Packet Sniffers and Privacy: Why the No-Suspicion-Required Standard in the USA Patriot Act is Unconstitutional

Transcription

1 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 1 20-DEC-02 15:11 Packet Sniffers and Privacy: Why the No-Suspicion-Required Standard in the USA Patriot Act is Unconstitutional by Robert Berkowitz* I. INTRODUCTION The legal standards for electronic surveillance, like the underlying technologies themselves, are constantly evolving. Originally aimed at analog telephones with landlines, 1 the law has had to develop in order to deal with an expanding array of electronic communications, 2 most recently the Internet. 3 The challenge is a double one: statutes allowing surveillance must balance law enforcement s need for information with the privacy rights of the subjects of surveillance and the public at large. The USA Patriot Act, 4 passed in the wake of the terrorist attacks on New York City and Washington, D.C., is the most recent attempt to strike this balance. The electronic surveillance provisions of the Act provide clear statutory authority to intercept certain types of Internet communications without the government s having to show probable cause or even reasonable suspicion. This article argues that the USA Patriot Act thereby raises serious questions about individuals * After 13 years in the software industry, Rob Berkowitz graduated cum laude from California Western School of Law in September He lives in Carlsbad, California with his wife and two children. 1. Title III of the Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No , 82 Stat. 212 (1968), current version at 18 U.S.C.A (Supp. 2002) [hereinafter Wiretap Act]. 2. Title III of the Electronic Communications Privacy Act of 1986, Pub. L. No , 100 Stat. 1868, current version at 18 U.S.C.A (Supp. 2000)[hereinafter ECPA]; see also Communications Assistance for Law Enforcement Act, Pub. L. No , 108 Stat (1994), current version at 47 U.S.C (2000) [hereinafter CALEA]. CALEA was intended to preserve the government s ability... to intercept communications involving advanced technologies such as digital or wireless transmission modes, or features and services such as call forwarding, speed dialing and conference calling, while protecting the privacy of communications and without impeding the introduction of new technologies, features, and services. H.R. REP. NO , at 9 (1994), cited in United States Telecom Assoc. v. FCC, 227 F.3d 450, 454 (2000). 3. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act), Pub. L. No , 216, 115 Stat. 272, codified at 18 U.S.C.A (Supp. 2002) [hereinafter USA Patriot Act or the Act]. 4. Id.

2 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 2 20-DEC-02 15:11 2 Computer Law Review and Technology Journal [Vol. VII Fourth Amendment right to be secure against unreasonable searches and seizures. 5 In thinking about electronic surveillance, it is important to distinguish between two kinds of information that the government might seek. One is addressing and routing information, equivalent to what one could learn from reading the outside of a sealed mail envelope without being allowed to open it. This kind of information is thought to pose little risk to privacy, and receives little or no constitutional protection. 6 The other type of information is content information, or the equivalent of the letter inside the envelope. This kind of information carries a reasonable expectation of privacy, and is entitled to Fourth Amendment protection. 7 These distinctions become more difficult to apply as the technology for sending communications becomes more complex. For telephone calls, the content information is the actual conversation between participants. The addressing information includes the number the caller dialed, the originating number from which the caller dialed, the time of the call, and its duration. In the telephone context, addressing surveillance for outgoing calls is conducted using a device called a pen register. 8 Devices that collect information about incoming phone calls are called trap and trace devices. The federal pen register statute also covers these devices. The statute allows the government to obtain a court order authorizing collection of addressing information for renewable periods of sixty days. 9 The application must be made by an attorney and approved by a federal judge, but the attorney only needs to certify that the information likely to be obtained... is relevant to an ongoing criminal investigation. 10 The judge s role in approving surveillance of addressing information in the telephone context is ministerial in nature U.S. CONST. amend. IV. 6. See, e.g., United States v. Huie, 593 F.2d 14, 15 (5th Cir. 1979) ( There is no reasonable expectation of privacy in information placed on the exterior of mailed items and open to view and specifically intended to be viewed by others. ). 7. See, e.g., United States v. Phillips, 478 F.2d 743, 748 (5th Cir. 1973) ( [T]he privacy of a sealed item bearing the proper amount of postage for a first class item is protected from warrantless opening, not because it is given the appellation of first class but because the Constitution commands that result. ). 8. See United States v. Guglielmo, 245 F. Supp. 534, 535 (N.D. Ill. 1965) (explaining that a pen register is a mechanical device attached on occasion to a given telephone line, usually at central telephone offices.... There is neither recording nor monitoring of the conversation. ) U.S.C.A (Supp. 2002) U.S.C.A. 1323(a) (Supp. 2002). 11. See United States v. Fregoso, 60 F.3d 1314, 1320 (8th Cir. 1995); In re Application of the United States, 846 F. Supp. 1555, (M.D. Fla. 1994).

