The Fourth Amendment was written for a world of locked doors and sealed letters. It now governs a world where your smartphone logs your location 24 hours a day, your smart speaker records ambient conversation, and your car knows where you drove last Tuesday. The gap between what the Constitution’s framers imagined and what modern technology enables has become a chasm — one that law enforcement, corporations, and foreign governments are eager to exploit.
That’s the central argument of a sweeping new examination by Ars Technica, which traces how the digital devices we carry, install, and drive have fundamentally undermined the right to privacy that Americans have long taken for granted. The piece draws on legal scholarship, recent court rulings, and forensic analysis to paint a picture that should unsettle anyone who owns a phone — which is to say, virtually everyone.
The problem isn’t hypothetical. It’s already here.
Consider the sheer volume of data a single smartphone generates. Location pings from cell towers. Wi-Fi connection logs. App usage data. Biometric identifiers. Browsing history. Text messages, both encrypted and not. Purchase records. Health metrics from wearable integrations. Each data point alone might seem trivial. Aggregated over weeks and months, they compose a portrait of a person’s life more detailed than anything a team of private investigators could assemble in a year of physical surveillance. Courts have only begun to wrestle with the implications.
The Supreme Court’s 2018 decision in Carpenter v. United States was supposed to be a landmark. Chief Justice John Roberts, writing for the majority, held that the government generally needs a warrant to access historical cell-site location information from wireless carriers. The decision recognized that digital records can reveal “the privacies of life” and that individuals maintain a reasonable expectation of privacy in the comprehensive record of their physical movements. But Carpenter was narrow by design. It addressed only historical cell-site data. It said nothing about real-time tracking, geofence warrants, data purchased from brokers, or the ocean of information generated by IoT devices that didn’t exist when the case was argued.
And that narrowness has become the loophole.
Law enforcement agencies at every level — federal, state, local — have grown adept at routing around Carpenter‘s protections. One method: purchasing location data from commercial data brokers rather than requesting it from carriers. Because the data is commercially available, agencies argue no warrant is needed. The logic is circular and troubling. Companies collect the data through apps that users download, often with permissions buried in terms-of-service agreements that almost no one reads. The government then buys what it couldn’t constitutionally compel. As Ars Technica details, this commercial surveillance pipeline has become one of the most significant privacy threats facing ordinary citizens.
Geofence warrants represent another expanding front. Rather than identifying a suspect and then seeking evidence, these warrants work in reverse: law enforcement defines a geographic area and a time window, then demands that Google or another provider hand over information on every device that was present. The technique has been used in investigations ranging from bank robberies to the January 6 Capitol breach. Critics — including civil liberties organizations and some federal judges — argue that geofence warrants are the digital equivalent of searching every home on a block because a crime occurred on the street. Google announced in late 2023 that it would begin storing location data on users’ devices rather than centrally, a move designed to make geofence warrants technically harder to fulfill. But the underlying legal questions remain unresolved.
Smart home devices add another dimension entirely. Amazon’s Ring doorbells, once marketed as neighborhood safety tools, have become a de facto surveillance network. Police departments in hundreds of cities established partnerships with Ring, gaining the ability to request footage from residents — and in some cases, to obtain it directly from Amazon without the homeowner’s knowledge, through legal process that falls short of a full warrant. Amazon has since tightened some of these policies, but the architecture remains. Your neighbor’s doorbell camera may be recording your comings and goings, and that footage may end up in a police database without either of you being aware.
Cars are no better. Modern vehicles are rolling data centers. A 2023 investigation by the Mozilla Foundation found that every major car brand it reviewed failed to meet basic privacy standards. Cars collect location data, driving behavior, voice recordings from in-cabin microphones, and even biometric data in some cases. General Motors was caught sharing detailed driving data with insurance companies through its OnStar platform without making the practice clear to customers. Tesla vehicles, equipped with multiple external cameras and internal sensors, generate enormous volumes of data that the company retains. The question of who owns vehicle data — the driver, the manufacturer, or some third party — remains largely unanswered by law.
Then there’s the matter of encryption, the one technical safeguard that has consistently proven effective at protecting digital privacy. End-to-end encryption, as implemented by Signal, WhatsApp, and Apple’s iMessage, ensures that only the sender and recipient can read a message. Governments worldwide have waged a sustained campaign to weaken or circumvent it. The argument is always the same: law enforcement needs access to encrypted communications to fight terrorism, child exploitation, and organized crime. The counterargument is equally consistent: any backdoor built for the government will inevitably be discovered and exploited by criminals, hostile foreign intelligence services, or both. There is no such thing as a vulnerability that only the good guys can use.
The UK’s Investigatory Powers Act, sometimes called the Snooper’s Charter, grants the government sweeping authority to compel companies to remove encryption protections. Apple pulled its Advanced Data Protection feature from the UK market rather than comply with a secret order to build in government access. The standoff illustrates the tension between national security imperatives and individual privacy rights — a tension that has no clean resolution and that is playing out simultaneously in the European Union, Australia, India, and the United States.
