No Warrant Required for Single Historical App-Based Location Data: State v. Diaw as a Modern Extension of the Third-Party Doctrine

1. Introduction

In State v. Diaw, Slip Opinion No. 2025-Ohio-2323, the Supreme Court of Ohio confronted a recurring question in the digital-age Fourth Amendment landscape: Do police need a warrant to obtain from a third-party marketplace application a single, historical latitude-and-longitude point identifying where a user logged in? The controversy arose after law enforcement subpoenaed the online-marketplace app “Letgo” for subscriber information linked to an alleged robbery.

The appellant, Mamadou Diaw, argued that the police had violated his reasonable expectation of privacy under the U.S. Constitution’s Fourth Amendment (applied to the states through the Fourteenth Amendment) by acquiring location data without first securing a warrant. The Franklin County Court of Common Pleas agreed and suppressed the evidence; the Tenth District Court of Appeals reversed. On further appeal, the Ohio Supreme Court affirmed the appellate court, establishing a statewide precedent that a single, voluntarily conveyed historical location point held by a third-party application is not protected by the Fourth Amendment.

2. Summary of the Judgment

• Holding: A user of an online-marketplace application has no reasonable expectation of privacy in a single, historical location data point voluntarily conveyed to the app; therefore, law enforcement need not obtain a warrant to subpoena that information.
• Outcome: The Court affirmed the Tenth District’s judgment, reinstated the location data, and remanded to the trial court for proceedings consistent with its opinion.
• Key Rationale:
  • The information was voluntarily disclosed to a third party (Letgo).
  • The data concerned only one location point rather than a “mosaic” of continuous tracking as in Carpenter v. United States.
  • The location was a public place (a McDonald’s), diminishing any privacy interest.

3. Analysis

3.1 Precedents Cited and Their Influence

1. Smith v. Maryland, 442 U.S. 735 (1979)
   • Introduced the modern articulation of the “third-party doctrine,” holding that a pen register capturing dialed numbers is not a search.
   • Diaw heavily relies on this reasoning—if a user knowingly discloses data to a service provider, privacy expectations evaporate.
2. United States v. Miller, 425 U.S. 435 (1976)
   • Found no expectation of privacy in bank records voluntarily handed to the bank.
   • The Court analogized Letgo to the bank: it is a business recipient of user-supplied information used in ordinary commerce.
3. Carpenter v. United States, 585 U.S. 296 (2018)
   • Recognized privacy in multi-day cell-site location information (CSLI) because it reveals the “whole of one’s physical movements.”
   • Diaw distinguishes itself by limiting Carpenter to massive, involuntarily generated datasets; a single historical point does not create an intrusive chronicle.
4. United States v. Jones, 565 U.S. 400 (2012)
   • GPS tracking for 28 days constituted a search under property-trespass theories and privacy expectations.
   • The Diaw Court observed that the privacy alarms in Jones (long-term, comprehensive surveillance) are absent here.
5. California v. Ciraolo, 476 U.S. 207 (1986) & United States v. Knotts, 460 U.S. 276 (1983)
   • Stand for the principle that activities or exposures in public view are not protected.
   • Because Diaw’s physical presence at a McDonald’s was exposed to any passerby, he could not cloak that fact in privacy after disclosing it to Letgo.

3.2 Court’s Legal Reasoning

1. Step 1 – Is there a search?
   A search occurs upon physical trespass or invasion of a reasonable expectation of privacy. The Court adopted the Katz two-prong framework and concluded Diaw satisfied neither prong.
2. Step 2 – Subjective expectation.
   The Court found no manifestation of privacy. Diaw chose to use Letgo, which explicitly collects location information to facilitate local sales. No steps (e.g., disabling location services) were taken to conceal it.
3. Step 3 – Objective reasonableness.
   Guided by Smith/Miller, the Court ruled society is not prepared to recognize privacy in a single data point intentionally disclosed in commercial dealings, particularly where the location is a public venue.
4. Step 4 – Third-party doctrine reaffirmed.
   Carpenter carved out a narrow exception for exhaustive CSLI; in contrast, Letgo data is (a) discrete, (b) user-initiated, and (c) commercial. Therefore, the doctrine remains intact.
5. Step 5 – Distinguishing Carpenter.
   Carpenter concerned 13,000 data points across 127 days, generated passively; here, a single, affirmative data entry. The “mosaic theory” of privacy is not implicated.

3.3 Potential Impact of the Decision

• Digital Investigations: Police may now subpoena limited historical location data from Ohio-based third-party platforms without a warrant, provided the request is narrowly tailored and the data was voluntarily supplied.
• App Design and Terms of Service (ToS): Developers may clarify in ToS that location data is stored and may be disclosed to law enforcement. This explicit notice will further erode any claim of “reasonable expectation.”
• Boundary of Carpenter: Diaw solidifies the view that Carpenter is mosaic-specific; single or minimal data points remain subject to the traditional third-party doctrine.
• Legislative Action: Privacy advocates may seek statutory protections in Ohio (akin to California’s Electronic Communications Privacy Act) because constitutional avenues are foreclosed for small data requests.
• Litigation Strategy: Defense counsel must now show either (a) involuntariness of disclosure, (b) sufficiently large data volume, or (c) heightened privacy interests (home, health data, etc.) to defeat the third-party doctrine in Ohio.

4. Complex Concepts Simplified

• Third-Party Doctrine: If you voluntarily give information to someone else (a “third party”), you lose Fourth Amendment protection over that info. It can be shared with police without a warrant.
• Historical vs. Real-Time Data: Historical data shows where you were; real-time data shows where you are now. Courts treat real-time tracking as more invasive.
• Location Data Point: A single set of latitude-longitude coordinates. Unlike CSLI spread over days, one point yields minimal insight into a person’s “whole private life.”
• Subpoena vs. Search Warrant: A subpoena is a court-ordered demand for information, often requiring less probable cause than a warrant. Diaw says subpoenas suffice for single location points.
• Katz Two-Prong Test: (1) Did the person actually expect privacy? (2) Does society view that expectation as reasonable?
• Mosaic Theory: The idea that a mass of data points can reveal more than each individual point, triggering heightened privacy concerns (Carpenter).

5. Conclusion

State v. Diaw cements a clear dividing line in Ohio’s Fourth Amendment jurisprudence: Obtaining a single, voluntarily disclosed, historical location data point from a third-party application does not constitute a search. The ruling revives and clarifies the continued vitality of the third-party doctrine after Carpenter, underscoring that Carpenter’s exception is narrow and limited to large-scale, involuntary data accumulations that create a comprehensive picture of a person’s life.

Going forward, Ohio courts will likely apply Diaw whenever law enforcement seeks discrete digital breadcrumbs—IP addresses, login timestamps, or single location pings—from commercial intermediaries. Only when the government amasses sustained, detailed tracking data will Carpenter’s protective mantle potentially apply.

The decision thus balances prosecutorial efficiency with privacy, but it shifts the onus onto legislatures and technology users to safeguard digital footprints that, even when small, can be revealing in aggregate. For the moment, Ohioans who transact through location-enabled apps should proceed with the understanding that one click may place them squarely within the investigative gaze of law enforcement—without a warrant in hand.