Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age | Student Journal of Information Privacy Law

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

Tommy Scherrer

The word “privacy” appears nowhere in the Constitution, yet the Supreme Court has recognized that a constitutional right to privacy emerges from certain “penumbras, formed by emanations” of guarantees in the Bill of Rights.[1] Of these guarantees, that of the Fourth Amendment provides the clearest architecture for a right to privacy by recognizing the individual citizen’s dominion over their “persons, houses, papers, and effects,” and requiring the government to justify any intrusion.[2] This article argues for a restoration of the American privacy regime to this original foundation: enforceable boundaries that empower individuals to control access to their lives.

I. Introduction

The Court complicated the foundations of American privacy rights in Katz v. United States when it reimagined privacy rights as a matter of “reasonable expectations.”[3] That formulation was intended to liberalize the Fourth Amendment and extend its protections beyond physical trespass. However, by grounding privacy rights in what a small group of lawyers believe society recognizes as “reasonable,” the Court detached protection from the concrete boundaries of the Constitution and created an ambiguous standard. As we journey further into the 21^st century, and state and private surveillance become normalized as necessary to a secure society, our general expectation of privacy is shrinking rapidly, and our rights are shrinking with it.

The text of the Constitution protects citizens through their persons, homes, papers, and effects—real places and things that anchor enforceable boundaries. Katz inverted that logic by replacing hardline rules with shifting baselines and mistaking trust for consent to surveillance. In the decades that followed, this logic hardened into the third-party doctrine, which holds that any information shared with others loses constitutional protection.[4] The consequences of this doctrine are especially harsh in today’s world, when nearly all personal information flows through third parties. If privacy rights are to remain a foundation of democratic life, they need to be grounded in some sort of enforceable boundary. Because today’s data and the inferences drawn from it can reach further into private life than any physical trespass, the protections of the Fourth Amendment must be interpreted with that reality in mind.

II. From Warren and Brandeis to Katz: Privacy Rights Beyond Property Rights

While modern privacy law rests on Katz v. United States, the holding in Katz didn’t emerge from a vacuum. It was shaped by two strands of thought that preceded it and only converged in that case: the classical liberalist vision of privacy as dignity and solitude, and the jurisprudential struggle over whether the Fourth Amendment required physical trespass for a “search” to occur.

The liberal vision can be traced at least as far back as Samuel Warren and Louis Brandeis’s 1890 essay, The Right to Privacy, published in the Harvard Law Review.[5] There, they famously described privacy as “the right to be let alone.” Their essay became one of the most influential law review articles in American history and continues to shape generations of legal thought. The recognition that modern technologies can inflict distinct personal injuries beyond material harm was an update to classical ideas about liberty and served as a launchpad for a growing right to privacy.

Decades later, Brandeis carried these ideas to the Supreme Court. In Olmstead v. United States, the court confronted whether federal agents violated the Fourth Amendment by wiretapping telephone lines outside a suspect’s home.[6] The majority held that there was no constitutional violation, reasoning that a “search” only occurs when government agents physically trespass into a constitutionally protected area such as a house, office, or filing cabinet.[7] Because the agents had tapped wires without entering private premises, the majority opinion concluded that the Fourth Amendment wasn’t implicated.

Justice Brandeis’s famous, landmark dissenting opinion built on the themes that he first articulated in the Harvard Law Review. He argued that the Constitution must protect people, not merely physical spaces. For Brandeis, personal privacy was a fundamental safeguard against tyranny. The Fourth Amendment’s central purpose, he wrote, was to secure individuals against “every unjustifiable intrusion by the government,” whether by breaking down a door or intercepting a private call.[8] His dissent was an attempt to elevate privacy into a principle more fundamental than property, one that secured the dignity of the individual in the face of new methods of surveillance.

Together, Warren and Brandeis’s aspirational essay and Justice Brandeis’s later dissent to Olmstead set the stage for the decision in Katz. Both hinted at privacy as something deeper, more fundamental to liberty than property, but neither carried the full force of the law as stable doctrinal foundations. Not until 1967 would the Court attempt to resolve that tension by borrowing Brandeis’s emphasis on protecting people rather than places, offering a new framework to govern privacy in modern life.

Charles Katz was a gambler whose telephone calls from a public booth were secretly recorded by FBI agents using an electronic listening device attached to the outside of the booth. The government argued, echoing Olmstead, that because the agents had not physically entered the booth, there was no “search” within the meaning of the Fourth Amendment. The Court disagreed. In a break from precedent, it adopted Brandeis’s formulation and held that “the Fourth Amendment protects people, not places.”[9] Even in a public phone booth, the Court held that Katz was entitled to rely on the privacy he sought, and that attaching a listening device without a warrant was an unreasonable search under the Fourth Amendment. In reaching that conclusion, the Court moved past trespass as the decisive factor and echoed Brandeis’s earlier insistence that privacy must adapt to new surveillance methods.

