April 4, 2000
CDT's Analysis of S. 2092: Amending the Pen Register and Trap and Trace Statute
in Response to Recent Internet Denial of Service Attacks
and to Establish Meaningful Privacy Protections
Pen registers are surveillance devices that capture the phone numbers dialed on outgoing telephone calls; trap and trace devices capture the numbers identifying incoming calls. They are not supposed to reveal the content of communications. They are not even supposed to identify the parties to a communication or whether a call was connected, only that one phone dialed another phone. Nonetheless, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture - a profile - of a person's associations, habits, contacts, interests and activities. For that reason, pen registers and trap and trace devices are very helpful to law enforcement and pose significant privacy concerns. Much of the current debate over surveillance standards relates to the collection of transactional data by these devices and by other means.
A 1986 federal law requires a court order for use of such devices, but the standard for approval is so low as to be nearly worthless - a prosecutor does not have to justify the request and judges are required to approve every request.
These orders apply to email and other Internet activity, but it is not clear what is the Internet equivalent of the dialing information that must be disclosed. In crucial respects, Internet addressing information can be far more revealing than telephone dialing information - not only does it reveal the precise parties who are communicating, but it can even reveal the meaning or content of communications.
Federal law enforcement agencies conduct roughly 10 times as many pen register and trap and trace surveillances as they do wiretaps. In 1996, the Justice Department components alone obtained 4,569 pen register and trap and trace orders. Most orders covered more than one line: in 1996, 10,520 lines were surveilled by pen registers or trap and trace devices. So much information is collected that Justice Department agencies have developed several generations of computer tools to enhance the analysis and linking of transactional data from pen registers and trap and trace devices.
In response to a Justice Department proposal, legislation has been introduced to authorize judges in one jurisdiction to issue pen register and trap and trace orders to service providers anywhere in the country. S. 2092. Other provisions in the bill could have the effect of greatly expanding the scope of these supposedly limited surveillance devices, allowing the collection of more personally revealing information and imposing expensive burdens on ISPs, portals, and other service providers.
Before the geographic reach of pen register and trap and trace orders is expanded, the privacy standards in the current law should be updated: some real substance should be put into the standard for issuing those orders and the scope of information they collect should be carefully limited.
The Framework of the Electronic Surveillance Laws
There are three major laws setting privacy standards for government interception of communications and access to subscriber information:
Title III governs the interception of the "contents" of communications, which the statute defines as "any information concerning the substance, purport, or meaning of that communication." 18 USC 2510(8). Since the Supreme Court has held that the content of communications is fully protected by the Fourth Amendment's limitations on searches and seizures, Title III imposes strict limitations on the ability of law enforcement to obtain call content - limitations that embody, and in some respects go beyond, the protections guaranteed by the Fourth Amendment. A law enforcement agency may intercept content only pursuant to a court order issued upon findings of probable cause to believe that an individual is committing one of a list of specifically enumerated crimes, that communications concerning the specified offense will be intercepted, and that the pertinent facilities are commonly used by the alleged offender or are being used in connection with the offense. 18 USC 2518(3).
On the other hand, the Supreme Court has held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call. Smith v. Maryland, 442 U.S. 735, 742 (1979). Accordingly, the pen register and trap and trace provisions in 18 USC 3121 et seq. establish minimum standards for court-approved law enforcement access to the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and "the originating number" for incoming calls. 18 USC 3127(3)-(4). To obtain such an order, the government need merely certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC 3122-23. (There is no constitutional or statutory threshold for opening a criminal investigation.)
The Supreme Court has stressed how limited is the information collected by pen registers. "Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers." United States v. New York Tel. Co., 434 U.S. 159, 167 (1977) (emphasis added). Recent court decisions have reemphasized that such devices' "only capability is to intercept" the telephone numbers a person calls. Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995) (emphasis added).
