12 July 2000


Date: Tue, 11 Jul 2000 16:36:02 -0400
To: Declan McCullagh <declan@well.com>
From: Barry Steinhardt <Barrys@aclu.org>
Subject: Carnivore Letter

Declan,

Below is the text of the letter that the ACLU sent today to the House Judiciary Subcommittee on the Constitution regarding the FBI's aptly named "CARNIVORE" system for intercepting email. This is the system that was the subject of this morning's story in the Wall Street Journal.

Barry Steinhardt

__________

July 11, 2000

VIA FAX

Hon. Charles T. Canady, Chairman
Constitution Subcommittee of the House Judiciary Committee
362 Ford House Office Bldg.
Washington, D.C. 20515-6220

Hon. Melvin L. Watt, Ranking Member
Constitution Subcommittee of the House Judiciary Committee
362 Ford House Office Bldg.
Washington, D.C. 20515-6220

Dear Representatives Canady and Watt:

We are writing to you about the new FBI email surveillance system aptly named "Carnivore," which gives law enforcement extraordinary power to intercept and analyze huge volumes of email. The Carnivore system gives law enforcement email interception capabilities that were never contemplated when Congress passed the Electronic Communications Privacy Act (ECPA), codified in relevant part at 18 U.S.C. 2510-22 and 18 U.S.C. 3121-27. Carnivore raises new legal issues that cry out for Congressional attention if we are to preserve Fourth Amendment rights in the digital age.

The existence of Carnivore first came to light in the April 6 testimony of Attorney Robert Corn-Revere to the Constitution Subcommittee. Its operation was further detailed in a report that appeared in today's Wall Street Journal (copy attached). According to these reports, the Carnivore system -- essentially a computer running specialized software -- is attached directly to an Internet Service Provider's (ISP) network. Carnivore is attached either when law enforcement has a Title III order from a court permitting it to intercept in real time the contents of the electronic communications of a specific individual, or a trap and trace or pen register order allowing it to obtain the "numbers" related to communications from or to a specified target.

But unlike the operation of a traditional pen register, trap and trace device, or wiretap of a conventional phone line, Carnivore gives the FBI access to all traffic over the ISP's network, not just the communications to or from a particular target. Carnivore, which is capable of analyzing millions of messages per second, purportedly retains only the messages of the specified target, although this process takes place without scrutiny of either the ISP or a court.

Carnivore permits access to the email of every customer of an ISP and the email of every person who communicates with them. Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the "assurance" that the FBI will record only conversations of the specified target. This "trust us, we are the Government" approach is the antithesis of the procedures required under our wiretapping laws. They authorize limited electronic surveillance of the communications of specified persons, usually conducted by means of specified communications devices. They place on the provider of the communications medium the responsibility to separate the communications of persons authorized to be intercepted from other communications.

Currently, law enforcement is required to "minimize" its interception of non-incriminating communications of a target of a wiretap order.  Carnivore is not a minimization tool. Instead, Carnivore maximizes law enforcement access to the communications of non-targets.

In his testimony to your subcommittee Mr. Corn-Revere described the experience of his client, an ISP that was required to install Carnivore when presented with a trap and trace order. He detailed his client's concerns that a trap and trace order in the context of the Internet revealed information that Congress did not contemplate when it authorized their limited use. In the traditional telephone context, those orders reveal nothing more than the numbers dialed to or from a single telephone line. In the Internet context, these orders and certainly Carnivore, likely involve ascertaining the suspect's e-mail address, as well as header information that may provide information regarding the content of the communication.

As we have stated previously, the ACLU does not believe that it is clear that the Government can serve an order on an Internet service provider and obtain the e-mail addresses of incoming and outgoing messages for a particular subscriber. Further, it is not clear whether law enforcement agents use or should use authority under the pen register statute to access a variety of data, including Internet Protocol addresses, dialup numbers and e-mail logs. We certainly do not believe that it is clear that law enforcement can install a super trap and trace device that provides access to such information for all of an ISP's subscribers.

In light of the new revelations about Carnivore, the ACLU urges the Subcommittee to accelerate its consideration of the application of the 4th Amendment in the digital age. Legislation should make it clear that law enforcement agents may not use devices that allow access to electronic communications involving only persons other than a specified target for which it has a proper order. Such legislation should make clear that a trap and trace order served on an ISP does not authorize access to the contents of any communication -- including the subject line of a communication -- and that the ISP bears the burden of protecting the privacy of communications to which FBI access has not been granted.

We would be happy to work with the Subcommittee on drafting legislation that protects the privacy rights of Americans.