3 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 3 20-DEC-02 15: ] Packet Sniffers and Privacy 3 The separation of addressing information and content is less clear on the Internet. The Internet is a packet switched network. 12 This means that every communication sent over the Internet is broken down into smaller components called packets. The packets are sent separately across the Internet, and reassembled at their destination. Federal law enforcement officials use a packet sniffer to conduct surveillance on this type of information. A packet sniffer intercepts packets, which contain both addressing and content information. The USA Patriot Act extends the rationale of the pen register statute to the interception of Internet communications. Federal law enforcement officials convinced Congress that using a pen register and conducting certain types of Internet surveillance are analogous, so that the same legal standard (in which no suspicion is required) is appropriate. 13 This analogy, however, is flawed in three ways. First, a pen register collects only addressing information no law enforcement discretion is involved in discarding improperly intercepted information whereas a packet sniffer makes it possible for law enforcement agents to read content not authorized by the court s order. Second, people have a reasonable expectation of privacy in some of the information law enforcement officials obtain using a packet sniffer, unlike their limited privacy interest in envelopes and telephone numbers. Third, the particular packet sniffer that federal law enforcement officials use DCS1000 casts too wide a net, intercepting communications to and from innocent people wholly unrelated to the investigation. These differences render court orders authorizing the use of packet sniffers without probable cause unconstitutional. This conclusion may appear troubling at a time in which law enforcement is struggling to contain terrorist activities. Terrorists use the Internet to support their missions 14 and DCS1000 provides an efficient mechanism for conducting surveillance on these communications. Nevertheless, court orders authorizing this surveillance are unconstitutional, possibly undermining the successful prosecution of suspects and compromising civil liberties of innocent Americans. Furthermore, searches of Internet traffic would comply with constitutional requirements if the Act forced the government to make a higher and more precisely tailored showing of need. Section one of this article explains the rationale for the no-suspicionrequired standard that applies when issuing a court order for conducting surveillance with a pen register. Section two argues that extending the pen-register rationale to packet sniffers is inappropriate because of the greater 12. PRESTON GRALLA, HOW THE INTERNET WORKS 13 (2000). 13. See The Fourth Amendment and the Internet: Hearings Before the Subcomm. on the Constitution, House Comm. on the Judiciary, 106th Cong. (April 6, 2000) (written statement of Robert Corn-Revere), available at house.gov/judiciary/corn0406.htm [hereinafter Corn-Revere testimony]. 14. See Chris Hedges, A European Dragnet Captures New Clues to bin Laden s Network, N.Y. TIMES, Oct. 12, 2001, at B1.

4 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 4 20-DEC-02 15:11 4 Computer Law Review and Technology Journal [Vol. VII invasion of privacy and greater enforcement discretion involved. Section three suggests changes to the USA Patriot Act that would better protect constitutional privacy requirements. This section also offers technical solutions to some of the privacy issues. The article concludes by arguing that the FBI must modify DCS1000 to bring it into compliance with the Fourth Amendment, so that law enforcement can get the information it needs without compromising citizens right to privacy. II. THE PEN REGISTER RATIONALE Before the USA Patriot Act provided explicit authority to use a packet sniffer, law enforcement officials had to convince individual magistrates that using a packet sniffer was analogous to using a pen register. 15 To evaluate the transferability of the pen register rationale to packet sniffers, one must understand the reason pen register orders were easy to obtain in their original telephone context. A. The Constitutional Basis for Low Thresholds for Pen Registers The constitutional rationale supporting these ministerial court orders in the telephone context relies upon the difference between the content of a telephone call and the transactional information that initiates the call. 16 While courts recognize a reasonable expectation of privacy in the content of a telephone call (the spoken words), they do not recognize a reasonable expectation of privacy in a telephone call s associated transactional information (the telephone number a person dials to initiate a call). 17 This critical distinction has its roots in Katz v. United States, 18 a leading case that established the current approach to privacy. In Katz, the Court held that a search or seizure is 15. Corn-Revere testimony, supra note 13. The Department of Justice took the position that the pen register law applied to the Internet and used it to request court orders. See UNITED STATES DEP T OF JUSTICE, SEARCHING AND SEIZING COMPUTERS AND OBTAINING EVIDENCE IN CRIMINAL INVESTIGATIONS at 102 (2001), available at ( The Pen/ Trap statute permits law enforcement to obtain the addressing information for traditional phone calls.... The Pen/Trap statute [also] permits law enforcement to obtain the addressing information of Internet s (minus the subject line, which can contain contents... ) using a court order, just like it permits law enforcement to obtain addressing information for phone calls and individual Internet packets using a court order. ). 16. COMMERCIAL INTERNET EXCHANGE ASS N, The Legal Standard for Government Tracing of Internet Communications: The Misuse of Pen Register Court Orders for Real-Time Acquisition of Transactional Information, at 4, October 2000, at [hereinafter CIX WHITEPAPER]. 17. Id U.S. 347 (1967). Katz involved a listening device installed on the outside of a public pay telephone.

5 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 5 20-DEC-02 15: ] Packet Sniffers and Privacy 5 unreasonable if it intrudes upon a person s legitimate expectation of privacy. According to the Court, a legitimate expectation of privacy exists when: 1) the person has a subjective expectation of privacy, and 2) that expectation is objectively reasonable. 19 Nine years later, the Court created a major limit on that objective expectation of privacy. In United States v. Miller, the Court held that a customer has no constitutionally protected expectation of privacy in records that he voluntarily discloses to a business, such as bank information about financial transactions. 20 The Court concluded that the customer, Miller, assumed the risk that the business would reveal the information to the government in the course of cooperating with an investigation. The customer, therefore, had no reasonable expectation of privacy. 21 This principle can limit a person s privacy interest in telephone numbers, which the customer s phone reveals to the phone company, and Internet communications, which the Internet service provider (ISP) monitors for its own purposes. The following year, the Supreme Court applied the expectation of privacy rationale in the telephone context, distinguishing between the content of a telephone call and its addressing information. In United States v. New York Telephone Co., 22 the Court described the limited technical capabilities of a pen register, observing that it is incapable of acquiring or revealing the contents of communications because it discloses only the telephone numbers dialed to establish communication. 23 Pen registers, the Court found, decode outgoing telephone numbers by responding to changes in electrical voltage caused by the turning of the telephone dial (or the pressing of buttons on push button telephones). 24 The pen register records this information on paper tape, 25 so investigators interpret the information by sight rather than by sound. 26 Most importantly, the pen register reveals neither the content of the communication nor the identities of the callers. 27 Two years later the Supreme Court again addressed the constitutionality of pen registers in the landmark case on the subject, Smith v. Maryland. 28 The Court, relying upon the inability of a pen register to reveal content or identities, ruled that there is no constitutionally protected right of privacy in the 19. Id. at United States v. Miller, 425 U.S. 435, 443 (1976). 21. Id U.S. 159, 167 (1977). 23. Id. 24. Id. 25. United States v. Giordano, 416 U.S. 505, 549 (1974). 26. New York Tel. Co., 434 U.S. at Id U.S. 735 (1979).

