THE GEORGE WASHINGTON UNIVERSITY
LAW SCHOOL
P UBLIC L AW AND L EGAL T HEORY WORKING P APER N O,043
THE BIG BROTHER THAT ISN’T
Orin S,Kerr
This paper can be downloaded without charge from the
Social Science Research Network Electronic Paper Collection:
http://ssrn.com/abstract=317501
INTERNET SURVEILLANCE LAW AFTER THE USA PATRIOT ACT:
Copyright 2003 by Northwestern University School of Law Printed in U.S.A,
Northwestern University Law Review Vol,97,No,2
607
INTERNET SURVEILLANCE LAW AFTER THE USA
PATRIOT ACT,THE BIG BROTHER THAT ISN’T
Orin S,Kerr
INTRODUCTION
Following the September 11 terrorist attacks on New York and Wash-
ington,Congress rushed into action and quickly passed antiterrorism legis-
lation known as the USA Patriot Act.
1
The Patriot Act has been widely
understood as a,sweeping”
2
antiterrorism law that gave the government
“vast new powers”
3
to conduct electronic surveillance over the Internet,
The Act’s surveillance provisions proved so controversial that Congress
added a sunset provision that will nullify several of its key provisions after
four years,on December 31,2005.
4
To many legislators,the vast law en-
Associate Professor,George Washington University Law School,From the fall of 1998 until the
summer of 2001,I was a lawyer in the Computer Crime and Intellectual Property Section of DOJ’s
Criminal Division,My experience at DOJ included working with the Internet surveillance laws that ex-
isted before the Patriot Act,I also commented on and helped draft the legislative proposals to amend
those laws,including some proposals that influenced portions of what later became the Patriot Act,I
hope that my familiarity with these laws from my time in government will shed light that outshines the
occasionally myopic effect of personal experience,All of the views expressed in this Article are solely
my own and do not reflect the positions of the Department of Justice,Thanks to Peter Swire,Steve
Saltzburg,Beryl Howell,Jeffrey Rosen,Dan Solove,Lee Tien,Peter Raven-Hansen,Cynthia Lee,Jon
Molot,and Mark Eckenwiler for commenting on earlier drafts,All errors remain my own,
1
See Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (USA Patriot Act) of 2001,Pub,L,No,107-56,115 Stat,272,The formal title
is the,Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA Patriot Act) Act of 2001.” Id,The awkward name of the USA Patriot Act
derives from its legislative history,the Act combines elements of two antiterrorism bills,the Senate’s
USA Act,Senate Bill 1510,and the House of Representative’s Patriot Act,House Bill 2975,The Senate
approved the,Uniting and Strengthening America Act” (or,USA” Act) by a vote of 96 to 1 on October
11,2001,The House approved the,Provide Appropriate Tools Required to Intercept and Obstruct Ter-
rorism Act” (or,Patriot” Act),by a vote of 337 to 79 on October 12,2001,The final bill started with
the basic framework of the Senate bill and then added many of the components of the House bill to cre-
ate a compromise bill that combined both titles to create the USA Patriot bill,The USA Patriot bill was
approved by the House on October 24th by a vote of 356 to 66,passed the Senate on October 25th,a
vote of 98 to 1,and was signed by President Bush on October 26th,For simplicity’s sake,I will refer to
the final enacted law as the,USA Patriot Act,”,the Patriot Act,” or simply,the Act.”
2
Jesse J,Holland,New Powers To Fight New Threat; Bush Vows Stiff Enforcement of Anti-
Terrorism Laws,SEATTLE TIMES,Oct,26,2001,at A1,
3
Id,
4
See Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept
and Obstruct Terrorism (USA Patriot Act) Act of 2001,Pub,L,No,107-56,§ 224,115 Stat,272,295
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
608
forcement authorities unleashed by the Patriot Act seemed too dangerous to
extend indefinitely.
5
The Patriot Act triggered tremendous anxiety in part because few under-
stood exactly what it did,At the time of its passage,even many key legisla-
tors seemed to have little idea of the laws governing electronic surveillance,
both before the Patriot Act and following it.
6
Did the Act go too far? How
much privacy did Internet users have,and how much were they giving away?
No one seemed to know,and because the legislation rushed through Congress
with remarkable speed,
7
little in the way of Committee reports or other legis-
lative history existed to help explain it.
8
Most commentators simply assumed
the worst,they sensed that Internet users probably had very little privacy on-
line before the Patriot Act,and that the Patriot Act bargained away whatever
precious drops of privacy they had left.
9
This Article argues that the common wisdom on the USA Patriot Act is
incorrect,The Patriot Act did not expand law enforcement powers dramati-
cally,as its critics have alleged,In fact,the Patriot Act made mostly minor
amendments to the electronic surveillance laws,Many of the amendments
merely codified preexisting law,Some of the changes expanded law en-
forcement powers,but others protected privacy and civil liberties,Several
of the most controversial amendments may actually increase privacy pro-
tections,rather than decrease them,Most importantly,none of the changes
altered the basic statutory structure of electronic surveillance law created by
the Electronic Communications Privacy Act of 1986.
10
While critics of the
Patriot Act have rightly insisted that the government should have no more
surveillance power than it needs,they have failed to see that the Patriot Act
generally offers a balanced approach that in some ways protects civil liber-
ties more than the laws it replaced,The Patriot Act is hardly perfect,but it
is not the Big Brother law that many have portrayed it to be,
(“[T]his title and the amendments made by this title,,, shall cease to have effect on December 31,
2005.”),This so-called sunset provision does not apply to all of the Patriot Act’s amendments involving
electronic surveillance,it applies to about half of the provisions,See id,(explaining the sections to
which the sunset provision does not apply),
5
See Adam Clymer & Robin Toner,A Nation Challenged,The House,Vote Approves New Pow-
ers for Antiterror Investigators,N.Y,TIMES,Oct,18,2001,at B9,
6
See Editorial,Stampeded in the House,WASH,POST,Oct,16,2001,at A22 (noting that when the
House voted on House Bill 2975 on October 12,2001,“all manner of members of both parties com-
plained they had no idea what they were voting on,were fearful that aspects of the,,, bill went too
far—yet voted for it anyway”),
7
The Bush Administration introduced its proposed Anti-Terrorism Act on September 19,2001,just
eight days after the attacks,President Bush signed the Patriot Act on October 26,2001,See Martha
Mendoza,New Anti-Terror Law Brings Consternation; Security,Officials and Lawyers Try To Deci-
pher Complex Provisions,Federal Guidance Is in Short Supply,L.A,TIMES,Dec,16,2001,at A4,
8
The only existing Committee Report is the House Judiciary Committee’s Report on House Bill
2975,See H.R,REP,NO,107-236 (2001),available at ftp://ftp.loc.gov /pub/thomas/cp107/hr236p1.txt,
9
See infra notes 68–79,
10
Pub,L,No,99-508,§§ 101–11,100 Stat,1848,1848–59,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
609
This Article will explain how and why the conventional wisdom about
the Patriot Act misses the mark,It begins by explaining what Internet sur-
veillance is and how it works,which provides some guidance for under-
standing how Congress has decided to regulate it,It then applies this
framework to study three of the major criticisms of the Patriot Act,This
approach unfortunately sacrifices breadth for depth,but it allows us to see
how misconceptions about both the law and technology of the Internet has
led to significant misunderstandings about Internet surveillance law and the
effect of the USA Patriot Act,
The argument proceeds in four Parts,Part I explains the basic frame-
work of network surveillance law that governs any communications net-
work,It classifies the types of laws employed to govern the surveillance of
communications networks such as the postal system,the telephone,and the
Internet using a series of dichotomies,Once a framework has been devel-
oped,it is then possible to articulate an entire set of surveillance laws for
each network and make comparisons across different technologies,This
Part also explains how Internet surveillance includes both email and packet-
level surveillance,and how laws that govern Internet surveillance must
grapple with both levels of surveillance,
Part II considers the highly controversial pen register amendments to
the Patriot Act,These amendments apply a privacy law originally designed
for the telephone to the Internet,The amendments have been widely criti-
cized on the ground that they granted the government sweeping powers to
investigate crime involving the Internet,After explaining why Internet sur-
veillance is primarily governed by statutory law,rather than the constitu-
tional protections of the Fourth Amendment,Part II argues that the
criticisms of the pen register amendments are unfounded,The pen register
amendments merely reaffirmed preexisting practice,and if anything proba-
bly increased privacy protections afforded to Internet communications,
rather than decreased them,
Part III studies the Patriot Act’s impact on the FBI Internet surveillance
tool popularly known as,Carnivore.” The Patriot Act has received broad
criticism for expanding the use of Carnivore,which itself has been por-
trayed as a dangerous tool that enables the FBI to invade privacy online,
This Part argues that the public understanding of Carnivore has it largely
backwards,The analysis explains how surveillance tools such as Carnivore
work,and how Carnivore was itself designed to protect privacy and to en-
sure compliance with court orders,not invade privacy in an effort to cir-
cumvent judicial review,The Part explains that the Patriot Act did not
expand the use of Carnivore,but rather added new regulations on its use,
Part IV analyzes the new,computer trespasser” exception to the Wire-
tap Act,The trespasser exception has drawn criticism for weakening the
Wiretap Act’s privacy protections in cyberspace,The analysis explains
how the Wiretap Act applies to the Internet,and how the application of this
law designed for the telephone to the Internet creates the need for a tres-
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
610
passer exception,The Part also explains how the trespasser exception
probably expands Internet privacy protections,rather than reduces them,by
implicitly minimizing the scope of other exceptions to the Wiretap Act that
otherwise could have been read to eviscerate privacy protections online,
I,A GENERAL FRAMEWORK OF NETWORK SURVEILLANCE LAW
Communications networks are a defining feature of modern life.
11
Hundreds of millions of Americans use the postal system,the telephone
network,and the Internet to communicate with each other.
12
Although
these technologies differ from each other in important ways,they share a
common function,they are all global communications networks that allow
users to send,receive,and store information,
Unfortunately,communications networks also provide a stage for the
commission of criminal acts.
13
Networks can be used by criminals to con-
tact co-conspirators,deliver threats,further frauds,or engage in countless
other criminal activities.
14
When communications networks are used to fur-
ther crimes,the network itself becomes a crime scene.
