Always “Written” In: Seventh Circuit Holds Still Constitutional IP Address Pen Register Commands After Carpenter – Privacy
In 2016, Edward Soybel, a disgruntled former employee, began carrying out cyber attacks against his former employer, WW Grainger, Inc. (Grainger), an industrial supplies company. One of Grainger’s key service offerings, KeepStock, uses large database tables stored on Grainger computers to help its customers track their inventory. By remotely logging into KeepStock and deleting millions of records, Soybel effectively rendered KeepStock unusable for several days until Grainger was able to restore the data.
Grainger called the FBI, who determined that the IP address from which the attacks were carried out belonged to the main router used for all Internet traffic coming out of the large Chicago apartment building in which Soybel resided. To identify which unit in the building generated the attacks, the FBI had to obtain information from the master router itself, so they sought to place two tracking devices: one to track the IP addresses accessed by the master router, and another to track which IP address the reachable Soybel unit is addressing (like the seventh circuit, we will collectively call these two devices a “pen register”). After showing that the IP address information was “relevant to an ongoing investigation,” the FBI obtained an order under the Pen Registry Act and installed the Pen Registry.
By correlating the timing of the IP address data derived from the pen’s registry – but without gaining access to the contents of the transmissions – the FBI determined that the attacks originated from Soybel’s unit. Soybel was arrested and charged with 12 counts of violating the Computer Fraud and Abuse Act and was ultimately convicted by a jury out of 12. On appeal, Soybel argued that the use of the pen by the warrantless FBI, which would have required the government to show probable cause rather than simply that the information was “relevant” to an investigation, violated its Fourth Amendment rights. In an opinion dated September 8, 2021, the Seventh Circuit rejected this argument and upheld Soybel’s conviction.
Soybel based his appeal on the landmark Fourth Amendment Supreme Court ruling Carpenter v. United States, 138 S. Ct. 2206 (2018), which was released while Soybel’s charges were pending. In Carpenter, the court ruled unconstitutional a legal regime that allowed access to location information of historic cell sites (CSLI) by court order and without warrant, such as the Pen Register Act. Soybel argued that the pen log evidence should have been deleted because the IP information was sufficiently similar to the CSLI in Carpenter that it also required a warrant. The Seventh Circuit was not convinced.
The court began by noting that not all investigative techniques constitute Fourth Amendment searches. The Fourth Amendment offers no protection for information that an individual “knowingly exposes to the public”, a principle known as “third party doctrine”. See Katz v. United States, 389 US 347, 351 (1967). In Smith v. Maryland, 442 US 735 (1979), the Supreme Court applied this doctrine to allow law enforcement to install a pen register to track the history of landline telephone calls, in accordance with the Pen Register Act, on the basis that a phone user voluntarily discloses the numbers he is dialing (as opposed to the content of his conversation) to the phone company, a third party, as part of the dialing process. Prior to Carpenter, circuit courts had always held that the discovery of IP addresses via pen registers on Internet routers was as constitutional as the discovery of phone numbers in the same way. The Soy The court followed these precedents, explaining that “technological differences do not necessarily give rise to constitutional differences”.
In Soy, the seventh circuit joined with three other circuits to conclude that Carpenter did not change this conclusion. The court noted that the data from the CSLI at issue in Carpenter were materially different from Soybel’s IP data because, as the Supreme Court had explained, the CSLI data revealed “all of the [Carpenter’s]physical movements “and created” a complete record of the phone holder’s whereabouts. . . [for] every moment, for several years. “
For the Seventh Circuit, these “unique characteristics” of CSLI are not found in the IP address data: the government had not accessed information regarding Soybel’s movements, but had simply learned which websites Someone in Soybel’s apartment had accessed and when. Even though the IP Pen Registry captured sensitive information such as visits to political or dating websites, the government could not access any content from those visits or even confirm who accessed the sites. And unlike the historical CLSI data in Carpenter, the government was unable to access IP data prior to the installation of the pen registry. Finally, while CSLI is passively collected every time a cell phone is powered on, an internet user must act in an affirmative manner to visit a website (or to remotely delete reams of data from a former employer, as the case may be. ) to generate IP data.
For all these reasons, the court ruled that “an IP pen registry is analogous in all material respects to a traditional telephone pen registry”, and Soybel therefore did not have a reasonable expectation of the confidentiality of the data collected. through the registry.
As discussed in a recent Application edge post, federal circuit courts are in the process of answering a variety of questions the Supreme Court has left open in Carpenter. Soy is another piece of this puzzle. The entities that collect historical CSLIs have received some clarity from Carpenter on what information is not fair play to warrantless government investigators. But entities that collect other forms of potentially sensitive data, such as IP data here or location data generated by IoT devices and consumer handheld devices, still face some uncertainty about what to expect. Following Carpenter on information about the activities of an individual which gives rise to a reasonable expectation of privacy and therefore requires a warrant to be collected. We discussed some considerations for companies operating in this space earlier this year. Businesses that collect or process such data for EU residents should also consider whether and how these decisions impact their obligations under the post-GDPR.Schrems II to contest certain data requests from law enforcement agencies.
With its decisions in Soy and Hammond, the Seventh Circuit, at least, signaled its inclination to the cabin Carpenter. However, the Soy court highlighted certain factors which may, in Carpenter, weigh in favor of the warrant requirement – whether the information gathered is retrospective, whether it is specific to a single individual, whether it involves universal localization, and whether it is ubiquitous in modern life. Only the last of these factors favored the defendant in Soy, and the court easily found it insufficient to require the deletion of the evidence.
Courts will likely continue to grapple with Fourth Amendment issues stemming from prosecutions based on digital data collected without a warrant. We will keep you posted.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.