6 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 6 20-DEC-02 15:11 6 Computer Law Review and Technology Journal [Vol. VII telephone numbers a person dials. 29 The Court reasoned that the numbers a caller conveys to the telephone company to complete a call are similar to the records a customer conveys to the bank to complete a transaction 30 and are, therefore, more like transactional information than content. In both of these transactions, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. 31 The Court also reaffirmed the principle that the Constitution recognizes a legitimate expectation of privacy in the content of a person s communications. 32 Courts analyzing the use of pen registers, then, have consistently relied on the devices limited abilities. The court order allowing use of the pen register creates no danger that law enforcement will also intercept content information. As the New York Court of Appeals noted, [t]he traditional pen register was, to a large extent, self-regulating. Neither through police misconduct nor through inadvertence could it reveal to anyone any information in which the telephone user had a legitimate expectation of privacy. 33 That court therefore held that a normal wiretap warrant was required when the device used as a pen register was also capable of recording the contents of communication, subject only to the good faith restraint of the police not to use it in that way. 34 B. A Sliding Scale of Statutory Protection Federal statutes governing electronic surveillance reflect the differences in technology, and the differences between addressing information and content information. 35 These laws provide a good (but not perfect) hierarchy of protection for electronic communication. The more private the communication, the more protection the laws provide. 36 In other words, the level of reasonable suspicion necessary for conducting surveillance increases proportionally with the likelihood that law enforcement personnel will intercept content. The types of information protected and the legal standard required to search are as follows, in increasing order of protection: Id. at Id. at Id. at See id. at People v. Bialostock, 610 N.E.2d 374, 378 (N.Y. 1993). 34. Id. 35. The Wiretap Act, 18 U.S.C (2000), and the ECPA, 18 U.S.C.A (Supp. 2002), as amended by the USA Patriot Act create the relevant framework. 36. CIX WHITEPAPER, supra note 16, at Id. at 8.

7 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 7 20-DEC-02 15: ] Packet Sniffers and Privacy 7 Type of information Legal standard for conducting a search Real-time transactional Ministerial court order based upon a certification information (digits dialed, that the installation of a pen register, trap and trace routing and addressing device, or packet sniffer is related to an ongoing information) criminal investigation. 38 A person s identity, Subpoena. 39 billing address, length and types of services to which the person subscribed Stored transactional Court order based upon judicial review of reasonable information (e.g. records suspicion and relevance to an ongoing criminal showing when was investigation. 40 sent and received) Stored content (e.g. Regular warrant based upon probable cause. 41 content saved on a person s computer) Real-time content in Wiretap Act warrant (more demanding than a regular transit (e.g. content warrant) based on probable cause plus the likelihood while the message is that the surveillance will capture the target being delivered) information. 42 The USA Patriot Act put some types of information a packet sniffer reveals in the first category as the conceptual equivalent 43 of the telephone numbers that a pen register reveals. It thereby authorizes, under the low nosuspicion evidentiary standard, court orders for the installation and use of a packet sniffer on the data network of an ISP to obtain a person s dialing, routing, addressing, and signaling information. 44 So how does a packet sniffer work, and why should the rules governing it be different? 38. Id. at See 18 U.S.C.A 2703(c)(2) (Supp. 2002). 40. CIX WHITEPAPER, supra note 16, at Id. 42. Id. at Paul Taylor, Issues Raised by the Application of the Pen Register Statutes to Authorize Government Collection of Information on Packet-Switched Networks, 6 VA. J.L. & TECH 10 (Spring 2001), at issue1/v6i1a04-taylor.html. 44. USA Patriot Act, supra note 2, at 216. Specific changes to the text of the pen register statutes yield the following results: numbers dialed now includes dialing, routing, addressing, and signaling information ; installation on a telephone line now includes installation on an ISP s data network ; single subscriber s line now includes all traffic on an ISP s data network ; and capturing the contents of any communication is expressly forbidden. Id.

