Cybertelecom
Cybertelecom
Federal Internet Law & Policy
An Educational Project
ECPA :: Title III :: Pen Register Act
Non Content :: Trap & Trace
Dont be a FOOL; The Law is Not DIY

Introduction

Beyond content in transmission and store content, there is non-content information including

Definition: Transactional information is also known as "Call Detail Records" or "telephone metadata." Metadata is data about communications, but is not the communications itself. [Forum Guide to Metadata, National Center for Educational Statistics ("Metadata is data about data")] [See Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Rev. 4 (April 2013) (superseded) (setting forth definition of "metadata") ("Information describing the characteristics of data including, for example, structural metadata describing data structures (e.g., data format, syntax, and semantics) and descriptive metadata describing data contents (e.g., information security labels).")] [American Civil Liberties Union v. Clapper, 785 F. 3d 787, 793-94 - Court of Appeals, 2nd Circuit 2015 ("Unlike what is gleaned from the more traditional investigative practice of wiretapping, telephone metadata do not include the voice content of telephone conversations. Rather, they include details about telephone calls, including, for example, the length of a call, the phone number from which the call was made, and the phone number called. Metadata can 794*794 also reveal the user or device making or receiving a call through unique "identity numbers" associated with the equipment (although the government maintains that the information collected does not include information about the identities or names of individuals), and provide information about the routing of a call through the telephone network, which can sometimes (although not always) convey information about a caller's general location")] [In Re Electronic Privacy Information Center, On Petition for a Writ of Mandamus and Prohibition, or a Writ of Certiorari, to the Foreign Intelligence Surveillance Court, S. Ct. July 8, 2013, attaching In re Application of the FBI for an Order Requiring the Production of Tangible Things from Verizon Business Network Services, Inc. on Behalf of MCI Communication Services, Inc., No. BR 13- 80 (FISC Apr. 25, 2013)) ("Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer.")] [Kerr, Orin, "Websurfing and the Wiretap Act," Washington Post, June 4, 2015 ("the line between contents and metadata is not abstract but contextual with respect to each communication")]

Risks Transactional information can reveal significant amounts of personal information. [Jonathan Mayer and Patrick Mutchler, MetaPhone: The Sensitivity of Telephone Metadata, Web Policy (Mar. 12, 2014)] [Susan Landau, Categorizing Uses of Communications Metadata: Systematizing Knowledge and Presenting a Path for Privacy, In New Security Paradigms Workshop 2020 (NSPW '20), October 26–29, 2020, Online, USA. ACM, New York, NY, USA, 19 pages. https://doi.org/10.1145/3442167.3442171 (The NSA knew full well the value of such metadata; as former NSA Director Michael Hayden noted in 2014, "We kill people based on metadata." )] [Data retention: Law enforcement accessed 'metadata' more than 296k times in FY18, ComputerWorld] [Cole, David, "We Kill People Based on Metadata," New York Review of Books, May 10, 2014] [Landau, Susan Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 ("Communications metadata can show the underlying structure of criminal and terrorist conspiracies. This metadata is everywhere: in the bits in the cell towers that say this phone was in this vicinity at this time, and in routers that say an email was sent at this moment from this physical vicinity. Even negative metadata—for instance, that a phone was turned off in a given vicinity—can benefit investigators. In France, police have used information on when and where phones are turned off to find criminals using stolen credit cards [73]. Patterns that show pairs of phones that trade off—one working only when the other is not—can highlight the presence of terrorists or drug dealers.")]

Legal protections Customers have no Fourth Amendment protection in transactional records pursaunt to the third party doctrine. See United States v. Baxter, 492 F.2d 150, 167 (9th Cir. 1973), cert. denied, 416 U.S. 940, 94 S.Ct. 1945 (1974); United States v. Fithian, 452 F.2d 505, 506 (9th Cir. 1971); United States v. Clegg, 509 F.2d 605, 610 (5 Cir. 1975) . Customers have no expectation of privacy in their telephone records (who they called) and the use of a Pen Register does not constitute a search. Smith v. Maryland, 442 U.S. 735 (1979)

While there is not constitutional protection of this information, there is statutory protection pursuant to ECPA; FISA; and possibly CPNI.