15
Telephone records,
stored emails,and undelivered packages can contain important clues for law
enforcement,Much like a physical neighborhood,the networks themselves
become surveillance zones,complete with criminals seeking to evade detec-
tion and police trying to catch them,
The goal of this Part is to offer a taxonomy of network surveillance
law,A basic framework is necessary to understand the legal rules that ap-
ply to the surveillance of communications networks such as the Internet,the
postal network,or the telephone network,The framework allows us to ap-
preciate the relationship between the different types of surveillance that can
occur in a network,as well as to compare how the rules differ across differ-
11
See generally MANUEL CASTELLS,THE RISE OF THE NETWORK SOCIETY (2000); FRANCES
CAIRNCROSS,THE DEATH OF DISTANCE,HOW THE COMMUNICATIONS REVOLUTION WILL CHANGE
OUR LIVES (1997),
12
See CASTELLS,supra note 11,at 6–10,
13
See Michael Edmund O’Neill,Old Crimes in New Bottles,Sanctioning Cybercrime,9 GEO,
MASON L,REV,237,242–52 (2000) (reviewing different types of Internet crimes),For more specific
examples of how computer networks can be used to commit crimes,see Gretchen Morgenson,S.E.C,
Says Teenager Had After-School Hobby,Online Stock Fraud,N.Y,TIMES,Sept,21,2000,at A1 (using
computer networks to commit securities fraud); CYBERSTALKING,A NEW CHALLENGE FOR LAW
ENFORCEMENT AND INDUSTRY (1999) (use of computer networks to engage in stalking),available at
http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm (last modified Oct,18,1999); see also,
e.g.,United States v,Cohen,260 F.3d 68 (2d Cir,2001) (use of the Internet to gamble on sporting
events); PHILIP JENKINS,BEYOND TOLERANCE,CHILD PORNOGRAPHY ON THE INTERNET (2001) (use of
the Internet to collect child pornography),
14
See generally Scott Charney & Kent Alexander,Computer Crime,45 EMORY L.J,931 (1996),
15
See U.S,DEP’T OF JUSTICE,SEARCHING AND SEIZING COMPUTERS AND OBTAINING EVIDENCE IN
CRIMINAL INVESTIGATIONS,at vii (2001) [hereinafter CCIPS MANUAL] (“The dramatic increase in
computer-related crime requires prosecutors and law enforcement agents to understand how to obtain
electronic evidence stored in computers.”),available at www.cybercrime.gov/searchmanual.wpd,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
611
ent networks,As the framework illustrates,the basic contours of surveil-
lance law for any communications network involves only a small number of
questions,which correspond to the,what,”,who,”,when,” and,how” of
collecting evidence from the network,What kind of information exists in
the network? Who collects it,how,and under what circumstances?
By illustrating these principles in the context of three network tech-
nologies—the Internet,the telephone system,and the postal system—this
Part demonstrates that similar surveillance issues arise in each network in-
dependently of the technology involved,Different technologies may merit
different answers to these questions,of course,but the basic questions re-
main the same.
16
The analysis starts with the,what,” moves next to the
“who,” turns to the,when,” and then concludes with the,how.”
A,Envelope Information Versus Content Information (“What”)
The fundamental purpose of a communications network is to send and
receive communications,As a result,every communications network fea-
tures two types of information,the contents of communications,and the
addressing and routing information that the networks use to deliver the con-
tents of communications,The former is,content information,” and the lat-
ter is,envelope information.”
The essential distinction between content and envelope information
remains constant across different technologies,from postal mail to email,
With postal mail,the content information is the letter itself,stored safely in-
side its envelope,The envelope information is the information derived
from the outside of the envelope,including the mailing and return ad-
dresses,the stamp and postmark,and the size and weight of the envelope
when sealed.
17
Similar distinctions exist for telephone conversations,The content in-
formation for a telephone call is the actual conversation between partici-
pants that can be captured by an audio recording of the call.
18
The envelope
information includes the number the caller dials,the number from which
the caller dials,the time of the call,and its duration,This calling informa-
tion is not visible in the same way that the envelope of a letter is,but it
equates roughly with the information derived from the envelope of a letter,
In both cases,the envelope information contains to-and-from addressing,
data about the time the communication was sent,and information about the
16
See Joseph H,Sommer,Against Cyberlaw,15 BERKELEY TECH,L.J,1145,1147 (2000),
17
See 39 C.F.R,§ 233.3(c)(1) (2002) (articulating an administrative procedure for obtaining a,mail
cover,” which is defined as,the process by which a nonconsensual record is made of any data appearing
on the outside cover of any sealed or unsealed class of mail matter,or by which a record is made of the
contents of any unsealed class of mail matter as allowed by law”),
18
See 18 U.S.C.A,§ 2510(8) (West Supp,2002) (defining the,contents” of a,wire communica-
tion” as,any information concerning the substance,purport,or meaning of that communication”),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
612
communication’s size and length.
19
These principles translate to the Internet quite readily in the case of
email,The content information for an email is the message in the body of
the email itself,much like the phone conversation or the letter in the enve-
lope,The email also carries addressing information in a,mail header.”
Mail headers are digital postmarks that accompany every email and carry
information about the delivery of the mail.
20
Many email programs show
users only some of this information by default,but can be configured to re-
veal the full mail header.
21
A full mail header looks something like this,
FIGURE 1,FULL MAIL HEADER
Received,from SpoolDir by NLCMAIN (Mercury 1.48); 25 Oct 01 20:56:41
EST/EDT
Return-path,<eck@panix.com>
Received,from mail2.panix.com (166.84.0.213) by main.nlc.gwu.edu (Mer-
cury 1.48) with ESMTP;
25 Oct 01 20:56:40 EST/EDT
Received,from panix3.panix.com (panix3.panix.com [166.84.1.3])
by mail2.panix.com (Postfix) with ESMTP id 272278F14
for <okerr@main.nlc.gwu.edu>; Thu,25 Oct 2001 20:56:01 -0400 (EDT)
Received,(from eck@localhost)
by panix3.panix.com (8.11.3nb1/8.8.8/PanixN1.0) id f9Q0u1d15137
for okerr@main.nlc.gwu.edu; Thu,25 Oct 2001 20:56:01 -0400 (EDT)
From,<eck@panix.com>
Message-Id,<200110260056.f9Q0u1d15137@panix3.panix.com>
Subject,
To,okerr@main.nlc.gwu.edu (Kerr,Orin)
Date,Thu,25 Oct 2001 20:51:01 -0400 (EDT)
In-Reply-To,<20011026005212.5D2F1487A8@mail1.panix.com> from
“Kerr,Orin” at Oct 25,2001 08:47:28 PM
X-Mailer,ELM [version 2.5 PL6]
MIME-Version,1.0
Content-Type,text/plain; charset=us-ascii
Content-Transfer-Encoding,7bit
X-PMFLAGS,35127424 0 1 Y08B38.CNM
19
This information is generally known as,pen register” and,trap and trace” information,See infra
notes 99–104,
20
See ADAM GAFFIN,THE BIG DUMMY’S GUIDE TO THE INTERNET ch,6 (“Just as the postal service
puts its marks on every piece of mail it handles,so do Net postal systems,Only it’s called a ‘header’
instead of a postmark.”),at http://www.cs.indiana.edu/docproject/bdgtti/bdgtti_6.html (last visited Feb,
4,2003),
21
See id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
613
This gobbledygook is a mail header that was generated from an email sent to
my George Washington University email account on October 25,2001 from
the email address,eck@panix.com.” Each of the lines in the mail header has
specific meaning,and when read together,tells a story about the message,
how it was processed,and how and when the network directed it from its ori-
gin to its destination.
22
Notice that the mail header above does not contain a
subject line,although subject lines appear in the mail header,they are gener-
ally recognized as content.
23
Viewed as a whole,the email header (minus the
subject line) provides information about the email that is roughly analogous
to the routing information in other communication networks,
However,there is much more to Internet surveillance than email,In
fact,only a small fraction of the Internet’s traffic involves human-to-human
communications such as email messages,Most Internet communications are
communications between humans and computers,such as World-Wide-Web
pages in transit,commands sent to remote servers,and file transfers.
24
Many
others are computer-to-computer communications,such as network adminis-
trative traffic that keeps the Internet running smoothly.
25
These communica-
tions can provide evidence of crime in the same manner as email,For
example,the government may wish to monitor a computer hacker by watch-
ing and recording the commands he sends to the computers he has hacked,
These commands do not involve email,but instead consist of commands sent
directly to the victim computer.
26
A complete understanding of Internet sur-
veillance must go beyond email surveillance to encompass the surveillance of
human-to-computer and computer-to-computer communications,
To understand how the envelope-content distinction applies to human-
to-computer and computer-to-computer communications,it helps to under-
stand a few details about how the Internet works,The Internet is a,packet
switched” network,which means that every communication sent over the
Internet is broken down into individual packets.
27
These packets are the cy-
ber equivalent of letters between two computers,each containing about one
page of information and are sent across the Internet to their destination.
28
Computers communicate with each other by sending and receiving packets
of information across the Internet.
29
22
For example,the email was sent at 8:51 p.m,and was received at 8:56 p.m,For more on how to
read email headers,see,for example,Reading Email Headers,at http://www.stopspam.org/email/
headers/headers.html (last visited Feb,4,2003),
23
See CCIPS MANUAL,supra note 15,at 148,
24
See PRESTON GRALLA,HOW THE INTERNET WORKS (Greg Wiegand et al,eds.,1999),
25
See id,at 13,
26
See,e.g.,United States v,Seidlitz,589 F.2d 152,154–55 (4th Cir,1978) (explaining how a recording
device can be used to monitor commands entered by a computer hacker unauthorized to use a network),
27
See GRALLA,supra note 24,at 13,
28
See id,
29
See id,at 14–15 (explaining the packet-based nature of Internet communications),Consider web
surfing,When an Internet user types in a website address into a browser,the computer sends out pack-
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
614
Surveilling the Internet at the packet level provides a second way of
conducting Internet surveillance that can be considered distinct from email
surveillance,Like other forms of surveillance,packet surveillance divides
into envelope information and content information,When a computer
sends information across the Internet,it breaks the communication into
packets and creates a,packet header”
30
to direct the packet to its destina-
tion,The packet header contains addressing information,such as the to and
from Internet addresses of the two computers,often referred to as the Inter-
net Protocol addresses,or simply IP addresses,
31
as well as information
about what kind of packet it is (e.g.,part of a web page,part of a picture
file).