Justice Harlan’s concurrence supplied the test that would dominate privacy law for the next half-century. He articulated a two-part inquiry: first, whether the individual had exhibited a subjective expectation of privacy; and second, whether society was prepared to recognize that expectation as reasonable.[10] This framework appeared to modernize the Fourth Amendment by freeing it from rigid property rules and allowing it to adapt to emerging technologies. Sure enough, at the time, Katz was celebrated as a liberal expansion of rights. It extended protection beyond the home and its curtilage into the intangible realm of communication. It seemed to vindicate Brandeis’s aspiration of supplying the “right to be left alone” with an enforceable doctrine. Privacy no longer depended on property rights, but on the human claim to dignity in personal life.

Yet the seeds of instability had already been sown. By hinging constitutional principles on what society was willing to recognize as “reasonable,” the Court substituted enforceable boundaries with a reactive standard dependent on shifting social forces. That choice created a continuing vulnerability in the doctrine’s stability.

III. The Expansion and Hollowing of Katz

The “reasonable expectation of privacy” test promises flexibility but proves quite fragile in practice. Its open-endedness allows the Court to expand protections in some contexts while retracting them in others. Over time, the doctrine has narrowed privacy rights more often than it has expanded them. Three developments illustrate this problem: the rise of the third-party doctrine, the admitted circular logic of “reasonable expectations,” and the Court’s ad hoc efforts to patch the crumbling framework.

a. The Third-Party Doctrine

The most devastating blow to privacy rights comes from the third-party doctrine, which insists that information disclosed to intermediaries is categorically unprotected by the Fourth Amendment. In United States v. Miller, the Court held that bank customers have no Fourth Amendment interest in financial records once those records are conveyed to a bank.[11] Because the records were disclosed to a third party, the Court held that Miller couldn’t claim a “reasonable expectation of privacy” in them, since they were business records and the property of the bank.[12] Only three years later, the Court extended this logic to telecommunication data. In Smith v. Maryland, it held that individuals have no expectation of privacy in the phone numbers they dial because those numbers are necessarily disclosed to the telephone company.[13] In both cases, acts of ordinary life, like maintaining a bank account or making a phone call, were treated as consent to surveillance.

Together, these two cases illustrate the danger of the framework inherited from Katz: by equating trusted disclosure to public exposure, the doctrine treats the ordinary use of modern systems as consent to state surveillance. Nearly every activity these days involves some sort of third-party intermediary, and this doctrine leaves vast swaths of modern life outside of the reach of the Constitution.

The Court did attempt to halt the full reach of this logic in Carpenter v. United States.[14] Prosecutors had obtained months of historical cell-site location information (CSLI) without a warrant. Under the third-party doctrine, disclosure of location data to a wireless carrier would normally strip it of Fourth Amendment protection. The Court, however, declined to extend Smith and Miller, and held that individuals maintain a reasonable expectation of privacy in historical CSLI because of what those records allow the government to infer. The Court explained that while cell-site records consist of routine connection logs, their aggregation provides “a comprehensive chronicle of a person’s physical presence.”[15] Carpenter didn’t overrule Katz or the third-party doctrine, but it carved out an exception and implicitly acknowledged that the reasonable-expectations test doesn’t account for the power of inference in the digital age.

b. Judicial Struggles to Patch the Circular Framework

The difficulty of the Katz framework was on full display in United States v. Jones.[16] Without a warrant, FBI agents attached a GPS device to Antoine Jones’s vehicle and tracked his movements continuously for twenty-eight days. Jones moved to suppress the evidence before trial, but the district court only granted his motion in part, suppressing data obtained while the car was parked in his garage, but admitting the rest. Relying on the logic of Katz, the government argued, and the district court agreed, that “a person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.”[17] It was on that basis that the bulk of the GPS data was admitted, and Jones was convicted.

It took the Supreme Court stepping in to correct this outcome. Writing for the Court, Justice Scalia declined to resolve the case on the government’s Katz-based argument that Jones had no reasonable expectation of privacy in his movements on public roads. Instead, he grounded the holding in property principles, concluding that attaching the GPS device to Jones’s car was a physical trespass on his “effects” and therefore a search under the Fourth Amendment.[19] What lower courts had treated as permissible was reclassified as a trespassory search. Even so, the Court splintered in its reasoning, and several concurring Justices expressed unease with the expectation-of-privacy framework itself.

Justice Alito, joined by three others, conceded that the test “is not without its own difficulties . . . involves a degree of circularity . . . and judges are apt to confuse their own expectations of privacy with those of the hypothetical reasonable person.” Worse still, the test assumes a stable baseline of social expectations, yet technology continually shifts those baselines, sometimes causing the public to accept surveillance as inevitable even when it represents a profound loss of liberty.