Sincerely,

Laura W. Murphy
Director, ACLU Washington National Office

Barry Steinhardt
Associate Director, ACLU

Gregory T. Nojeim
Legislative Counsel, ACLU Washington National Office

cc:  Members of the Constitution Subcommittee of the House Judiciary Committee

Barry Steinhardt
Barrys@aclu.org
Associate Director
American Civil Liberties Union
125 Broad St. New York, NY 10004
212 549 2508 (v) 212 549 2656 (f)

--------------------------------------------------------------------------

POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/

--------------------------------------------------------------------------


Source: http://www.house.gov/judiciary/corn0406.htm



Testimony of Robert Corn-Revere

before the

Subcommittee on the Constitution

of the

Committee on the Judiciary

United States House of Representatives

The Fourth Amendment and the Internet

April 6, 2000

Robert Corn-Revere

Hogan & Hartson L.L.P.
Columbia Square
555 13th Street, N.W.
Washington, D.C. 20004
(202) 637-5600

Mr. Corn-Revere is a partner in the Washington, D.C. office of Hogan & Hartson L.L.P., specializing in First Amendment, Internet and communications law. Before joining Hogan & Hartson in 1994, Mr. Corn-Revere served as Chief Counsel to Interim Chairman James H. Quello of the Federal Communications Commission. Previously, from 1990 until 1993, he was Commissioner Quello’s Legal Advisor. Before entering government service, Mr. Corn-Revere was an associate at Hogan & Hartson from 1985 to 1990, and at Steptoe & Johnson from 1983 to 1985.

Mr. Corn-Revere has written extensively on First Amendment, Internet and communications-related issues and is a frequent speaker at professional conferences. He is co-author of a three-volume treatise entitled Modern Communications Law, published by West Publishing Company, and is Editor and co-author of the book, Rationales & Rationalizations, published in 1997. He is a member of the Editorial Advisory Boards of Pike & Fischer’s Internet Law & Regulation and the Media Institute’s Commercial Speech Digest. Since 1987, Mr. Corn-Revere has taught at the Communications Law Institute of the Columbus School of Law, Catholic University of America. He is Chairman of the Media Institute's First Amendment Advisory Council and is a member of the Institute’s Board of Trustees. Mr. Corn-Revere is also an Adjunct Scholar to the Cato Institute and to Citizens for a Sound Economy Foundation in Washington D.C.

Summary

The issue of privacy on the Internet has been the focus of much attention in the past few years. However, much of the concern in this regard has been directed toward the possible commercial exploitation of personal information gleaned from the Web. Where attention has been devoted to the question of government surveillance and the Internet, it often has been part of a call to update federal law in order to facilitate electronic surveillance. In light of these developments, I suggest that more attention should be devoted to the potential impact on privacy of increased government surveillance.

Increasingly, more aspects of Americans’ daily lives are conducted using the Internet. As Congress noted when it expanded statutory protection for transactional records under the Electronic Communications Privacy Act ("ECPA"), "in the eight years since the enactment of ECPA, society’s patterns of using electronic communications technology have changed dramatically. Millions of people now have electronic mail addresses. Businesses, nonprofit organizations and political groups conduct their work over the Internet. Individuals maintain a wide range of relationships on-line." And, just as "more ideas and information are shared on the Internet than in any other medium," more information can be collected by means of electronic surveillance by the government.

There has long been an uneasy relationship between electronic surveillance and the Fourth Amendment to the U.S. Constitution. Since 1968, Congress has written these Fourth Amendment concerns into the federal law governing electronic surveillance. The law has been updated periodically to take technological advancement into account, first in 1986 and again in 1994. In each case, Congress attempted to balance the investigatory needs of law enforcement with the demands of protecting privacy. Given the significant changes in computer and communications technologies in recent years, Congress should again examine the laws governing electronic surveillance. In doing so, it should give due regard to the increasing ways in which these technologies may be used to intrude on privacy.

One current issue involves authorizations for pen registers and trap and trace devices on the Internet. Pen registers are devices used to record telephone numbers that are dialed from a telephone, and trap and trace devices are used to determine the number of origin of a telephone call. Among other things, there have been calls for clarification that authority to use such devices extends to equipment that may be installed on the data networks of Internet Service Providers and for expanded ability to authorize such surveillance across judicial districts. However, it should be recognized that a pen register in the Internet context can intercept far more than a "telephone number," and a case study of such a pen register order is described in this testimony. If Congress decides to amend the law to extend pen register and trap and trace authority, it should do so only after fully considering the Fourth Amendment implications of such a change.

Testimony of Robert Corn-Revere

The Fourth Amendment and the Internet

April 6, 2000

Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on this important subject.