Transactional Records: Pen Registers & Trap and Trace

Law enforcement officers may seek to receive transactional information about the communication, or they may seek to receive the communication, the message, itself. Generally, the actual content of a communications receives greater protection than information about the transaction of a communication.

A "pen register" is defined as "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication . . . ." 18 U.S.C. § 3127(3).

A "trap and trace device" is defined as "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however that such information shall not include the contents of any communication." 18 U.S.C. § 3127(4).

"Because Internet headers contain both “to” and “from” information, a device that reads the entire header (minus the subject line in the case of email headers) is both a pen register and a trap and trace device, and it is commonly referred to as a pen/trap device." [Search Seizure 2009 p 154]

Transactional information does not reveal the message of the communication but more generally provides information that the communication took place. These are known as pen register, or trap and trace records. 18 U.S.C. §§ 3121-27.

Pen registers traditionally recorded "the number dialed on a telephone line" and trap and trace devices "capture incoming electronic impulses that identify the originating number." [Electronic Frontier] [Hill 1195-96] The Patriot Act clarified that law enforcement offices may also seek all "dialing, routing, addressing, or signaling information" including email addresses, inbound FTP connections, or the location from which a remote user is logging in. 18 U.S.C. § 3121(c). [DOJ US Attorney's Manual Title 9-7.500 Electronic Surveillance: Prior Consultation with the Computer Crime and Intellectual Property Section of the Criminal Division (CCIPS) for Applications for Pen Register and Trap and Trace Orders Capable of Collecting Uniform Resource Locators (URLs)] [H.R. Rep. No. 103-827, at 10, 17, 31] [Allen 409] [Forrester 9th Cir. 2007 (IP addresses covered)]

Transactional information would not include the subject line of an email. 18 U.S.C. § 2510(8).

In the old network, transactional information could be acquired by attaching a device to the network. In the new network, the Patriot Act made clear that a trap and trace device could be “attached or applied;” in other words, law enforcement officials can gain access to software and computer processing. [See Carnivore, CALEA]

Cell Tower Information

Telephone Numbers

Call Detail Records

Internet

"The distinction between addressing information and content also applies to Internet communications. For example, when computers on the Internet communicate with each other, they break down messages into discrete chunks known as packets and then send each packet out to its intended destination. Every packet contains addressing information in the header of the packet (much like the "to" and "from" addresses on an envelope), followed by the payload of the packet, which contains the contents (much like a letter inside an envelope). The Pen/Trap statute permits law enforcement to obtain the addressing information of Internet communications much as it would addressing information for traditional phone calls. However, collecting the entire packet ordinarily implicates Title III. The primary difference between an Internet pen/trap device and an Internet Title III intercept device is that the former is designed to capture and retain only addressing information, while the latter is designed to capture and retain the entire packet." - Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 152 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

  • IP Address (origination and destination)
  • Ports
  • transport layer protocol (TCP, UDP)
  • Domain Name / URL
  • Routing
  • Packet load (number of packets, size of packets, amount of traffic, variation on amount of traffic (lots of traffic between 8 and 10 pm, little traffic at 2 am))
  • Time of traffic
  • Cookies

See Assessment; Forensics

Emails

"The same distinctionapplies to Internet email. Every Internet email message consists of a set of headers that contain addressing and routing information generated by the mail program, followed by the actual contents of the message authored by the sender. The addressing and routing information includes the email address of the sender and recipient, as well as information about when and where the message was sent on its way (roughly analogous to the postmark on a letter). See United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (email to/from addresses and IP addresses constitute addressing information). The Pen/Trap statute permits law enforcement to obtain the header information of Internet emails (except for the subject line, which can contain content) using a court order, just like it permits law enforcement to obtain addressing information for phone calls and individual Internet packets using a court order. Conversely, the interception of email contents, including the subject line, requires compliance with the strict dictates of Title III." - Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 152 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

