Data Security

By: Laila Abdelaziz

A recent Ninth Circuit ruling in Untied States v. Moalin refused to extend the third-party doctrine to a government surveillance program that collected bulk amounts of metadata[1] concerning large groups of people.[2]  In doing so, the U.S. Court of Appeals for the Ninth Circuit joined the Supreme Court in recognizing the third-party doctrine’s weaning appeal when applied to modern surveillance technologies.[3]

Under the third-party doctrine, courts have traditionally held that a person gives up any reasonable expectation of privacy to information that he or she voluntarily discloses to a third party, such as the record of phone numbers dialed from a phone or the information provided by an individual to a bank.[4]  Without a reasonable expectation of privacy, Fourth Amendment protections generally do not apply.[5]  Although the third-party doctrine had limited reach in the pre-internet world, the doctrine has authorized powerful government surveillance tools in a world where individuals increasingly rely on multiple third parties to conduct most communications.[6]

In a ruling issued on September 2, 2020, the Ninth Circuit found that a 2013 National Security Agency (“NSA”) surveillance program that required major telecommunications providers to turn over large volumes of call detail records, or metadata, violated a key foreign surveillance law, the Foreign Intelligence Surveillance Act (“FISA”) and potentially violated the Fourth Amendment.[7]  Moalin involved a defendant who was convicted based on evidence collected under the NSA metadata collections program.[8]  After analyzing the bulk metadata collection, the court refused to extend the third-party doctrine to the warrantless surveillance program because the amount of information exposed by the metadata, the duration of the surveillance, and the consequences of such collections on the privacy expectations of individuals in a digital age implicated the rights guaranteed under the Fourth Amendment.[9]   

Congress originally passed FISA in 1978 to govern U.S. intelligence operations targeting non-U.S. persons or people reasonably believed to be located outside of the United States; FISA does not require probable cause or an Article III court-issued warrant because the Fourth Amendment does not apply to foreign targets.[10]  However, FISA did interpose some level of judicial review on the government’s collection of foreign intelligence data by authorizing the Foreign Intelligence Surveillance Court (“FISC”) to issue individualized warrants .[11]

However, as communications shifted from phone lines to internet-driven methods, Congress expanded FISA to authorize “bulk,” or mass, government surveillance programs.[12] Privacy advocates and some lawmakers claim this bulk surveillance contravenes Constitutional rights because it often includes Fourth Amendment protected data of US citizens.[13]  The Ninth Circuit agrees. 

Relying on Carpenter v. United States, the Ninth Circuit reasoned that the government’s reliance the third-party doctrine to access bulk metadata from telecommunications providers in Moalin could not overcome claims to Fourth Amendment protection.[14]  In Carpenter, the Supreme Court rejected the third-party doctrine and held that a warrant is required for law enforcement to access cell-site record data, like telephone calling records.[15]  The Court distinguished law enforcement’s warrantless collection of cellphone location data from the traditional applications of the third-party doctrine, where information gathered is limited and less revealing, because cellphone location data reveals the geographic area of an individual over a period of time and therefore triggers an individual’s expectation of privacy.[16]  

Recognizing similar distinctions, the Ninth Circuit questioned whether the third-party doctrine is viable “under current societal realities.”[17]  The court compared the bulk collection of metadata at question in Moalin to the revealing nature of cell-site record data analyzed by the Supreme Court in Carpenter.[18]  The Ninth Circuit reasoned that the ongoing collection of metadata is similar to the 24-hour surveillance that results from the cell-site data records collected in Carpenter.[19]  Also, the court found that the bulk nature of the metadata program was problematic because the collection and analysis of bulk metadata was considerably more revealing than previous technologies allowed for.[20]  

Finally, the Ninth Circuit held that the Fourth Amendment requires the government to inform criminal defendants when the prosecution intends to use evidence or disclose information obtained or derived from the surveillance of that defendant under the government’s foreign intelligence authorities such as FISA.[21]  Thus, Moalin expands the government’s duty to provide notice to criminal defendants in the Ninth Circuit.[22]

[1] United States v. Maolin, No. 13-50572, 2020 U.S. App. LEXIS 28119, *15-16 (9th Cir. Sep. 2, 2020) (explaining that metadata includes phone numbers involved in a call and the time and duration of the call, but not the voice content of the call).  

[2] See id.

[3] See Carpenter v. United States, 138 S. Ct. 2206 (2018) (rejecting the third-party doctrine for law enforcement’s collection of cell-site record data). 

[4] See Smith v. Maryland, 442 U.S. 735 (1979); see United States v. Miller, 425 U.S. 435 (1976). 

[5] Jennifer Safstrom, The Right to Keep Personal Data Private: Carpenter v. U.S., ACLU (Sept. 15, 2017),

[6] Richard M. Thompson II, The Fourth Amendment Third-Party Doctrine, Cong. Res. Serv., 1 (June 5, 2014),

[7] Maolin, 2020 U.S. App. LEXIS 28119 at *7.

[8] Id. at *6-7.

[9] Id. at *23-24.

[10] Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1783, 1786 (1978).

[11] Id. at 1788.

[12] See FISA Amendments Act of 2008, Pub. L. No. 110-261, 122, Stat. 2436 (2008). 

[13] Lofgren Announces FISA Amendment Agreement that Protects Americans’ Privacy, Congresswoman Zoe Lofgren(May 26, 2020),; Coalition Letter: ACLU and Other Groups Won’t Support Current Version of House Surveillance Bill,ACLU (Oct. 13, 2017),; . 

[14] United States v. Maolin, No. 13-50572, 2020 U.S. App. LEXIS 28119, at *18-19 (9th Cir. Sep. 2, 2020).

[15] Carpenter v. United States, 138 S. Ct. 2206, 2214, 2217 (2018) (quoting United States v. Di Re, 332 U.S. 581, 595 (1948)).

[16] Id. at 2219-20. 

[17] Maolin, 2020 U.S. App. LEXIS 28119 at *23.

[18] See id. at *21-23.

[19] Id. at *21. 

[20] Id. at *22.

[21] Id. at *40.

[22] Rachael Hanna, Metadata Collection Violated FISA, Ninth Circuit Rules, Lawfare (Sept. 14, 2020, 12:49 PM),

Share this post