As an Adjunct Professor at the Communications Law Institute, Columbus School of Law at the Catholic University of America, I have long had an interest in the privacy implications of new communications technologies. As a practitioner, I regularly counsel Internet Service Providers ("ISPs") and other Internet-related businesses on compliance with privacy laws, including the Electronic Communications Privacy Act ("ECPA"). In addition, I am a member of the legal team for Daniel Bernstein, a cryptographer who successfully challenged U.S. export controls on encryption software as a violation of the First Amendment. The views I express today are mine alone; I am not testifying on behalf of any client.

Introduction

I believe it is vital for Congress now to examine the Fourth Amendment implications of electronic surveillance on the Internet and the World Wide Web. As the United States Supreme Court explained in 1997, the Internet is a unique and wholly new medium of worldwide human communication. / Judge Paul L. Friedman of the U.S. District Court for the District of Columbia has suggested that "[i]t is probably safe to say that more ideas and information are shared on the Internet than in any other medium," and that it may be only a slight overstatement to conclude that "the Internet represents a brave new world of free speech." / Another federal judge has suggested that the Internet "may well be the premier technological innovation of the present age." / Increasingly, more aspects of Americans’ daily lives are conducted using this new medium. And, just as "more ideas and information are shared on the Internet than in any other medium," more information can be collected by means of electronic surveillance.

The issue of privacy on the Internet has been the focus of much attention in the past few years. However, much of the concern in this regard has been directed toward the possible commercial exploitation of personal information gleaned from the Web. Where attention has been devoted to the question of government surveillance and the Internet, it often has been part of a call to update federal law in order to facilitate electronic surveillance. A recent example of such advocacy is the recent report by the President’s Working Group on Unlawful Conduct on the Internet entitled The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet (February 2000) ("The Electronic Frontier"). Similarly, it was reported recently that the Securities and Exchange Commission is seeking to create an automated surveillance system to scour the Internet for people who violate securities laws. /

In light of these developments, I suggest that more attention should be devoted to the potential impact on privacy of increased government surveillance. While I agree with the suggestion of the President’s Working Group that the law should be updated to account for technological change, I think it must take into account the important Fourth Amendment values that form the foundation of our law. Any legislative reform also should examine the historic considerations that led Congress in the past to amend U.S. law governing electronic surveillance. With these thoughts in mind, I will address the Fourth Amendment and statutory background relating to electronic surveillance and I will describe a recent experience I had in trying to apply existing law governing pen registers and trap and trace devices to Internet communications.

Background: The Fourth Amendment and Federal Law

There has long been an uneasy relationship between electronic surveillance and the Fourth Amendment to the U.S. Constitution. The Fourth Amendment prohibits unreasonable searches or seizures, including those relating to a person’s papers. It provides:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. /

In Olmstead v. United States, the Supreme Court in 1928 considered whether warrantless wiretapping violated the Fourth Amendment. The Court found no constitutional violation because the surveillance was accomplished without intruding on the physical property of the defendant. / By failing to acknowledge that technology permitted the government to intrude on communications in a way that previously was impossible, a five-vote majority concluded that the Fourth Amendment "does not forbid what was done here" because "[t]he United States takes no such care of telegraph or telephone messages as of mailed sealed letters." /

Justice Brandeis wrote in dissent that constitutional principles were undermined to the extent the Court focused excessively on the method chosen for communication. He argued forcefully that constitutions must be interpreted with technological advancements in mind to preserve fundamental rights. In particular, Justice Brandeis wrote, constitutions must be designed "to approach immortality" and "our contemplation cannot only be what has been but of what may be." / Foreshadowing the rise of a computer-based society, he warned that:

Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.

* * *

The progress of science in furnishing the Government with means of espionage is not likely to stop with wire-tapping. Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. Advances in the psychic and related sciences may bring means of exploring unexpressed beliefs, thoughts and emotions.

* * *

Can it be that the Constitution affords no protection against such invasions of individual security?

Justice Brandeis concluded that if the courts did not adapt to new realities, then constitutional principles would be "converted by precedent into impotent and lifeless formulas" and that "[r]ights declared in words might be lost in reality." /

The Supreme Court eventually adopted Justice Brandeis’ view toward wiretapping. In Katz v. United States, it declared that the Fourth Amendment "protects people, not places" and held that wiretapping is allowable only after a valid warrant is issued — the same as for any other search. / The Court reasoned that "[t]o read the Constitution more narrowly is to ignore the vital role that the public telephone has come to play in private communication." / The decision expressly overruled Olmstead, replacing the previous focus on the means of communication with an appreciation of the fact of communication as the source of constitutional rights. It concluded that "[t]he Government’s activities in electronically listening to and recording the petitioner’s words violated the privacy upon which he justifiably relied. . . ." /