32
When the packet arrives at its destination,the receiving computer
discards the packet header and keeps the original message,At the packet
level,this message is the content information in the packet,generally re-
ferred to as the packet’s,payload.”
33
Some communications,such as web
pages in transit,typically are,packetized” only once,the host computer
creates the packets,and the destination computer discards the packet head-
ers and reassembles the original file when the packets arrive,Other com-
munications can be packetized several times over in the course of delivery,
For example,an email may be broken down into packets and reassembled
into the original email a few times on its trip from sender to receiver,
While I don’t wish to lose technophobic readers,it helps to understand
the basic relationship between email surveillance and packet surveillance,
Email surveillance is a subset of packet surveillance,in that while an email
travels across the Internet,both the envelope and content information of
emails travel across the Internet as payloads of individual packets,Obtaining
content information at the packet level for a packet that happens to carry an
email message may yield either envelope information for the email (the email
header),or content information (the email itself),or both (in the case of a
short email that can fit the entire header and message on one packet),Con-
sider a medium-length email that is divided into three packets,The first
ets to the remote computer that hosts the website,These packets contain requests for the remote com-
puter to send back the contents of the website,See id,at 140–45 (explaining how web pages work),
The remote computer then sends back several packets that together contain the contents of the web page,
and the user’s computer reassembles them and presents him with the web page requested,Although it
appears to the user as though he is,visiting” the website,the computers achieve this appearance through
a complex exchange of packets across the Internet,
30
See id,at 34–38,
31
See BRENDAN P,KEHOE,ZEN AND THE ART OF THE INTERNET 5 (4th ed,1996) (explaining IP ad-
dresses),IP addresses consist of a set of four numbers,each from 0 to 255,linked with a period,So,for
example,an IP address might be 123.9.232.87,See id,
32
See VINCENZO MEDILLO ET AL.,A GUIDE TO TCP/IP NETWORKING (1996) (“IP’s job is simply to
find a route for the datagram and get it to the other end,In order to allow routers or other intermediate
systems to forward the datagram,it adds its own header,The main things in this header are the source
and destination IP address,the protocol number,and another checksum.”),available at
http://www.ictp.trieste.it/~radionet/nuc1996/ref/tcpip/ (last visited Feb,4,2003),
33
See id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
615
packet will start with the packet header,which is needed to deliver the packet
to the recipient’s server,and then will contain a payload that consists of both
the mail header and then the beginning of the email’s contents,The second
packet then starts with its own packet header,followed by a payload that con-
sists of the next portion of the email’s contents,The third packet comes last,
and consists of a packet header and then the last portion of the email.
34
When
the email arrives at its destination,the server will shed the packet headers and
reassemble the email into the mail header and the contents of the email,
The following table summarizes the envelope and content information
for the four types of communications network surveillance,
TABLE 1,ENVELOPE AND CONTENT INFORMATION FOR POSTAL MAIL,
TELEPHONE CALLS,EMAILS,AND INTERNET PACKETS
34
Notably,each packet includes its own number,so that the different packets can arrive at different
times to their destination and the computer at the destination will be able to reassemble them into the
original communication,See GRALLA,supra note 24,at 13,
SURVEILLANCE
TYPE
ENVELOPE
INFORMATION
CONTENT
INFORMATION
Postal Mail
1) To,from mailing
address of a letter
2) Postmark,stamp
3) Color,size,weight
of package
The contents of the letter
Telephone 1) To,from telephone
numbers for a call
The contents of the
telephone
Email
1) To,from email
address for an
email
2) Mail header info
(length of email,
digital postmarks)
minus the subject line
The contents of the
email,including the
subject line
Internet Packets 1) To,from IP
addresses
2) Remaining packet
header information
(length of packet,
type of traffic)
Payload of the packet
(the contents of any
communication between
two computers)
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
616
Notably,all four categories mirror the distinction between envelope and
content information,The envelope provides addressing information,and
the content provides the actual communication that the network will deliver
to its destination,
B,Prospective Versus Retrospective Surveillance
The next distinction considers the timing of the surveillance,Is the
surveillance designed to capture future communications that have not yet
been sent over the network (“prospective” surveillance),or is it designed to
look for stored records and past communications that may be retained in the
network (“retrospective” surveillance)? Wiretapping a telephone provides
the classic example of prospective surveillance,When the FBI wiretaps a
telephone line,it seeks to listen to the contents of future conversations,In
the case of retrospective surveillance,in contrast,the government seeks to
access stored records of past communications,The use of O.J,Simpson’s
telephone records in his murder trial furnishes a well-known example.
35
The Los Angeles Police Department obtained Simpson’s phone records to
show that Simpson had made several suspicious calls the night of his wife’s
murder.
36
This example illustrates retrospective surveillance of envelope
information; the police used the phone company’s stored business records
relating to past communications to try to prove Simpson’s guilt.
37
The law often distinguishes between prospective and retrospective sur-
veillance because they raise somewhat different privacy concerns,As Jus-
tice Douglas noted in his concurrence in Berger v,New York,
38
prospective
surveillance can at worst constitute,a dragnet,sweeping in all conversation
within its scope.”
39
The surveilling party taps into the network at a given
location and picks up traffic passing through,but cannot know in advance
exactly what the traffic will be,Some of the traffic may prove relevant,but
usually much of the traffic will not be.
40
Further,it can be technically diffi-
cult (if not impossible) to filter the communications down to the relevant
evidence before the government observes it,Accordingly,prospective sur-
veillance tends to raise difficult questions of how the communications
should be filtered down to the evidence the government seeks.
41
In con-
trast,the scope of retrospective surveillance is generally more limited,The
35
See Michael Miller,Time of Phone Call a Key to O.J,Case,S.F,EXAMINER,Aug,13,1994,at
A1,
36
See id,
37
See id,
38
388 U.S,41,64–68 (1967) (Douglas,J.,concurring),
39
Id,at 65,
40
See Scott v,United States,436 U.S,128,145 (1978) (Brennan,J.,dissenting) (“Because it is dif-
ficult to know with any degree of certainty whether a given communication is subject to interception
prior to its interception,there necessarily must be a margin of error permitted.”),
41
See id,at 140–43 (discussing difficulties of filtering the fruits of a wiretap),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
617
primary difference is that in most cases a substantial portion of the evidence
will no longer exist.
42
Because retrospective surveillance involves access-
ing records that have been retained in a network,the scope of surveillance
ordinarily will be limited to whatever information or records may have been
retained in the ordinary course of business.
43
Some records may be kept,
but others may not,
Retrospective surveillance also presents less formidable filtering chal-
lenges than prospective surveillance because the process of storing records
may itself help filter them,For example,retrospective surveillance of a
computer network generally means accessing stored files; an individual will
log on to a computer and look through logs and files that the system may
have retained in a particular folder or storage location,In the case of
emails,emails arriving at an Internet service provider will ordinarily be
screened and deposited by the ISP’s computer into individual accounts.
44
If
law enforcement obtains an order compelling the ISP to divulge all stored
emails in a particular email account,the ISP will be able to locate emails in
the account without screening through other emails.
45
In contrast,prospec-
tive surveillance means intercepting Internet packets as they cross the Inter-
net,or installing a monitoring device that collects the information
immediately before it is packetized and sent across the Internet or immedi-
ately after it arrives at its destination and is depacketized,The latter will
tend to pick up more information than the former.
46
The difference is merely one of degree,however,Filtering out unre-
lated files for materials targeted by a court order presents a constant chal-
lenge.
47
For example,in the case of retrospective surveillance of an email
account,the government can obtain a search warrant to obtain evidence of
crime in the form of stored emails,Someone must go through the stored
emails in the account and separate the pertinent from the non-pertinent
42
See CCIPS MANUAL,supra note 15,at 137 (“In general,no law regulates how long network ser-
vice providers must retain account records in the United States,Some providers retain records for
months others for hours,others not at all.”),
43
See id,
44
See id,at 82,
45
See,e.g.,United States v,Lamb,945 F,Supp,441,458–59 (N.D.N.Y,1996) (search warrant or-
dering AOL to divulge,all stored files” in specific Internet accounts),
46
See GRALLA,supra note 24,at 15,This may depend on the particular circumstances,however,
For example,a network may or may not have a,firewall” in place that records packet header informa-
tion entering or exiting the network protected by the firewall,Absent a firewall,no record of these
packets would ordinarily be kept,
47
See Andresen v,Maryland,427 U.S,463,482 n.11 (1976),The court noted,
In searches for papers,it is certain that some innocuous documents will be examined,at least cur-
sorily,in order to determine whether they are,in fact,among those papers authorized to be seized,
Similar dangers,of course,are present in executing a warrant for the,seizure” of telephone con-
versations,In both kinds of searches,responsible officials,including judicial officials,must take
care to assure that they are conducted in a manner that minimizes unwarranted intrusions upon
privacy,
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
618
files.
48
Nonetheless,retrospective surveillance usually presents a less se-
vere filtering challenge than prospective surveillance.
49
C,Powers of the Government Versus Powers of the Provider (“Who”)
Having explored the types of information that the government may wish
to monitor on a communications network,we can now look to the different
types of legal rules that may regulate the surveillance,Legal rules governing
surveillance of communications networks generally divide into two types,
rules concerning government surveillance of the network for law enforcement
purposes,and rules governing network providers who may conduct surveil-
lance of their own and wish to disclose the information to the government.