8 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 8 20-DEC-02 15:11 8 Computer Law Review and Technology Journal [Vol. VII III. WHY THE PEN REGISTER RATIONALE SHOULD NOT EXTEND TO PACKET SNIFFERS The rationale supporting the use of a pen register does not support the use of packet sniffer searches for three reasons. First, the devices operate differently, especially in that packet sniffers allow more intrusive searches. Second, unlike a pen register, DCS1000 intercepts information that should be protected by the subject s reasonable expectation of privacy. Third, DCS1000 searches inevitably gather information from innocent people beyond the target. A. A Packet Sniffer is Much More than a Pen Register To execute a court order for Internet surveillance, the FBI uses a custom-made packet sniffer, which it originally called Carnivore for its ability to find the meat within the data. 45 In the face of growing public concern regarding privacy, the FBI renamed the voracious sounding Carnivore with the innocuous name DCS To install DCS1000, FBI agents bring a personal computer containing the Microsoft Windows NT operating system and packet sniffing software to the offices of the subject s ISP. 47 Together, the agents and ISP officials identify an access point and install a one-way tapping device onto the network. 48 This tap provides an exact copy of the network data traffic. 49 DCS1000 analyzes this traffic, looking for information that identifies the criminal suspect, and saves the desired information to disk so that it is readable by FBI agents. 50 Although DCS1000 analyzes all data it receives from the network tap, it saves neither the data of non-suspect individuals whose data is com- 45. See John Schwartz, Tapping Into Gray Areas, New Internet Surveillance Technology Raises As Many Questions As It Answers, HOUSTON CHRON., Feb. 16, 2001, at 1 (reporting that Carnivore replaced an earlier system called Omnivore. As the tool developed and became more discerning able to get at the meat of an investigation it was named Carnivore. ). 46. Declan McCullagh, Anti-Attack Feds Push Carnivore, WIRED NEWS, Sep. 12, 2001, at See IIT RESEARCH INSTITUTE AND THE ILLINOIS INSTITUTE OF TECHNOLOGY CHICAGO-KENT COLLEGE OF LAW, INDEPENDENT REVIEW OF THE CARNIVORE SYSTEM, DRAFT REPORT, (November 17, 2000) [hereinafter INDEPENDENT RE- VIEW] at ES.4, available at draft_1.pdf. 48. FBI, Carnivore Diagnostic Tool, at carnlrgmap.htm. 49. Id. 50. Id.

9 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: 9 20-DEC-02 15: ] Packet Sniffers and Privacy 9 mingled in the network traffic, nor the data of the criminal suspect that does not comply with the terms of the court order. 51 The pen register rationale is not appropriate for the use of packet sniffers because the pen register the Smith Court considered allowed no discretion on the part of law enforcement agents. 52 A packet sniffer differs from a pen register because it can reveal purport, content, and identities. Most importantly, a packet sniffer is not self-regulating; human beings must choose to obey the limits on searchable data, or the content of private communications will be revealed. Specifically, the DCS1000 requires case-specific configuration to comport with the terms of a court order. The following subsections explore the issue of self-regulation by explaining the technical capabilities of pen registers and packet sniffers. 1. Pen Registers and Trap and Trace Devices Remember that the pen register rationale developed at a time when law enforcement conducted surveillance on individuals using rotary dial telephones to communicate by voice. 53 When law enforcement officials conduct electronic surveillance pursuant to a pen register court order, they are seeking two types of telephone numbers: the number a suspect dials to initiate a telephone call, and the number of a telephone call that the suspect receives. Different devices, under the pen register statute, record different types of information: a pen register records a suspect s outbound telephone numbers and a trap and trace device (much like a caller ID device) records a suspect s inbound numbers. 54 The telephone network is a circuit switched network, whether implemented on an old style analog network or on a modern digital network. When a person makes a telephone call on an analog network (the type of network on which the Smith court based its rationale), the network dedicates a specific circuit for communication between caller and recipient. 55 Procedurally, the network: 1) accepts transactional information for the call; Id. 52. People v. Bialostok, 610 N.E.2d 374, 378 (N.Y. 1993). 53. The Carnivore Controversy: Electronic Surveillance and Privacy in the Digital Age: Hearings Before the Senate Judiciary Comm., 106th Cong. (September 6, 2000) (testimony of James X. Dempsey, Senior Staff Counsel, Center for Democracy and Technology), available at [hereinafter CDT testimony] U.S.C. 3127(3)-(4)(2000)(amended to add Internet surveillance by section 216 of the USA Patriot Act, 115 Stat. 290 (2001)). 55. United States Telecom Ass n v. FCC, 227 F.3d 450, 464 (D.C. Cir. 2000). 56. This information includes the number dialed, as well as the number and accounting information of the phone used to make the call. The Fourth Amend-

10 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15:11 10 Computer Law Review and Technology Journal [Vol. VII 2) establishes a connection with the destination; 57 and 3) opens the line for voice communication. All of the electronic signals carrying the communication travel along this circuit. 58 Transactional information is separate in time and space from the call content on an analog telephone network, which permits access to the transactional information (which has virtually no expectation of privacy) without revealing the call content (which has very high expectations of privacy). 59 Modern digital telephone networks function slightly differently, passing the transactional information on a separate channel from the conversation. 60 This separation reinforces the impossibility of... acquiring the contents of the conversation. 61 Thus, pen registers and trap and trace devices, whether on analog or digital networks, are only capable of reporting the numeric transactional information (i.e. telephone numbers). 62 They are incapable of recording content (i.e. conversations). 63 The limited capability of these devices is central to the rationale supporting their use. Courts consider traditional pen registers to be self-regulating. 64 A pen register cannot reveal the content of a telephone call either intentionally or mistakenly, 65 thereby ensuring that law enforcement does not intrude upon a person s legitimate expectation of privacy Packet Sniffing Devices When law enforcement officials conduct electronic surveillance using DCS1000 pursuant to a pen register court order, they are seeking dialing, ment and Carnivore: Hearings Before the United States House of Representatives Subcommittee on the Constitution, Committee on the Judiciary, 106th Cong. (July 28, 2000) (statement of Deborah S. Pierce, Staff Attorney, The Electronic Frontier Foundation), [hereinafter EFF statement], available at vore.html. 57. Id. 58. Id. 59. Electronic Frontier Foundation, Carnivore FAQ, at Newsletters/EFFector/HTML/effect13.06.html#Ib [hereinafter Carnivore FAQ]. 60. INDEPENDENT REVIEW, supra note 7, at A Id. 62. New York Tel. Co., 434 U.S. at Id. 64. Bialostok, 610 N.E.2d at Id. 66. Id.

