NOTE
Marking Carnivore’s Territory: Rethinking Pen Registers on the Internet
Anthony E. Orr*
Cite as: Anthony E. Orr, Marking Carnivore’s Territory:
Rethinking Pen Registers on the Internet,
8
available at http://www.mttlr.org/voleight/orr.pdf
Part I. Introduction
Part II. Carnivore and Its Capabilities
Part III. Legal Authority and Requirements for Traditional Pen Register and Trap and Trace Installations
Part IV. Current Law Does not Authorize Use of Carnivore as an “Internet Pen Register” to Capture E-mail Addressing Information Under 18 U.S.C. § 3123
  A. Carnivore Meets Constitutional Requirements for Pen Registers
    1. Carnivore Under Smith v. Maryland
    2. Carnivore’s Constitutional Challenges
  B. Carnivore Pen Register Installations are Not Authorized Under 18 U.S.C. § 3123
    1. Carnivore is Incompatible with the Literal Language of and Judicial Interpretation of § 3123
    2. Legislative Intent Indicates that Carnivore is Not Authorized by § 3123
    3. The Communications Assistance for Law Enforcement Act Explicitly Imposes a Higher Standard of Proof for Intercepting E-mail Addressing Information
    4. Carnivore Does Not Meet the Minimization Requirements of 18 U.S.C. § 3121
Part IV. Conclusions
Part V. Epilogue: The USA PATRIOT Act
  A. Introduction
  B. The New Face of Pen Register Law
    1. Carnivore Moves Permanently onto the Internet: Patriot Act Section 216
    2. The War on Terrorism’s Secret Weapon: Patriot Act Section 214
  C. Implications of USA PATRIOT ACT for Previous Analysis
“Carnivore” entered the online world’s collective
consciousness in June 2000 when the Federal Bureau of Investigation unveiled
the Internet surveillance software program to telecommunications industry
specialists.[1] The FBI claims the program allows
agents to scan the traffic of an Internet Service Provider (ISP) for messages
or commands to or from a criminal suspect and then intercept only those
messages, capturing copies of e-mails, web site downloads and other file
transfers.[2]
Reactions to Carnivore were immediate and frequently as
vicious as the program’s moniker. Privacy advocates warned that the program
posed serious threats to the online privacy of law-abiding citizens, as it
created the potential for widespread monitoring of Internet traffic.[3]
Internet Service Providers balked at the notion of an outside entity installing
a device, over which they would have no control, on their networks.[4]
An oversight panel of the House Judiciary Committee convened a hearing on
Carnivore on
A central issue in the controversy surrounding Carnivore
is whether current law permits the FBI to employ the program in the Internet context.
Bureau officials claim statutory authority for deployments under three
provisions originally enacted to regulate telephone surveillance—Title III of
the Omnibus Crime Control and Safe Streets Act of 1968
(Title III)[7]
and the Electronic Communications Privacy Act of 1986 (ECPA)[8]—and
a statute governing retrieval of “transactional records” of communications—the
Communication Assistance for Law Enforcement Act of 1994 (CALEA)[9].[10] Title III governs the use of
electronic surveillance to capture the full content of communications, commonly
referred to as “wiretapping.”[11]
The ECPA is concerned with the use of “pen register” devices—which
traditionally allowed law enforcement officers to record the telephone numbers
dialed from a suspect’s telephone[12]—and
“trap and trace” devices—which traditionally involved capturing the originating
telephone numbers of incoming calls to a criminal suspect, like caller ID
devices.[13]
In a manner not entirely clear, FBI officials justify interception of e-mail
addressing information under a conflation of ECPA and CALEA.[14]
The FBI cites Smith
v. Maryland[15]
for constitutional authority to employ the pen register and trap and trace
functions of Carnivore. Smith holds
that telephone customers have no reasonable expectation of privacy in the
electronic impulses dialed and transmitted over telephone lines to initiate a
telephone call.[16]
By analogy, Bureau officials assert that they are entitled to obtain a court
order to install Carnivore as a pen register or trap and trace capable of
intercepting the Internet Protocol (IP) addresses and “To:” and “From:” fields
of e-mails coming to or originating from a criminal suspect.[17]
While the pen register and trap and trace functions are
neither the most controversial nor potentially invasive aspects of Carnivore,
they are at least the most legally contestable of its uses. The FBI’s assertion
of constitutional and statutory authority to employ these functions on the
Internet is challenged by those who believe a pen register capturing IP
address and/or header information from e-mail messages falls outside the scope
contemplated by the courts and Congress for pen registers.[18] This note
explores this question, drawing on statutes and case law that form the
foundation of authority for electronic surveillance.
Part II provides a brief overview of the Carnivore system
and its capabilities. Part III elaborates on the statutory and constitutional
authority for pen register and trap and trace devices[19] in the
traditional telephone context, as well as the legal requirements for obtaining
a court order to install such a device. Part IV analyzes the FBI’s proposed
justification for Internet use and concludes that while constitutional
authority exists for pen register applications of Carnivore, statutory
authority derives from sections imposing higher evidentiary standards on law
enforcement than the pen register statutes. Part V recommends that Internet pen
register orders be issued only upon satisfaction of the stricter evidentiary
standard of 18 U.S.C. § 2703.
Under pressure from both legislators and privacy
advocates, the FBI submitted Carnivore to independent expert review[20]
at the Illinois Institute of Technology Research Institute (IITRI) and the
Illinois Institute of Technology Chicago-Kent School of Law. In response, the
group issued a draft report in November 2000, providing a complete description
of the Carnivore system’s capabilities and limitations.[21]
The Carnivore software program is installed on a general
purpose desktop computer, which is connected, without keyboard or monitor, to a
switch or hub at an ISP.[22]
The computer receives all of the data “packets” passing through the segment of
the ISP’s network to which it is attached.[23] The “collection
computer,” as this unit is called, is remotely controlled by an FBI computer
connected via telephone link by the commercially available PCAnywhere®
software.[24]
All computers are equipped with a Jaz® drive for removable data storage.[25]
The defining feature of Carnivore is its ability to
“filter” a single suspect’s Internet traffic from among that of all users on a
portion of the ISP’s network, and then capture (by making a copy of the data
packets) only those types of data authorized by court order.[26]
Using a relatively simple Windows®-based interface, an FBI agent may set
Carnivore to capture data packets originating from or destined for particular
e-mail or IP addresses, whether fixed or dynamically assigned.[27]
In wiretap mode, the system can view the content of e-mails, Hypertext Transfer
Protocol (HTTP, or World Wide Web) pages, File Transfer Protocol (FTP)
sessions, or any other application protocols.[28] In pen register
mode, the program can collect header information such as the “To:” and “From:”
addresses from e-mails and the IP addresses of computers involved in FTP or
HTTP transactions.[29]
Captured data packets are archived for analysis. A
software program called Packeteer® processes the raw output of Carnivore to
reconstruct the higher-level protocols (e.g., HTTP) from the data packets, each
of which represents only a small portion of any given message.[30]
The reconstructed data is then analyzed by a program called CoolMiner®, which
develops statistical summaries and displays pen register or full content
information via an Internet browser.[31]
The IITRI report concluded that when used correctly
pursuant to a Title III wiretap order, Carnivore provides law enforcement
officials with no more information than is permitted by the court order.[32]
This success depends, however, on the ability of the operating agent to properly
configure the filters.[33]
Even when correctly configured in pen register mode, the IITRI report found
that Carnivore collects “To:” and “From:” fields from e-mail, as well as the
length of messages and the length of individual fields within those messages,
possibly exceeding the scope of the authorizing court order.[34]
It is worth noting that Carnivore must scan every data packet traveling the
subnetwork it is monitoring in order to determine which to capture and which to
ignore. Those that pertain to the subject of investigation are captured for additional
filtering and storage, while the rest are ignored.[35] The IITRI
report notes that while Carnivore is designed for “fine-tuned searches,” it is
also capable of “broad sweeps.”[36]
Federal law defines a pen register as “a device which
records or decodes electronic or other impulses which identify the numbers
dialed or otherwise transmitted on the telephone line to which such device is attached.”[37]
A “trap and trace device” means “a device which captures the incoming
electronic or other impulses which identify the originating number of an
instrument or device from which a wire or electronic communication was
transmitted.”[38]
Law enforcement officials need not obtain a search warrant
before installing a pen register or trap and trace device. Federal law
requires, however, that an attorney for the government or a law enforcement officer
apply for a court order under 18 U.S.C. § 3123 (1994) before employing
such a device.[39]
This application must include 1) the identity of the attorney or officer making
the application and the identity of the law enforcement agency conducting the
investigation, and 2) a certification by the applicant (i.e. the applicant’s
assertion) that the information likely to be obtained from the pen register or
trap and trace is “relevant to an ongoing criminal investigation being
conducted by that agency.”[40]
When a proper application is submitted, the magistrate must issue an order authorizing the installation and use of a pen
register or trap and trace device.[41] The order must
specify 1) the identity, if known, of the person to whose telephone line
the device will be attached; 2) the identity, if known, of the person who
is the subject of the investigation; 3) the telephone number and physical
location of the telephone line and, in the case of a trap and trace, the
geographic limits of the order, and 4) a statement of the offense to which
the information likely to be obtained relates.[42]
The statutory threshold for obtaining a pen register or
trap and trace order is low and easily met; however, even this standard is more
than the Constitution requires. In Smith
v. Maryland, the Supreme Court held that pen registers do not constitute a
“search” for Fourth Amendment purposes, and thus require no search warrant or
court authorization of any type.[43]
The Court reasoned that telephone subscribers have no reasonable expectation of
privacy in the numbers they dial; thus, those numbers fall outside the Fourth Amendment’s
zone of protection.[44]
Applying the two-prong expectation of privacy test established in Katz v. United States,[45] the Smith Court held that a telephone
subscriber cannot have a subjective expectation of privacy in numbers dialed,
for all telephone customers know that the numbers they dial are revealed to and
recorded by the phone company in the normal course of business, both for connecting
their calls and for other purposes.[46] Furthermore,
even if a customer oblivious to these facts entertained a subjective
expectation of privacy, the Court held that this expectation was not one
society recognizes as objectively reasonable.[47] This result
follows, the Court said, from the doctrine that a person has no legitimate
expectation of privacy in information he voluntarily turns over to a third
party (i.e. the telephone company).[48] Thus, when a
telephone subscriber “voluntarily conveyed numerical information to the
telephone company and ‘exposed’ that information to its equipment in the
ordinary course of business,” the subscriber “assumed the risk that the company
would reveal to police the numbers he dialed.”[49]
The aforementioned statutes and constitutional principles
are now routinely applied to pen registers and trap and trace devices installed
on telephone lines. Over the last three years, the FBI and numerous courts have
applied them to Carnivore installations as well, authorizing the use of the
program as an “Internet pen register” to capture the “To:” and “From:” fields
on e-mail messages. While the FBI views telephone and Internet pen registers as
clearly analogous, and subject to the same laws,[50] others argue
that the Bureau lacks legal authority to capture e-mail addressing information
in particular, because it is more revealing than the numbers dialed on a
telephone.[51]
Viewed from the standpoint of how each type of information is used, Carnivore
likely meets the constitutional requirements for implementation of a pen
register. Neither the literal statutory language nor statutory construction,
however, supports the application of ECPA to a pen register in the Internet
context.
The language of Smith
v. Maryland makes it difficult to conclude definitively whether Internet
users hold any reasonable expectation of privacy in e-mail addressing
information. If they do, a Carnivore pen register order constitutes a “search”
for Fourth Amendment purposes and law enforcement officials would be required
to show probable cause to obtain such an order.[52] If no
reasonable expectation exists, and e-mail addressing information is analogous
to telephone numbers, the FBI’s use of Internet pen registers without a showing
of probable cause is proper, from a constitutional law standpoint.[53]
The primary difficulty in drawing the necessary analogy
lies in the
Telephone users, in sum, typically know that they must
convey numerical information to the phone company; that the phone company has
facilities for recording this information; and that the phone company does in
fact record this information for a variety of legitimate business
purposes. . . . [I]t is too much to believe that telephone
subscribers, under these circumstances, harbor any general expectation that the
numbers they dial will remain secret.[56]
The wording of this summary provides the strongest support
for denying that Internet users hold a subjective expectation of privacy in
e-mail addressing information. On the one hand, the billing structure of ISPs,
typically consisting of a flat monthly fee or a fee based on time spent online,
never considers the distance over which messages are sent. Consequently, the
recipient addresses of such messages play no part in determining billing, and
no itemized list of “numbers dialed” is received by users to destroy an
expectation of privacy. But when users send e-mail messages, they certainly
know that addressing information is being “conveyed” to their ISP, if for no
other reason than to route their messages to the proper destination. Moreover,
because e-mail is typically stored on an ISP’s server computer before it is
read by a recipient, and often remains there after reading, users know ISPs
possess “facilities for recording” e-mail addressing information. The
recordability of e-mail addresses is further supported by the knowledge that
e-mail, like all Internet traffic, is composed of digital data that may easily
be recorded by any computer receiving it. And for many of the reasons
articulated by the Smith
Court—particularly detecting fraud and identifying the source of harassing or
obscene messages—users likely expect their ISPs to occasionally or regularly
record the addressing information of certain messages for “legitimate business
purposes.” Considering these auxiliary functions of e-mail addressing, it is
“too much to believe”[57]
that Internet users expect their addressing information to remain private.
Supposing arguendo,
however, that an Internet user could somehow manifest a subjective expectation
of privacy in her e-mail addressing information, the second prong of the Katz test remains to be satisfied—is
that expectation one that society is willing to recognize as objectively
reasonable?[58]
Omitting any discussion of competing social policies or societal norms, the
The depositor takes the risk, in revealing his affairs
to another, that the information will be conveyed by that person to the Government. . . .
[T]he Fourth Amendment does not prohibit the obtaining of information revealed
to a third party and conveyed by him to Government authorities, even if the
information is revealed on the assumption that it will be used only for a
limited purpose and the confidence placed in the third party will not be
betrayed.[63]
With no discussion of the difference between financial
records and telephone numbers, the
When he used his phone, petitioner voluntarily conveyed
numerical information to the telephone company and “exposed” that information
to its equipment in the ordinary course of business. In so doing, petitioner
assumed the risk that the company would reveal to police the numbers he dialed.
The switching equipment that processed those numbers is merely the modern
counterpart of the operator who, in an earlier day, personally completed calls
to the subscriber.[64]
Substituting the proper e-mail terms into this formula, it
becomes clear that e-mail addressing information revealed to no one other than
an ISP’s equipment nevertheless falls squarely within the Miller assumption of risk doctrine, as interpreted in Smith. Telephone numbers dialed and
e-mail addressing information serve the same legitimate business purpose—both
tell network switching equipment where to send the call or message of the
initiating party. The fact that no human being may ever view the header
information is of no consequence. When an Internet user sends a message over an
ISP’s network, she has revealed the addressing information to the ISP’s
equipment in the ordinary course of business, and she assumes the risk that the
ISP will reveal her addressing information to the government. A Carnivore
installation on the ISP network simply facilitates this “revelation” by the
ISP.[65]
Having established doctrinally that Internet users have
neither a subjective nor an objective expectation of privacy in e-mail
addressing information per Smith, one
additional wrinkle casts some doubt on whether Carnivore pen register
installations are constitutional. The
Indeed, a law enforcement
official could not even determine from the use of a pen register whether a
communication existed. . . . They disclose only the telephone
numbers that have been dialed—a means of establishing communication. Neither
the purport of any communication between the caller and the recipient of the
call, their identities, nor whether the call was even completed is disclosed by
pen registers.[66]
Two aspects of the Carnivore system raise concerns in
light of this qualification. First, recall that the IITRI Draft Report on
Carnivore found that the system collects more than simply addressing
information from e-mail. The report noted that when correctly configured in pen
register mode, Carnivore collects not only the “To:” and “From:” fields of targeted
e-mail messages, but also the length of the message and the length of
individual fields within those messages.[67] In fact, the
system captures the entire e-mail message and all of its fields (including the
“SUBJECT” line and contents of the message), but replaces each character in
fields other than “To:” and “From:” with an X.[68]
Certainly this information reveals more than the analog to
“numbers dialed.” While not revealing to law enforcement the subject of the message,
whether the message contains any illegal content, etc., it does indicate
“whether a communication existed” or “whether the call was even completed.”[69]
Considering the
The second potential constitutional problem with Carnivore
is contained in suggestions by some that e-mail addressing information itself
is more revealing of identity than mere telephone numbers.[70] An e-mail address
typically consists of a username connected to a server name by “@” (e.g.,
student@umich.edu). The username is typically assigned to one individual for
institutional e-mail accounts (e.g., university and business), but may be used
by multiple members of a single household in the case of a private ISP account.
In the institutional settings mentioned, usernames are often assigned by a
central authority and typically contain some part of the user’s proper name.
Private ISPs typically permit customers to choose their own usernames, within
certain parameters. Very frequently these usernames also contain variations on
or parts of the customer’s proper name. Some ISPs allow individuals within a
household using the same Internet access account to create their own unique usernames.
With these characteristics in mind, it appears e-mail
addressing information often does reveal more about the identity of the sender
and receiver than the ten simple digits of a telephone number. But one may well
question whether this fact is necessarily troublesome from a constitutional
standpoint. It is unclear whether an e-mail address more accurately reveals the
actual sender or recipient of an
e-mail than does a telephone number. For someone other than the owner named in
the records of the telephone company or ISP to use either type of account,
access must be gained. For an e-mail account, this means the user must be privy
to the owner’s password. However, e-mail accounts can typically be accessed
from almost any geographic location. For a telephone call, the user must gain
access to the owner’s actual home, where the telephone line terminates. In
either case, such access is most likely to be had by other members of the
owner’s household. Indeed, access to both telephones and e-mail accounts by
multiple members of the same household is quite common. Thus, it is unclear
whether e-mail addresses really reveal that much more about the identity of
message senders and recipients. With no particular guidance from the
Whether e-mail addresses themselves reveal too much
information, and thus any pen register use of Carnivore is a violation of the
Fourth Amendment, is a policy question that will eventually require judicial or
legislative resolution. But it need not presently hinder the FBI’s use of the
program. The problem of overcollection identified by the IITRI report, however,
may be a fatal constitutional flaw. From the standpoint of information
functionality, Carnivore appears to collect more information than
constitutionally authorized for a pen register. Unlike telephone numbers and
e-mail addressing information, the length of messages and the length of
individual fields within those messages are not regularly collected for any
legitimate business purpose. This is especially true in the e-mail
context—while a telephone company may legitimately record the length of
messages for billing purposes, an ISP has no reason to monitor the length of
e-mail messages.[72]
Particularly troublesome is Carnivore’s collection of the entire body of the
message in “X” form. This surely raises concerns that if the software can
electronically “redact” a message, perhaps it could also un-redact it,
revealing the full contents. Short of such an overt violation, the possibility
exists that a glitch in the system would prevent the redaction from occurring,
with the same result. In either case, the Carnivore system is collecting more
than is constitutionally authorized by Smith,
whether that information is then submitted to electronic minimization or not.
In light of the Smith Court’s
insistence that pen registers may only collect the telephone numbers dialed, the
version of Carnivore reviewed by the IITRI team appears constitutionally
unsound, and should not be authorized for use as an Internet pen register.
To bring Carnivore into compliance with the Fourth
Amendment, the FBI must alter the program to eliminate the overcollection of
data in pen register mode. The IITRI report not only suggests that this is
possible, but provides two suggestions for how it might be accomplished.[73]
First, the IITRI team recommended the FBI create two separate versions of
Carnivore—one for pen registers and one for full-content collection.[74]
Separation of the functions would serve two purposes; not only would it allow
the customization of the software to prevent overcollection, but it would also
eliminate the risk that the program would be accidentally configured for
full-content collection when only a pen register was authorized.[75]
Second, the IITRI report provides suggestions for simple software modifications
that would prevent Carnivore from overcollecting in pen register mode.[76]
The report goes so far as to name the specific instructions that should be
captured for Simple Mail Transfer Protocol (SMTP) and Post Office Protocol
(POP) e-mail systems.[77]
If these alterations are made to the Carnivore software program, it will satisfy
the constitutional requirements elaborated in Smith.
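The overcollection described above, and the narrower capture the IITRI team recommends, can be made concrete with a short sketch. It is an added example, not code from this note, the IITRI report or Carnivore: the transcript is constructed, the function names are hypothetical, and it assumes that SMTP's MAIL FROM and RCPT TO commands are the addressing instructions to keep (the note does not list the instructions the report names).

```python
import re

# Constructed client-side SMTP transcript (not captured traffic). One body
# line imitates an SMTP command to exercise the DATA-state handling.
SAMPLE_SESSION = (
    "HELO client.example\r\n"
    "MAIL FROM:<alice@example.org>\r\n"
    "RCPT TO:<bob@example.net>\r\n"
    "RCPT TO:<carol@example.net>\r\n"
    "DATA\r\n"
    "From: Alice <alice@example.org>\r\n"
    "To: bob@example.net,\r\n"
    " carol@example.net\r\n"
    "Subject: Lunch on Friday\r\n"
    "\r\n"
    "See you at noon.\r\n"
    "RCPT TO:<dave@example.com>\r\n"
    ".\r\n"
    "QUIT\r\n"
)

# Assumption: MAIL FROM / RCPT TO are the addressing commands worth keeping.
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)
KEPT_FIELDS = ("to:", "from:")


def message_lines(session):
    """Return the lines sent between DATA and the terminating '.' line."""
    lines = session.split("\r\n")
    start = next(i for i, ln in enumerate(lines) if ln.upper() == "DATA") + 1
    end = lines.index(".", start)
    return lines[start:end]


def x_redact(lines):
    """Model of the behaviour described in the text: keep To:/From: fields,
    overwrite every other character of the message with 'X'."""
    out, in_headers, keep = [], True, False
    for line in lines:
        if in_headers and line == "":
            in_headers = False            # blank line ends the header block
            out.append("")
        elif in_headers:
            if not line[0].isspace():     # new field, not a folded continuation
                keep = line.lower().startswith(KEPT_FIELDS)
            out.append(line if keep else "X" * len(line))
        else:
            out.append("X" * len(line))
    return out


def residual_metadata(redacted):
    """What the X-filled copy still discloses: field and body lengths."""
    blank = redacted.index("")
    masked = [len(ln) for ln in redacted[:blank] if set(ln) == {"X"}]
    body = redacted[blank + 1:]
    return {"masked_field_lengths": masked,
            "body_lines": len(body),
            "body_chars": sum(len(ln) for ln in body)}


def envelope_only(session):
    """Minimised collection: record envelope addresses, never store DATA."""
    record, in_data = {"from": None, "to": []}, False
    for line in session.split("\r\n"):
        if in_data:
            in_data = line != "."         # stay in DATA until the lone '.'
            continue
        if line.upper() == "DATA":
            in_data = True
            continue
        m = ENVELOPE.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            record["from"] = m.group(2)
        elif m:
            record["to"].append(m.group(2))
    return record


if __name__ == "__main__":
    redacted = x_redact(message_lines(SAMPLE_SESSION))
    print("\n".join(redacted))
    print(residual_metadata(redacted))
    print(envelope_only(SAMPLE_SESSION))
```

On the constructed transcript the X-filled copy still yields a 24-character masked field and a 42-character body, while the envelope-only record holds nothing but the three addresses and ignores the command-like line inside the message body.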
Doctrinally, a slightly modified Carnivore program would
meet the constitutional requirements of a pen register device. The Constitution
is, however, only the first hurdle law enforcement officers must cross before a
pen register installation is legally permissible. The applicability of federal
statutes governing pen registers is far more questionable, as the literal
statutory language, congressional intent, and judicial decisions concerning
other communications technologies suggest the FBI’s use of Internet pen
registers is not authorized by the ECPA, and thus should not be available under
the minimal evidentiary standard applicable to pen register applications.
The ECPA defined a pen register as a “device which records
or decodes electronic or other impulses which identify the numbers dialed or
otherwise transmitted on the telephone line to which such device is attached.”[78]
Carnivore, on the other hand, is attached to a hub or switch of an ISP and
monitors a portion of the ISP’s overall traffic.[79] In pen register
mode, it intercepts not “numbers dialed,” but e-mail addressing information.[80]
The dissonance between the statute’s literal language and the physical
structure of Carnivore installations was noted in testimony before Congress and
raised as an objection to the use of Carnivore as a pen register or trap and
trace device.[81]
The reality of a Carnivore installation does not coincide
with the plain textual definition of a pen register. Judicial interpretation of
the governing statutes in reference to two other technologies supports this
conclusion. The United States Court of Appeals for the Fourth Circuit held in Brown v. Waddell[82]
that a digital display pager “clone,” used by law enforcement officers to
intercept pages sent to a suspected drug dealer, does not fall within the statutory
definition of a pen register “in the critical sense that it is not attached to
a telephone line.” A few weeks later, the United States District Court for the
Central District of California reached a similar result in In re Application of the U.S.A. for an Order Authorizing the Use of a
Cellular Telephone Digital Analyzer.[83]
There the court found that use of a cellular telephone digital analyzer—a
device capable of intercepting the electronic serial number (ESN) and telephone
number of a particular cellular telephone, as well as the numbers dialed on
that phone—was not governed by the ECPA’s pen register provisions because it
was not attached to a telephone line.[84]
Beyond the literal language of 18 U.S.C. § 3127 and judicial interpretation thereof, legislative intent also falls squarely on the side of limiting pen registers exclusively to devices attached to telephone lines. In the Glossary section of its report on ECPA, the Senate Judiciary Committee defined both pen registers and trap and trace devices exclusively in relation to telephone applications: “Pen registers are devices that record the telephone numbers to which calls have been placed from a particular telephone. .