URLs

"In some circumstances, questions may arise regarding whether particular components of network communications contain content. See In re Application of United States, 396 F. Supp. 2d 45, 49 (D. Mass. 2005) (asserting that uniform resource locators ("URLs") may contain content); In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9, 16 (1st Cir. 2003) (noting that user-entered search terms are sometimes appended to the query string of the URL for the search results page). Because of these and other issues, the United States Attorneys' Manual currently requires prior consultation with CCIPS before a pen/trap may be used to collect all or part of a URL. See United States Attorneys' Manual § 9- 7.500. Prosecutors who have other questions about whether a particular type of information constitutes contents may contact CCIPS for assistance []." - Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 152 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

IP Numbers

"Addressing" covers IP numbers. Courts have found that IP numbers are the same as telephone numbers. The courts have also found that there is no expectation of privacy is a telephone number pursuant to the third party doctrine.

  • US v. ULBRICHT, Court of Appeals, 2nd Circuit 2017 ("IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party's servers." United States v. Christie, 624 F.3d 558, 574 (3d Cir. 2010) ...The recording of IP address information and similar routing data, which reveal the existence of connections between communications devices without disclosing the content of the communications, are precisely analogous to the capture of telephone numbers at issue in Smith. That is why the orders here fit comfortably within the language of a statute drafted with the earlier technology in mind. The substitution of electronic methods of communication for telephone calls does not alone create a reasonable expectation of privacy in the identities of devices with whom one communicates. Nor does it raise novel issues distinct from those long since resolved in the context of telephone communication, with which society has lived for the nearly forty years since Smith was decided. Like telephone companies, Internet service providers require that identifying information be disclosed in order to make communication among electronic devices possible. In light of the Smith rule, no reasonable person could maintain a privacy interest in that sort of information.")
  • United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008)
    • Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account.[5] We conclude that the surveillance techniques the government employed here are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users' imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742, 99 S.Ct. 2577. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information. Like telephone numbers, which provide instructions to the "switching equipment that processed those numbers," e-mail to/from addresses and IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party's servers. Id. at 744, 99 S.Ct. 2577.
    • Second, e-mail to/from addresses and IP addresses constitute addressing information and do not necessarily reveal any more about the underlying contents of communication than do phone numbers.
  • United States v. Wheelock, 772 F.3d 825, 828 (8th Cir. 2014) (holding that the defendant "cannot claim a reasonable expectation of privacy in [the] government's acquisition of his subscriber information, including his IP address and name," because it had been "revealed to a third party" (internal quotation marks omitted))
  • Christie, 624 F.3d at 573 (holding that there is no expectation of privacy in "subscriber information provided to an internet provider," such as an IP address (internal quotation marks omitted));
  • Guest v. Leis, 255 F.3d 325, 336 (6th Cir. 2001) (holding that "computer users do not have a legitimate expectation of privacy in their [bulletin board] subscriber information because they have conveyed it to another person");
  • United States v. Graham, 824 F.3d 421, 432 (4th Cir. 2016) (en banc) (noting that "third-party information relating to the sending and routing of electronic communications does not receive Fourth Amendment protection");
  • United States v. Carpenter, 819 F.3d 880, 887 (6th Cir. 2016) ("[C]ourts have not (yet, at least) extended [Fourth Amendment] protections to the internet analogue to envelope markings, namely the metadata used to route internet communications, like . . . IP addresses.").

Legal Process

Transactional information may be obtained pursuant to a court order. 18 U.S.C. § 3123. [Search & Seizure Manual Appendix D] The law enforcement official must represent to the Court “that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.” 18 U.S.C. § 3123(a). Court orders shall specify

18 U.S.C. § 3123(b)(1). A court order must specify the initial service provider but it need not specify subsequent providers. 18 U.S.C. § 3123(b)(1)(A). Subsequent providers may request certification that the order applies to that provider, and the law enforcement officer is obligated to provide it. 18 U.S.C. § 3123(a)(1).