The pen register/trap and trace statute lacks many of the privacy protections found in the wiretap law. Not only is the standard for judicial approval so low as to be meaningless, but the government can use pen register evidence even if it is intercepted without complying with the law's minimal provisions: Unlike the wiretap statute, which has a statutory exclusion rule, the pen register/trap and trace law has no such provision, and the Fourth Amendment's exclusionary rule does not apply. There is little chance of after-the-fact oversight, since innocent citizens are unlikely to find out about abuses of the statute: Unlike the wiretap law, the pen register/trap and trace statute has no provision requiring notice to persons whose communications activities have been surveilled. Nor, in contrast to the wiretap law, is there any provision for judicial supervision of the conduct of pen registers: Judges are never informed of the progress or success of a pen register or trap and trace. There is also no minimization rule: Section 3121(c) requires the government to use technology reasonably available to it that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information used in call processing, but the FBI has recently admitted that no such technology exists.
Applying Pen Registers to the Internet
The pen register and trap and trace statute was adopted before the Internet was widely available to ordinary citizens. The definition of pen register says that such devices capture only the "numbers dialed or otherwise transmitted" on the telephone line to which the device is attached. 18 USC 3127(3). The definition of trap and trace device refers only to "the originating number of an instrument or device from which a wire or electronic communication was transmitted." 18 USC 3127(4).
There are many questions posed by application of the pen register/trap and trace statute to the Internet. The statute almost certainly applies to email and the Web, for it refers to electronic communications. But what are "the numbers dialed or otherwise transmitted"? Can the government serve a pen register order on an ISP or other service provider like Hotmail, to obtain the addresses of all incoming and outgoing emails for a certain account? Does the pen register /trap and trace authority encompass only numbers (Internet protocol addresses) or does it include email addresses or both? Can a pen register or trap and trace order be served on a portal or search engine? What does the statute mean when applied to URLs? Can the government serve a pen register or trap and trace order on CNN and get the address of everybody who has downloaded or viewed a certain article? What information is collected under a pen register order and from whom in the case of a person who is using the Internet for voice communications? What standard applies if the person has DSL or a cable modem?
The importance of these questions is heightened by the fact that transactional or addressing data of electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed.
First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. In many offices, while there is only one phone number normally called from the outside, each person has an individual email address. So while a pen register on a phone line only shows the general number called, a pen register served on an ISP will likely identify the specific recipient of each message. Even in a household, each person online may have a separate email, and may have different email addresses for different purposes, making it more likely that the government can determine precisely who is contacting whom.
Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication. If you call (202) 637-9800 on the phone and asks for a copy of our statement on cybercrime and Internet surveillance, a pen register shows only that you called the general CDT number. If you "visit" our website and read the statement, your computer transmits the URL http://www.cdt.org/security/000229judiciary.shtml, which precisely identifies the content of the communication. Does a pen register served on our ISP or our web hosting service require disclosure of that URL? If so, the government has no trouble knowing what you read, for typing in the same URL reveals the whole document.
Such revealing information appears in other addresses:
If you search AltaVista for "hacker tools," the "addressing" data looks like this: http://www.altavista.com/cgi-bin/query?pg=q&sc=on&hl=on&q=hacker+tools&kl=XX&stype=stext&search.x=25&search.y=11.
If you send a message to Amazon.com to buy a book, this is what the URL looks like: http://www.amazon.com/exec/obidos/handle-buy-box=0962770523/book-glance/002-9953098-4097847, where 0962770523 is the standardized international catalogue (ISBN) number of the book you are buying.
Computer security expert Richard Smith has identified numerous ways in which the URLs sent to DoubleClick include personal information about travel plans, health, and other matters. See attached memo and http://users.rcn.com/rms2000/privacy/banads.htm. Can a pen register order be served on DoubleClick? Would it cover the detailed information found in URLs delivered to DoubleClick?
These questions did not exist in 1986, when the pen register statute was enacted. They illustrate how outdated is the rubber-stamp standard of the current law. All of these questions should be addressed before the scope of the pen register statute is further extended.
Jurisdictional Expansion of the Pen Register/Trap and Trace Statute
18 USC 3123(a) currently states that a judge shall authorize the installation and use of a pen register or trap and trace device "within the jurisdiction of the court." The Justice Department argues that this jurisdictional limitation (no different than the jurisdictional limitation that applies to search warrants or subpoenas in the "real" world) poses a burden to law enforcement conducting investigations in cyberspace, since a communication may jump from one computer to another.
