The Pen Register and the Meter – Reasonable Expectations of Privacy?
So I’m seeing a lot of hyperventilating about the revelations that the DOJ has been conducting traffic analysis. I thought it would be helpful to have a brief primer post on the subject of pen-registers and trap and trace devices.
First, let’s get some basic definitions out of the way.
What the DOJ has supposedly done to the AP is known as “traffic analysis”. This essentially means that they have no actual information on the actual content of the communications, but rather they gather information based on patterns of communication between phone numbers. The original technology used for this type of analysis was called a “pen register” or a “trap and trace device”. They were initially restricted to simply tracking a single phone number, and referred to a specific type of technology.
The use of these items first came into question in Smith v. Maryland, when the Supreme Court essentially ruled that if you give out the number you’re calling to a third party (whether human or automated), you don’t have a real expectation of that fact being private. Essentially the court declared that as you were giving a third party access to the numbers you were calling, you couldn’t really complain when those records were called on by someone else. Smith declared that pen register use didn’t constitute a “search” and thus required no judicial preapproval. This was essentially a ruling on “reasonable expectation of privacy” grounds.
Congress later intervened in 1986 in the form of the Electronic Communications Privacy Act (ECPA) of 1986 which set down some extremely basic protections on the use of third parties in communictions. Specifically the ECPA prevented the interception of messages (up to and including rudimentary electronic comunications) in transit, while requiring a court order (but not a warrant) to secure the right to place a trap/trace device on a phone line.
The Communications Assistance for Law Enforcement (CALEA) made some changes that essentially mandated that third parties in communications make systems more accessible to investigators. The PATRIOT Act expanded this further, making it easier for law enforcement to collect data without any judicial preapproval whatsoever.
Essentially the whole argument is that your records of phone calls and the like are not on the same level as the actual communications themselves, because of the way that modern telecommunications equipment works: You basically use a third party to help you reach the person you’re trying to talk to. As you give this third party that contact information you’re disclosing this voluntarily. (One would say this is akin to collecting the return addresses from the mail that someone is given.)
Interesting in a similar case to Smith in Europe, the United Kingdom was eventually taken as far as the European Court of Human Rights in Malone v. United Kingdom. Now the electronic surveillance laws in the UK are an utter and complete mess (more on them next time), but the ECHR ruled specifically on the use of traffic analysis (called “metering” in the UK) against the UK government:
- Did the government violate Article 8 of the European Convention on Human Rights?
Article 8 says:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. - If there was a violation of Article 8, was it in accordance with the law?
In the first instance, the ECHR ruled that metering was in fact a violation of Article 8’s right for privacy and family life. They then ruled that while the UK government may have had a legitimate interest, done in accordance with law, that it was too broad in scope to allow stand.
Anyway, the problem here is a concept of faulty and an odd definition of expectation or privacy.
I think it’s past time we acknowledged that collection of information of this sort by private service providers should simply be banned, and that the government have to prove a higher standard of evidence before they’re allowed to go and conduct large scale metering/pen register actions like we’ve seen here.
If this revelation and the hyperbolic rage coming from the AP can start a national conversation, it seems in the end, it’d be worth it.
Additional Reading:
“Pen Registers and Trap/Trace Devices” by the EFF
CALEA overview
Overview of Article 8 cases
Let me ask a question. Assuming they wanted to would it be illegal to collect return addresses on mail? All be it that one could duck the issue by not putting a return address on, but likewise today one could buy a prepaid disposable cell phone to do the same. Of course email is harder to do, since the senders address is a mandatory part of the header info, along with the IP address (since you can spoof the sender address by appropriate coding but not the IP address if you want the message to get thru. All it takes is a hacked email program, I further suspect that there exist offshore mail forwarders that allow one to disguise the ip address also.Report
Let me add a link to a web site that tells what the conversation with a sendmail agent from a mail program is: http://www.the-welters.com/professional/smtp.html You will note that the piece says and I can confirm by experience that one can type commands to sendmail.Report
It’s legal to collect return addresses on mail, IIRC. I don’t even think the target of the mail needs to be under surveillance of any official sort.