50
Of these two types of rules,the latter is less understood,but no less impor-
tant,In any communications network,a service provider will administer each
48
See,e.g.,Lamb,945 F,Supp,at 458–59 (rejecting a Fourth Amendment challenge to a search
warrant for stored email in which the warrant required AOL to divulge,all stored files” in specific
Internet accounts to the government,rather than only the evidence of crime),Justice White stated this
point quite aptly in his Berger dissent,
Petitioner suggests that the search is inherently overbroad because the eavesdropper [conducting
prospective surveillance] will overhear conversations which do not relate to criminal activ-
ity.,,, [However,] the same is true of almost all searches of private property which the Fourth
Amendment permits,In searching for seizable matters,the police must necessarily see or hear,
and comprehend,items which do not relate to the purpose of the search,That this occurs,how-
ever,does not render the search invalid,so long as it is authorized by a suitable search warrant and
so long as the police,in executing that warrant,limit themselves to searching for items which may
constitutionally be seized,
Berger,388 U.S,at 108 (White,J.,dissenting),
49
Notably,the technology of the Internet can blur the line between prospective and retrospective
surveillance because communications in transit from their origin to their destination can be temporarily
stored at intermediary points,either for a few milliseconds,or for a longer period,Because the law
draws a distinction between prospective Internet surveillance (governed by the Wiretap Act and the Pen
Register Statute,18 U.S.C.A,§§ 2510–2522,3121–3127 (West Supp,2002)) and retrospective surveil-
lance (governed by the Electronic Communications Privacy Act (ECPA),id,§§ 2701–2711),this creates
a series of questions as to where to draw the line between these two legal regimes,Compare Steve Jack-
son Games,Inc,v,United States Secret Serv.,36 F.3d 457,460–63 (5th Cir,1994) (holding that a tem-
porarily stored email file is governed by ECPA,not the Wiretap Act),with Konop v,Hawaiian Airlines,
236 F.3d 1035,1048 (9th Cir.) (holding that a temporarily stored email file is governed by the Wiretap
Act in addition to ECPA),withdrawn,262 F.3d 972 (9th Cir,2001),rev’d,302 F.3d 868 (9th Cir,2002),
The Patriot Act helped clarify this line by removing the statutory language that past courts had used to
find that the prospective Wiretap Act governed temporarily stored contents,See 18 U.S.C.A,§ 2510(1)
(defining,wire communication”); United States v,Smith,155 F.3d 1051,1058–59 (9th Cir,1998) (rely-
ing on the pre-Patriot Act definition of,wire communication” to hold that the Wiretap Act applies to
stored voicemail),The courts have not yet had the opportunity to draw the line post-Patriot Act,How-
ever,presumably the courts will draw some kind of functional equivalence test,in which the functional
equivalent of prospective surveillance is government by the Wiretap Act and Pen Register Statute,while
access to a stored file in a way that is not the functional equivalent of prospective surveillance is gov-
erned by ECPA,
50
Another possible category exists,rules concerning provider surveillance of the network at the re-
quest of (or pursuant to a court order obtained by) law enforcement,However,I will consider these
rules as a subset of the rules concerning government surveillance of the network,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
619
segment of the network with responsibility for that portion of the network.
51
A
network can have a single provider like the United States Postal Service,The
Postal Service enjoys a statutory monopoly over the United States postal mail
system.
52
Most networks are decentralized,however,The Internet provides a
clear example of a highly decentralized network,No one owns the Internet as a
whole,Instead,thousands of independent Internet service providers (ISPs)
each administer small corners of the network.
53
Rules governing provider surveillance are quite important because provid-
ers often need to surveil their corner of the network for a variety of business-
related reasons,For example,the phone company may need to keep records of
calls for long-distance billing (envelope surveillance)
54
or may need to listen to
calls on occasion to combat telephone fraud or assess the quality of the line
(content surveillance).
55
Similarly,ISPs may need to maintain email logs,or
intercept communications in transit to determine the source of a network prob-
lem or ferret out an unauthorized intruder.
56
Providers may discover evidence
of a crime on their own and wish to report it to law enforcement,
1,Government Powers.—In categorizing the rules,two features stand
out as the most important,The first considers the legal threshold that the gov-
ernment must satisfy before it can collect a particular type of information,The
second considers the different rules that may apply depending on whether the
government conducts the surveillance of the network itself,or the government
obtains an order requiring the provider to monitor on the government’s behalf.
57
a,Thresholds (“When”).—The first question asks,What type
of threshold showing must the government make before it can acquire a cer-
tain type of information? For example,should the FBI be allowed to open
postal mail without a court order,or must the FBI first obtain a search war-
rant? Can the local police require the phone company to provide a cus-
tomer’s long-distance records without a court order,or is some court order
required,and if so,what kind of order?
51
See CASTELLS,supra note 11,
52
See Air Courier Conference of Am,v,Am,Postal Workers Union,498 U.S,517,519 (1991)
(“Since its establishment,the United States Postal Service has exercised a monopoly over the carriage of
letters in and from the United States.”).,The postal monopoly is codified,,, [at] 18 U.S.C,§§ 1693–
1699 and 39 U.S.C,§§ 601–606.” Id,
53
See GRALLA,supra note 24,at 5,
54
See,e.g.,Smith v,Maryland,442 U.S,735,742 (1979) (“In fact,pen registers and similar devices
are routinely used by telephone companies for the purposes of checking billing operations,detecting
fraud and preventing violations of law.” (internal quotations omitted)),
55
See,e.g.,Bubis v,United States,384 F.2d 643 (9th Cir,1967),
56
See,e.g.,CLIFF STOLL,THE CUCKOO’S EGG (1989) (recounting how a system administrator con-
ducted electronic surveillance of his network to trace a computer hacker),
57
Other questions include the role of judicial review in obtaining the order and later challenging it,
as well as the remedy when the law has been violated,From a practical standpoint,these factors can be
important determinants of how closely and consistently the laws are followed,For the sake of simplic-
ity,however,I will skip these questions in the course of the analysis,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
620
The different thresholds can be placed along a continuum,ranging
from the lowest threshold to the highest,A continuum based on thresholds
commonly found in current surveillance law might look something like this,
TABLE 2,LEGAL THRESHOLDS FOR GOVERNMENT SURVEILLANCE
NO LEGAL PROCESS
The government can acquire the informa-
tion without process or order,
SUBPOENA
The government must obtain a subpoena,
such as a grand jury subpoena duces
tecum
58
or an administrative subpoena,be-
fore acquiring the information.
59
The sub-
poena compels the provider to disclose the
information to the government,
RELEVANCE COURT ORDER
The government must obtain a court order
before acquiring the information but can
obtain the order merely by certifying to the
court that the information likely to be ob-
tained is relevant to a law enforcement in-
vestigation.
60
ARTICULABLE FACTS
COURT ORDER
The government must obtain a court order
before acquiring the information,and to ob-
tain the order must offer specific and ar-
ticulable facts establishing reasonable
grounds to believe the information to be
obtained is both relevant and material to an
ongoing criminal investigation.
61
58
See,e.g.,FED,R,CRIM,P,6 (granting subpoena power to federal grand jury),
59
See,e.g.,5 U.S.C,app,(2000) (authorizing administrative subpoenas pursuant to § 6(a)(4) of the
Inspector General Act),
60
See,e.g.,18 U.S.C.A,§ 3123 (West Supp,2002) (describing process for obtaining a pen register
or trap and trace order),
61
See,e.g.,id,§ 2703(d) (requiring government to obtain a court order before ordering an Internet service
provider to divulge records,and stating that the order must state,specific and articulable facts showing that
there are reasonable grounds to believe that the contents of a wire or electronic communication,or the records
or other information sought,are relevant and material to an ongoing criminal investigation”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
621
PROBABLE CAUSE
SEARCH WARRANT
The government must obtain a search war-
rant before acquiring the information,The
search warrant requires,probable cause,”
which in the criminal context means that
the government must offer facts establish-
ing a likelihood that a crime has occurred
and that evidence of the crime exists in the
location to be searched.
62
“SUPER” SEARCH WARRANT
The government must obtain a special
search warrant before acquiring the infor-
mation that adds threshold requirements
beyond those of ordinary search warrants
(e.g.,requiring the government to exhaust
all other means of obtaining the informa-
tion,requiring special authorization).
63
THE GOVERNMENT MAY NOT
ACQUIRE THE INFORMATION BY
ANY LEGAL PROCESS
The law may forbid the government from
acquiring the information regardless of the
legal process,
This list is illustrative rather than exhaustive,It reflects the continuum
of court orders and legal processes that Congress currently uses to govern
law enforcement surveillance of communications networks,For the most
part,the greater the privacy interest at stake,the higher the threshold Con-
gress uses,Exactly what thresholds apply is up to Congress when it enacts
statutory privacy laws and the courts when they interpret the Fourth
Amendment,
b,Direct Versus Indirect Surveillance (“How”).—The second
issue raised by government surveillance is the difference between what I
will call,direct” and,indirect” government surveillance,Direct govern-
ment surveillance rules authorize the government to conduct surveillance of
the network on its own,In contrast,indirect government surveillance rules
authorize the government to compel providers to conduct surveillance on
the government’s behalf,The difference between direct and indirect sur-
62
See FED,R,CRIM,P,41 (authorizing the issuance of search warrants based on probable cause);
18 U.S.C.A,§ 2703(a) (requiring a search warrant to compel an ISP to disclose the contents of certain
types of stored communications held by the ISP),
63
See 18 U.S.C.A,§ 2516 (describing procedure for obtaining a Wiretap order),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
622
veillance lies in the implementation of court orders,does the government
install its own monitoring device and tap into the network directly,or does
it serve the order on the provider and require the provider to conduct the
monitoring and provide the results to law enforcement? The former is di-
rect surveillance,the latter indirect surveillance,
The law may distinguish between direct and indirect surveillance be-
cause the two can raise somewhat different privacy concerns,Indirect sur-
veillance imposes a third-party screen between the network and the
government,and the government sees only what the provider shows them,
If the prospect of government overreaching concerns us more than that of
provider overreaching,a law that imposes more serious legal constraints on
direct surveillance would be a more favorable option,At the same time,if
there is reason to believe that a provider will be unwilling or unable to
comply fully with a surveillance order,it may be preferable to allow the
government to engage in direct surveillance,Each type of surveillance re-
quires trust in someone; the difference comes in who receives the grant of
trust,Direct surveillance asks us to trust the government,and indirect sur-
veillance asks us to trust the provider,
These competing concerns occupied center stage in the recent debate
over Carnivore,the FBI’s tool for conducting direct surveillance of the
Internet.
64
Carnivore (later incarnations of which have been known as
DCS-1000) is a,packet sniffer,” an Internet wiretap that reads traffic while
it is in transit in packet form.