While there is some apparent logic to the government's argument for tracing computer data across jurisdictional lines, the proposed change would not be limited to computer communications - it would also apply to plain old telephones. Nor would it be limited to situations where it appeared that communications were passing through multiple service providers: it would allow a Miami judge to authorize the use of a pen register in New York on communications starting and ending in New York.
Furthermore, orders issued under the proposed change as introduced would have no limits. A normal subpoena, even one with nationwide effect, is addressed to a specific custodian of the desired information. Fed. R. Crim. Proc. 17(c). This requirement does not appear in S. 209; instead, the government would receive a blank order, which it could presumably serve on multiple, unnamed service providers, with no limit as to time or how often the subpoena could be used.
If the pen register and trap and trace provisions are given nationwide effect, it should not automatically apply to every such order. There should at least be some requirement that the applicant explain to the judge's satisfaction why authority is sought to conduct the investigation across jurisdictional lines: Section 3122(b) should be amended to require in the application, if an order with nationwide effect is sought, a full and complete statement as to the grounds for believing that some of the communications to be identified originate or will terminate outside the jurisdiction of the issuing court or are passing through multiple service providers and that the cooperation of multiple service providers or service providers in other jurisdictions will be necessary to identify their origin or destination. And 3123 should be amended to require the judge to specify to whom the subpoena is directed by name, as well as the geographic extent of the order and the time within which it is effective. (Limiting language on geographic extent already appears in the statute: 3123(b)(1)(C).)
Establishing Meaningful Privacy Standards for Pen Registers
Any territorial extension of the reach of trap and trace or pen register orders should also be coupled with a heightened standard for approval of such devices. Under current law, a court order is required but the judge is a mere rubber stamp - the statute presently says that the judge "shall" approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. Currently, the judge cannot question the claim of relevance, and isn't even provided with an explanation of the reason for the application. Given the obvious importance of this "profiling" information, section 3122(b)(2) should be amended to require the government's application to include a specific description of the ongoing investigation and how the information sought would be relevant and material to such investigation, and section 3123(a) should be amended to state that an order may issue only if the court finds, based on a showing by the government of specific and articulable facts, that the information likely to be obtained by such installation and use is relevant and material to an ongoing criminal investigation.
The second change needed is to define and limit what information is disclosed to the government under a pen register or trap and trace order, especially those served on an Internet service provider or in other packet networks. Unfortunately, S. 2092 goes in the opposite direction. It would amend the definition of pen register devices to include "dialing, routing, addressing, or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." This completely looses the current sense of the statute, which is limited to information identifying the destination of a communication. The phrase "dialing, routing, addressing or signalling information" is very broad. It increases the amount of information that can be ordered disclosed/collected, in ways that are unclear but that are likely to increase the intrusiveness of these devices, which are not supposed to identify the parties to a communication and not even supposed to disclose whether the communication was completed. It goes well beyond merely eliminating the archaic reference to telephone lines.
A much better way to phrase the pen register definition would be: "dialing, routing, addressing or signalling information that identifies the destination of a wire or electronic communication transmitted by the telephone line or other subscriber facility to which such device or process is attached or applied,".
Similarly, the trap and trace definition could be amended to read: "a device or process that captures the dialing, routing, addressing or signalling information that identifies the originating instrument or device from which a wire or electronic communication was transmitted." These amendments should be coupled with statutory language or legislative history making it clear that pen registers do not authorize interception of search terms, URLs identifying certain documents, files or web pages, or other transactional information.
As an oversight matter, it would be useful to include reporting requirements in the pen register statute that are closer to those applicable to wiretaps. Currently, the statute requires only reports for pen registers and trap and trace devices applied for by the Justice Department, so there is no way of knowing what is done by other federal law enforcement agencies or state and local authorities.
Finally, it should be made clear that any changes to the statute do not expand the obligations on carriers under the Communications Assistance for Law Enforcement Act. Currently, a debate is underway over the meaning of CALEA. The government would almost certainly cite S. 2092's amendments to the definitions of pen register and trap and trace device as justification for requiring carriers to install additional surveillance features. It must be made clear, for example, that the pen register/trap and trace statute's reference to identifying the origin of communications does not imply a design mandate for identification or traceability.
For more information, contact: Jim Dempsey (202) 637-9800