[Note: There is a helpful set of illustrations accompanying this article that can be viewed by clicking on this link to the Appendix.]

"I realize that this bill basically says you can tap someone's phone for jaywalking, and normally I would say, 'No way.'  But after what happened on September 11th, I say screw 'em."

- Del. Dana Lee Dembrow (D-Montgomery, MD)1

I.  Introduction and Synopsis

As the introductory quote illustrates, the September 11, 2001 attacks on New York City and the Pentagon in Washington, D.C. had a significant effect on the way legislators have approached privacy and surveillance lawmaking in the months subsequent to the attacks.  While the quote comes from a Maryland state representative and references a proposed modification of Maryland state wiretap laws, those changes are being modeled after the USA Patriot Act ("Patriot Act") and appear to reflect the attitude of federal lawmakers as well.  The Patriot Act, federal legislation signed into law on October 26, 2001 by President George W. Bush, was designed to provide the U.S. Justice Department with new powers in intelligence gathering, criminal procedure, and immigration violations in an effort to prevent future terrorist attacks both at home and abroad.

Among the numerous provisions of the Patriot Act is § 216, "Modification of Authorities Relating to Use of Pen Registers and Trap and Trace Devices," which extends application of the Pen Register and Trap and Trace Statute ("Pen Register Statute"), formerly limited to telephone technology, to electronic wire communications such as e-mail and internet website browsing.  Pen registers were traditionally mechanical devices installed on telephone networks that monitor telephone numbers dialed by a specific target.  Trap and trace devices are similar to modern day caller ID devices that record telephone numbers of calls placed to a target from a third party.  The new statute authorizes pen register/trap and trace device installation by law enforcement authorities to record dialing, signaling, routing, and addressing information without a search warrant.

The U.S. Supreme Court has held that pen register use to record incoming and outgoing telephone numbers does not constitute a Fourth Amendment search and thus does not require a search warrant.  The Court's holding was premised on the fact that pen registers did not record actual content of phone conversations.  The Patriot Act, however, expands the scope of pen register-type surveillance to include not just telephone "dialing and signaling" information, but "routing and addressing" information as applied to electronic communications.  At the same time, the Patriot Act maintains the prior standard of judicial oversight that is significantly less than that provided by a search warrant.

This paper will examine § 216 of the Patriot Act, specifically seeking to answer whether the expansion of the application of the Smith pen register doctrine to include routing and addressing information of electronic communications is constitutional.2  Section I of the paper consists of an introduction and synopsis and Section II is a description of pen registers, trap and trace devices, and an overview of the Internet.  Section III will provide an overview of the evolution of wiretap and pen register statutes.  Section IV will examine in some detail the pen register and trap/trace provisions of the Patriot Act.  Section V is a review of the relationship between pen registers and the Fourth Amendment, Section VI will analyze the constitutionality of § 216, both facially and as-applied to a hypothetical investigative scenario, and Section VII will attempt to provide recommendations for bringing the new pen register provisions within the bounds of the Smith decision.  Finally, Section VIII consists of a conclusion and summary.

II.  Pen Registers, Trap & Trace Devices, and the Internet

Prior to the advent of the Internet and electronic computer networks, law enforcement surveillance techniques involving communication primarily centered on the telephone.  The FBI, state, and local law enforcement agencies, in an effort to monitor criminal activities utilizing telephone technology, began utilizing equipment called pen registers and trap/trace devices to obtain dialed-number information from specific surveillance targets.  Pen registers are mechanical devices that record the numbers dialed from a particular telephone unit by monitoring and responding to changes in electrical voltage caused by the turning of a telephone dial or the pressing of buttons on a push-button telephone.3   They do not have the capability to "hear" or record aural communications, and pen registers disclose neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed.4  Installation of a pen register traditionally involved locating "appearances" in the telephone wires-places where specific telephone lines emerge from the sealed telephone cable-and identifying the relevant pairs of wires that constituted the circuits of the telephone line.5  Trap and trace devices work much the same way but capture the incoming electronic or other impulses that identify the originating number of a telephone from which a call was transmitted.6  Trap and trace devices perform functions equivalent to modern CallerID systems.

The challenge of gathering pen register and trap/trace information for communications involving possible criminal activity has been significantly altered upon the introduction of more modern electronic forms of messaging.  The Internet, with its rapid integration into the U.S. and global communication landscape, created new opportunities for criminals and terrorists to coordinate plans without fear of the traditional monitoring technology that had been utilized on telephone lines for so many years.