11 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15: ] Packet Sniffers and Privacy 11 routing, addressing, and signaling information. 67 In practice, this information includes the following: network addresses, including both Internet Protocol (IP) addresses and port numbers; 68 addresses, 69 including the address of both the sender and recipient, and the name of lists that simultaneously send e- mail to a group of people; and Uniform Resource Locators (URLs), 70 including the full path and file name of a Web page, as well as parameters that a Web browser passes to an application hosted on a Web server. Unlike the telephone network call data, Internet data does not travel along a single path. 71 As mentioned above, the Internet is a packet-switched network, which breaks data into packets that traverse the network to a destination. 72 To optimize resources, the network dynamically calculates a route for each packet based upon the currently available resources. And because these resources change rapidly, individual packets commonly take different routes to the destination to be reassembled. To appreciate fully the USA Patriot Act s impact requires a basic understanding of the parts of these packets. Each packet has two components: a header and a payload. 73 The header contains the information necessary for the network to deliver the packet to its destination for reassembling the message. 74 The USA Patriot Act treats this as addressing information, which is collectable under a ministerial court order. The payload section of the packet, on the other hand, contains the actual communication (e.g. the text of an e- mail message). 75 Generally speaking, this information is content, which the Act expressly forbids collecting with only a ministerial court order. DCS1000 is not self-regulating (nor does the USA Patriot Act require it to be), but is instead a configurable device 76 that can collect a broad spectrum U.S.C.A. 3127(3) & (4) (Supp. 2002). 68. Department of Justice, Computer Crime and Intellectual Property Section, Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001, available at (last updated Nov. 5, 2001). 69. Id. 70. EFF statement, supra note United States Telecom Ass n v. FCC, 227 F.3d 450, 464 (D.C. Cir. 2000). 72. Carnivore FAQ, supra note United States Telecom Ass n, 227 F.3d at Id. 75. Id. 76. Internet and Data Interception Capabilities Developed by FBI: Hearings Before the United States House of Representatives, Subcommittee on the Con-

12 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15:11 12 Computer Law Review and Technology Journal [Vol. VII of Internet communications. It is capable of both narrow, address-only searches and full wiretap-like content searches of Internet communications. 77 After obtaining a pen register court order, FBI technicians must configure DCS1000 to limit its search capabilities to comply with the terms of the court order. 78 Adherence to the court order thus depends entirely on whether the agent installing DCS1000 programs it for a limited search. With this technical overview in mind, the operative differences between pen registers and packet sniffers emerge. Although transactional information and content are separated by time and space on a telephone network, they coexist in time and space within the packet on a packet-switched network. 79 While a pen register is incapable of recording content, DCS1000 is actually designed to do so. 80 Since law enforcement officials must configure the packet sniffers on a case-by-case basis, the devices are not self-regulating, and the Court s rationale for upholding the use of pen registers does not properly extend to the use of packet sniffers. B. Packet Sniffers Collect Information Protected by Reasonable Expectations of Privacy The Smith Court held that using a pen register did not violate subjective or objective expectations of privacy because a caller voluntarily assumes the risk that the telephone company collects call information and will share it with the government. 81 It is unclear, however, that a person assumes a similar risk of revealing private information when sending or surfing the Internet. Moreover, the information that law enforcement officials obtain with a packet sniffer does reveal content and identities. Thus, Internet surveillance conducted pursuant to a no-suspicion-required court order violates reasonable expectations of privacy. 1. No Assumption of the Risk The Smith Court held that there is no legitimate expectation of privacy in telephone numbers because a customer knows that the telephone company records this information for billing purposes and for fraud prevention. 82 Each month, telephone customers receive an itemized bill showing long distance stitution, Committee on the Judiciary, 106th Cong. (Statement for the Record of Donald M. Kerr, Assistant Director Laboratory Division Federal Bureau of Investigation) (July 24, 2000), [hereinafter Kerr statement], available at Id. 78. Id. 79. See CDT testimony, supra note Kerr statement, supra note Smith v. Maryland, 442 U.S. 735, 744 (1979). 82. Id. at 742.