Confused? So are we. Check out the What Gets What Chart.

"To obtain a pen/trap order, applicants must identify themselves, identify the law enforcement agency conducting the investigation, and then certify their belief that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by the agency. See 18 U.S.C. § 3122(b)(1)-(2)." [Search Seizure 2009 p 154]

DOJ has reported that it’s new pen register/trap and trace authority “was employed in the investigation of the murder of journalist Daniel Pearl to obtain information that proved critical to identifying some of the perpetrators.” [Jamie Brown]

Pen Registers for email have been found to be constitutional. [Forrester (9th Cir)]

See also Emergency Trap and Trace

Geographic Scope: Court orders issued by federal court may be executed anywhere in the United States. 18 U.S.C. § 3123(a)(1); 18 U.S.C. § 3127(2). Court orders issued by states are good only within that state. 18 U.S.C. § 3123(a)(2).

Time Limit: These Court orders are good for 60 days and can be extended for an additional sixty-day periods. 18 U.S.C. § 3123(c).

Gag Rule: A court order shall direct the service provider to keep it quiet. The service provider is not permitted to disclose “the existence of the pen register or trap and trace device or the existence of the investigation” unless directed to do so by the court. 18 U.S.C. § 3123(d).

Installation: The court order shall tell the service provider that they get to help the law enforcement officials out with the pen register or trap and trace. 18 U.S.C. § 3124. In instances where officers install their own device, they must use "technology reasonably available to it" in order to avoid intercepting the contents of the communication. 18 U.S.C. § 3121(c). [See Carnivore, CALEA]

"The government must also use "technology reasonably available to it" to avoid recording or decoding the contents of any wire or electronic communications. 18 U.S.C. § 3121(c). When there is no way to avoid the inadvertent collection of content through the use of reasonably available technology, DOJ policy requires that the government may not use any inadvertently collected content in its investigation. However, a few courts have gone beyond the statute's requirement that the government use technology reasonable available to it to avoid collecting content. Citing the exclusion of contents from the definitions of pen register and trap and trace device, these courts have stated or implied that the government cannot use pen/trap devices that might collect any content at all. See In re Application of the United States, 2007 WL 3036849, at *8-9 (S. D. Tex. 2007) ("[T]he Pen Register Statute does not permit the Government simply to minimize the effects of its collection of unauthorized content, but instead prohibits the collection of content in the first place."); In re Application of United States, 416 F. Supp. 2d 13, 17 (D.D.C. 2006) ("[T]he Government must ensure that the process used to obtain information about email communications excludes the contents of those communications."). Courts have been particularly likely to take this position in the context of phone pen/trap devices that would collect "post-cut-through dialed digits" because this data can include content that cannot be separated out using reasonably available technology. See In re Applications of United States, 515 F. Supp. 2d 325, 339 (E.D.N.Y. 2007); In re Application of United States, 441 F. Supp. 2d 816, 827 (S.D. Tex. 2006); In re Application of United States, 2007 WL 3036849, at *8-*9 (S. D. Tex. 2007). Because this area of the law is developing rapidly, prosecutors or agents may have questions about current trends, and they may direct any such questions to [] CCIPS" [Search Seizure 2009 p 156]

Cost Recovery: Service providers shall be paid for their troubles. 18 U.S.C. § 3124(c). [But see CALEA]

Reporting Requirement: In instances where officers install their own device, the officers must comply with the reporting requirement, keeping a record of the officers who installed and have access to the device, the date and time the devices was installed and uninstalled, the configuration of the device, and the information collected by the device. 18 U.S.C. § 3123(a)(3). This information must be provided to the court under seal within 30 days of the termination of the order.

