The Pen Register and the Meter – Reasonable Expectations of Privacy?
So I’m seeing a lot of hyperventilating about the revelations that the DOJ has been conducting traffic analysis. I thought it would be helpful to have a brief primer post on the subject of pen-registers and trap and trace devices.
First, let’s get some basic definitions out of the way.
What the DOJ has supposedly done to the AP is known as “traffic analysis”. This essentially means that they have no actual information on the actual content of the communications, but rather they gather information based on patterns of communication between phone numbers. The original technology used for this type of analysis was called a “pen register” or a “trap and trace device”. They were initially restricted to simply tracking a single phone number, and referred to a specific type of technology.
The use of these items first came into question in Smith v. Maryland, when the Supreme Court essentially ruled that if you give out the number you’re calling to a third party (whether human or automated), you don’t have a real expectation of that fact being private. Essentially the court declared that as you were giving a third party access to the numbers you were calling, you couldn’t really complain when those records were called on by someone else. Smith declared that pen register use didn’t constitute a “search” and thus required no judicial preapproval. This was essentially a ruling on “reasonable expectation of privacy” grounds.
Congress later intervened in 1986 in the form of the Electronic Communications Privacy Act (ECPA) of 1986 which set down some extremely basic protections on the use of third parties in communictions. Specifically the ECPA prevented the interception of messages (up to and including rudimentary electronic comunications) in transit, while requiring a court order (but not a warrant) to secure the right to place a trap/trace device on a phone line.
The Communications Assistance for Law Enforcement (CALEA) made some changes that essentially mandated that third parties in communications make systems more accessible to investigators. The PATRIOT Act expanded this further, making it easier for law enforcement to collect data without any judicial preapproval whatsoever.
Essentially the whole argument is that your records of phone calls and the like are not on the same level as the actual communications themselves, because of the way that modern telecommunications equipment works: You basically use a third party to help you reach the person you’re trying to talk to. As you give this third party that contact information you’re disclosing this voluntarily. (One would say this is akin to collecting the return addresses from the mail that someone is given.)
Interesting in a similar case to Smith in Europe, the United Kingdom was eventually taken as far as the European Court of Human Rights in Malone v. United Kingdom. Now the electronic surveillance laws in the UK are an utter and complete mess (more on them next time), but the ECHR ruled specifically on the use of traffic analysis (called “metering” in the UK) against the UK government:
- Did the government violate Article 8 of the European Convention on Human Rights?
Article 8 says:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
- If there was a violation of Article 8, was it in accordance with the law?
In the first instance, the ECHR ruled that metering was in fact a violation of Article 8’s right for privacy and family life. They then ruled that while the UK government may have had a legitimate interest, done in accordance with law, that it was too broad in scope to allow stand.
Anyway, the problem here is a concept of faulty and an odd definition of expectation or privacy.
I think it’s past time we acknowledged that collection of information of this sort by private service providers should simply be banned, and that the government have to prove a higher standard of evidence before they’re allowed to go and conduct large scale metering/pen register actions like we’ve seen here.
If this revelation and the hyperbolic rage coming from the AP can start a national conversation, it seems in the end, it’d be worth it.