13 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15: ] Packet Sniffers and Privacy 13 charges that includes each number the customer dialed. 83 Customers assume the risk that the telephone company will reveal this information to third parties. 84 It is less clear whether Internet users assume a similar risk that their ISP collects and will reveal the transactional information regarding their Internet activities. Many Internet users understanding of how the network works is so minimal that it is questionable whether people actually realize the extent of information they reveal to their ISPs. Unlike telephone bills, the monthly bill Internet users receive from their ISP does not list recipients or viewed Web pages. Moreover, individuals receiving Internet access through their workplace never even receive a bill. It is stretching the telephone analogy too far to argue that Internet users, without a basic understanding of how the Internet works, have knowingly assumed the risk that their ISP will reveal their Internet usage habits to the government Very Low Privacy Expectations in IP Addresses Not all of the information a packet sniffer reveals merits a reasonable expectation of privacy. While this article generally argues that packet sniffers reveal private information, the one exception to this argument is IP addresses. Telephone numbers and IP addresses are conceptually equivalent. The transactional information a pen register collects is limited to a telephone number, which does not conclusively reveal a person s identity because multiple people within a home commonly share telephones. 86 While law enforcement can use a reverse directory to reveal the billing name and address associated with a number, this information has no constitutionally protected privacy expectations. 87 Reverse telephone directories are in the public domain and are readily available through the Internet. Ultimately, a telephone call s transactional information fails to conclusively identify a caller or call recipient. 83. Id. 84. Id. at 744. Although charges for local phone service do not appear on monthly bills, the Court found the same assumption of the risk, refusing to have Fourth Amendment rights turn on the billing practices of particular phone companies. Id. at But see United States v. Miller, 425 U.S. 435, 443 (1976) (stating that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed. ) (emphasis added). 86. CIX WHITEPAPER, supra note 16, at See Glenn Chatmas Smith, We ve Got Your Number! (Is it Constitutional to Give it Out?): Caller Identification Technology and the Right to Information Privacy, 37 UCLA L. REV. 145, 201 (1989).

14 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15:11 14 Computer Law Review and Technology Journal [Vol. VII The one element of Internet transactional information that is analogous to a telephone number is an IP address. A telephone number uniquely identifies sending and receiving accounts on the telephone network; similarly, an IP address uniquely identifies a device on the Internet. Each packet a person sends over the Internet includes the sender s IP address. Obtaining IP addresses is potentially justifiable under the pen register rationale 88 because there is no way to identify conclusively an individual through an IP address. Just as a reverse telephone directory can associate a telephone number with a physical address, ISPs are able to correlate a specific IP address with a billing address. As with telephone billing information, however, an ISP s billing information does not conclusively reveal a person s identity. Because of these similarities, IP addresses are conceptually equivalent to telephone numbers and are not protected by any legitimate expectations of privacy. 3. Higher Privacy Expectations with Addresses Transactional information on the Internet is much more than just IP addresses. Transactional information also includes addresses, which are much more revealing than either a telephone number or an IP address. 89 True, an address resembles a telephone number because both reveal the origin and destination of a communication. But has three unique qualities that engender higher expectations of privacy than exist with telephone numbers and IP addresses. First, the way individuals use addresses reveals identities of particular users. Second, the way individuals name lists reveals associations among individuals. Third, a search that collects addresses must open and examine the high-privacy portion of an IP packet. a. Revealing Individual Identities accounts are so inexpensive to create and administer that it is common for individuals to have more than one address. Unlike telephone numbers, the extremely low cost of makes sharing addresses with others in the home the exception, not the rule. 90 Therefore, an e- mail address reveals a specific party to a communication while a telephone number reveals, at most, the billing address of an involved party. Moreover, accounts are password-protected. When a person sends a message, password-protection heightens the likelihood that the intended recipient and only the intended recipient reads the message. In this way, addresses reveal identities, contrary to the pen register rationale in Smith. b. Revealing Group Identity surveillance also violates reasonable expectations of privacy when the packet sniffer collects lists names. An list allows a 88. See CDT testimony, supra note See id. 90. See EFF statement, supra note 60.

15 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15: ] Packet Sniffers and Privacy 15 sender to address a message to a group of people using only one address. The name of the list appears in the message s To: field, appearing as a regular address. When individuals create these lists, the name often reflects the group s common interest. For example, sending a message to a group named FloridaFlightInstructors strongly suggests that the message s content deals with flight instruction in Florida. In this manner, contrary to Smith s rationale, an address indicates substantive information and not just a number. c. Scanning Private Information Collecting addresses also violates reasonable expectations of privacy because the surveillance process involves parsing the payload of the packet. 91 The transactional portion of an message the To: and From: fields is commingled with content in the payload portion of a packet. 92 To obtain addresses, a packet sniffer must sift through content to find the transactional information. 93 This is similar to the act of opening a business letter and reading the sender s and recipient s addresses, but promising not to read any farther. Parsing a packet s payload reveals content, which is also contrary to the rationale in Smith. 4. Substantial Privacy Expectations in URLs In addition to privacy expectations, the most troubling aspect of the USA Patriot Act is that it permits law enforcement to collect the Uniform Resource Locators ( URLs ) that a person s Web browser sends. 94 A URL s job is to locate a resource on the Web using a unique string of alphanumeric characters. Whether in the form of a text page, audio stream, or a video file, all information that the Internet manages is a resource that has a unique URL. Because they can be thought of as mere addressing information, law enforcement officials argue that they should be allowed to collect URLs pursuant to a ministerial court order. 95 This argument, however, overlooks the kind of information that URLs can reveal. URLs can implicate legitimate expectations of privacy by revealing a file name, which in turn indicates content. URLs can also disclose content by revealing commands sent to an application. a. How a File Name Reveals Content The following chart illustrates what information the URL cwsl.edu/faculty/nlee/nleemain.htm reveals: 91. CDT testimony, supra note Id. 93. Id. 94. Carnivore FAQ, supra note Taylor, supra note 43, at 18.