The lesson of Jones is stark: under Katz, the district court could uphold a month of warrantless, round-the-clock surveillance simply by declaring that no “reasonable expectation of privacy” was at stake. The Supreme Court had to revive property-based reasoning to correct that outcome, all while openly admitting that its dominant test lacked a coherent limiting principle.

IV. Why Privacy Needs Enforceable Boundaries

In the final analysis, privacy rights are among the most fundamental preconditions for any democracy. They define realms in which the individual is sovereign, zones where choices, relationships, and identities can develop free from coercion.

The problem with the reasonable expectations framework is that its posture is inherently reactive. Instead of standing as a barrier against intrusion, the law waits for social expectations to be reshaped by government and corporate actors, only then deciding whether privacy rights should exist. In this way, what was once a liberal framework begins to play directly into the hands of powerful state and corporate actors. Agencies and companies expand surveillance, normalize it through everyday practice, and watch as courts ratify the new reality by declaring that no “reasonable” expectation survived that unaccountable process.

A democratic society can’t depend on the goodwill of courts, corporations, or government to honor the individual’s “expectations.” Strict boundaries provide the missing element. In practice, even under Katz, privacy has always followed control. We expect privacy in a hotel room because we rented it, in a phone booth because we dropped a quarter for it, and in a home because we own or lease it. Each of these rests on an enforceable legal relationship, whether it be ownership, leasehold, or possession, that entitles the individual to exclude. What made the expectation “reasonable” was never some amorphous social consensus; it was the recognition of a legally backed boundary.

Seen this way, the flaw in Katz wasn’t the attempt to expand privacy rights beyond property rights. Its flaw was that it severed privacy rights from any stable foundation and tied it instead to judges’ fluctuating perception of what society accepts. If privacy rights are to endure in the digital era, when our jobs, relationships, and almost all personal communications are mediated by third parties, they cannot be left to fluctuating norms over which the individual is largely powerless. Privacy rights must be anchored again in enforceable boundaries, the same logic that the Framers of our Constitution used when they spoke of “persons, houses, papers, and effects.”

V. The Real-World Consequences of a Reactive Framework

The dangers of a reactive framework are not abstract. They’re already visible in the technologies and policies deployed today, where state and corporate actors work in tandem to normalize surveillance while courts lag. By the time the expectations have “adjusted,” the damage has already been done.

Consider Immigration and Customs Enforcement’s reliance on Palantir systems. Documents obtained in litigation revealed that ICE used Palantir’s tools to link GPS data, phone numbers, and social network connections, giving agents the ability to map individuals’ lives without warrants or individualized suspicion.[21] ICE’s use of ImmigrationOS, another Palantir product, integrates multiple government datasets to track immigrants and visa overstays on a massive scale.[22] These systems weren’t designed to secure lawful boundaries around personal data; they were designed to erase them. Under a framework where privacy exists only when society still “expects” it, technologies like these reshape the baseline before courts ever intervene.

This is how the reactive nature of Katz leaves individuals powerless to enforce their privacy rights against massive state and corporate actors. Agencies and platforms move first, expanding their reach and reshaping what counts as normal. By the time courts confront the issue, the social expectation has already shifted, and judges, in the absence of hardline protections, are powerless to defend our rights. The result is a framework that can’t resist modern forms of surveillance.

VI. Toward a Control-Rights Framework for Digital Privacy

If we cherish our privacy rights enough to fight for their survival in the digital age, we have to erect enforceable boundaries around them. Luckily for us, the Constitution provides the model. The Fourth Amendment doesn’t ask whether people “expect” their homes, papers, and effects to be private; it holds as sacred their protection from unreasonable government intrusion. The same principle should govern in the digital sphere. Personal data is the modern equivalent of “papers and effects.” It contains the record of our movements, our communications, and our identities. To say that these materials deserve protection only if society still “expects” them to be private is to concede the field to those who profit from surveillance. Instead, the law should grant individuals affirmative rights of control over their data.

a. Control Rights, Not Absolute Ownership

The goal of this article isn’t to convince the reader that it would be a good idea to completely commodify personal data and turn everyone into a mini capitalist by giving them full property interests in their data. A market-based model would reduce privacy rights to an asset and encourage those with fewer resources to sell away their protections while the wealthy hold onto theirs. At the same time, it would inflate the value of data belonging to the wealthy and famous and create a two-tiered system in which some people’s privacy rights are treated as luxury goods while others’ rights are treated as disposable. The effect would be to entrench inequality along both economic and social lines.