65
Carnivore is discussed in depth in Section
III,but for now it is important to note that the Carnivore debate revolves in
part around the issue of whether Internet surveillance should proceed by
way of direct surveillance or indirect surveillance,Should providers be
trusted to use their own surveillance devices to implement surveillance or-
ders,or can the FBI be trusted to conduct the surveillance with Carnivore?
Either way,an accountable party must conduct the surveillance pursuant to
a court order and turn over the results to law enforcement,
2,Provider Powers.—Providers themselves often conduct surveil-
lance of their network,As a result,surveillance rules must also consider
when and how providers can collect information about the communications
within their network,and also when they can disclose that information to
law enforcement,The rules regulating provider surveillance focus gener-
ally not on legal process,but rather on the factual circumstances in which
64
See,e.g.,Thomas R,McCarthy,Don’t Fear Carnivore,It Won’t Devour Individual Privacy,66
MO,L,REV,827 (2001); Christian David Hammel Schultz,Note,Unrestricted Federal Agent:,Carni-
vore” and the Need To Revise the Pen Register Statute,76 NOTRE DAME L,REV,1215 (2001); Manton
M,Grier,Jr.,Comment,The Software Formerly Known as,Carnivore”,When Does Email Surveil-
lance Encroach Upon a Reasonable Expectation of Privacy?,52 S.C,L,REV,875 (2001); Aaron Ken-
dal,Comment,Carnivore,Does the Sweeping Sniff Violate the Fourth Amendment?,18 T.M,COOLEY
L,REV,183 (2001),
65
See infra Part III,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
623
the law prohibits provider surveillance and disclosure,Consider the follow-
ing example,Imagine that a band of computer hackers breaks into a pro-
vider’s computer network,and that the hackers set up illegal servers from
within the network to distribute counterfeit software to other hackers,The
provider would likely notice the illegal entry when the unauthorized traffic
slowed down the rest of the network,To locate the problem and block the
unauthorized traffic,a network administrator would likely conduct various
forms of surveillance,He might look through the network for the illegal
server (conducting retrospective surveillance),set up a sniffer to watch the
unauthorized traffic in an effort to trace it (prospective surveillance),and,if
that is successful,may wish to disclose the records to the police to help
them crack the case (disclosure),The rules governing the providers regu-
late when the provider can conduct specific types of surveillance and when
the provider can disclose that information to law enforcement.
66
II,THE PATRIOT ACT AND APPLYING THE PEN REGISTER
STATUTE TO THE INTERNET
The passage of the USA Patriot Act on October 26,2001 has been
widely portrayed as a dark moment for the civil liberties of Internet users,
The ACLU declared that the Act gave law enforcement,extraordinary new
66
The different categories can be summarized using a fairly simple matrix,A blank matrix might
look like this,
TABLE 3
TYPE OF INFORMATION
CONDITIONS WHEN
GOVERNMENT
SURVEILLANCE
ALLOWED
CONDITIONS WHEN
PROVIDER SURVEILLANCE
AND DISCLOSURE TO
GOVERNMENT ALLOWED
Envelope Information,
Prospective
Direct,
Indirect,
Envelope Information,
Retrospective
Direct,
Indirect,
Content Information,
Prospective
Direct,
Indirect,
Content Information,
Retrospective
Direct,
Indirect,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
624
powers.”
67
Another civil liberties group,the Electronic Frontier Founda-
tion,announced that,the civil liberties of ordinary Americans have taken a
tremendous blow with this law.”
68
The website of the Electronic Privacy
Information Center featured a drawing of a tombstone that stated,The
Fourth Amendment,1789–2001.”
69
Major media outlets agreed,The New
York Times viewed the Act as an overreaction to September 11th,and con-
cluded that the law gave the government unjustified,broad new powers.”
70
The Washington Post also opposed the Act,its editorial board described
the Patriot Act as,panicky legislation” that,reduce[d] the healthy oversight
of the courts.”
71
The unanimous verdict was that the Patriot Act created a
sweeping and probably unjustifiable expansion of law enforcement author-
ity in cyberspace.
72
Is this verdict justified? To answer this,it is crucial to recognize that
the Patriot Act is not a single coherent law,The Act collected hundreds of
minor amendments to federal law,grouped into ten subparts or,Titles,” on
topics ranging from immigration to money laundering.
73
With many of
these amendments,the devil is in the details,especially in the electronic
surveillance context,the complex relationship among sections of statutory
text means that the changes often defy easy soundbites,Further,the lan-
guage that passed on October 26th differed in significant ways from the
language the Justice Department first proposed just a few days after Sep-
tember 11th,The congressional negotiations that ensured the quick passage
of the Patriot Act led to many compromises,and even considerable victo-
ries for the Act’s opponents,Altogether,these features make broad charac-
terizations of the Patriot Act difficult to maintain,
When we focus on the Internet surveillance provisions that passed into
law,however,it becomes clear that the popular understanding of the Patriot
Act is substantially wrong,The Patriot Act did not tilt the balance between
67
ACLU Legislative Analysis,USA Patriot Act Boosts Government Powers While Cutting Back on
Traditional Checks and Balances,at www.aclu.org/congress/110101a.html (last visited Feb,4,2003),
68
Elec,Frontier Found.,EFF Analysis of the Provisions of the USA Patriot Act That Relate to
Online Activities (Oct,31,2001),at www.eff.org/Privacy/Surveillance/Terrorism_militias/2001
1031_eff_usa_patriot_analysis.html,
69
See Patricia Cohen,9/11 Law Means More Snooping? Or Maybe Less?,N.Y,TIMES,Sept,7,
2002,at B9,
70
Robin Toner & Neil A,Lewis,House Passes Terrorism Bill Much Like Senate’s,But with 5-Year
Limit,N.Y,TIMES,Oct,13,2001,at B6,
71
See Editorial,A Panicky Bill,WASH,POST,Oct,26,2001,at A34,
72
As a student author recently concluded:,Although it is unlikely that the USA PATRIOT Act’s
far-reaching extensions of surveillance law would have enabled the government to prevent the tragedy
we witnessed on September 11th,2001,it is patently apparent how we will all pay the price of a false
sense of security at the cost of cherished freedoms.” Sharon H,Rackow,Comment,How the USA
PATRIOT Act Will Permit Governmental Infringement upon the Privacy of Americans in the Name of
“Intelligence” Investigations,150 U,PA,L,REV,1651,1696 (2002),
73
See Pub,L,No,107-56,115 Stat,272,The Act consists of ten subparts,Title I through Title X,
Only one of these subparts,Title II,directly relates to Internet surveillance laws,See id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
625
Internet privacy and security strongly in favor of security,Most of the Pa-
triot Act’s key changes reflected reasonable compromises that updated anti-
quated laws,Some of these changes advance law enforcement interests,but
others advance privacy interests,and several do both at the same time,
None challenged the basic legal framework that Congress created in 1986 to
protect Internet privacy,Studying the Internet surveillance provisions of
the Act suggests that the media portrayal of the Patriot Act as,extraordi-
nary” and,panicky legislation” has little in common with the law Congress
actually enacted,
The remainder of this Article explores how the common understanding
of the Patriot Act misses the mark by focusing on three particularly contro-
versial aspects of the Patriot Act,Admittedly,this approach sacrifices
breadth for depth,as it ignores dozens of Patriot Act amendments that
equally deserve careful study.
74
However,the approach also lets us exam-
ine a few specific controversies with care and to use them as examples that
generally apply to the Patriot Act as a whole.
75
In particular,this Part of the Article will explore one of the most contro-
versial provisions of the Patriot Act,the amendments making the pen regis
74
For example,the Patriot Act made many minor changes to the rules governing retrospective sur-
veillance,which affected the privacy protections governing both voicemails and Internet records,These
changes appear in the newly revamped 18 U.S.C.A,§ 2703,However,the three examples I study in this
Article all involve prospective surveillance,The limited scope of my approach also means that I focus
on fairly specific changes to the surveillance laws,while ignoring others that may be related,For exam-
ple,the pen register amendments clarified that the laws applied to the Internet (which I discuss in this
Part) and also allowed the government to obtain nationwide orders (which I do not discuss),
75
Of course,some provisions of the Patriot Act may prove to have serious negative consequences
for privacy and civil liberties,The Patriot Act’s amendments relating to the Foreign Intelligence Sur-
veillance Act,50 U.S.C.A,§§ 1801–1811 (West Supp,2002),are particularly notable in this regard,as
is the broader restructuring of the relationship between law enforcement and the intelligence community
in surveillance investigations,
At the same time,several provisions in the Patriot Act other than the ones I discuss in this Article
were controversial in large part because they were misrepresented in the press,The attention paid to
“roving wiretaps” provides a good example,Congress first enacted a law allowing the government to
obtain roving wiretaps in criminal cases in 1986,and the debate over their use goes back to that period,
See,e.g.,Clifford S,Fishman,Interception of Communications in Exigent Circumstances,The Fourth
Amendment,Federal Legislation,and the United States Department of Justice,22 GA,L,REV,1 (1987),
These laws were challenged and upheld by the courts,See,e.g.,United States v,Petti,973 F.2d 1441,
1443 (9th Cir,1992) (Browning,J.),Section 206 of the Patriot Act expanded this authority to FISA
cases,so that it could be used in terrorism investigations,in addition to criminal investigations,The
press and commentators sometimes ignored this preexisting authority,however,and instead discussed
the Patriot Act as if it were the first law to introduce roving wiretaps,See,e.g.,Editorial,Constitutional
Concerns,DAILY OKLAHOMAN,Sept,29,2001,at 6A; Erwin Chemerinsky,Giving Up Our Rights for
Little Gain,L.A,TIMES,Sept,27,2001,at B17,As a result,to a large extent the public debate over the
roving wiretap provisions of the Patriot Act concerned whether the events of September 11th justified a
law that Congress had already enacted fifteen years earlier,Of course,the fact that Congress enacted a
law in 1986 does not in itself justify its existence today,but it does seem relevant to whether the
amendment broke new ground,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
626
ter law applicable to the Internet.
76
The pen register law has governed pro-
spective envelope surveillance of the telephone since Congress enacted it in
1986,
77
and the Patriot Act makes clear that this law also applies to the Inter-
net,The press uniformly presented this change as a significant expansion of
law enforcement authority.