The Internet evolved from the U.S. Department of Defense's information sharing system called the Advanced Research Project Agency Network (ARPANET).  The modern Internet, much like the original ARPANET, is a network of computers that are connected for the purpose of facilitating information amongst individual computers in the network.  The method of data exchange differs significantly from familiar telephone transmissions and thus has created new technological and legal questions in the area of Internet surveillance.   Rather than electronic pulses and aural signal transmission, the Internet utilizes a system of protocols and packets.  For an exchange between two computers (one a "client" and the other a "server"), data is transmitted through use of a Transmission Control Protocol and the Internet Protocol (TCP/IP).  When the server receives the request for data, it locates the file sought on its computer and breaks the file into small bundles of digital data, each with a set of instructions telling the "packet" where to go in the network.  The TCP assigns a sequence number so it can track what it has sent and eliminate the need to duplicate sending the same packet twice unless the packet is lost somewhere along the way to the client.  The Internet Protocol routes the packets across the Internet, utilizing several servers along the way.  The Protocol assigns a numerical address to every packet before they are sent and the originating server is then notified if any packets failed to reach the destination in which case the packet is retransmitted.  Upon arriving at the destination client, the packets are "reassembled" to form the original data sequence, whether it is in the form of an e-mail message, a web page, or a computer file.7

This technological shift from analog voice communications over telephone wires to digital data transfers through multi-hop interconnected networks has raised issues involving pen register and trap/trace equipment, methods, and the application of authorization statutes to this now-prevalent technology.  In most cases, the evolution of communications has outpaced the corresponding evolution in statutory definitions and constitutional safeguards, and the result has been continued attempts to stretch antiquated statutory terms and methods to fit the ever-changing communication modes.  One by-product of this failure to keep pace is a large degree of uncertainty regarding the level of privacy protection the Constitution provides to users of electronic networks.

III.  Wiretap Legislation and Pen Register Statutes

Prior to the Patriot Act

 Title III of the Omnibus Crime Control and Safe Streets Act of 1968 ("Wiretap Act") was the first significant federal law addressing electronic surveillance of communications.8  The Wiretap Act was passed as a response to U.S. Supreme Court decisions holding that wiretapping of the content of telephone communications requires a judicial finding of probable cause (and a search warrant), and must be limited in scope and duration.  The legislation authorized federal law enforcement authorities to apply for wiretap orders under limited circumstances such as investigations of certain serious crimes and only when other less-intrusive techniques had failed.9  In addition, the scope of monitoring was "minimized"10 to prevent unnecessary access to nonincriminating conversations.11

 In 1978 Congress passed the Foreign Intelligence Surveillance Act ("FISA"), which supplemented the Wiretap Act and enhanced capabilities for conducting counterintelligence operations against foreign powers or agents of foreign powers.12  FISA is a surveillance regime separate from ordinary domestic law enforcement and it authorizes issuance of secret wiretap orders for national security cases whether or not any laws were or will be broken.13  While one cannot obtain a FISA order unless foreign intelligence is the primary purpose of the order, courts have held that criminal information obtained in the course of FISA monitoring may be used in criminal prosecutions.14

 In 1986, in an effort to update the Wiretap Act to accommodate nonvoice electronic communications and wireless voice communications, Congress enacted the Electronic Communications Privacy Act ("ECPA").15  The ECPA not only extended the Wiretap Act to include new technologies, but it changed the manner and means by which law enforcement is authorized to access communications, depending on whether the means of communication involved voice, in-person, over a wire, or whether it was a stored electronic communication such as e-mail.16  Under the Wiretap Act, for example, orders for voice communications could be sought only in cases of special need involving a limited list of serious federal felonies and were subject to minimization requirements.  Search warrants to obtain stored electronic communications, however, could be sought under the ECPA by an application for a warrant in any case involving a federal felony and without the special need or minimization requirements that the Wiretap Act required.17

 The ECPA also modified the Wiretap Act to add provisions to restrict use of pen register and trap/trace devices.18  The pen register and trap/trace portions of the enactment were added in response to the U.S. Supreme Court decision in Smith v. Maryland19 in 1979, holding that use of this equipment does not require a search warrant issued on probable cause.  The pen register provisions in the ECPA allowed law enforcement authorities to obtain a court order for installation of the devices with a judicial finding much lower than the probable cause requirement to obtain a full wiretap.20  While the ECPA expanded coverage of wiretap orders to include various electronic communications, the pen register and trap/trace definition in the statute was phrased in terms of telephone technology only.21

IV.  The Pen Register and Trap/Trace Provisions of The USA Patriot Act

 On October 26, 2001, President George W. Bush signed into law the USA Patriot Act "so that we can combat terrorism and prevent future attacks."22  The Patriot Act implemented or modified several provisions to enhance crime investigation, antiterrorism efforts, and to strengthen immigration laws.23  Signed into law just forty-four days after the attacks of September 11, 2001, this legislation was pushed through Congress during a time when voicing dissent over such changes and speaking out for privacy concerns was looked upon as unpatriotic.  Indeed, during the Senate debates over the bill, the lone critic was Sen. Russ Feingold of Wisconsin who remarked that the Senate has "a duty to analyze, to test, to weigh new laws that the zealous and often sincere advocates of security would suggest to us."24  He said the Patriot Act "does not strike the right balance between empowering law enforcement and protecting constitutional freedoms."25

 Among other things, The Patriot Act modified the pen register and trap/trace provisions of the ECPA in several areas to incorporate Internet and e-mail communications.26  The definition of a pen register was expanded to mean "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted."27  Similarly, a trap/trace device is now defined as "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication."28  While the legislation expands the meaning of pen register and trap/trace device to include routing and addressing information, it does not define "routing and addressing information" and does not offer any guidance on the scope of these terms.