Email’s actually pretty easy to forge, both on the Sender and on the originating IP address. There are still plenty of open relays on the Internet.Report
From what I recall given that the return address on an envelope for example is easily seen in public spaces and indeed must be read for the mail to be delivered, it’s not considered information that you might have any reasonable expectation of hiding.
Prepaid disposable cell phones is one of those things that has given electronic surveillance courts an enormous headache, because the statutory laws that govern the use of wiretaps somewhat assumes that lines are fixed and limited in number.Report
However in a letter the message is private, as one would expect the message in a postcard is not. I.E. they can’t open the letter. Now I don’t know the status of a document sent by UPS or FedEx.Report
This is correct. The content of a letter is considered to be private, but the destiation is not. Same goes for UPS or FedEx boxes. That doesn’t preclude USPS, UPS or FedEx from keeping a registry/database of who and from where people have sent you mail.
What makes all this difficult of course is that email through anonymizers, and disposable cell phones give you something of a new means where the objective, reasonable expectation of privacy here is that your very actions using those forms of communication would be subject to privacy. Of course the USG and the judicial system more specifically haven’t seemed to have recognized this. Nor for that matter are they so keen on allowing things like encryption to stand on its own.Report
Snail mail, too. I believe that every piece of mail that goes through the big processing centers is scanned, often printed with bar codes. I’ve never heard that the envelope scans are stored; but I’ve also never heard that they’re not stored. Certainly, the technology is there and has long been in use; and since you’re using a 3rd party, there’s no expectation of privacy about who you communicate with via snail mail.Report
So far my favorite tweets about this are:
J.P. Feire: “First time I’ve seen an agency do a Monday news dump bc a Friday news dump failed so spectacaularly. It’s like a scandal fire sale.”
Jonah Goldberg: “Government is just the word we use for things we do together, like audit political enemies and monitor journalists’ phone calls.”
Anyway, why did they grab two months worth of phone records when the leak in question only could’ve occurred over about a two day period? Were they just on a fishing expedition?Report
I’d love to see one bit of evidence that Goldberg had any problem with the Bush wiretaps.Report
It’s known as traffic analysis for a reason, I’d imagine they were trying to establish the pattern of who the leaker might be.
But again, this is authorized by court precedent and by statute. I don’t like it, but that’s the law of the land.Report
goldberg is a hoser but that’s genuinely funny.Report
I’d love to see one bit of evidence that Bush wiretapped the press.Report
Goldberg wasn’t necessarily cheering, but he was taking a rather opposing track on excusing the NSA’s wiretapping program back in 2006.
http://old.nationalreview.com/goldberg/goldberg200601131109.aspReport
More broadly I think we’d all be pretty sure how the narrative would play out if it were a President McCain or Romney’s DoJ doing this than the Obama Administration.
“Well clearly whoever is leaking information about US operations in Yemen is endangering national security and the liberal media is only complaining about it because they’re used to being allowed to treat national security like a blahblahblahblah”
Or if the Administration had stood by and done nothing with regard to the AP:
“The Obama Administration clearly cares more about their publicity than they care about effective national security efforts. They should have made sure the leaks were never public etc. etc. etc”Report
And how the AP, like the rest of the MSM, cares more about their so-called rights that about fighting terrorism.Report
You did; the papers were full of it.
Please stop lying.Report
(this was in reply to George ‘I see NOTHINK!’ Turner)Report
Could you perhaps link to an example? I’m pretty sure if he wiretapped the press, the press would’ve written something about it.Report
Most of the stories I remember and have tried looking up have been more general tapping issues, with journalists suspecting they may have been targets, but not being able to prove it.
I did get linked to this story about a wider wiretapping issue which includes the paragraph
“And agents twice improperly gained access to reporters’ calling records as part of leak investigations. ”
which seems pretty much the exact same thing as was happening hereReport
From what I understand, that’s legal because Obama did it too, and if Obama did it, Bush probably did it first, and he did.
And you didn’t complain about that. And whether or not I complained about it is immaterial.Report
“Smith v. Maryland” Noted for when the slope dropped more steeply downhill in the loss of any freedoms…Report
I’ll give you some more milestones as I get to writing the electronic surveillance post.Report