Congress subsequently incorporated the Fourth Amendment calculus of Katz into federal law. It sought to establish a balance between the interests of privacy and law enforcement in the midst of continuing developments in communications technology. Congress’ first effort to achieve this balance was its enactment in 1968 of the Omnibus Crime Control and Safe Streets Act ("1968 Act"). / The Act prohibited the use of electronic surveillance by private individuals. At the same time, however, the Act created a judicial process by which law enforcement officials could obtain a court’s authorization to conduct such surveillance. / The 1968 Act’s "dual purpose" was to "(1) protect[ ] the privacy of wire and oral communications and (2) delineat[e] on a uniform basis the circumstances and conditions under which the interception of wire and oral communications may be authorized." /

In the years since 1968, Congress has engaged in an ongoing balancing process. In 1970, the United States Court of Appeals for the Ninth Circuit held that the 1968 Act neither required carriers to provide the technical support needed by law enforcement to conduct authorized electronic surveillance, nor authorized the courts to compel such support. / Congress responded by amending the Act to provide that any order issued by a federal court authorizing an electronic interception must, upon request of the government, direct communications service providers to provide all information, facilities, and technical assistance necessary to accomplish the interception. /

Continuing technological developments again prompted Congress to take legislative action in 1986 through passage of ECPA. / It was adopted to bring new communication technologies – such as wireless and electronic communications – under the umbrella of federal wiretap law. / While the purpose of ECPA was to maintain a balance between the privacy of citizens and the needs of law enforcement, / much of the impetus for the law was a determination by Congress that electronic communications lacked sufficient safeguards against governmental and third-party interception. / Congress found that the law had not kept pace with the development of new electronic technologies, and that "the use of sophisticated technologies for surveillance purposes . . . presents dangers to society." / The Office of Technology Assessment found that the use of advanced technology for surveillance could infringe upon First, Fourth and Fifth Amendment protections, as well as the statutory safeguards of Title III and other laws. / It concluded that "[o]ver time, the cumulative effect of widespread surveillance for law enforcement, intelligence, and other investigatory purposes could change the climate and fabric of society in fundamental ways." /

Such findings were foremost in the minds of ECPA’s drafters. As the Senate Report on ECPA noted, "[w]hen the Framers of the Constitution acted to guard against the arbitrary use of government power to maintain surveillance over citizens, there were limited methods of intrusion into the ‘houses, papers, and effects’ protected by the fourth amendment." / It added that "development of new methods of communication and devices for surveillance has expanded dramatically the opportunities for such intrusions." / After pointing to "tremendous advances in telecommunications and computer technologies" as well as surveillance techniques, the Report stated that "[e]lectronic hardware making it possible for overzealous law enforcement agencies, industrial spies and private parties to intercept the personal or proprietary communications of others" required changes in Title III. / The Report concluded that "the law must advance with the technology to ensure the continued vitality of the fourth amendment. Privacy cannot be left to depend solely on physical protection, or it will gradually erode as technology advances. Congress must act to protect the privacy of our citizens. If we do not, we will promote the gradual erosion of this precious right." /

Congress did not make this change out of devotion to some abstract principle. Rather it was well aware of a history of "tapping and bugging [in which the government] targeted many people who might not normally appear to be appropriate targets." / Indeed, the Church Committee investigations in the 1970s revealed the FBI had used electronic surveillance to investigate Dr. Martin Luther King, Jr., Congressman Harold Cooley, dissident groups and journalists among many others. / After providing detailed accounts of improper use of electronic surveillance by the FBI and other government agencies, the Church Committee noted that "[t]echnological developments in this century have rendered most private conversations of American citizens vulnerable to interception and monitoring by government agents." / Accordingly, the Report found:

By their very nature . . . electronic surveillance techniques also provide the means by which the Government can collect vast amounts of information, unrelated to any legitimate governmental interest, about large numbers of American citizens. Because electronic monitoring is surreptitious, it allows Government agents to eavesdrop on the conversations of individuals in unguarded moments, when they believe they are speaking in confidence. Once in operation, electronic surveillance techniques record not merely conversations about criminal, treasonable, or espionage-related activities, but all conversations about the full range of human events. Neither the most mundane nor the most personal nor the most political expressions of the speakers are immune from interception. Nor are these techniques sufficiently precise to limit the conversations overheard to those of the intended subject of the surveillance: anyone who speaks in a bugged room and anyone who talks over a tapped telephone is also overheard and recorded.