16 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15:11 16 Computer Law Review and Technology Journal [Vol. VII String of text What it reveals The individual is using a Web browser to display an HTML page. The page is located at California Western School of Law, an educational institution. /faculty The page is stored in a subdirectory that contains information about faculty. /nlee/nleemain.htm The requested page is the main page for faculty member N. Lee. The problem from a privacy perspective is that webmasters commonly name files in a way that indicates the contents of the file. This naming scheme makes website administration more efficient by allowing an individual to know the contents of a file without actually opening it. While the webmaster has no privacy expectations in the file names the public sees, the individual viewing the file has a privacy interest in the fact that he has viewed a file with that name. In this context, the file name is part of the entire URL, and it reveals confidential information by indicating the website an individual visited and by providing an accurate description of what the individual viewed at that website. Law enforcement officials can also use the URL to lead them to and to display the actual page the forbidden content that the suspect viewed. b. How a Command Sent to an Application Reveals Content A Web browser also uses URLs to communicate with applications on a Web server. For example, a common Internet search proceeds as follows: an individual types search parameters into a Web form; the individual clicks a SEARCH button to initiate the search; and the browser passes the search terms to the website s search utility by appending the search terms to the end of the URL. Consider, for example, the URL search?p=all&p=boxcutter This sample URL reveals a search request at the Yahoo shopping site for box cutters. When DCS1000 captures this URL as addressing information, law enforcement officials can view information that explicitly reveals the forbidden content of the communication. C. DCS1000 Searches Intercept Communications of Non-Targeted People DCS1000 conducts surveillance by tapping a particular line of Internet traffic. This allows the packet sniffer to intercept the Internet packets flowing past that particular point in the network. Because the technology works this way, packet sniffers examine all traffic passing through a particular point as they attempt to locate the information subject to the court order. This

17 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15: ] Packet Sniffers and Privacy 17 means that DCS1000 will search the communications of innumerable customers of the ISP; when looking for the criminal suspect s identifying information, DCS1000 must also search the packets of individuals who are wholly unrelated to the criminal investigation. The FBI argues that this analysis of packets is not a search, because DCS1000 filters and discards the information that agents are not looking for. It writes to disk only the information that complies with the court order s terms and discards the rest before any human reads it. Thus, FBI agents view only what is permissible. 96 In a way, DCS1000 conducts an automated in camera review of the network traffic. Like a neutral magistrate, it maintains privacy interests by revealing to FBI agents only the information that the court order allows. This reasoning ignores the computer s intrusive surveillance. The Fourth Amendment search occurs at the moment DCS1000 analyzes packets of non-suspect customers, before it decides what to write to disk and before agents read what was written. Even though the device subsequently discards the unwanted information, a Fourth Amendment search has taken place. 97 Unlike the privacy protection that a judicial in camera review provides, DCS1000 filtering provides no comparable checks and balances. The executive branch created DCS1000 and the device has never undergone comprehensive public scrutiny. As stated previously, DCS1000 is not a selfregulating device. It is unacceptable to have to trust FBI agents who are focused on ferreting out crime to replace a judge s oversight and focus on respecting individual privacy rights. Conducting electronic surveillance using a device that is capable of intruding upon legitimate expectations of privacy requires a warrant because only interposing the Magistrate s oversight... provides... citizens appropriate protection against unlawful intrusion. 98 D. Recent Cases Find Privacy Interests in Communications That Combine Addressing and Content The USA Patriot Act contains imprecise definitions of transactional information and content. On the Internet, there is transactional information that reveals content and content that reveals transactional information, and the USA Patriot Act does not expressly address this issue. Vague definitions permit law enforcement to over-collect information while providing plausible deniability to claims of privacy intrusion. Even before the Act was passed, federal law enforcement officials obtained Internet surveillance orders (using DCS1000) by using the pen register statute, 99 and challenges on constitutional grounds have not succeeded. Two recent decisions suggest, however, 96. Kerr statement, supra note CDT testimony, supra note People v. Bialostok, 610 N.E.2d 374, 378 (N.Y. 1993). 99. See Kerr statement, supra note 76.

18 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15:11 18 Computer Law Review and Technology Journal [Vol. VII that courts will require a higher showing of need for searches that gather more than addressing information. In a case involving electronic surveillance of digital pager communications, the Fourth Circuit Court of Appeals reversed a conviction that was based in part upon evidence obtained pursuant to a pen register court order. 100 The court was concerned about law enforcement s usage of a pager clone instead of a traditional pen register to monitor the suspect s coded pager messages. 101 Instead of entering a telephone number, the caller entered a string of numbers with significance to the receiver, and so by intercepting those numbers law enforcement gathered more than phone numbers. 102 When an individual uses a pager in this way, the surveillance reveals content of a communication, although the captured information is only numeric. 103 The court held that the no-suspicion-required standard is too low when using a device that is capable of obtaining content, whether or not the government has actually used it to do so. 104 This decision is reasonable because it requires the neutral detachment of a magistrate to oversee the use of a device that can easily exceed the scope of permissible use. In a similar context, the District of Columbia Circuit Court of Appeals recognized a difference between the interception of call identifying information and interception of call content. 105 The circuit court ruled that while the pen register law authorizes the collection of digits, it does not authorize agents to collect digits that convey content. 106 The court used the numbers that a person presses when using a bank s automated telephone system as an example. 107 By analogy, a court would also not permit the over-collection of alphabetic characters that convey content in addresses and URLs. These decisions should be troubling to proponents of low standards for packet sniffing. Regardless of what constitutes content and what constitutes transactional information, DCS1000 is capable of capturing content. Law enforcement can use the device to conduct full content searches under Wiretap Act warrants. 108 If the Supreme Court applies the same rationale to DCS1000 that the two courts of appeals applied, it will find that the evidentiary standard for the use of DCS1000 is unconstitutionally low. A higher standard will be needed in order to maintain reasonable privacy expectations Brown v. Waddell, 50 F.3d 285, (4th Cir. 1995) Id Id Id Id. at 294 n United States Telecom Ass n v. FCC, 227 F.3d 450, (D.C. Cir. 2000) Id. at For example, digits dialed after a call is connected may reveal private information such as PINS, passwords, or account numbers Id. at Kerr statement, supra note 76.