 The judicial oversight of the pen register statute, meanwhile, has not been modified, despite the expansion of the definitions.  The Patriot Act authorizes a court to "enter an ex parte order authorizing the installation and use of a pen register or trap and trace device...if the court finds that the State law enforcement or investigative officer has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation."29

 Congress, in an effort to limit the constitutional impact of the new changes, also incorporated a type of disclaimer in the "Limitation" section of the pen register statutes by requiring that "a governmental agency authorized to install and use a pen register or trap and trace device under this chapter [18 U.S.C. §§ 3121 et. Seq.] or under State law shall use technology reasonably available to it that restricts the recording or decoding of electronic or other impulses to the dialing, routing, addressing, and signaling information utilized in the processing and transmitting of wire or electronic communications so as not to include the contents of any wire or electronic communications."30

 Clearly Congress' intent with § 216 of the Patriot Act was to expand the use of pen register and trap/trace devices to the Internet environment while maintaining the same relaxed level of judicial oversight over the issuance of the necessary court order to obtain this type of surveillance.  Mindful of the constitutional limitations of this type of eavesdropping, Congress included a catchall provision that restricted information gathered by this method to not include the contents of the communications.   The question then becomes whether Congress has created a statute that is inherently contradictory and whether the attempt to expand the meaning of "pen register" mandates a higher threshold of judicial oversight than the "relevant to an ongoing criminal investigation" provision provides.  As the law stands today, the judicial oversight required prior to issuance of a pen register order is little more than a rubber stamp.

V. Pen Registers and the Fourth Amendment

 Analysis of the constitutionality of pen register statute modifications must begin with an examination of how the traditional pen register doctrine fits, or more precisely, does not fit within the Fourth Amendment.  The Fourth Amendment states, "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."31

 The Supreme Court addressed the threshold requirements for Fourth Amendment protection in Katz v. United States, 389 U.S. 347 (1967).  The Court adopted a test to determine whether a person invoking Fourth Amendment protection can claim a justifiable expectation of privacy that has been invaded by government action.  This inquiry embraces two discrete questions:  whether the individual, by his conduct, has exhibited an actual (subjective) expectation of privacy, and whether the individual's subjective expectation of privacy is one that society is prepared to recognize as reasonable.32

 Twelve years later, the Court applied the Katz test to the issue of pen registers when it decided Smith v. Maryland, 442 U.S. 735 (1979), holding that there is no legitimate expectation of privacy in telephone numbers and that pen register information does not reach the threshold of Fourth Amendment protection.  A proper evaluation of the reach of this decision requires an examination of the Court's language in the opinion.  The Court began its reasoning by explaining that a pen register differs significantly from the listening devices employed in Katz, in that pen registers do not acquire the contents of communications.33  Justice Blackmun emphasized the limited capabilities of pen registers by quoting from the Court's decision in United States v. New York Tel. Co., 434 U.S. 159, 167 (1977):

A law enforcement official could not even determine from the use of a pen register whether a communication existed.  These devices do not hear sound.  They disclose only the telephone numbers that have been dialed-a means of establishing communication.  Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.34

The Court further explained that telephone users typically know that they must convey numerical information to the phone company, that the phone company has facilities for recording that information, and that the phone company does in fact record this information for a variety of legitimate business purposes.35  According to the Court, when the petitioner in Smith used his phone, he voluntarily conveyed numerical information to the telephone company and exposed that information to its equipment in the ordinary course of business.36  In so doing, he "assumed the risk that the company would reveal to police the numbers he dialed."37

The Smith decision clearly rests upon a foundation of voluntariness and an assumption of the risk by a telephone user that the dialing information might be turned over to the authorities, but the Court also strongly factored in the limited ability of pen registers to gather information.  Applying Smith to The Patriot Act expansion of pen register and trap/trace device definitions, one is left wondering just how far Smith was meant to reach.  Smith indicates that "the Court has consistently held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,"38 and that this principle extends even to financial information voluntarily conveyed to banks in the ordinary course of doing business.39  The question, however, is whether Internet communications and the way in which data is routed through ISPs40 are the functional and legal equivalent of telephone numbers and banking information.

VI.  Is § 216 of The Patriot Act Constitutional?

Analysis of the constitutionality of § 216 of The Patriot Act begins with an examination of the statute itself to determine whether the language itself is facially valid.  The next step is to analyze potential applications of the statute to determine if there are possible "as-applied" uses of the statute that exceed the spirit or letter of Smith, requiring a standard of Fourth Amendment protection not provided by the statute.

