursued enforcement actions against commercial data brokers that sell precise location data — including actions against X-Mode Social and InMarket — under FTC Act § 5 unfair practice authority. These actions target the commercial surveillance gap Carpenter left open: the government itself can buy location data from brokers without a warrant if the data was originally collected with consumer consent. Congress has not yet closed this loophole via statute. Meanwhile, at least three federal circuits have pending appeals on whether Carpenter extends to persistent (weeks-long) app-based location tracking sold to law enforcement through data broker intermediaries — a question that will likely require Supreme Court resolution.

At My Address

See how Carpenter v. United States — Digital Privacy & the Third-Party Doctrine plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address