The very intrusiveness of these techniques implies the need for strict controls on their use, and the Fourth Amendment protection against unreasonable searches and seizures demands no less. Without such controls, they may be directed against entirely innocent American citizens, and the Government may use the vast range of information exposed by electronic means for partisan political and other improper purposes. Yet in the past the controls on these techniques have not been effective; improper targets have been selected and politically useful information obtained through electronic surveillance has been provided to senior administration officials. /

The revelations of the Church Committee were a catalyst for positive reform. Nevertheless, recent reports indicate that there is always the potential for abuse. For example, it has been estimated that in Los Angeles alone there have been "hundreds of secret ‘handoff’ taps and electronic intercepts, [and] by extrapolation, thousands of Los Angeles residents have had their telephone conversations secretly and illegally monitored by LAPD." / Given such reports it should come as no surprise that a majority of Americans are deeply skeptical of wiretapping as an investigative tool.  During fifteen years of surveys conducted by the Department of Justice, the percentage of the U.S. population that approved of the use of wiretapping never exceeded 30 percent. The level of disapproval ranged from 70 to 80 percent across all demographic groups. /

Congress’ most recent effort to address these issues was the enactment in 1994 of the Communications Assistance for Law Enforcement Act ("CALEA"). / It again sought to "preserve the balance sought in 1968 and 1986" in the face of a now accelerated pace of change in telecommunications technology. / Although the legislation enacted in 1968 and 1970 had made clear that telecommunications carriers were required to cooperate with law enforcement personnel in conducting electronic surveillance, CALEA is the first statute to impose upon telecommunications carriers an affirmative obligation to modify and design their equipment, facilities, and services "to ensure that new technologies and services do not hinder law enforcement’s access to the communications of a subscriber who is the subject of a court order authorizing electronic surveillance." / However, Congress also made clear that CALEA was intended only to preserve the status quo in surveillance capabilities. The law was intended to set "both a floor and a ceiling" on the ability of law enforcement to conduct electronic surveillance. / While CALEA was intended to ensure that new technologies would not reduce law enforcement’s existing surveillance capabilities, it also was carefully crafted to prevent any expansion of those capabilities. /

CALEA also expanded privacy and security protection for telephone and computer communications in certain other respects. / For example, Section 103(a)(4)(A) requires carriers to perform their obligations under the statute "in a manner that protects – [ ] the privacy and security of communications and call-identifying information not authorized to be intercepted" by law enforcement. / Section 103(a)(2) prohibits the use by law enforcement of pen registers and trap and trace devices to obtain tracking or location information on a targeted subscriber, other than that which can be determined from a telephone number. / Section 208 requires that law enforcement use reasonably available technology to minimize information obtained through pen registers. / Section 207 enhances the protection of e-mail and other transactional data, such as transactional logs containing a person’s entire on-line profile, by requiring the presentation of a court order by law enforcement officials, rather than a mere administrative subpoena, to obtain such information. /

CALEA also avoided imposing new obligations on ISPs. The legislative history specified that "[t]he definition of telecommunications carrier does not include persons or entities to the extent they are engaged in providing information services, such as electronic mail providers, on-line services providers, such as Compuserve, Prodigy, America-On-Line or Mead Data, or Internet service providers." / This is not to suggest that Internet communications are somehow immune from electronic surveillance when appropriately authorized under ECPA. Congress made clear that CALEA did not expand or contract the ability to conduct such surveillance, and that "law enforcement will most likely intercept communications over the Internet at the same place it intercepts other electronic communications: at the carrier that provides access to the public switched network." /

Given the vast changes in computer and communications technologies, we currently face much the same situation that existed in the mid-1980s, when Congress adopted ECPA. The law enforcement community points out that the law must be changed to preserve its mission to prevent and punish crime, while the civil liberties community warns of grave dangers to personal privacy and the Fourth Amendment. Each group may emphasize different aspects of the problem, but all agree on one fundamental issue: the law must be updated to keep up with changes in technology.

Pen Registers and Trap and Trace Devices

One aspect of the problem identified by the President’s Working Group on Unlawful Conduct on the Internet involves authorizations for pen registers and trap and trace devices. Pen registers are devices used to record telephone numbers that are dialed from a telephone, and trap and trace devices are used to determine the number of origin of a telephone call. Among other things, there have been calls for clarification that authority to use such devices extends to equipment that may be installed on the data networks of Internet Service Providers and for expanded ability to authorize such surveillance across judicial districts. /

The Supreme Court has held that the information that may be obtained by pen registers or trap and trace devices is not protected by the Fourth Amendment because individuals do not have a reasonable expectation of privacy in the numbers dialed on a telephone. / In reaching this conclusion, the Court stressed the limited capabilities of such devices, noting that "pen registers do not acquire the contents of communications." / The Court has emphasized that:

[A] law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed – a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers. /

In the absence of constitutional protection for such information, federal law prescribes a regime governing pen registers or trap and trace devices. Sections 3121-3127 of ECPA establish procedures for law enforcement officials to obtain authorizations for the use of such devices. However, given the more limited information that may be acquired, the law prescribes a far lesser threshold for obtaining a pen register order than it does other forms of electronic surveillance. / ECPA provides that a court "shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device" where a law enforcement officer certifies that the "information likely to be obtained is relevant to an ongoing criminal investigation." /

Law enforcement authorities have begun to get court orders for the installation of such devices at ISPs. The President’s Working Group on Unlawful Conduct on the Internet has described pen registers and trap and trace devices as "important tools in the investigation of unlawful conduct on the Internet." / While I have no reason to question this assessment, my discussions with both law enforcement officials and those in the online industries have not turned up more than a handful of accounts of ISP-directed trap and trace orders out of the thousands that are issued each year. / Unfortunately, current law does not require public reporting of the number of such orders when applied to ISPs, so there is no way to determine the extent of the problem.