A. § 216 of The Patriot Act On Its Face

 Congress was clearly aware of the constitutional limitations that the Smith decision imposed on pen register and trap/trace device use when The Patriot Act was drafted and passed.  The modifications embodied in § 216 and codified in 18 U.S.C. §§ 3121-27 contain no less than three references to limitations on gathering "content."41  First, Congress included a limitation that requires government agencies to use "technology reasonably available to it that restricts...the processing and transmitting of wire or electronic communications so as not to include the contents of any wire or electronic communications."42

This limitation is peculiar and seems to open the door to situations where there would be no limitation at all, so long as law enforcement agencies are using equipment "reasonably available" to them.  In other words, prior to implementing a pen register application without a search warrant, an agency is presumably required to use reasonable efforts to locate and employ equipment that is capable of restricting dialing, routing, addressing, and signaling information so as not to include any information considered "content."  But if an agency uses reasonable efforts and fails to locate such equipment, there appears to be no limit to using the equipment that was available.  Thus, the protection provided by this provision appears to be illusory.

However, Congress also modified the definitions of both pen registers and trap/trace devices.  Although the definitions are expanded to include not just mechanical devices but processes (e.g. software), and to include not just dialing and signaling information but routing and addressing information, they are reigned in by language that states, "provided...that such information shall not include the contents of any communication."43  Because Congress did restrict the definitions of pen registers and trap/trace devices to only include equipment that does not record contents of communications, any device that does collect content cannot fall under 18 U.S.C. §§ 3121-27 and would need to meet the requirements of Title III.  Thus, despite the flaw in 18 U.S.C. §3121(c), the amended pen register statutes appear to facially meet the requirements set forth in Smith.

B.  § 216 of The Patriot Act "As-applied" to a Hypothetical Investigative Scenario

 Although Congress may have protected the statute from obvious facial invalidity with the "no content" provision, the more constitutionally challenging aspect of the new pen register statute manifests itself when the new law is implemented utilizing current technology.  § 216 of The Patriot Act now authorizes agencies to gather "routing and addressing" information from pen register devices in addition to the more traditional "dialing and signaling" information, however these new terms are not defined in the statute or in the Wiretap Act.  Although law enforcement agencies have attempted to justify the gathering of routing and addressing information with pen registers by analogizing to traditional telephone pen register applications44, many of these analogies fall down when applied to Internet data communications.  To understand how these new definitions are applied, it is useful to examine the way the FBI deploys its DCS1000 system ("Carnivore").

 Carnivore is a system developed by the FBI used to implement court-ordered surveillance of electronic communication.  The Carnivore architecture comprises: 1) a one-way tap into an Ethernet data stream; 2) a general purpose computer to filter and collect data; 3) additional general purpose computers to control the collection and examine the data; and 4) a telephone link to the collection computer.45  PCAnywhere, a commercial software product, allows the additional computers to control the collection computer via the telephone link.46  Carnivore software is loaded on the collection computer while Packeteer and CoolMiner are installed on the control computers.47  All the computers are equipped with Jaz drives for removable data storage.48

 When placed at an ISP, the collection computer receives all packets on the Ethernet segment to which it is connected and records packets or packet segments that match Carnivore filter settings.49  The tap is strictly one-way which ensures that Carnivore cannot transmit data on the network, and the absence of an installed Internet protocol (IP) stack ensures that Carnivore cannot process any packets other than to filter and optionally record them.50  Control computers are located at FBI sites.  When connected by modem to the collection computer, an operator can set and change filter settings, start and stop collection, and retrieve collected information.51  Using the commercially-available Packeteer and CoolMiner software on the control computer, the operator can reconstruct target activity from the collected IP packets (see Image A, Appendix).52  In "pen mode," designed to emulate a pen register, the operator can see the TO and FROM e-mail addresses and the IP addresses of computers involved in File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) sessions.  In full-collection mode, the operator can view the content of e-mail messages, HTTP pages, and FTP sessions.  The operator can select the collection mode from a graphical user interface screen offering menu options of "Full," "Pen," and "None" (see Image B, Appendix).53

 In 2000, the U.S. Department of Justice and the FBI contracted with the Illinois Institute of Technology Research Institute (IITRI) to conduct an independent lab test on the functionality and effectiveness of the Carnivore system.54  The tests were intended to determine whether the system a) provides investigators with all, but only, the information it is designed and set to provide in accordance to a given court order, b) introduces any new, material risks of operational or security impairment of an ISP network, c) risks unauthorized acquisition of electronic communication information, and d) provides protections commensurate with the level of the risks.55
 In keeping with the scope of this paper, the test results discussion will be confined to the relevant results of the "Pen" mode settings.

C.  Pen Mode E-mail Data Collection

 This test was conducted to simulate a court order situation restricting collection to non-content e-mail fields sent to and from a target, requiring the target's e-mail address to be input into the configuration filter menu.56  This mode does not permit the collection of the SUBJECT field or the message body.57  The result of the test showed that Carnivore did not collect any fields other than TO and FROM, as required, but in some trials failed to collect the requested TO and FROM information.58  In this mode, Carnivore replaces e-mail header information with Xs.59  Due to this characteristic, when the data is viewed in CoolMiner, it is relatively simple to determine the length of each field in the header and the length of the entire message (see Image C, Appendix).60

D.  Pen Mode Non-Content Web Browsing Collection

 This test was conducted to simulate a court order authorizing the collection of source and destination IP addresses for a target's web browsing activities.61  As part of the pen mode, Carnivore is restricted to non-URL data for web destinations (limited to IP addresses only) and is not authorized to collect web content.62  While Carnivore technically passed the test as it was set up, the results showed that while no URL or content was collected, the CoolMiner analysis provided information on the number of bytes transferred between the client and server (see Image D, Appendix).63  This means that Carnivore might potentially provide relevant information concerning the amount of data downloaded or the type of data (e.g. an image download might constitute a much larger number of bytes than a text download).