Privacy rights shouldn’t depend on bargaining power or celebrity status. They should reflect their nature as baseline conditions of liberty, available equally to all citizens. For that reason, individuals should hold enforceable control rights—non-transferable, inalienable entitlements that allow them to govern access and use. These control rights would sound familiar because they’re already recognized in the European Union’s General Data Protection Regulation (GDPR). The GDPR codifies rights of access, rectification, erasure, portability, and restriction of processing.[23] Individuals in the EU can demand compliance directly from state and corporate actors, and those rights are backed by meaningful enforcement mechanisms such as supervisory authorities and substantial penalties.[24] The European approach offers a sound model for American legislators; their control rights resemble property in their enforceability but differ in one crucial respect: they cannot be alienated or sold. They exist to secure autonomy, not to generate another market commodity.

b. Restoring the Architecture of Privacy

As has been stated throughout this article, a control-rights framework would restore privacy rights to the position they occupied before Katz unmoored them: a matter of enforceable boundaries. Just as property law recognizes the right to exclude, privacy rights should recognize the individual’s authority to set the terms of access to their digital life. This would move privacy rights from reactive judgments about what society “expects” to proactive rules that individuals can assert and enforce.

The European Union has already adopted this approach by embedding control rights into a comprehensive legal regime. The important point isn’t the list of specific rights themselves, but the architecture: privacy rights are treated as baseline entitlements that exist across all sectors, not as perks of commercial relationships or conditional protections reserved for children or other limited groups, as they are in the United States.

VII. Conclusion

Katz was hailed as a modernization of the Fourth Amendment, but its reasonable-expectations test continues to prove unstable. By tying privacy rights to shifting social norms, it has enabled surveillance practices rather than restrained them. Courts have tried to patch the framework by falling back on trespass analysis and cutting out narrow exceptions, but the doctrine remains reactive and inconsistent.

A stronger foundation is available. The Constitution protects citizens through their “persons, houses, papers, and effects” by drawing hard lines and demanding justification from the government. In the digital era, that principle should extend to personal data, not through commodification, but through inalienable control rights that individuals can assert equally. Anchoring privacy rights in enforceable boundaries would supply the durability they now lack and fulfill Warren and Brandeis’s original aspiration of giving substance to “the right to be let alone.”

[1] Griswold v. Connecticut, 381 U.S. 479, 484 (1965).

[2] U.S. Const. amend. IV.

[3] Katz v. United States, 389 U.S. 347, 360-361 (1967) (Harlan, J., concurring).

[4] United States v. Miller, 425 U.S. 435 (1976) (holding that a bank customer has no legitimate expectation of privacy in financial records held by a bank).

[5] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 195 (1890).

[6] Olmstead v. United States, 277 U.S. 438, 466 (1928), overruled by Katz v. United States , 389 U.S. 347 (1967).

[7] Id.

[8] Id. at 478 (Brandeis, J., dissenting).

[9] Katz v. United States, 389 U.S. 347, 351 (1967).

[10] Id. at 361 (Harlan, J., concurring).

[11] United States v. Miller, 425 U.S. 435 (1976).

[12] See id., at 443 (1976) (holding that a depositor has no legitimate expectation of privacy in financial records voluntarily conveyed to banks; arguing that said financial records become business records of the bank).

[13] Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (holding that installation and use of a pen register is not a “search” because individuals lack a reasonable expectation of privacy in numbers they dial and thereby convey to the phone company).

[14] Carpenter v. United States, 585 U.S. 296 (2018).

[15] Id., at 300 (2018).

[16] United States v. Jones, 565 U.S. 400 (2012).

[17] United States v. Jones, 451 F. Supp. 2d 71, 88 (D.D.C. 2006) (quoting United States v. Knotts, 460 U.S. 276, 281 (1983)).

[18] Jones, 565 U.S. at 404.

[19] Id. at 406–07.

[20] Id. at 427 (Alito, J., concurring) (citing Kyllo v. United States, 533 U.S. 27, 34 (2001); Minnesota v. Carter, 525 U.S. 83, 97 (1998) (Scalia, J., concurring)).

[21] Elec. Privacy Info. Ctr., EPIC Settles ICE Lawsuit About Palantir and Profiling (Jan. 31, 2020), https://epic.org/epic-settles-ice-lawsuit-about-palantir-and-profiling/.

[22] Am. Immigr. Council, ICE to Use ImmigrationOS by Palantir, a New AI System, to Track Immigrants’ Movements (Aug. 21, 2025), https://www.americanimmigrationcouncil.org/blog/ice-immigrationos-palantir-ai-track-immigrants/.

[23] Commission Regulation (EU) 2016/679 of 27 Apr. 2016, On the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation), arts. 15–20, 2016 O.J. (L 119) 1.

[24] Id.