by David Kim

In an issue of first impression, the Opinion Announcing the Judgment of the Court (“OAJC”) concluded that a person who conducts general, unprotected internet searches has no reasonable expectation of privacy in the records generated by those searches under either the Fourth Amendment or Article I, Section 8 of the Pennsylvania Constitution. The OAJC concluded that the traditional third-­party doctrine governs because internet use, unlike cellular device usage, is voluntary rather than involuntary. Although the OAJC distinguished the Pennsylvania Supreme Court’s prior decisions in Commonwealth v. DeJohn, 403 A.2d 1283 (Pa. 1979), and Commonwealth v. Melilli, 555 A.2d 1254 (Pa. 1989), it stressed that its conclusion is limited to general, unprotected internet use.

Background

On July 19, 2016, K.M. was asleep in her home when an intruder awakened her, bound her hands with zip ties, gagged her, blindfolded her, and transported her to a nearby camper where he raped her. Following the assault, the perpetrator released K.M. in a cornfield. Medical personnel retrieved sperm from K.M.’s body, but DNA testing did not yield a match to any known individual.

Without a DNA match and lacking an eyewitness identification, the Pennsylvania State Police investigation faced a dead end. Investigators believed the assault was not random based on several factors. K.M.’s home was remote and not visible from the road, the circumstances suggested familiarity with K.M. and her residence, and K.M. was attacked while her husband was at work. Investigators theorized the perpetrator may have researched K.M.’s personal life and schedule online.

Relying on these deductions, investigators obtained a “reverse keyword search warrant” for Google records generated during the week prior to the assault. The warrant targeted all Google searches for K.M.’s name or address rather than any specific individual’s activity. Over one year later, Google reported that someone had conducted two searches for K.M.’s address hours before the attack. Investigators traced the IP address to the residence of John Edward Kurtz.

Investigators conducted surveillance of Kurtz and discovered he was a correctional officer at the same facility where K.M.’s husband worked. Investigators retrieved a cigarette butt Kurtz discarded in a parking lot, obtained a DNA sample, and matched it to the sample taken from K.M. Upon arrest and interrogation, Kurtz confessed to K.M.’s rape and abduction and admitted to assaulting four additional victims.

Kurtz filed a motion to suppress the evidence derived from Google’s records, arguing the warrant lacked probable cause individualized to him. The trial court denied the motion. A jury convicted Kurtz on all counts arising from five separate victims, and the trial court sentenced him to 59 to 280 years in prison. The Superior Court affirmed, holding that Kurtz could not demonstrate an expectation of privacy in his internet searches or IP address.

Analysis

The OAJC began by explaining that the Fourth Amendment’s protections are triggered only when state action intrudes upon a “constitutionally protected reasonable expectation of privacy.” A person challenging the use of evidence must demonstrate both an actual subjective expectation of privacy and that such expectation is one society is prepared to recognize as reasonable. Katz v. United States, 389 U.S. 347 (1967) (Harlan, J., concurring); Commonwealth v. Alexander, 243 A.3d 177 (Pa. 2020).

The third-­party doctrine holds that a person generally lacks an expectation of privacy in information or materials voluntarily exposed to a third party. This doctrine gained prominence in United States v. Miller, 425 U.S. 435 (1976), and Smith v. Maryland, 442 U.S. 735 (1979). In Miller, the U.S. Supreme Court held that a person could not assert an expectation of privacy in bank records because such documents are voluntarily placed in the hands of third parties. In Smith, the Supreme Court held that use of a pen register to record telephone numbers dialed from a suspect’s home was not a “search” for Fourth Amendment purposes because people generally do not expect privacy in the numbers they dial, which is information necessarily conveyed to telephone companies.