E.  Pen Mode Non-Content FTP Collection

 This test was conducted to simulate the collection of source and destination information for file transfer protocol activity by a target.64  The purpose of the test was to verify that Carnivore properly restricts itself to only the IP address to which a target opens an FTP connection and doesn't reveal other users' FTP source and destination information or the content of any file transfer.65  The results of the test showed that Carnivore intercepted only the source and destination IP addresses associated with the targeted user's FTP activity, however it also output the number of bytes transferred between the client and server (see Image E, Appendix).66

F.  Is Carnivore a Pen Register?

 When Congress enacted § 216 of The Patriot Act and modified the prior existing pen register statutes to accommodate routing and addressing information transmitted through electronic communications, it is reasonable to conclude that the intent was to bring surveillance modes such as Carnivore within the fold of the pen register statutes.  The questions then become: is Carnivore legitimately a pen register under the definition of The Patriot Act, and if so, does incorporation of processes such as Carnivore into the definition of a pen register violate the letter or spirit of Smith?

 The language of the pen register definition requires that it be, 1) a device or process, 2) which records or decodes, 3)  dialing, routing, addressing, or signaling information, 4) transmitted by an instrument or facility from which a wire or electronic communication is transmitted, and 5) that such information shall not include the contents of any communication.  Certainly Carnivore meets the first four definitional terms-it is a process (software) that decodes and records routing and addressing information transmitted by an instrument or facility (computer).  The application of this definition, however, breaks down in the non-content requirement.  "Content" as it is used in 18 U.S.C. §§ 3121-3127 is defined in 18 U.S.C. § 251067:  "when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication."68  While the terms "substance" and "purport" are not defined within the pen register statutes or the Wiretap Act, one can utilize the common meanings of these terms.  "Substance" of a communication generally refers to "the gist or heart" of the communication or something that is the "essence" of the communication.69  The "purport" of a communication would refer to the "meaning presented, intended, or implied."70

While arguably the information that Carnivore collects beyond the pure routing and addressing information (i.e. the number of bytes transferred during e-mail, web browsing, or FTP activities) should not be considered the "heart" or "essence" of the communication, the definition of "contents" is broad and includes "any information concerning" the "meaning presented, intended, or implied."  Thus, the broad definition of "contents" would likely mean that Carnivore, at least in its current form, should not be considered a pen register and thus would not qualify for the lower judicial oversight provided by the pen register statutes.
Assuming, however, that Carnivore is a pen register under the statutes, it is arguably not a pen register under the holding of Smith.  The Smith Court used the description of a pen register from the Court's United States v. New York Tel. Co.71 opinion to form the basis of its decision in Smith.  The relevant characteristics of a pen register, then, include: 1) it does not acquire contents of a communication, 2) it does not hear sound, 3) it does not indicate whether calls are actually completed, 4) it does not indicate whether a communication actually existed, 5) it only discloses telephone numbers-a means of establishing communication, and 6) it does not disclose the identity of the user.72

Even if assuming arguendo that the Carnivore information concerning bytes transferred is not "content," Carnivore exceeds the letter and the spirit of what the Smith Court would consider to be a pen register.  While Carnivore, similar to a traditional pen register, also does not hear sound, it discloses significantly more about a communication than does a traditional pen register.

Communication completion:  a Carnivore installation may not be capable of determining whether an intended e-mail recipient or recipient server actually received an outgoing e-mail message, but it is capable of determining whether a website has been served to a target client and whether an FTP file has been served to a target client.  Existence of communication:  because Carnivore indicates file size of e-mails, served web pages, and FTP files, it clearly discloses whether a communication existed, unlike a telephone number record which, in contrast, discloses nothing about whether anything was said.  Means of communication:  a means of communication can be described as a technologically required dataset necessary to form a communications channel.  Although an e-mail address, website IP address, and FTP IP address arguably are analogous to telephone numbers, the bytes transferred information collected by Carnivore exceeds the information establishing the basic means of communication.  Identity of the user:  a telephone number only indicates the telephone line that is being used for a communication.  Carnivore, on the other hand, collects e-mail address information.  E-mail addresses tend to be more personal, in that they are more commonly associated with a specific individual rather than a specific computer.  Further, e-mail addresses often contain an individual's name or some characteristic of that individual such as a birth date.73

Given that the information collected by Carnivore goes beyond the limited nature of a pen register as defined by the Smith Court, the eventual constitutionality of The Patriot Act as-applied to a Carnivore-type surveillance would depend on whether a user of electronic communications has a legitimate expectation of privacy in the information recorded by Carnivore in pen mode.74  One could reasonably argue that despite the occasionally personal nature of an e-mail address, a user does not have an objectively reasonable expectation of privacy in that address because the address is a necessary means for establishing communication links with another user and the Internet utilizes these addresses in a similar way that telephone switching equipment utilizes telephone numbers.