Nevertheless, it is becoming increasingly clear that the "pen register" and "trap and trace" concepts as set forth in ECPA do not fit well in the online environment. Nor is it valid to assume that such devices do not raise Fourth Amendment issues given that the type of information potentially available from an ISP by a "pen register" greatly exceeds the type of information normally available when one is installed on a telephone line. As Congress noted when it expanded statutory protection for transactional records under Section 2703, "in the eight years since the enactment of ECPA, society’s patterns of using electronic communications technology have changed dramatically. Millions of people now have electronic mail addresses. Businesses, nonprofit organizations and political groups conduct their work over the Internet. Individuals maintain a wide range of relationships on-line." /

As a matter of legal interpretation, the current law does not clearly apply to ISPs and Internet communication. Section 3127 of ECPA defines a pen register as:

a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached, but such term does not include any device used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business. /

 

ECPA defines a trap and trace device as "a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted." /

The legislative history of these provisions suggests that Congress intended the terms "pen register" and "trap and trace device" to refer only to devices used in connection with telephone systems. The legislative history states that:

Pen registers are devices that record the telephone numbers to which calls have been placed from a particular telephone. These capture no part of an actual telephone conversation, but merely the electronic switching signals that connect two telephones. The same holds true for trap and trace devices, which record the numbers of telephones from which calls have been placed to a particular telephone. /

 

Consistent with the statutory language and legislative history, reviewing courts have interpreted these provisions literally, and narrowly. For example, the Fourth Circuit refused to classify a digital display pager clone as a pen register, despite the fact that it displays phone numbers, because it does not fit the precise definition provided in the text of the statute. / Similarly, Section 3123 was held inapplicable to use of digital analyzers in mobile situations to display numbers dialed from a cellular telephone. / There the court noted that "the statute should be strictly construed, and any ambiguity in its scope must be construed narrowly." /

Although the court in Digital Analyzer held that no order was needed for the interception of numbers dialed by a cellular phone, it declined the government’s request for a prophylactic order and to extend the pen register provisions "by analogy." In addition to the problem that the wireless interception of dialed numbers did not fit the literal terms of ECPA, the court noted that such an order "would not ensure sufficient accountability" where "law enforcement officers us[e] advanced technology that might threaten privacy rights." / Among other problems, the court noted that "calls made by others than the subjects of the investigation could be inadvertently intercepted," that "all such telephones could be analyzed without any record being produced," and that the collection of subscriber information would be authorized "without specific and articulable facts showing that a particular subscriber’s records will be material to an ongoing criminal investigation." /

The President’s Working Group on Unlawful Conduct on the Internet has recognized the dissonance between ECPA’s language and current technology. It pointed out that:

[A]dvances in telecommunications technology have made the language of the statute obsolete. The statute, for example, refers to a "device" that is "attached" to a "telephone line," [18 U.S.C.] § 3127(3). Telephone companies, however, no longer accomplish these functions using physical hardware attached to actual telephone lines. Moreover, the statute focuses specifically on telephone "numbers," id., a concept made out-of-date by the need to trace communications over the Internet that may use other means to identify users’ accounts. /

Beyond pure questions of legal interpretation, the nature of information gathering using a "pen register" and "trap and trace" device is far different in the online environment compared to traditional telephone systems. It is true that information such as electronic mail is sent over the telephone lines ISPs use to connect their data networks to the telecommunications system, but these facts do not convert the facilities of Internet service providers into "telephone lines." / A trap and trace device or pen register for Internet-based communications is installed on the data network of an ISP, not on a telephone line, and the information which may be intercepted is not limited to that transmitted over a single subscriber line.