19 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15: ] Packet Sniffers and Privacy 19 IV. HOW TO BE PATRIOTIC AND RESPECT PRIVACY SIMULTANEOUSLY In its haste to pass the USA Patriot Act, Congress granted the FBI the authority to unconstitutionally compromise privacy. Fortunately, this situation can be remedied. This section explores two related issues. First, it will examine ways in which Congress could amend the USA Patriot Act to comply with the Fourth Amendment and principles of privacy. Second, it will discuss technical solutions to decrease the potential for invasions of privacy. A. How the USA Patriot Act Should Be Changed Packet sniffing devices have provided valuable evidence in dozens of cases. Any legislation authorizing the use of a packet sniffer must be carefully drafted so as not to undermine the device s usefulness. Nevertheless, privacy concerns must moderate the scope of the surveillance. To accomplish this balance, the USA Patriot Act should be amended to require a higher threshold to obtain a court order, and the court s role in granting such orders should be judicial rather than ministerial. As noted, to the extent that it reveals information that is analogous to a telephone number, a packet sniffer is conducting a reasonable search for Fourth Amendment purposes. In practice, however, DCS1000 is incapable of obtaining this information without intruding upon legitimate privacy expectations. The device can and does search information that the Fourth Amendment protects, 109 including the information of innocent people. Therefore, the USA Patriot Act should not have extended the authority of ministerial court orders to the use of packet sniffers. addresses and URLs that reveal file locations and file names both reveal content as well as addressing information. This content is low privacy content because it indicates meaning without revealing the exact content of the communication. Specifically, observing a person s website viewing habits reveals facts that, combined with logical deductions drawn from those facts, can constitutionally lead to a reasonable suspicion that criminal activity is afoot. Law enforcement should be able to collect this information without a warrant. But there must be a check against unfettered surveillance. To collect this low privacy content information, the USA Patriot Act should require a neutral and detached magistrate to issue a court order after establishing the existence of reasonable suspicion. This oversight would ensure the reasonableness of the surveillance and would add only minimal procedural overhead, given the significant overhead FBI agents already encounter in preparing DCS1000 and coordinating with the ISP to install and use it. Other kinds of URL information, however, involve high privacy content. An Internet user s use of HTML forms, and the URLs sent as searches to various applications, reveal private information. This use of URLs also discloses content, because as described above it can reveal the substance of a 109. Id.

20 \\server05\productn\s\smc\7-1\smc101.txt unknown Seq: DEC-02 15:11 20 Computer Law Review and Technology Journal [Vol. VII person s communication with an application on a Web server. Thus the URLs involved in HTML forms and search requests should have full Fourth Amendment protections and the USA Patriot Act should require a warrant based on probable cause for this type of information. B. How Technical Solutions Could Protect Privacy To address the over-capable issue raised by the courts of appeals (the self-regulation issue), the FBI should develop variations of DCS1000 that are precisely tailored to the information sought and are, therefore, self-regulating. Instead of including all features of DCS1000 in one application, the FBI should create applications that contain subsets of features. For example, the FBI could use: DCS1000 to conduct warranted content and transactional searches, DCS1001 to conduct more limited, reasonable-suspicion searches, and DCS1002 to collect IP addresses and port numbers. These spin-offs would not be capable of exceeding the scope of a court order or warrant because the features that would permit such access would simply not be present. They would be self-regulating and would not require trusting an FBI agent to properly configure and use DCS1000. Still, the issue of parsing the payload portion of a packet to obtain addressing information remains. This issue is inherently linked to the architecture of an IP packet and is unlikely to change to accommodate law enforcement objectives any time soon. Therefore, this sort of searching must continue indefinitely. To satisfy privacy concerns, the FBI should permit the judicial branch and public representatives to test the operation of DCS1000 and its progeny and to review DCS1000 s source code. This would ensure that the automated in camera review functions in a way to protect public privacy. This approach would maintain packet sniffers usefulness while simultaneously upholding constitutional safeguards of privacy. V. CONCLUSION Technical and legal changes are necessary to bring the use of DCS1000 into compliance with the Fourth Amendment because the indiscriminate, nosuspicion-required standard is too low for packet sniffers. As explained, using a packet sniffer is not the conceptual equivalent of using a pen register because DCS1000 is not a self-regulating device incapable of intercepting content. It is instead a powerful program capable of conducting searches that violate legitimate privacy expectations. Despite all of this, DCS1000 is an important tool for law enforcement. Being able to sort easily through huge amounts of information in a way that is both undetectable and highly accurate is a laudable engineering accomplishment. The surveillance technology, however, must evolve, and the general searching of packets of innocent people must stop. In addition, the FBI should subject the source code to inspection to verify that its capabilities are appropriately limited.