While a similar argument might be made for IP addresses of websites and FTP sites, these "addresses" are significantly more revealing than a traditional telephone number.  For example, most telephone numbers are essentially random numerical assignments within a given area code and reveal no substantive information about either the source or destination.  IP addresses, however, are specifically assigned to web servers and are easily "resolved" into URLs simply by typing the numerical IP into a web browser address window.  These URLs often reveal the basic content of a site or even keywords that were input into a search engine.75  Taken as a whole, the pen mode Carnivore installation significantly exceeds the scope of intrusion represented by a traditional "Smith pen register," and consequently the expectation of privacy by electronic communication users should be considered legitimate and objectively reasonable.

VII.  Fixing the Pen Register Statutes

to Achieve Smith-Compliance

The pen register statutes as they exist following The Patriot Act modifications clearly create significant questions in terms of their constitutionality "as-applied" to Carnivore-type state surveillance activity.  One of the simplest ways to correct some of the concern would be for Congress to amend the statutes with specific definitions for the terms "addressing information" and "routing information."  For example, is an e-mail address "addressing information?"  Is an IP address of a website "routing information?"  Does anything beyond simple e-mail addresses and IP addresses (e.g. number of bytes transferred) constitute "content," thereby removing it from valid pen register collection?  Is an IP address really the equivalent of a telephone number when it can so easily be resolved into a URL that possibly reveals content?

While Congress intended to modernize the concept of the pen register to be applicable in today's digital communication world, it failed to define the bounds for interception that qualifies for the "pen register standard" of judicial oversight.  Instead, law enforcement agencies are left to guess and assume that their analogies between telephone technology and the Internet are valid ones, while online privacy suffers the consequence.

Tightening the statutory definitions for the key terms is not only prudent from a predictability perspective, but should be constitutionally mandated by Smith.  The Smith decision, holding that pen register data interceptions were not bound by Fourth Amendment constraints, was predicated on the limited capabilities of a traditional pen register.76  A standard for obtaining court-ordered authorization of a pen register that only requires a law enforcement agency to show relevancy to an ongoing criminal investigation indeed threatens to encroach into territory that the Fourth Amendment was designed to protect.  Thus, it is imperative on Congress to reign in the scope of pen register interception by enacting narrow definitions of "addressing" and "routing."  In the end, however, it may be necessary for the Supreme Court to revisit Smith in the context of an Internet world to determine where exactly those boundaries lie.

  Additionally, Congress should prescribe functional limits to equipment that qualifies as a pen register under the statutes.  In keeping with the Smith philosophy of limited pen register capabilities, Congress should mandate that equipment used for this purpose be limited to "pen mode" only, with no built-in capability for full-content data collection.  For example, with the Carnivore system as it currently exists, the remote operator can select between "pen mode" and "full mode" by merely clicking one button with a mouse.77  Although errors may be rare, there can be no doubt that some will occur with this type of equipment.  When a mouse-click error occurs with Carnivore, "X"-ed out e-mail messages are suddenly recorded as full content.  Currently there is a large gap in judicial oversight between obtaining authorization for a Title III search warrant and pen register court order, but with no corresponding protective "wall" between pen-mode and full-content mode surveillance in either software or hardware.  If the law is going to continue to tolerate limited data collection with virtually no judicial restraints, Congress should implement a fail-safe "barrier" around the systems that procure this data to prevent inadvertent, or even intentional incursions into full-content surveillance.

Segregation of functionality also serves to limit the potential for abuse that can be present in law enforcement surveillance.  While the majority did not address the potential for abuse in the Court's Smith decision, New York courts have dealt with the issue in relation to similar state pen register statutes.  Referring to a pen register device that had the capability of collecting aural communications rather than exclusively telephone number data, the Court of Appeals of New York stated:

We distinguish this more sophisticated technology from that at issue in earlier pen register cases.  The traditional pen register considered in Smith v. Maryland was, to large extent, self-regulating.  Neither through police misconduct nor through inadvertence could it reveal to anyone any information in which the telephone user had a legitimate expectation of privacy.  The same is not true of the device used here.  This is a technology that has the capacity, through willful use or otherwise, to intrude on legitimately held privacy, and it is the warrant requirement, interposing the Magistrate's oversight, that provides to citizens appropriate protection against unlawful intrusion.  Thus, we hold the devices employed here were subject to the warrant requirement and installation of them without one was unlawful.78

VIII.  Conclusion

Many changes to federal and state criminal enforcement and terrorist surveillance laws in the wake of the September 11, 2001 terrorist attacks were rapidly developed and passed by Congress and state legislative bodies.  Clearly the Patriot Act was the most significant of these, and contained within this legislation was a major revision of the pen register statutes.  Whereas prior statutes, including the ECPA, referenced pen registers only in the context of telephone technology, the Patriot Act modified the statutory language to bring surveillance of electronic communications such as Internet e-mails and web browsing into the fold.