The trap and trace provisions of ECPA clearly contemplate making a physical connection to a dedicated telephone line, which envisions a different type of network configuration than exists for Internet-based systems:

[T]he Internet is what is known as a packet-switched network. In a packet-switched network, there is no single, unbroken connection between sender and receiver. Instead, when information is sent, it is broken into small packets, sent over many different routes at the same time, and then reassembled at the receiving end. By contrast, the telephone system is a circuit-switched network. In a circuit-switched network, after a connection is made (as with a telephone call, for example), that part of the network is dedicated only to that single connection. /

The use of pen registers or trap and trace devices to intercept packetized network information raises privacy concerns of a far different magnitude than the Supreme Court contemplated in Smith v. Maryland.  Such information is not the conceptual equivalent of a telephone number, as some suggest. The substance of this issue was addressed by the FCC in its rulemaking proceeding implementing CALEA.  There, the Commission found that interception of packet-mode communications raises significant technical and privacy concerns because call routing information and content are both contained in the packets. /  Thus, interception of packetized information potentially allows the government to "receive both call identifying information and call content under a pen register." /

New York courts have addressed the privacy implications of pen registers that may be "converted" to receive the contents of communications. In People v. Bialostok, for example, the New York Court of Appeals held that, under the New York electronic surveillance statute, a pen register capable of being used as a listening device required an eavesdropping warrant obtainable based on probable cause, rather than merely a judicial order obtainable based on reasonable suspicion. / The court held that the facts that the device’s audio function was disabled, and that no conversations were actually heard, did not remove the need for a warrant. Although Bialostok involved the interpretation of New York law, it is relevant to the constitutional principles underlying federal wiretap law. /

Subsequent decisions have held that such "convertible" pen registers may not be considered wiretaps per se, but the nature of the technology must be carefully reviewed. In People v. Kramer, for example, the New York Court of Appeals noted that pen register technology must be scrutinized as it is used in a given investigation. The court noted that "the appropriate judicial assessment should include not only the capacity of the device used to intercept, hear and record communication, but the manner in which it does so and its susceptibility to evasion of statutory, precedential, and even constitutional protections." /

I believe it would be appropriate for Congress to address similar questions if it decides to amend the law so as to end the confusion regarding use of pen registers or trap and trace devices for Internet-based communications.

 

Case History: Installation of a Pen Register and Trap and Trace Device at an ISP

 

The issues described above present more than an academic concern to ISPs. The nature of the concern probably is best demonstrated by the type of questions a client of mine faced when it received its first pen register order last December. I would cite the case for the committee, but the pen register authorization was an ex parte order, and the subsequent proceedings to clarify the ECPA requirements were conducted before a Magistrate under seal. For that reason I will describe the events without naming any of the parties involved.

My client felt it was necessary to seek clarification for a variety of reasons, among them the ambiguities in the law described by the President’s Working Group on Unlawful Conduct on the Internet. Unfortunately, ECPA provides no clear guidance on this issue and there are no cases directly on point. One reason for the absence of interpretive law is that service providers have no incentive to seek judicial clarification in the vast majority of cases. In addition, it is worth noting that the practice of installing pen registers or trap and trace devices at ISPs is not even mentioned in DOJ’s Federal Guidelines for Searching and Seizing Computers.

Like other ISPs, my client’s policy is to cooperate fully with all lawful orders to cooperate with law enforcement authorities. At the same time, Internet Service Providers are civilly liable under ECPA if they reveal subscriber information or the contents of stored communications to the government without first requiring a warrant, court order, or subpoena. / Indeed, for certain violations of the Act, courts have suggested that only the ISP, and not the government, may be liable where the government obtains information through the use of "improper subpoenas." /

Thus, ISPs have an obligation under ECPA to protect the communications and other information of their subscribers, while complying with lawful requests for assistance from law enforcement authorities. Although the law immunizes ISPs from liability when they supply information about a subscriber or permit an interception based on "good faith reliance" on a court warrant or order, / reviewing courts have suggested that this immunity could be lost if the service provider has reason to believe that a subpoena or court order is not valid, or if the government's actions exceed its authorization. / As a result, service providers may be placed in an "awkward position" where, as here, they show "a willingness to comply with the Government’s request" yet face the possibility of liability if they do so. / Such situations "threaten to whipsaw the Company in its good faith attempt to cooperate with the Government." /

Last December, my client ("the ISP") was placed in just such an "awkward position" when it was served by federal Marshals with an order providing that United States agents "may install a pen register and trap and trace device to register time, date, and source and destination addressing information of the electronic mail messages sent to and from the subject Internet account, including information regarding the true source of the messages without geographic limitation[.]" As an apparent indication of some doubt about its authority in this regard, the Assistant United States Attorney applied for this Order not just under § 3122 of ECPA, but also under 18 U.S.C. §§ 2703(c)-(d), which applies to stored electronic data and transactional information about subscribers, and which requires the government to offer "specific and articulable facts showing that there are reasonable grounds to believe" that the information sought is "relevant and material to an ongoing criminal investigation." In granting the Order, however, the Magistrate determined that the applicant had met only the lower standard of § 3122 – a certification that the information likely to be obtained is relevant to an ongoing criminal investigation.

