The Fourth Amendment protects against unreasonable searches. Article I, Section 8 of the Pennsylvania Constitution does the same — but more. So when the Office of Attorney General issues a subpoena to your internet service provider, no warrant required, no judge involved, and gets back records showing exactly which torrent files your computer was sharing with the world, you might reasonably expect a court to take a hard look.
In Commonwealth v. Zealor, 2026 PA Super 81, the Superior Court took that look but resolved the matter unfavorably for the defendant. The court held that an administrative subpoena issued under 18 Pa.C.S. § 5743.1—Pennsylvania’s stored-communications statute—could be used to identify a particular subscriber behind a shared IP address, including by matching that subscriber’s port-level connection logs to known infohashes for child pornography. No warrant. No magistrate. No probable cause. And, the court said, no constitutional problem.
Zealor was sentenced to two-and-a-half to seven years for fifty counts of possessing child sexual abuse material. But the legal questions the case raises about digital privacy reach well beyond this defendant.
How the Investigation Worked
A Pennsylvania State Police corporal assigned to the Internet Crimes Against Children Task Force was monitoring BitTorrent peer-to-peer file-sharing networks. He received a notification that a particular IP address appeared to be sharing child pornography. He successfully downloaded files from a computer using that address, including a video of a small child being assaulted.
A Deputy Attorney General then issued an administrative subpoena under Section 5743.1 to Comcast for subscriber information associated with the IP address. Comcast’s response pointed back not to a residential customer, but to Digital Media, LLC, which provides internet service to an apartment complex called Jefferson Apartments in Norristown.
This is where the case gets technically interesting. Digital Media doesn’t give each apartment its own public-facing IP address. Instead, all the apartments share a single public IP address through what’s called Network Address Translation, or NAT. Each subscriber’s router gets assigned a unique port number, and the combination of the shared IP address and a particular port identifies which apartment is doing what online.
So the DAG issued a second administrative subpoena—this time to Digital Media—asking, in effect, which subscriber’s port number had been used to make connections associated with a specific torrent identifier (called an “infohash”) for child pornography. Digital Media identified Edward Zealor’s port. That information was used to support a search warrant for Zealor’s apartment, which produced the evidence that led to his conviction.
Zealor moved to suppress, arguing that the administrative subpoenas were unconstitutional, exceeded the scope of the statute, and were improperly served on out-of-state corporations. He lost on all three.
The Constitutional Argument and the Third-Party Doctrine
The heart of Zealor’s appeal is a Fourth Amendment and Article I, Section 8 challenge. He argued that the information the Commonwealth obtained—subscriber identification, payment information, and detailed connection logs tying his port to specific torrent files—was the kind of constitutionally protected information that requires a warrant supported by probable cause.
To understand what the court did with this argument, you need a little background on what’s called the third-party doctrine. The basic idea is old and not flattering to digital privacy: if you voluntarily turn information over to a third party, you give up your reasonable expectation of privacy in it. The doctrine traces back to United States v. Miller, 425 U.S. 435 (1976), where the U.S. Supreme Court held that bank customers have no Fourth Amendment privacy interest in their bank records because they voluntarily shared the information with the bank.
The doctrine has been extended over the years to cover all kinds of digital records—emails once they’re delivered, files turned over to a repair shop, and, importantly here, IP addresses. The Third Circuit has held flatly that no reasonable expectation of privacy attaches to IP addresses because they’re “voluntarily turned over” to internet service providers in order to use the internet at all. United States v. Christie, 624 F.3d 558 (3d Cir. 2010).
The Pennsylvania Superior Court applied that same reasoning in Commonwealth v. Kurtz, 294 A.3d 509 (Pa. Super. 2023), and the Supreme Court affirmed in 2025, though with a fractured plurality. See Commonwealth v. Kurtz, 348 A.3d 133 (Pa. 2025). The plurality held Kurtz had no enforceable expectation of privacy in his internet searches; a concurrence by three justices would have decided the case on different grounds; Justice Donohue dissented. The result is that Kurtz stands as Superior Court precedent on the IP-address question, but its Supreme Court footing is shakier than a clean affirmance would suggest.
The Carpenter Question
The most interesting wrinkle here — and the one Zealor pressed — is whether Carpenter v. United States, 585 U.S. 296 (2018), changes the analysis. Carpenter is the U.S. Supreme Court’s most significant digital-privacy decision of the last decade. It held that the government needs a warrant to obtain historical cell-site location information from a wireless carrier, even though that information is technically held by a third party.
Carpenter worked a change in the third-party doctrine. The Court reasoned that cell-site location data isn’t really “shared” with the carrier in any meaningful sense—your phone generates the data automatically, just by being powered on. And the data, when aggregated, gives the government “a detailed chronicle of [the user’s] physical presence compiled every day, every moment, over several years.” That kind of intrusion, the Court said, requires a warrant.
Zealor argued that the connection logs the Commonwealth got from Digital Media were Carpenter-style data—a detailed record of his online life that he never meaningfully chose to share. The Superior Court disagreed. Unlike cell-site data, which gets collected the moment you turn on your phone, IP-level connection records require affirmative action from the user. You have to download the peer-to-peer software. You have to use it to make connections to other users. You have to share the file. Each of those is an active choice, the court said, and active choices forfeit privacy under the third-party doctrine.