Although Congress was certainly overdue in reexamining the electronic surveillance statutes as a result of the surge in worldwide Internet use, the changes made to the pen register statutes were apparently made without regard for maintaining the necessary balance between national security and freedom from government intrusion into private communications.  The pen register statutes were originally drafted in response to the U.S. Supreme Court decision in Smith v. Maryland holding that a pen register, with capabilities limited to collecting telephone numbers dialed from a target or dialed by a third party to a target, did not meet the threshold requirements for Fourth Amendment protection.  This holding was premised on both the limited capabilities of the equipment in question and the belief that society does not have a reasonable expectation of privacy in telephone numbers.

In its attempt to update the pen register doctrine to include modern technology, Congress failed to include necessary restraints in the language of the statute to keep the statute within the holding and spirit of Smith.  Facially, §216 of the Patriot Act protects itself by preventing pen register data collection of any "content."  However, by authorizing the collection of addressing and routing information contained within Internet communications, but failing to define the scope of those terms, Congress has created ambiguities destined to result in cases that exceed the bounds of Smith and encroaching into territory reserved for Fourth Amendment protection.  The Fourth Amendment requires search warrants to be issued based on probable cause for government intrusions into private communications that constitute a search.  Pen registers have traditionally been exempt from the search warrant requirements because of the limited nature of their collection capabilities.  The Patriot Act has expanded those capabilities but maintained the same low level of judicial oversight of the process, blurring the distinction between a pen register data collection and a full-content wiretap search.

Analysis of a typical modern pen register installation, illustrated by the FBI's Carnivore system, reveals that there will inevitably be situations where the pen register statutes "as-applied" to a Carnivore-type collection will exceed the constitutional constraints placed on this type of surveillance.  While it is difficult to conclude that the revised statutes are unconstitutional on their face, it is reasonable to conclude that cases will occur that will require the Supreme Court to decide where the boundaries are for modern pen register applications.

Congress should take the initiative in tightening the current pen register statutes to eliminate the uncertainty that now exists.  By incorporating more definitive statutory definitions and by restricting the definition of a pen register to equipment with limited functional capabilities, Congress can go a long way towards preserving our Fourth Amendment rights against unreasonable government intrusion while providing law enforcement the necessary flexibility to conduct limited surveillance.  Although every reasonable American desires a certain degree of security against terrorism, it is important to remember that unregulated surveillance often intrudes upon the lives of non-criminals.  As Justice Marshall said in his Smith dissent, "privacy in placing calls is of value not only to those engaged in criminal activity.  The prospect of unregulated governmental monitoring will undoubtedly prove disturbing even to those with nothing illicit to hide."79  No doubt Justice Marshall would conclude the same about Internet communications today.

1 Matthew Mosk, Terrorism Fears Push Md. Toward Wider Police Power, Washington Post, March 25, 2002, at http://www.washingtonpost.com/wp-dyn/articles/A12099-2002Mar24.html.

2 Some commentators have questioned the constitutionality of the new jurisdictional provisions of §216.  This paper will not address those issues and will be limited to the question of content.

3 United States v. New York Tel. Co., 434 U.S. 159, 167 (1977).

4 Id.

5 Id. at 162.

6 18 U.S.C. § 3127(4)(1994).

7 For a more in-depth description of the development, function, and utilization of the Internet, see ACLU v. Reno, 929 F. Supp. 824, 830-838 (E.D. PA 1996).

8 Title III of the Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351 (codified as amended at 18 U.S.C. §§ 2510-22).

9 See id. §2515.

10 "Minimization" means that law enforcement agents can only listen to criminal conversations and must turn off interception devices when the subjects engage in noncriminal conversations.  In U.S. v. Scott, 436 U.S. 128, 140 (1978), the Supreme Court stated that the determination of whether or not to minimize a conversation should be viewed as "objectively reasonable" based on the circumstances confronted by the monitor at the time of interception.  Electronic Investigative Techniques, U.S. Dep't of Justice US Attorneys Bulletin, at 25 (September 1997).

11 Title III, supra note 8.

12 Foreign Intelligence Surveillance Act, Pub. L. No. 95-511 (codified at 50 U.S.C. §§1801-11).

13 Lee Tien, Foreign Intelligence Surveillance Act Frequently Asked Questions, Electronic Frontier Foundation (September 27, 2001), at http://www.eff.org/Privacy/Surveillance/Terrorism_militias/fisa_faq.html

14 Id.

15 Electronic Communications Privacy Act, Pub. L. No. 99-508 (1986).

16 Mark Roth, Legislation Subpoenas, Search Warrants and Surveillance Orders-Coming to an ISP Near You?, E-Commerce, at 1 (November 2001).

17 Id.

18 ECPA, Pub. L. No. 99-508, 100 Stat. 1868 (1986).

19 Smith v. Maryland, 442 U.S. 735 (1979).

20 ECPA required a certification that "the information likely to be obtained is relevant to an ongoing criminal investigation."  18 U.S.C. § 3122.