The ISP was contacted by a U.S. Marshal and notified about the Order a day before it was issued. In conversations with the Marshal, the ISP’s Manager for Investigations learned that the government wished to install a device called "EtherPeek" to carry out the Order. / It was explained that the EtherPeek device would be connected to the ISP’s internal data network and would allow the government to monitor the electronic messages on the system. This raised several concerns for the ISP, including whether the device would allow the government to view the contents of intercepted messages, whether the government's review of the messages could be limited to the target of the Order as opposed to all of its customers, and whether use of the device would be consistent with the Order and ECPA.

The ISP was concerned that the device to be installed would have the ability to see all content and header information for all email messages sent or received by its system. Indeed, the materials available at the manufacturer's website stated that "EtherPeek and TokenPeek capture all conversations on a network segment, much like a telephone tap," and the product description indicated that it would enable the user to view the content portion(s) of electronic messages. At a minimum, the ISP was concerned that the device would disclose the header information on email messages, including the subject line, which would exceed the terms of the Order and the authority under ECPA. In addition, to the extent the Marshals intended to access the EtherPeek device remotely, the ISP was concerned that their activities would create a major security hole in its internal network that could be exploited by others.

In view of these concerns, the ISP proposed a compromise that would not entail the installation of a device on its system. It designed a software solution to comply with the Order to provide the government with email sender and recipient information, without disclosing the content of communications, or invading the privacy of other subscribers. Initially, the government agreed not to insist upon installing or requiring the installation of its own device at the ISP. A few weeks later, however, the Marshals Service became dissatisfied with the compromise solution and insisted that it should install its own device.

At that point, the ISP filed a motion seeking that the Magistrate who had issued the trap and trace order quash, or at least limit and/or clarify, the order. / The motion provided the background leading up to the order, including the ISP’s efforts to assist the Marshals short of having a device attached to its facilities, the Marshals’ resulting demand for attachment of the device, and the legal bases for the ISP’s belief that such activities were not authorized by ECPA.

The government opposed the ISP’s motion. The essential thrust of the opposition was that 18 U.S.C. § 3122 empowers it to obtain the "conceptual equivalent of a telephone number" and that, even though email addresses "are commonly referred to by names, . . . such names are viewed by the computer as a number." It acknowledged that its proposed device would not be connected directly to a telephone line but would be connected to "a router which is connected to the telephone lines some customers use to access [the ISP’s] system." The opposition stated that the government did not intend to install the "EtherPeek" device, but instead planned to use a proprietary software program with the not very reassuring name of "Carnivore." Although the government acknowledged that Carnivore would be capable of capturing more than the information authorized under the order, it would be programmed to obtain only information from the target subscriber’s account, and would be configured not to intercept the content of any communication. It was acknowledged that Carnivore would enable remote access to the ISP’s network and would be under the exclusive control of government agents.

Following a hearing on the motion, the Magistrate denied the ISP’s motion. In a four-page Order, he held that the government’s proposed activities to intercept email routing information are the functional equivalent of capturing telephone numbers with a pen register or trap and trace device. The Order noted some key differences between the use of a pen register or trap and trace device installed at an ISP and more traditional uses of such devices. The Magistrate agreed that the drafters of Sections 3121-3127 of ECPA did not contemplate that they would be used to authorize the issuance of court orders to capture email addresses of persons sending email to and receiving email from a targeted email address. The Magistrate also noted that Carnivore is not attached to a telephone line, which is a crucial element of the statutory definition. However, because the ISP’s network is attached, ultimately, through other pieces of equipment, to telephone lines, the Magistrate upheld the trap and trace order.

At the hearing the Magistrate indicated that he would welcome guidance from reviewing courts. However, as noted above, there is little incentive for ISPs to litigate cases of this type, and, as a result, no reported cases. Although this case might provide some guidance, the decision is under seal. Ultimately, the ISP and the government reached an accommodation in which the device was installed and further assurances were made about network security and about protecting the privacy of subscribers generally.

Conclusions

This story is not intended to suggest that any of the parties involved acted without due regard for the law enforcement or privacy interests at issue. The government was pursuing a legitimate law enforcement objective and was sensitive to the privacy interests at stake. At the same time, the ISP made a good faith effort to meet the needs of law enforcement while seeking judicial clarification to protect the privacy of its subscribers. The story indicates, however, that the authority to install pen registers or trap and trace devices on the data networks of ISPs is far from clear, and that current law is unsatisfactory from both law enforcement and privacy perspectives. The story does not address what would happen if a government entity used this authority without due regard to the privacy interests involved. If Congress decides to amend the law to extend pen register and trap and trace authority, it should do so only after fully considering the Fourth Amendment implications of such a change.