Your private data isn't as private as you think
How law enforcement and private parties can access your information without your knowledge, and what you can do about it.

I’m not a lawyer, and this piece is for informational purposes only, not legal advice. Laws vary by location and change frequently. If you need specific guidance for your situation, please consult with a qualified attorney.
It’s not widely understood that it is technically possible for privately hosted data to be obtained by government, law enforcement, or even private parties without your knowledge. Here’s how it works:
- Someone files a case. It’s possible for this case to be sealed so that you never find out about it. The case needs to have a court that is willing to hear it, which depends on the judge.
- In civil cases, attorneys can issue subpoenas directly during discovery, though judges can quash them if challenged. In criminal cases, prosecutors typically seek court-approved subpoenas or warrants.
- The provider needs to determine whether they will fight the subpoena or grant access to your information.
- If it is a civil case, those providers may notify you. If it is a criminal case, subpoenas often include gag clauses that prohibit providers from notifying you.
- Not wanting a court battle, many providers are likely to provide your information. This is the most frequent outcome.
Civil cases involve disputes between private parties (like individuals or companies), while criminal cases involve the government prosecuting someone for violating the law. As law and policy become increasingly draconian, the latter will become more and more common.
Depending on the provider type, they may be compelled to hand over your information. They also might not consider your information to be particularly private. For example, US law has not generally considered call metadata (who you’re speaking to, when, and for how long) to be protected by the Fourth Amendment. An important exception is cell-site location records, which the Supreme Court ruled in 2018 generally require a warrant. But, of course, you can obtain a lot of information just through call records, as well as by obtaining data center records for online apps that use geolocation, like maps, check-in apps, and social media.
US courts have long followed the “third-party doctrine,” which says that if you voluntarily share information with a company (like a phone provider, ISP, or app), you lose any reasonable expectation of privacy over it. In practice, that means metadata and many kinds of records can be handed over to law enforcement without a warrant, simply because you already shared them with a third party.
Much of this information can also be obtained through data brokers. Many apps sell very detailed personal information about their users as secondary revenue, or even as their primary business model. Law enforcement is an active purchaser of information that it couldn’t have obtained directly for Fourth Amendment reasons; because it’s sold as a product, they are able to be a customer like any other. This loophole is beginning to close — Montana became the first state to outlaw the practice — but it remains widespread.
If you’re using a US service, you’re not immune from this potential surveillance even if you live in a country with stronger privacy protections. The CLOUD Act requires that US companies share information with US law enforcement even if the data is stored abroad and a local protection, like the EU’s GDPR, is in place. Businesses that fall under the jurisdiction of the CLOUD Act may be US-owned, but they could also be subsidiaries of US companies. They could also simply have enough connection with the US, such as a US office or US employees. The key factor is whether US courts have personal jurisdiction over the provider.
There are some protections; companies are allowed to challenge requests where there is a conflict with local law, for example. Some countries have also negotiated more nuanced agreements. The UK and Australia, for example, have agreements that establish specific privacy protections and limit requests to “serious crimes”.
Everyone needs to conduct their own risk assessment. If you’re a journalist who reports on sensitive topics, or if you’re a member of a vulnerable community that is being targeted by government, you need to be very careful with your metadata. But privacy is a group inoculation: if you know people in sensitive groups, you should also be more careful with your data, in case information you accidentally collect is used to implicate them.
Some ways you can protect your private information from being shared without your knowledge:
- Consider which data you share with third parties. Do you really need to check into your favorite restaurant or track your running route?
- Use third-party encryption wherever possible. This means that a service provider doesn’t have access to the content of your communications or files, and you hold the access keys. For example, use end-to-end encrypted messaging apps like Signal, encrypted email services, or other tools that let you manage your own encryption keys. You may still be the target of a subpoena, but for someone to obtain access to your information, they will need to come directly to you to get it.
- Check your default settings. Many apps and devices share more information than you realize by default. Turning off location history, ad personalization, and unnecessary tracking can meaningfully reduce what’s collected about you.
None of these steps are perfect shields. But they can reduce your exposure, raise the bar for anyone trying to access your data, and, just as importantly, help protect the people around you. Privacy isn’t something you defend alone; it’s something we build together. In an era of increasingly expansive surveillance and rising authoritarianism, that’s more important than ever.