78
The Washington Post stated that this change
“makes it easier for the government to engage in wiretapping by,in effect,low-
ering the standard of judicial review.”
79
The New York Times described this
change as a grant of,broad authority to inspect logs of Internet use and the ad-
dress fields of email messages.”
80
Both the political left and the political right
agreed that this was a significant and potentially dangerous change,On the left,
the New Republic thundered that this change gave the government,essentially
unlimited authority to install recording devices”
81
to monitor the Internet,On
the right,a group of lawyers affiliated with the Federalist Society approved of
the Patriot Act as a whole,but singled out the pen register amendments as the
only troubling change to the electronic surveillance laws.
82
This Part will explain why these criticisms of the Patriot Act are un-
founded,The pen register amendments to the Patriot Act do not signal an
unwarranted expansion of law enforcement authority,To the contrary,the
changes reaffirm existing law that aligns Internet surveillance law with postal
and telephone surveillance,More importantly,to the extent that the amend-
ments actually changed the law at all,on the whole they probably added to
the privacy of Internet communications,rather than subtracted from it,Ironi-
cally,the pen register amendments that have been portrayed as unwarranted
expansions of law enforcement authority are neither unwarranted,nor even
expansions of authority,This does not mean that Congress could not increase
the privacy protections of the pen register law in the future; it could,and I
think it probably should,However,it turns out that the Patriot Act is not the
source of the problem,but rather the first step toward a better solution,
To understand how the common wisdom has misjudged the Patriot
Act’s pen register amendments,it is necessary to step back and understand
why statutory protections matter in this area,as well as how the law treats
76
The pen register law is codified at 18 U.S.C,§§ 3121–3127,
77
The pen registers laws were passed as part of the Electronic Communications Privacy Act of
1986,Pub,L,No,99-508,100 Stat,1848,
78
See,e.g.,Declan McCullagh,USA Act Stampedes Through,WIRED NEWS,Oct,25,2001 (“The
U.S,Senate is set to end a month-long debate over balancing freedom and security on Thursday by
granting police more surveillance power and sharply curtailing Americans’ privacy.”),available at
www.wired.com/news/conflict/0,2100,47858,00.html (last visited Feb,4,2003),
79
See Editorial,supra note 6,
80
Lisa Guernsey,Living Under An Electronic Eye,N.Y,TIMES,Sept,27,2001,at G1,
81
Jeffrey Rosen,Tapped Out,NEW REPUBLIC,Oct,15,2001,at 12,
82
See TOM GEDE ET AL.,FEDERALIST SOCIETY FOR LAW AND PUBLIC POLICY STUDIES,WHITE
PAPER ON ANTI-TERRORISM LEGISLATION,SURVEILLANCE & WIRETAP LAWS,DEVELOPING
NECESSARY AND CONSTITUTIONAL TOOLS FOR LAW ENFORCEMENT 21–22 (calling the pen register
amendments,the single most difficult issues presented by the new law”),at http://www.fed-soc.org/
Publications/Terrorism/Anti-TerrorismLegislation.pdf (last visited Feb,4,2003),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
627
the prospective surveillance of envelope information in other contexts,such
as the postal network and the telephone,This facilitates a comparison be-
tween the law applied to Internet envelope surveillance before the Patriot
Act and the law after the Patriot Act,
A,Internet Privacy Is Statutory Privacy
Most discussions of the rules that govern government surveillance fo-
cus on the Fourth Amendment and the,reasonable expectation of pri-
vacy”
83
test,In the case of Internet privacy law,however,the real action
tends to be in the legislature,not the courts,The explanation for this lies in
the narrow way that the courts have interpreted the reasonable expectation
of privacy test in communications networks,While many questions remain,
the existing cases appear to have left Congress with relative liberty to create
the set of rules it thinks best,To a surprising extent,Internet privacy is
statutory privacy,Under current law,Congress creates the primary rules
that regulate law enforcement surveillance of the Internet,rather than the
courts.
84
The cases most responsible for the fairly narrow Fourth Amend-
ment protections in communications networks hold that an individual has
no reasonable expectation of privacy in information revealed to third par-
ties.
85
I will call this mechanism the disclosure principle,information dis-
closed to a third party does not receive Fourth Amendment protection,If I
tell you a secret,the government cannot violate my reasonable expectation
of privacy by persuading you to disclose my secret to the police.
86
While
such an expectation of privacy might seem reasonable in a practical sense—
a reasonable person might expect you not to disclose the secret—the courts
have concluded that it is not,reasonable” in a constitutional sense.
87
83
Katz v,United States,389 U.S,347,361 (1967) (Harlan,J.,concurring),
84
Of course,this statement is based on current law,The courts may start finding constitutional pro-
tections in Internet communications that may be difficult to see based on existing precedents,Cf,Kyllo
v,United States,533 U.S,27,34 (2001) (suggesting that as technology advances,the courts should in-
terpret the Fourth Amendment to,assure preservation of that degree of privacy against government that
existed when the Fourth Amendment was adopted”),
85
The cases include Smith v,Maryland,442 U.S,740,743–44 (1979),United States v,Miller,425
U.S,435,443 (1976),Couch v,United States,409 U.S,322,335 (1973),and Hoffa v,United States,385
U.S,293,302 (1966),
86
See Hoffa,385 U.S,at 302–03 (holding that Jimmy Hoffa’s Fourth Amendment rights were not
violated when his friend to whom he disclosed secrets became a government informant),
87
As the Supreme Court stated in Miller,
[T]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party
and conveyed by him to Government authorities,even if the information is revealed on the as-
sumption that it will be used only for a limited purpose and the confidence placed in the third
party will not be betrayed,
425 U.S,at 443 (citations omitted and emphasis added),See generally Orin S,Kerr,The Fourth
Amendment in Cyberspace,Can Encryption Create a,Reasonable Expectation of Privacy?”,33
CONN,L,REV,503,507–12 (2001) (explaining how the Supreme Court’s,reasonable expectation of
privacy” diverges from the expectation of privacy of a reasonable person),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
628
The disclosure principle carries tremendous significance when consid-
ering how the Fourth Amendment applies to communications networks,
Communications networks require partial (and sometimes total) disclosure
to the network provider to send communications,Envelope information
provides a clear example,Envelope information is simply the,to” and
“from” information offered to the network provider to help the provider de-
liver the contents,For example,the postal service must read the,to” ad-
dress on a letter to deliver it properly,Similarly,a caller necessarily
discloses the phone number he is dialing to the phone company when he
communicates it to the phone company so the company can complete the
call,
Under the disclosure principle,the courts have unanimously rejected
claims of Fourth Amendment protection in envelope information,In the
case of postal mail,the courts have held that postal customers have no rea-
sonable expectation of privacy in the outside of their envelopes and pack-
ages because they must be viewed by Postal Service employees in the
course of delivery.
88
As a result,the government can examine the outside
of an envelope and copy the envelope information without a court order or a
search warrant.
89
The Supreme Court applied the same rationale to the tele-
phone network in Smith v,Maryland,
90
concluding that dialing a telephone
number to connect a call eliminates Fourth Amendment protection in the
numbers dialed because it discloses the numbers dialed to the telephone
company.
91
The courts have more recently applied the same rationale to the
Internet,holding that an Internet user cannot enjoy a reasonable expectation
of privacy in non-content information sent to an ISP because the user has
disclosed the information to the ISP.
92
The disclosure principle also has important implications for Fourth
Amendment protections in the case of content information,Here,we have
to be quite careful,the courts have struggled to apply the Fourth Amend-
ment to contents sent over communications networks,The law is quite
murky and may change,In general,however,the courts have held that a
user has a reasonable expectation of privacy in content information that is
sealed away from the network provider,but does not retain such protection
in information disclosed or openly visible to the provider,In the postal
88
See United States v,Huie,593 F.2d 14,15 (5th Cir,1979) (“There is no reasonable expectation of
privacy in information placed on the exterior of mailed items and open to view and specifically intended
to be viewed by others.”),
89
See United States v,Hinton,222 F.3d 664,675 (9th Cir,2000) (citing United States v,Van
Leeuwen,397 U.S,249,250–52 (1970)),
90
442 U.S,at 745–46,
91
See id,at 743–44,
92
See Guest v,Leis,255 F.3d 325,335–36 (6th Cir,2001) (finding no expectation of privacy in
non-content information disclosed to ISP); United States v,Hambrick,55 F,Supp,2d 504,508–09
(W.D,Va,1999),aff’d,225 F.2d 656 (4th Cir,Aug,3,2000); United States v,Kennedy,81 F,Supp,2d
1103,1110 (D,Kan,2000),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
629
context,for example,a person normally enjoys Fourth Amendment protec-
tion in the contents of their sealed letters,
93
but not in their unsealed post-
cards or opened packages.
94
In the context of the telephone network,a
caller normally enjoys Fourth Amendment protection in the contents of
their calls,
95
but not when they use cordless phones that operate via radio
waves disclosed to the public.
96
The courts have not yet determined how
this rationale applies to Internet communications.
97
However,because the
contents of Internet communications are mixed together with envelope in-
formation and disclosed to the ISP,it is at least possible that courts will find
that Internet users cannot have a reasonable expectation of privacy in Inter-
net content information,much like postcards or cordless phone calls,
Under these precedents,Internet surveillance law has become pre-
dominantly statutory law.
98
The rules that actually govern electronic sur-
veillance tend to be statutory rules,inspired by constitutional values,but not
necessarily governed by constitutional commands.