21 The term "pen register" under the ECPA means "a device which records or decodes electronic or other impulses which identify numbers dialed or otherwise transmitted on the telephone line to which such device is attached."  18 U.S.C. § 3127(3) (1986).

22 Declan McCullagh, Terror Act Has Lasting Effects, Wired News, October 26, 2001, at http://www.wired.com/news/conflict/0,2100,47901,00.html.

23 See, e.g., U.S. Dep't of Justice Field Guidance on New Authorities Enacted in the 2001 Anti-Terrorism Legislation, at http://www.acm.org/usacm/DOJ_Terrorism_Law.htm.

24 McCullagh, supra note 22.

25 Id.

26 § 216 of the Patriot Act also significantly changed the jurisdictional requirements for issuance of a court order to install pen registers, however that issue will not be examined in this paper.

27 18 U.S.C. § 3127(3)(2001).

28 18 U.S.C. § 3127 (4) (2001).

29 18 U.S.C. § 3123 (2) (2001) (emphasis added).

30 18 U.S.C. § 3121 (c) (2001) (emphasis added).

31 U.S. Const. amend. IV.

32 Katz v. United States, 389 U.S. 347, 361 (1967) (J. Harlan concurring).

33 Smith v. Maryland, 442 U.S. 735, 741 (1979).

34 Id. (quoting United States v. New York Tel. Co., 434 U.S. 159, 167(1977)) (emphasis added).

35 Id. at 743.

36 Id. at 744.

37 Id.

38 Id. at 743.

39 Id. at 744.

40 Internet Service Providers

41 See, 18 U.S.C. § 3121(c) (2001); 18 U.S.C. § 3127(3)(2001); 18 U.S.C. § 3127(4)(2001).

42 18 U.S.C. § 3121(c)(2001) (emphasis added).

43 See, 18 U.S.C. § 3127(3)(2001); 18 U.S.C. §3127(4)(2001).

44 Daniel P. Collins (Dep't of Justice), Is Online Privacy Under Attack?: No-The USA Patriot Act properly and constitutionally protects and preserves the privacy of American citizens, Optimize Magazine (January 2002), at http://www.optimizemag.com/issue/003/pr_squareoff_no.htm. ("The act properly implements [the concept of technological neutrality] by amending the definitions of pen register and trap-and-trace device to make them technologically neutral.  At the same time, it preserves the substantive requirements imposed by the prior statute, as well as the requirement to obtain a court order for the use of the devices.")

45 See Illinois Institute of Technology Research Institute, Independent Review of the Carnivore System-Final Report, at ix (2000), available at http://www.usdoj.gov/jmd/publications/carniv_final.pdf.

46 Id.

47 Id.

48 Id.

49 Id.

50 Id.

51 Id.

52 Id.  For a graphical illustration of the Carnivore architecture, see Image A in Appendix.

53 Id. at x.  A screen shot of the Carnivore Configuration menu screen is available as Image B in Appendix.

54 Id. at vii.

55 Id. at vii.

56 Id. at C-1.

57 Id.

58 Id.

59 Id. at C-3.

60 Id. at 3-24.  A screen shot of the output data for a non-content e-mail message is contained in Image C in the Appendix.

61 Id. at C-4.

62 Id.

63 Id. at C-5.  A screen shot of the output data for a non-content web browsing session is contained in Image D in the Appendix.

64 Id. at C-7.

65 Id.

66 Id. at C-8.  For a screen shot of the out results of the FTP test, see Image E in Appendix.

67 18 U.S.C. § 3127(1)(2001).

68 18 U.S.C. § 2510(8)(2001)(emphasis added).

69 See, The American Heritage Dictionary of the English Language, Fourth Edition (2000).

70 Id.

71 United States v. New York Tel. Co., 434 U.S. 159, 167 (1977).

72 Id.

73 For example, my e-mail address is: bradley.bennett@att.net.  This address clearly reveals the user's name.  It is also common for users to establish e-mail addresses containing their birth date:  brad1004@domain.com.  This address might reveal that Brad's birthday is October 4.  Other possibilities that are more revealing than phone numbers are: fatfred@domain.com, bradloveslawschool@domain.com, etc.

74 Katz, supra note 32.

75 Jim Dempsey, CDT's Analysis of S.2092: Amending the Pen Register and Trap and Trace Statute in Response to Recent Internet Denial of Service Attacks and to Establish Meaningful Privacy Protections (April 4, 2000), at http://www.cdt.org/security/000404amending.shtml ("Such revealing information appears in other addresses: If you search Yahoo for information about "FBI investigations of computer hacking," the addressing information you send to Yahoo includes your search terms. The URL looks like this: http://search.yahoo.com/bin/search?p=FBI+and+hacking+investigations.").

76 Smith, supra note 33, at 741.

77 IITRI, supra note 45, at 3-13.

78 People v. Bialostok, 610 N.E.2d 374, 378 (Ct. App. N.Y. 1993).

79 Smith, supra note 33, at 751 (J. Marshall dissenting).