How the Supreme Court’s “Third Party” Subpoena Doctrine Empowers Governments to Seize Sensitive Information Without Your Knowledge
Almost everything about you is collected and stored somewhere else.
That is the defining fact of modern life, and it is so normal that we rarely stop to notice how strange it really is. Your front door is no longer just a lock and a key. Your Ring camera records who approaches your house and stores that footage not in your home, but on Amazon’s servers. Your email does not live in a file cabinet or even on your laptop. Your Gmail sits in a data center somewhere far from you, perhaps in Palo Alto, replicated across systems you will never see. Your documents are not “on your computer” in any meaningful sense; they are in Google Drive or Microsoft 365, and the files themselves may be stored in Ireland, Virginia or Singapore, distributed across continents for resilience and speed.
Even the act of looking at your own information generates more information. Every time you log in, every time you open a document, every time your phone checks in with a network, a trail is created. Session logs. Access logs. Authentication records. Traceroutes. Location pings. IP addressing history. Device identifiers. Payment metadata. Recovery emails. The invisible plumbing of your life is recorded automatically, constantly, by companies whose business is to provide services at scale.
This means that the most intimate map of who you are is not held by you at all. It is held by third parties. We often talk about how this makes us vulnerable to hackers, and it does. But the deeper vulnerability is not just criminal intrusion. It is lawful compulsion. Because the real superpower of the digital age is not breaking into systems. It is asking for the data politely, with the force of law behind the request. And the law has been moving in that direction for decades.
Mr. Smith Goes to Washington
To understand why so much of your life is available without anyone ever needing to search your house, you have to go back to a Supreme Court decision from 1979: Smith v. Maryland. In Smith, a Baltimore woman was robbed and her purse stolen. The purse contained her address. Shortly afterwards, she began getting strange phone calls and saw a strange man stalking her home. Baltimore police subpoenaed the phone company for the phone records of who was calling the robbery victim, which led them to Smith. Smith objected to the subpoena, arguing that the government needed a search warrant signed by a judge and supported by probable cause. The Supreme Court disagreed. The phone records were not Smith’s records. They were the phone company’s records about how Smith used their service. The phone book explained that they were not private (kids, ask your parents what a phone book is). While the numbers dialed were private and personal, they were business records of a “third party.” No warrant required.
Late night 1990’s television included ads for “Enzyte” – featuring “Smiling Bob” the guy men want to be, and women want to be with, including not-so-subtle sexual innuendos about – well, organ size. The owner of the company selling Enzyte, Steven Warshak, was also under investigation by the government for financial fraud, and in connection with the investigation, the government subpoenaed his Yahoo! Email. In 2010, the 6th Circuit Court of Appeals made a legal distinction between “content” and “non-content” information. Content information (the contents of emails, documents, searches, communications, etc.) could only be obtained by a search warrant. (well, mostly). Non-content information like registration information, credit card and payment information, metadata, routing data, IP address information, date, time and (sometimes) location, can be obtained by “simple subpoena.”
We’re Having a “Third” Party
These subpoenas come in many flavors. For the federal government, there are compulsory process orders or writs under 18 USC 2703 for electronic records. There are grand jury subpoenas under F.R. Crim. P. 6. There are National Security Letters. There are FISA orders. There are Title III orders. There are FISA orders. There are pen register and trap and trace orders. There are writs of assistance under the All Writs Act (used to compel Apple to attempt to decrypt the contents of an iPhone). Finally, there are administrative subpoenas.
As noted above, in a digital age, these tools of compulsory process are often directed not at the person about whom the government wants information – they are directed to some third party to get information about them. A bank. A phone company. An email provider. An app developer. So the subject of the investigation may never know that the government has tracked their activities, collected the identities of their friends, relatives or associates, or, in the case of a warrant, read their documents, communications, and emails. It’s all in the cloud.
In February 2026, the Washington Post ran a story about a person who sent an email to the Department of Justice complaining about their treatment of Afghan refugees – many of whom assisted U.S. troops during our war in Afghanistan. He wasn’t hard to trace – he put his name on the email. The government used administrative subpoenas to find out a lot of information about him, and then sent a couple of agents to his home to question him.
All the Power – None of the Accountability
The Supreme Court has repeatedly held that the government’s power to issue administrative subpoenas is broad so long as Congress has authorized it and the agency stays within the bounds of that authorization. An agency may investigate merely on suspicion that the law is being violated, or even just to assure itself that it is not. The subpoena does not require probable cause; it requires only that the inquiry be within the agency’s authority and that the demand not be unreasonable, and the test for reasonableness generally looks at the burden of production, not at whether there is “just cause” for the demand.
There’s no real way to formally object to or prevent compliance with an administrative subpoena. Some entities, like Google, routinely advise their subscribers that their records have been demanded (with almost no detail about what records and by whom and by what process) and provide an opaque mechanism for objecting. In those circumstances, the data subject is left to file an action for an injunction or TRO in federal court to restrain Google (or the other third party) from complying with a demand for documents they can’t see and don’t know who has requested and for what purpose. Significantly, these administrative subpoenas typically are sent with an “order” that the recipient not notify the data subject that the subpoena has been issued, and that providing such notice constitutes obstruction of justice, or obstruction of an official proceeding, or may subject the subpoena recipient to criminal prosecution! Sophisticated third parties like Google or Meta know enough to tell the government to pound sand in most (well, some) cases, and to force the subpoenaing authority to justify the need for silence. Others are merely cowed by the language.
If the subpoena is overbroad, issued beyond the authority of the agency, or merely harassing or intimidating, there is little recourse because the subpoena is directed at a third party – not the person with a genuine interest in whether it is or is not complied with. Even though you may have a privacy interest in these records, at the end of the day, under the third-party doctrine, they are not your records, and you have no ability in most cases to keep them secret. Several years ago, the DEA tried to use its administrative subpoena authority not to get the phone records of one or two (or one or two hundred) persons, but to simply subpoena virtually ALL of the records of the phone company to create a bulk surveillance database of billions of phone calls, similar to what the NSA attempted to do under its section FISA 702 subpoena authority. Give a mouse a cookie. The threshold for an administrative subpoena is low. Awareness of these compulsory process tools is even lower.