99
Further,because the
93
See Ex parte Jackson,96 U.S,727,733 (1877) (concluding that the Fourth Amendment protects
sealed postal letters); United States v,Phillips,478 F.2d 743,748 (5th Cir,1973) (“[T]he privacy of a
sealed item bearing the proper amount of postage for a first class item is protected from warrantless
opening,not because it is given the appellation ’first class’ but because the Constitution commands that
result.”),
94
See United States v,Jacobsen,466 U.S,109,119 (1984) (holding that,Respondents could have
no privacy interest in the contents of the package,since it remained unsealed”); United States v,
Vasquez,858 F.2d 1387,1391 (9th Cir,1988) (concluding that because envelope was found unsealed,
police officer’s search of its contents did not violate the defendant’s Fourth Amendment rights),Re-
markably,no cases exist directly dealing with Fourth Amendment protections in postcards,However,
there are many cases dealing with Fourth Amendment rights in unsealed packages and information on
the exterior of packages and envelopes,all of which hold that a person has no Fourth Amendment pro-
tection in such information,
95
See Berger v,New York,388 U.S,41,44–45 (1967) (finding Fourth Amendment protection in
the contents of telephone conversations),
96
See,e.g.,Tyler v,Berodt,877 F.2d 705,706 (8th Cir,1989); McKamey v,Roach,55 F.3d 1236,
1239–40 (6th Cir,1995); United States v,McNulty,47 F.3d 100,104–06 (4th Cir,1995); United States
v,Smith,978 F.2d 171,177–81 (5th Cir,1992),Of course,Congress can protect such calls when the
Fourth Amendment does not,In the case of cordless telephone calls,Congress added statutory protec-
tion against their interception in 1994,See McKamey,55 F.3d at 1238 n.1,
97
See United States v,Bach,310 F.3d 1063,1066 (8th Cir,2002) (assuming,but not deciding,that
the Fourth Amendment protects stored emails and noting that,[w]hile it is clear to this court that Con-
gress intended to create a statutory expectation of privacy in e-mail files,it is less clear that an analo-
gous expectation of privacy derives from the Constitution”),
98
Of course,this case law has not stopped most commentators on Internet surveillance law from
making the case for strong privacy protections in constitutional terms,The most common approach is to
recite a brief history of Fourth Amendment law ending in 1967 with Katz v,United States,389 U.S,347
(1967),and then to announce that Katz guarantees strong privacy protections in new technologies,See,
e.g.,Rackow,supra note 72,at 1656 (following this path and concluding that,[p]rivacy as protected by
the Fourth Amendment denotes a right to be free from unwanted governmental surveillance”),This ap-
proach surely reflects honorable aspirations,but it strangely ignores the fact that in the thirty-five years
since Katz,the courts have mostly rejected such an expansive view of its holding,
99
In fact,the courts have often deferred to Congress’s judgment when confronted with a Fourth
Amendment challenge to electronic surveillance,See,e.g.,McNulty,47 F.3d at 105–06 (rejecting a claim
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
630
courts have demonstrated a marked reluctance to incorporate legislative
standards of privacy protection in new technologies into constitutional
Fourth Amendment rules,
100
statutory laws often provide the only rules that
protect Internet privacy,Absent some legislative rules,few privacy protec-
tions exist,
Congress has responded to this constitutional vacuum with a series of
laws that offer relatively strong (although hardly perfect) legislative privacy
protections,Congress first made it a crime to wiretap telephone lines in
1934,
101
even though wiretapping did not violate the Fourth Amendment at
that time.
102
Congress has since revisited the surveillance statutes every
few years to take into account advancing technology and changing social
norms,The two most important dates are 1968 and 1986,In 1968,Con-
gress created the modern Wiretap Act that regulates prospective content
surveillance of telephone lines today,
103
and in 1986,Congress expanded
that law to the Internet and added regulations of retrospective surveillance
as well when it enacted the Electronic Communications Privacy Act.
104
B,Prospective Envelope Surveillance of the Postal
Network and the Telephone
Although Congress has enacted statutory privacy protections that gov-
ern network surveillance,Congress historically has shown little interest in
protecting mere envelope information,Congress has regulated prospective
content information very strictly,with a warrant requirement in the case of
the postal system,
105
and a super-warrant requirement for telephones and the
of constitutional protection in calls to a cordless phone user,in part on the ground that holding to the con-
trary would force the court,to rule the statutory exceptions of Title III unconstitutional,” an,untoward re-
sult” given the,heavy presumption of constitutionality [that] attaches to the carefully considered decisions
of a coequal and representative branch of our Government” (internal quotations and brackets omitted)); see
also Adams v,City of Battle Creek,250 F.3d 980,986 (6th Cir,2001) (“The Electronic Communications
Privacy Act is part of detailed legislative scheme under Title III of the Omnibus Crime and Control Act of
1986,The legislation seeks to balance privacy rights and law enforcement needs,keeping in mind the pro-
tections of the Fourth Amendment against unreasonable search and seizure,Congress made the Act the
primary vehicle by which to address violations of privacy interests in the communication field.”),
100
See,e.g,McNulty,47 F.3d at 106 (rejecting argument that subsequent legislative protection of
privacy rights in cordless phone calls should influence court to recognize constitutional protections in
the same); United States v,Hambrick,225 F.2d 656 (4th Cir,Aug,3,2000) (rejecting argument that
statutory protection of Internet subscriber information under the Electronic Communications Privacy
Act created a constitutional reasonable expectation of privacy in the information),
101
See 47 U.S.C,§ 605 (1934); Nardone v,United States,302 U.S,379,381–82 (1937),
102
See Nardone,302 U.S,at 381 (citing Olmstead v,United States,277 U.S,438 (1928)),
103
See 18 U.S.C.A,§§ 2510–2522 (West Supp,2002),
104
See Electronic Communications Privacy Act of 1986,Pub,L,No,99-508,§§ 101–11,100 Stat,
1848,1848–59,
105
See Ex parte Jackson,96 U.S,727,733 (1877),Of course,this limitation is constitutional,not statu-
tory,Congress has protected the content of sealed letters and packages sent through the mail through a criminal
prohibition,See 18 U.S.C.A,§ 1703 (“Whoever,being a Postal Service officer or employee,unlawfully,,,
opens any letter,,, shall be fined under this title or imprisoned not more than five years,or both.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
631
Internet.
106
However,mere envelope information has traditionally received
little if any protection in communications networks such as the postal sys-
tem and the telephone,
In the postal system,no statutory protection exists,Surveillance of en-
velope information is governed solely by a postal regulation enacted in
1975.
107
The regulation prohibits envelope surveillance of postal mail
unless it is conducted pursuant to a request to initiate a,mail cover.”
108
The
regulation defines a mail cover as a,nonconsensual record,,, of any data
appearing on the outside cover of any sealed or unsealed class of mail.”
109
A mail cover can be instituted whenever a law enforcement agent files a
written request with the Postal Inspector that,specifies,,, reasonable
grounds to demonstrate the mail cover is necessary to,,, [o]btain informa-
tion regarding the commission or attempted commission of a crime.”
110
When that request is received,the postal inspectors will initiate the mail
cover and conduct envelope surveillance for thirty days.
111
As a matter of
privacy law,the mail cover regulation offers only meager privacy protec-
tion,Law enforcement agents do not need to obtain a court order,and no
judge need ever learn of the surveillance,If agents violate the statute,there
is no remedy—criminal,civil,or suppression.
112
The law offers somewhat higher protection for prospective envelope
surveillance of the telephone network,The privacy law that applies is
known as the pen register law because in the 1960s the phone company
could create a record of numbers dialed from a telephone by installing a de-
vice known as a pen register.
113
Congress first enacted the pen register law
106
See 18 U.S.C.A,§ 2518 (discussing the requirements that the government must meet to obtain a
Wiretap Order),
107
See 39 C.F.R,§ 233 (2002),This regulation was first enacted on March 12,1975,See 40 Fed,
Reg,11,579 (1975),
108
39 C.F.R,§ 233.3(b),
109
See id,§ 233.3(c)(1) (defining the phrase,mail cover”),The reference to,contents” of,un-
sealed” matter presumably refers to postcards,This includes,the name of the addressee,the postmark,
the name and address of the sender (if it appears),and the class of mail,” United States v,Huie,593 F.2d
14,14 (5th Cir,1979),but may simply consist of a photograph of the exterior of the envelope,see 39
C.F.R,§ 233.3(c)(2) (defining a,record” as,a transcription,photograph,photocopy or any other fac-
simile of the image of the outside cover,envelope,wrapper,or contents of any class of mail”),
110
See 39 C.F.R,§ 233.3(e)(2)(iii),The mail cover can be authorized on other grounds,see id.,but
these are the most common ones,
111
See id,§ 233.3(g)(5),
112
See United States v,Hinton,222 F.3d 664,674 (9th Cir,2000) (“Although it is undisputed that
the officers did not follow the proper procedures for obtaining a mail cover,suppression is not the ap-
propriate remedy,,,,”),
113
A pen register was described by one early court as follows,
The pen register is a mechanical device attached on occasion to a given telephone line,usually at
central telephone offices,A pulsation of the dial on a line to which the pen register is attached re-
cords on a paper tape dashes equal to the number dialed,The paper tape then becomes a perma-
nent and complete record of outgoing calls as well as the numbers called on the particular line,
Immediately after the number is dialed and before the line called has had an opportunity to answer
(actually the pen register has no way of determining or recording whether or not the calls are an-
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
632
in 1986
114
and created a statutory criminal prohibition on the prospective
surveillance of envelope information for the telephone network,subject to a
few exceptions.
115
The pen register law allows the government to obtain a
court order authorizing the collection of envelope information for renew-
able periods of sixty days.
116
Although the application must be made by an
attorney and approved by a federal judge,the threshold for obtaining the
order is low,the attorney must only certify to the court that,the informa-
tion likely to be obtained,,, is relevant to an ongoing criminal investiga-
tion.”
117
Violations of the pen register statute do not result in suppression
of the evidence; instead,the remedy is a criminal prosecution,
118
and in the
case of a lawyer,possible ethical charges.