The court also distinguished the scope of the surveillance. Carpenter involved months of location data covering every moment of the defendant’s life. The Zealor subpoenas were narrowly targeted: connection logs tied to specific infohashes for specific files. Not a panoramic view of the defendant’s digital existence, but a focused inquiry into a specific category of conduct.
I think this is where the opinion is at its strongest, and also at its most vulnerable. The targeting argument has real force—the Commonwealth wasn’t fishing through Zealor’s entire internet history, just specific connections tied to specific files it had independent reason to suspect were child pornography. But the broader principle—that any voluntary online activity forfeits Fourth Amendment protection— s exactly the kind of reasoning Carpenter questioned. Carpenter recognized that the third-party doctrine made more sense in 1976, when “voluntarily sharing” meant something like writing a check, than it does in 2026, when virtually every aspect of modern life requires sharing data with third parties just to function. The Superior Court’s confidence that Zealor “could have no reasonable expectation of privacy” in his torrent activity reads to me as overconfident given how much the U.S. Supreme Court itself has signaled that the third-party doctrine is under pressure.
It also hides the ball a little. The state didn’t just learn that Zealor used BitTorrent. It learned which specific files his router connected to, when, and in what pattern. That’s closer to the kind of granular behavioral profile Carpenter worried about than the court’s framing suggests.
The Statutory Scope Argument and a Quiet Bombshell
Zealor’s second argument was that the subpoenas exceeded what Section 5743.1 actually authorizes. The statute, by its terms, allows administrative subpoenas for a subscriber’s “name, address, telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address.” Zealor argued that payment information and detailed port-level connection logs are not subscriber identification—they’re investigatory data—and therefore fall outside the statute.
The court ducked the question. It assumed, for the sake of argument, that the subpoenas exceeded the statute’s scope and held that it didn’t matter. Why? Because suppression isn’t a remedy for non-constitutional violations of the Stored Communications Act. The court relied on Commonwealth v. Dougalewicz, 113 A.3d 817 (Pa. Super. 2015), for the proposition that the Pennsylvania legislature deliberately excluded suppression as a remedy for statutory violations.
This is worth pausing on. The court is saying, in effect, that even if the Commonwealth issued subpoenas that asked for information the statute does not authorize the Commonwealth to demand, the resulting evidence is admissible. The only check on the Attorney General’s use of these subpoenas is the constitutional floor—and we just saw how low that floor is. The statute, in practical terms, is enforceable only as far as its constitutional underpinnings extend.
For a statute that’s supposed to balance law enforcement needs against privacy interests, that’s a significant limitation on its protective force. The legislature could have written suppression in. It chose not to. And the courts have read that choice to mean the statute’s substantive limits are essentially unreviewable in a criminal case.
The Out-of-State Service Argument
Zealor’s third argument was jurisdictional: he claimed that Pennsylvania’s administrative subpoenas couldn’t reach Comcast and Digital Media because they were served on entities outside Pennsylvania, and that 42 Pa.C.S. § 5964—the Uniform Act to Secure Attendance of Witnesses From Without the State—should have applied.
The court dispatched this quickly. Section 5743.1 explicitly authorizes service on “a domestic or foreign corporation,” and the service provisions don’t require the recipient to be in Pennsylvania. The court invoked the canon expressio unius est exclusio alterius—the expression of one thing implies the exclusion of others—to note that only one of the three service subsections specifies Pennsylvania, and the legislature’s silence in the others must mean it didn’t intend that limitation.
The Uniform Act, the court held, applies to compelling witness attendance in criminal proceedings, not to serving administrative subpoenas on corporate custodians of records. And because Comcast and Digital Media voluntarily complied with the subpoenas, no compulsion proceedings were ever needed. End of story.
This part of the opinion is unremarkable as a matter of statutory construction, but it’s worth flagging the practical reality: as long as Pennsylvania can serve administrative subpoenas on corporations anywhere they conduct business, and as long as those corporations comply rather than resist, the geographic limits on Pennsylvania’s investigative authority are essentially nonexistent for digital evidence.
Where This Leaves Us
Zealor applies Kurtz to a slightly different fact pattern and confirms that the administrative subpoena framework under Section 5743.1 is a robust investigative tool that operates almost entirely outside the warrant requirement. For child-exploitation cases, that’s an unsurprising result.
But the broader principles the opinion endorses are significant. Pennsylvania’s third-party doctrine, post-Kurtz, treats virtually all online conduct as voluntarily disclosed and therefore unprotected. The state can identify the human being behind a shared IP address through port-level connection logs without a warrant. It can demand information arguably outside the authorizing statute and face no suppression remedy. It can serve those subpoenas on corporations anywhere in the country.
The dissent we don’t have here — and that I’d have liked to see — would have grappled more vigarously with how Carpenter‘s logic should map onto modern internet infrastructure. The voluntary-disclosure framework works best when “disclosure” looks like handing a document to another person. It works less well when disclosure is the price of admission to almost every online activity, and when the data disclosed reveals not just what you did but who you are.
I’d love to be wrong about how durable this framework is. The U.S. Supreme Court has not had its definitive Carpenter sequel yet, and when it does, the third-party doctrine may finally see the meaningful narrowing it needs. Until then, Zealor is the law, and the line between digital privacy and law-enforcement investigation in Pennsylvania sits a good deal closer to “no privacy” than the constitutional text would suggest.