The Attorney General must also report to Congress annually on the number of pen register and trap and traces applied for. 18 U.S.C. § 3126

The Pen/Trap Statute and Cell-Site Information


Trap and Trace Order, Example

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 235 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

UNITED STATES DISTRICT COURT
FOR THE _________

___________________________

IN RE APPLICATION OF THE
UNITED STATES OF AMERICA FOR
AN ORDER AUTHORIZING THE INSTALLATION
AND USE OF PEN REGISTER AND TRAP
AND TRACE DEVICES
___________________________

)
)
) MISC. NO.
)
) FILED UNDER SEAL
)
)

ORDER

[AUSA name], on behalf of the United States, has submitted an application pursuant to 18 U.S.C. §§ 3122 and 3123, requesting that the Court issue an Order pursuant to 18 U.S.C. § 3123, authorizing the installation and use of pen registers and trap and trace devices ("pen/trap devices") on the [service provider] email account [target email address], whose listed subscriber is [subscriber name].

The Court finds that the applicant is an attorney for the government and has certified that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation being conducted by [law enforcement agency] of unknown individuals in connection with possible violations of [statutes].

IT IS THEREFORE ORDERED, pursuant to 18 U.S.C. § 3123, that pen/trap devices may be installed and used to record, decode, and/or capture dialing, routing, addressing, and signaling information associated with each communication to or from the [service provider] email account [target email address], including the date, time, and duration of the communication, and the following, without geographic limit:

  • IP addresses, including IP addresses associated with access to the account;
  • Headers of email messages, including the source and destination network addresses, as well as the routes of transmission and size of the messages, but not content located in headers, such as subject lines;
  • the number and size of any attachments.

IT IS FURTHER ORDERED, pursuant to 18 U.S.C. § 3123(c)(1), that the use and installation of the foregoing is authorized for sixty days from the date of this Order;

IT IS FURTHER ORDERED, pursuant to 18 U.S.C. §§ 3123(b)(2) and 3124(a)-(b), that [service provider] and any other person or entity providing wire or electronic communication service in the United States whose assistance may, pursuant to 18 U.S.C. § 3123(a), facilitate the execution of this Order shall, upon service of this Order, furnish information, facilities, and technical assistance necessary to install the pen/trap devices, including installation and operation of the pen/trap devices unobtrusively and with minimum disruption of normal service;

IT IS FURTHER ORDERED that [law enforcement agency] reasonably compensate [service provider] and any other person or entity whose assistance facilitates execution of this Order for reasonable expenses incurred in complying with this Order;

IT IS FURTHER ORDERED that [service provider] and any other person or entity whose assistance may facilitate execution of this Order notify [law enforcement agency] of any changes relating to the email account [target email account], including changes to subscriber information, and to provide prior notice to [law enforcement agency] before terminating service to the email account;

IT IS FURTHER ORDERED that [law enforcement agency] and the applicant have access to the information collected by the pen/trap devices as soon as practicable, twenty-four hours per day, or at such other times as may be acceptable to [law enforcement agency], for the duration of the Order;

IT IS FURTHER ORDERED, pursuant to 18 U.S.C. § 3123(d)(2), that [service provider] and any other person or entity whose assistance facilitates execution of this Order, and their agents and employees, shall not disclose in any manner, directly or indirectly, by any action or inaction, the existence of the application and this Order, the pen/trap devices, or the investigation to any person, except as necessary to effectuate this Order, unless and until otherwise ordered by the Court;

IT IS FURTHER ORDERED that the Clerk of the Court shall provide the United States Attorney's Office with three certified copies of this application and Order, and shall provide copies of this Order to [law enforcement agency] and [service provider] upon request;

IT ISFURTHER ORDERED that the application and this Order are sealed until otherwise ordered by the Court, pursuant to 18 U.S.C. § 3123(d)(1).

Date United States Magistrate Judge

Articles

News

© Cybertelecom ::