The Carpenter Exception

The OAJC traced the evolution of the third-­party doctrine through United States v. Jones, 565 U.S. 400 (2012), and Carpenter v. United States, 585 U.S. 296 (2018). In Jones, the U.S. Supreme Court held that attaching a GPS device to a vehicle and tracking its movements constituted a Fourth Amendment search (clarifying that Katz’s reasonable expectation of privacy test never supplanted the common law trespassory test for determining whether a search occurred for Fourth Amendment purposes). Justice Sotomayor’s concurrence expressed concern that the third-­party doctrine was “ill suited” to the “digital age” because people now “reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

Carpenter addressed whether the government conducts a search when it accesses historical cell-­site location information records (“CSLI”). The OAJC observed that requests for such records “lie at the intersection of two lines of cases”: those holding that people lack an expectation of privacy in public movements and the third-­party doctrine cases. The Carpenter Court rejected a mechanical application of the third-­party doctrine to CSLI records, reasoning that “there is a world of difference between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers today.”

Importantly, the Carpenter Court explained that cellphone location information “is not truly ‘shared’ as one normally understands the term.” Cellphones are “such a pervasive and insistent part of daily life” that carrying one is “indispensable to participation in modern society,” according to the Carpenter Court. Additionally, a cellphone “logs a cell-­site record by dint of its operation, without any affirmative act on the part of the user beyond powering up.” Id. The Carpenter Court emphasized that “in no meaningful sense does the user voluntarily ‘assume[] the risk’ of turning over a comprehensive dossier of his physical movements.”

Application to Internet Searches

The OAJC concluded that Carpenter’s “narrow” rejection of the third-­party doctrine does not extend to unprotected internet searches. The linchpin of Carpenter was that, because of the “inseparable relationship between a person and his cellphone, it is not objectively reasonable to expect that a cellphone user can avoid the creation of the records,” the Court explained. The inverse must also be true, the OAJC reasoned: “if a person can limit the creation of the records, or if the device or instrumentality at issue is not so inextricably and unavoidably attached to modern life, no such expectation of privacy would prevail.”

The OAJC stated that unlike smartphones, the internet is not a “feature of human anatomy.” Every time a person logs on to the internet, “that person makes a choice.” Users “willingly transmit data to a third party whenever they type terms into a search engine and hit the ‘Enter’ key.” Unlike cellphone users who cannot avoid creation of a data trail, internet users can minimize record creation “by using other methods of research” – telephoning establishments rather than booking online, conducting research in print materials, shielding browsing history, or using virtual private networks, the OAJC reasoned.

The OAJC concluded that any expectation of privacy in routine internet use is negated by common knowledge that websites and internet service providers collect and sell user data. Nearly every internet-­based application informs users of such data collection and provides opt-­out options. The OAJC observed that advertisements appearing for products searched online the previous day demonstrate the absence of privacy in information voluntarily entered into search engines.

The OAJC placed particular emphasis on Google’s Privacy Policy, which explicitly informs users that Google collects information about services used and how they are used, including “details of how you use our service, such as your search queries,” and IP addresses. The Policy further states that Google “will share personal information with companies, organizations or individuals outside of Google” when “reasonably necessary to … meet any applicable law, regulation, legal process or enforceable request.”

Thus, the OAJC concluded when a person performs a Google search, “he or she is aware (at least constructively) that Google collects a significant amount of data and will provide that data to law enforcement personnel in response to an enforceable search warrant.” Any claim to an expectation of privacy under these circumstances “is not one that society would find objectively reasonable.”

Pennsylvania Constitutional Analysis

Kurtz also claimed an expectation of privacy under Article I, Section 8 of the Pennsylvania Constitution, relying primarily upon DeJohn and Melilli. The DeJohn Court declined to follow Miller and held that a person enjoys an expectation of privacy in bank records because participation in the banking system “is not entirely volitional, since it is impossible to participate in the economic life of contemporary society without maintaining a bank account.” The Melilli Court recognized an expectation of privacy in telephone communications based upon Pennsylvania’s “long history of affording special protection to the privacy interest inherent in a telephone call.”

