- Fifth Circuit blocks unauthorized government access to Dropbox files, upholding Fourth Amendment digital privacy rights.
- Case finds state officials violated constitutional protections by exploiting ex-employee’s access without a warrant.
- Ruling rejects expansion of “third-party doctrine,” preserving privacy for cloud-stored communications.
- Parallel case in Pennsylvania highlights employers must respect employee cloud privacy amid workplace policies.
- Decision emphasizes warrants for digital searches, urging legal transparency in surveillance practices.
In a major victory for digital privacy rights, the U.S. Court of Appeals for the Fifth Circuit ruled this month that state officials violated the Fourth Amendment when they accessed a nonprofit’s Dropbox files without a warrant through an ex-employee’s unauthorized access. The May 28 decision in Heidi Group v. Texas has far-reaching implications, reinforcing that encryption, passwords and cloud services do not negate constitutional privacy protections — a critical check on surveillance in the digital age.
The case involves the Texas Health and Human Services Commission’s Office of Inspector General (OIG), which allegedly colluded with a fired employee of the Texas pro-life nonprofit, The Heidi Group, to surreptitiously access the organization’s Dropbox account for nearly a year. Emails obtained by the court revealed a senior OIG investigator, Gaylon Dacus, encouraged the ex-worker to continue exploiting lingering access rights, even after her legal ties to the group had ended.
“The Fourth Amendment does not countenance such conduct,” Judge Andrew S. Oldham wrote for the three-judge panel, stressing that Heidi Group’s cloud-stored files were entitled to the same protections as physical documents in a locked office. “It would be absurd to say that Texas officials had an unlimited right to surreptitiously break into Heidi’s online folders,” the ruling declared.
The Heidi Group case details: How state investigators circumvented warrants
The controversy began in 2023 when Phyllis Morgan, a recent Heidi Group employee, retained access to the nonprofit’s Dropbox account after her termination. Instead of reporting the security breach or pursuing legal avenues to gather evidence, OIG investigator Gaylon Dacus allegedly orchestrated an unofficial data-heist.
Court documents show Dacus repeatedly prompted Morgan to forward Heidi Group documents via email. In one exchange, Morgan wrote, “Send me any new info,” to which Dacus responded, “Thank you for the additional information. Much appreciated.”
The Fifth Circuit condemned the state’s use of Morgan’s breach and rejected claims that Heidi Group’s contractual agreements with Texas permitted unregulated access. “The government cannot access the content of Heidi’s documents and files without implicating the Fourth Amendment,” the panel wrote, rejecting the expansion of the third-party doctrine—a legal principle originally allowing warrantless surveillance of data shared with third parties like phone companies.
Dacus was denied qualified immunity, as his actions were deemed a violation of “clearly established” Fourth Amendment standards. The court emphasized alternatives like subpoenas or warrants as lawful means of obtaining information.
Breaking the third-party doctrine: Digital privacy in the cloud era
Historically, the third-party doctrine has faced scrutiny in alignment with technological advancements. In Smith v. Maryland (1979), the Supreme Court ruled that sharing information — like phone numbers — with a third party (e.g., a phone company) extinguishes a reasonable privacy expectation.
However, the Heidi Group case updates this framework for modern data storage. The court distinguished between content and metadata, ruling that encrypted files in third-party systems retain their private status unless users willingly publish them. Judge Oldham likened cloud-stored documents to private emails or letters: “Each contains information transmitted through an intermediary not intended to be broadcast to the world.”
The decision aligns with the 2018 Supreme Court ruling in Carpenter v. United States, which limited the third-party doctrine’s application to cell-site tracking data. Taken together, these cases suggest a judicial trend toward prioritizing user privacy over unchecked government access to digital information.
Employer caution advised: Employee cloud privacy comes to the forefront
The Heidi Group ruling also resonates beyond government actions, with parallels to a 2019 Pennsylvania case: Frankhouser v. Clearfield County CTC. There, a school district employee’s private Dropbox photos were accessed by supervisors, leading to a Fourth Amendment lawsuit.
Judge Kim R. Gibson of the Western District of Pennsylvania denied the employer’s motion to dismiss, reasoning that Ms. Frankhouser’s personal photos, stored remotely, were shielded by her reasonable expectation of privacy — even though the photos resided in a work-authorized app.
“If the employer permitted use of cloud storage, it cannot exploit that access to intrude on private materials,” said litigator Katharine Beattie, co-author of an analysis of the case. “Employers who ignore these boundaries risk costly litigation.”
The cases underscore best practices: Employers should clearly restrict how and where workers use personal accounts on company devices, avoid accessing private cloud data and avoid blanket declinations of privacy rights in workplace policies.
Privacy and the future of digital surveillance
The Fifth Circuit’s ruling in Heidi Group v. Texas sends a clear signal: governments and institutions cannot treat the cloud as a free-for-all for electronic surveillance. As cloud storage becomes a cornerstone of modern data management, legal safeguards must evolve to prevent unconstitutional overreach.
Without judicial checks on technology’s power, the Fourth Amendment risks becoming a relic. For now, the Heidi Group’s fight has earned a legal beacon for defenders of private data — proof that the Constitution still holds, one folder at a time.
Sources for this article include: