Pen register
From Wikipedia, the free encyclopedia
A pen register is an electronic device that records all numbers dialed from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications.
The USA statutes governing pen registers are codified under 18 U.S.C., Chapter 206.
Contents |
[edit] Definitions
Title 18 of the United States Code defines a pen register as:
- a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.
This is the current definition of a Pen Register, as amended by passage of the 2001 USA PATRIOT Act. The original statutory definition of a pen register was created in 1984 as part of the Electronic Communications Privacy Act. That defined a 'Pen Register' as:
- A device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is dedicated.
A pen register is similar to a trap and trace device. A trap and trace device would show what numbers had called a specific telephone, i.e. all incoming phone numbers. A pen register rather would show what numbers a phone had called, i.e. all outgoing phone numbers. The two terms are often used in concert, especially in the context of Internet communications. They are often jointly referred to as "Pen Register or Trap and Trace devices," to reflect the fact that the same program will probably do both functions in the modern era, and the distinction is not that important. The term 'pen register' is often used to describe both pen registers and trap and trace devices.
[edit] Background
In Katz v. United States (1967), the United States Supreme Court established its "reasonable expectation of privacy" test. It overturned Olmstead v. United States and held that wiretaps were unconstitutional searches, because there was a reasonable expectation that the communication would be private. The government was then required to get a warrant to execute a wiretap.
Ten years later the Supreme Court held that a pen register is not a search because the "petitioner voluntarily conveyed numerical information to the telephone company." Smith v. Maryland, 442 U.S. 735, 744 (1979). Since the defendant had disclosed the dialed numbers to the telephone company so they could connect his call, he did not have a reasonable expectation of privacy in the numbers he dialed. The court did not distinguish between disclosing the numbers to a human operator or just the automatic equipment used by the telephone company.
The Smith decision left pen registers completely outside constitutional protection. If there was to be any privacy protection, it would have to be enacted by Congress as statutory privacy law.
[edit] The Pen Register Act
The Electronic Communications Privacy Act (ECPA) was passed in 1986 (Pub. L. No. 99-508, 100 Stat. 1848). There were three main provisions or Titles to the ECPA. Title III created the Pen Register Act, which included restrictions on private and law enforcement uses of pen registers. Private parties were generally restricted from using them unless they met one of the exceptions, which included an exception for the business providing the communication if it needed to do so to ensure the proper functioning of its business.
In order for law enforcement agencies to get a pen register approved for surveillance, they must get a court order from a judge. However, they need only certify to the judge that the information likely to be obtained is relevant to an ongoing criminal investigation, at which point the judge 'shall' issue the order.
This is the lowest requirement for receiving a court order under any of ECPA's three titles. This reflects the fact that pen registers do not gather the contents of any information, only the addressing or routing information, which was not deemed as important of a privacy interest. Some have argued that the government should be required to present "specific and articulable facts" showing that the information to be gathered is relevant and material to an ongoing investigation. This is the standard used by Title II of the ECPA with regard to the contents of stored communications.
The Pen Register Act did not include an exclusionary rule. While there were civil remedies for violations of the Act, evidence gained in violation of the Act can still be used against a defendant in court. There have also been calls for congress to add an exclusionary rule to the Pen Register Act, as this would make it more analogous to traditional Fourth Amendment protections.
[edit] USA-PATRIOT Act
Section 216 of the 2001 USA PATRIOT Act expanded the definition of a pen register to include devices or programs that provide an analogous function with internet communications. Prior to the Patriot Act, it was unclear whether or not the definition of a pen register, which included very specific telephone terminology, could apply to internet communications. Most courts and law enforcement personnel operated under the assumption that it did, however the Clinton administration had begun to work on legislation to make that clear, and one magistrate judge in California did rule that the language was too telephone-specific to apply to internet surveillance.
The Pen Register Statute is a privacy act. As there is no constitutional protection for information divulged to a third party under the Supreme Courts expectation of privacy test, and the routing information for phone and internet communications are divulged to the company providing the communication, the absence or inapplicability of the statute would leave the routing information for those communications completely unprotected from government surveillance.
The government also has an interest in making sure the Pen Register Act exists and applies to internet communications. Without the Act, they cannot compel service providers to give them records or do internet surveillance with their own equipment or software, and the law enforcement agency, which may not have very good technological capabilities, will have to do the surveillance itself at its own cost.
Rather than creating new laws regarding Internet surveillance, the Patriot Act simply expanded the definition of a pen register to include computer software programs doing Internet surveillance. While not completely compatible with the technical definition of a pen register device, this was the interpretation that had been used by almost all courts and law enforcement agencies prior to the change.
[edit] Terror War Spying
When, in 2006, the Bush administration came under fire for having secretly collected millions of random phone call lists from regular Americans, ostensibly to check for calls to terror suspects, the Pen Register Act was cited, along with the Stored Communications Act, as example of how such domestic spying violated Federal law.
[edit] Notes
- ↑
- U.S. Supreme Court; SMITH v. MARYLAND, 442 U.S. 735 (1979)
- See Generally: Orin Kerr, Internet Surveillance Law After the USA Patriot Act: The Big Brother That Isn't