The OAJC distinguished both precedents. Unlike mobile phones or the banking system, general internet use “is not an inextricable and involuntary aspect of our daily life.” That the internet is “helpful, readily available, and convenient does not render its use involuntary in such a way that a person today has no choice but to rely upon it.” The Melilli Court’s recognition of privacy protections for telephone calls stemmed from their “intimate and confidential nature,” involving two parties and often personal topics. General internet use involves a user transmitting data about “countless topics to internet service providers” and cannot “reasonably be equated to private telephone calls between family members or friends,” according to the OAJC.

The OAJC emphasized that this conclusion is limited to general, unprotected internet use. Users who take affirmative steps to secure privacy – such as using virtual private networks, browsers that do not collect or share data, or password-­protected websites – “might retain a constitutionally recognizable expectation of privacy,” the OAJC opined. But when an average internet user “opens an unencrypted internet browser and performs a search on a website such as Google, he or she voluntarily enables the creation and collection of data, and, in such circumstances, has no societally recognized expectation of privacy.”

Conclusion

The OAJC concluded that Kurtz had no enforceable expectation of privacy in his internet searches under either federal or state constitutional law. Because the OAJC found that Kurtz lacked a reasonable expectation of privacy in the records generated by the searches, it did not reach Kurtz’s probable cause challenge to the warrant. Because the third-­party doctrine applied and Kurtz voluntarily shared information with Google, he could not prevail on a challenge to the validity of the search warrant.

Accordingly, the Court affirmed the judgment below (though, as discussed in the Editor’s Note, no single rationale commanded a majority). See: Commonwealth v. Kurtz, 2025 Pa. LEXIS 1975 (2025).

Editor’s Note: Kurtz is a fractured (non-­majority) decision. Justice Wecht authored the Opinion Announcing the Judgment of the Court (“OAJC”), joined only by Justices Dougherty and Brobson, concluding that “the average search engine user” has no reasonable expectation of privacy in records generated by “general, unprotected internet searches” (and expressly limiting the discussion to such unprotected searches), and therefore declining to reach Kurtz’s allocatur issue challenging probable cause before affirming the judgment.

Chief Justice Todd concurred in the result, joined by Justices Mundy and McCaffery, and would affirm on a different ground, finding sufficient probable cause to support the Google warrant while avoiding resolution of the constitutional privacy question.

Justice Mundy also filed a separate concurrence. Although she joined Chief Justice Todd’s probable-­cause concurrence (and thus concurred in the judgment without deciding the constitutional issue), she added that if the Pennsylvania Supreme Court were required to resolve the constitutional question, she would agree with the OAJC’s conclusion regarding “general, unprotected” searches – an important signal but not a majority holding.

Justice Donohue dissented, rejecting the OAJC’s no-­privacy conclusion under Article I, Section 8 and further concluding that the affidavit fell short of probable cause, such that suppression and reversal were required.

As a matter of binding precedent, Kurtz resolves the case but does not yield a single majority rationale on the novel privacy issue (or on probable cause), because the OAJC’s privacy analysis garnered only three votes while Chief Justice Todd’s concurrence (joined by Justices Mundy and McCaffery) would affirm on probable-­cause grounds without reaching the constitutional question. Consequently, any precedential value is limited to whatever narrow common ground can fairly be identified among the Justices concurring in the judgment.

Nevertheless, the opinions “map” the Pennsylvania Supreme Court’s fault lines in a way that future litigants and courts will inevitably treat as informative. Most notably, the debate is framed around the scope of “general, unprotected” searching and whether (and when) search-­query records are meaningfully “voluntary” disclosures in modern life, with Justice Mundy expressly signaling in her separate concurrence that she would agree with the OAJC’s bottom-­line view if the question must be reached. The OAJC expressly leaves the door open to the possibility that users who take affirmative steps to secure their privacy, such as employing virtual private networks or privacy-­focused browsers, may retain a constitutionally recognizable expectation of privacy.

Anyone with an interest in the reasonable expectation of privacy in internet search records is strongly encouraged to read the full text of each opinion filed in this case.  

Subscribe today

Already a subscriber? Login