Domestically, the FBI has long pushed for what it calls “responsible encryption” — a term that privacy advocates view as an oxymoron. Former FBI Director Christopher Wray repeatedly warned that encrypted devices were creating a “going dark” problem, preventing agents from accessing evidence even with valid warrants. But technical experts, including those who helped build the internet’s security infrastructure, have consistently testified that weakening encryption for law enforcement would compromise the security of banking systems, health records, and critical infrastructure. The math doesn’t care about policy preferences.
What makes the current moment particularly fraught is the convergence of several trends at once. Artificial intelligence has dramatically increased the ability to analyze and correlate massive datasets. Facial recognition technology, trained on billions of photos scraped from social media, can now identify individuals in real time from surveillance camera feeds. Voice recognition can match recordings to known speakers. Predictive policing algorithms claim to forecast where crimes will occur — and who will commit them — based on historical data that often reflects existing racial and socioeconomic biases. Each of these capabilities feeds on the data that digital devices produce. And each raises constitutional questions that existing law is ill-equipped to answer.
The third-party doctrine, a legal principle established by the Supreme Court in the 1970s, holds that information voluntarily shared with a third party — a bank, a phone company — carries no reasonable expectation of privacy. Carpenter carved out a narrow exception, but the doctrine remains largely intact. It was developed in an era when sharing information with a third party was a conscious, discrete act. Today, our devices share data with dozens of third parties continuously, automatically, and without any meaningful human decision. The doctrine’s foundational assumption — that sharing is voluntary — has become a fiction.
Some states have moved to fill the federal vacuum. California’s Consumer Privacy Act and its successor, the California Privacy Rights Act, give residents the right to know what data companies collect, to delete it, and to opt out of its sale. Colorado, Connecticut, Virginia, and several other states have passed their own privacy laws. But the patchwork approach creates compliance headaches for companies and inconsistent protections for citizens. A comprehensive federal privacy law has been discussed in Congress for years. It hasn’t materialized. Industry lobbying, partisan disagreements over preemption of state laws, and the sheer complexity of the subject have stalled every major proposal.
Meanwhile, the data keeps flowing.
One particularly underappreciated vector is health data generated outside the traditional healthcare system. Fitness trackers, period-tracking apps, sleep monitors, and mental health platforms collect extraordinarily sensitive information that falls outside the protections of HIPAA, which governs only covered entities like hospitals and insurers. After the Supreme Court’s Dobbs decision overturned Roe v. Wade in 2022, privacy advocates warned that period-tracking data could be subpoenaed by prosecutors in states that criminalized abortion. Those warnings were not speculative. Law enforcement agencies have already sought digital evidence — search histories, text messages, app data — in reproductive health investigations.
The international dimension compounds everything. American data doesn’t stay in America. Cloud servers span continents. Apps developed in one country collect data from users in another. TikTok’s Chinese parent company, ByteDance, has faced years of scrutiny over whether the Chinese government could access data on American users — a concern that led to legislation requiring ByteDance to divest or face a ban. But TikTok is one app among millions. The data brokerage industry operates globally, with firms buying and selling personal information across borders with minimal regulatory oversight.
So where does this leave the average person?
In a position of profound vulnerability, mostly. The tools available to individuals — VPNs, encrypted messaging, browser privacy settings, app permission management — offer real but limited protection. They require technical knowledge, sustained effort, and a willingness to sacrifice convenience. Most people won’t turn off location services on their phones because maps and ride-hailing apps stop working properly. Most people won’t read the privacy policy of every app they install because those policies are deliberately written to be unreadable. The burden of privacy protection has been shifted almost entirely onto the individual, which is exactly how the companies that profit from data collection want it.
And the asymmetry is staggering. A single person trying to protect their privacy faces off against surveillance architectures built by some of the most sophisticated engineering organizations in human history. Google’s entire business model depends on knowing what you’re interested in. Meta’s depends on knowing who you know and what you do. Amazon’s depends on knowing what you buy and what you might buy next. These aren’t companies that will voluntarily limit their data collection. They will comply with laws when forced to. They will not go further.
The courts remain the most likely venue for meaningful change, but the pace of litigation is glacially slow compared to the pace of technological development. By the time a case challenging a particular surveillance practice reaches the Supreme Court, the technology at issue may already be obsolete, replaced by something more invasive and less understood. Carpenter took two years from certiorari to decision. In that time, the volume of data generated by the average smartphone roughly doubled.
There are reasons for cautious optimism. Public awareness of digital privacy risks has grown substantially. The post-Snowden era produced a generation of technologists committed to building privacy-preserving systems. Apple has made privacy a core part of its brand identity, implementing features like App Tracking Transparency that have materially reduced cross-app surveillance. The EU’s General Data Protection Regulation, for all its flaws and enforcement inconsistencies, established the principle that individuals have fundamental rights over their personal data — a principle that has influenced legislation worldwide.
But awareness and principle haven’t yet translated into the kind of structural reform that the scale of the problem demands. The digital devices we depend on for work, communication, health, entertainment, and navigation are also instruments of surveillance. Not by accident. By design. The data they generate is too valuable — to companies, to governments, to criminals — for it to be left uncollected. Until the law catches up with that reality, the Fourth Amendment’s promise of security in one’s “persons, houses, papers, and effects” will remain, for most Americans, more aspiration than fact.
The locked door still matters. But it doesn’t stop much anymore.


WebProNews is an iEntry Publication