119
C,Prospective Envelope Surveillance of the Internet,
The Uncertain Privacy Protections Before the USA Patriot Act
What about the Internet? More specifically,in the period leading up to
the Patriot Act,what privacy laws regulated the prospective surveillance of
envelope information in the case of email surveillance and packet surveil-
lance? The answer is surprisingly unclear,The only law that could con-
ceivably have applied was the pen register statute,but it provided an odd mix
of telephone-specific language and more general text,The statute divided the
category of envelope information into two subcategories,the,to” addressing
swered) the pen register mechanically and automatically is disconnected,There is neither re-
cording nor monitoring of the conversation,
United States v,Guglielmo,245 F,Supp,534,535 (N.D,Ill,1965),
114
See Electronic Communications Privacy Act of 1986,Pub,L,No,99-508,§ 301(a),100 Stat,
1848,1868,
115
See 18 U.S.C.A,§ 3121(a) (West Supp,2002),Violations of the pen register statute are misde-
meanors,See id,§ 3121(d),One exception allows providers to collect envelope information in the or-
dinary course of business,See id,§ 3121(b),
116
See id,§§ 3122–3123,
117
Id,§ 3123(a); see also United States Telecom Ass’n v,FCC,227 F.3d 450,454 (D.C,Cir,2000)
(“Rather than the strict probable cause showing necessary for wiretaps,pen register orders require only
certification from a law enforcement officer that ‘the information likely to be obtained is relevant to an
ongoing criminal investigation.’”),So long as the application contains these elements,the court will au-
thorize the installation of the pen/trap device,The court will not conduct an,independent judicial in-
quiry into the veracity of the attested facts.” In re United States,846 F,Supp,1555,1559 (M.D,Fla,
1994); see also United States v,Fregoso,60 F.3d 1314,1320 (8th Cir,1995) (“The judicial role in ap-
proving use of trap and trace devices is ministerial in nature,,,,”),
118
As one court has explained,
The salient purpose of requiring the application to the court for an order is to affix personal re-
sponsibility for the veracity of the application (i.e.,to ensure that the attesting United States Attor-
ney is readily identifiable and legally qualified) and to confirm that the United States Attorney has
sworn that the required investigation is in progress.,,, As a form of deterrence and as a guarantee
of compliance,the statute provides,,, for a term of imprisonment and a fine as punishment for a
violation [of the statute],
In re United States,846 F,Supp,at 1559,
119
A knowingly false certification would constitute not only a violation of the statute but also a ma-
terially false statement to the court in the course of an attorney’s official duties,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
633
information,which historically would be obtained by installing a pen register,
and the,from” addressing information,which historically would be obtained
by running a,trap and trace.”
120
Rather than refer to the information to be
gathered,the structure of the pen register law prohibited the installation or
use of a pen register or trap and trace device without a court order,
Before the Patriot Act,however,the definitions of the terms,pen reg-
ister” and,trap and trace device” did not make clear whether they applied
only to the telephone,or whether they could also apply to the Internet,The
definition of,trap and trace device” was quite broad,it referred to,a de-
vice which captures the incoming electronic or other impulses which iden-
tify the originating number of an instrument or device from which a wire or
electronic communication was transmitted.”
121
Given that most Internet
communications are,electronic communication[s],”
122
this definition ap-
peared to apply to the Internet as well as to the phone system,In contrast,
the definition of,pen register” appeared strikingly telephone-specific,the
law defined a pen register as,a device which records or decodes electronic
or other impulses which identify the numbers dialed or otherwise transmit-
ted on the telephone line to which such device is attached.”
123
So did the pen register laws apply to the Internet? The Justice Depart-
ment believed they did and that the pen register laws regulated both Internet
email and packet-level envelope surveillance just as they did telephone enve-
lope surveillance.
124
In fact,Justice Department practice had embraced the
120
,Trap and trace” information is so called because collecting the information originally required
the telephone company to trace the phone line using a tool known as a,terminating trap.” In re United
States,610 F.2d 1148,1151 (3d,Cir,1979),
121
18 U.S.C.A,§ 3127(4) (West Supp,2002),
122
See CCIPS MANUAL,supra note 15,at 106 (“[A]lmost all Internet communications (including
email) qualify as electronic communications.”),The phrase,electronic communication” means
any transfer of signs,signals,writing,images,sounds,data,or intelligence of any nature transmit-
ted in whole or in part by a wire,radio,electromagnetic,photoelectronic or photooptical system
that affects interstate or foreign commerce,but does not include—
(A) any wire or oral communication;
(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device (as defined in section 3117 of this title); or
(D) electronic funds transfer information stored by a financial institution in a communications sys-
tem used for the electronic storage and transfer of funds;
18 U.S.C.A,§ 2510(12),
123
18 U.S.C.A,§ 3127(3); see also PETER P,SWIRE,ADMINISTRATION WIRETAP PROPOSAL HITS THE
RIGHT ISSUES BUT GOES TOO FAR (Brookings Institute Analysis Paper No,3,2001) (“ECPA has not aged
gracefully,Much of its language reflects the telephone technology of the 1980s rather than the Internet realities
of today.”),available at http://www.brook.edu/dybdocroot/views/articles/fellows/2001_swire.htm,
124
See CCIPS MANUAL,supra note 15,at 102,As the DOJ described in their January 2001 Manual,“The
Pen/Trap statute permits law enforcement to obtain the addressing information of Internet communications
much as it would addressing information for traditional phone calls.,,, The Pen/Trap statute [also] permits
law enforcement to obtain the addressing information of Internet emails (minus the subject line,which can con-
tain contents).” Id,The Manual cites Brown v,Waddell for an example of law enforcement,using a court or-
der,just like it permits law enforcement to obtain addressing information for phone calls and individual Internet
‘packets’ using a court order.” Id,(citing Brown v,Waddell,50 F.3d 285,292 (4th Cir,1995)),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
634
pen register statute for several years as the means of conducting Internet en-
velope surveillance,Federal judges had at least implicitly agreed,judges had
signed pen register orders authorizing Internet email and packet surveillance
hundreds,if not thousands,of times in the years leading up to the Patriot
Act.
125
While some magistrate judges had asked prosecutors whether the
statute applied to the Internet,the judges always satisfied themselves that it
did and signed the order.
126
One magistrate judge in Los Angeles had also
written an unpublished order agreeing that the statute applied to the Internet,
“Although apparently not contemplated by the drafters of the original stat-
ute,” Judge James McMahon wrote,“the use of a pen register order in the
present situation is compatible with the terms of the statute.”
127
The text re-
mained uncertain,but as a matter of law enforcement practice,it was gener-
ally understood that the pen register laws applied to the Internet.
128
Notably,the government’s conclusion that the pen register statute ap-
plied to the Internet created a double-edged sword,Without the pen register
statute,the government could conduct envelope surveillance without a court
order,The government or anybody else could wiretap the Internet and col-
lect any noncontent information it wished without restriction.
129
Applying
the pen register laws to the Internet denied the government the power to
conduct envelope surveillance without a court order,which limited gov-
ernment power and blocked private entities from conducting prospective
envelope surveillance,thus protecting privacy,At the same time,applying
the pen register statute to the Internet benefited law enforcement by giving
the government a relatively easy way of obtaining orders compelling ISPs
to conduct prospective envelope surveillance on the government’s behalf,
Absent that authority,the government would need to install monitoring de-
vices itself,rely on the voluntary cooperation of ISPs,or try to use other
laws requiring a higher factual showing than the pen register laws to obtain
court orders compelling ISPs to conduct envelope surveillance.
130
125
See Carl S,Kaplan,Concern over Proposed Changes in Internet Surveillance,N.Y,TIMES,Sept,
21,2001,at E1 (quoting Marc Zwillinger,former Trial Attorney of the Computer Crime and Intellectual
Property Section of DOJ,that during his time at the Justice Department,he used the pen register statute
to obtain envelope information,hundreds of times”),
126
When I was at the Justice Department,I would occasionally hear of magistrate judges raising such
questions with Assistant U.S,Attorneys who applied for pen register orders to conduct Internet surveillance,
127
See In re United States of America,Cr,No,99-2713M (C.D,Cal,Feb,4,2000) (McMahon,
Mag,J.) (unpublished opinion) (on file with author),
128
See CCIPS MANUAL,supra note 15,at 102,
129
So long as the device did not pick up any,content,” 18 U.S.C.A,§ 2510(8) (West Supp,2002),
it did not violate the Wiretap Act,
130
See United States v,New York Telephone,434 U.S,159,168–70 (1977) (holding that in the ab-
sence of an explicit law,the government can obtain a search warrant to order the installation of a pen
register),A plausible claim could be made that the government could have also used the retrospective
authority of 18 U.S.C.A,§ 2703 in combination with the All Writs Act,28 U.S.C,§ 1651 (2000),in or-
der to obtain a court order to perform such surveillance with a specific and articulable facts threshold
rather than probable cause otherwise required by the New York Telephone case,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
635
Despite the fact that federal judges appeared willing to agree with the
DOJ’s conclusion that the pen register statute applied to the Internet before
the Patriot Act,two events helped precipitate the Patriot Act’s pen register
amendments,First,on July 17,2000,President Clinton’s Chief of Staff
John Podesta announced the Clinton Administration’s support for amend-
ments to the pen register statute,making clear that the statute applied to the
Internet.
131
Podesta argued that it was,time to update and harmonize our
existing laws to give all forms of technology the same legislative protec-
tions as our telephone conversations.”
132
Although the Clinton Administra-
tion’s proposal did not go far in Congress,it set a precedent for clarifying
the scope of the pen register laws.
133
The second event that helped precipitate the pen register amendments
occurred on November 17,2000,when Magistrate Judge Patricia Trumbull
of the Northern District of California in San Jose denied an ex parte gov-
ernment application for an Internet pen register order,and rendered an un-
published written decision holding that the pen register laws did not apply
to the Internet.
134
Judge Trumbull reasoned that the language of the pen
register statute was sufficiently telephone-specific that it could not be read
to apply to the Internet.
135
In particular,she noted that the pen register stat-
ute required the court to specify in its order,the number and,if known,the
physical location of the telephone line to which the,,, device is to be at-
tached.”
136
Because Internet pen register orders did not specify a telephone
line,Judge Trumbull reasoned that,the proposed technology does not fall
within the scope of the statute.”
137
Judge Trumbull’s decision added special urgency to the call for a legis-
lative clarification of the scope of the pen register statute,On one hand,the
decision was an unpublished and unpublicized order by a sole magistrate
judge,in conflict with general practice and the prior written opinion of an-
other magistrate judge in the same circuit.
138
On the other hand,Judge
131
See John Schwartz,U.S,Hopes To Extend Online Wiretapping,WASH,POST,July 18,2000,at
E1,The amendment was only one of several relating to Internet surveillance that the Clinton admini-
stration endorsed at that time,See id,
132
Remarks by John Podesta,White House Chief of Staff,on Electronic Privacy,at 2000 WL
21168908 (transcript by U.S,Newswire),The Clinton Administration proposals were the product of a
15-agency White House working group chaired by Peter Swire,the Clinton Administration’s Privacy
“czar.” See SWIRE,supra note 123,
133
The Administration’s proposal was introduced as Senate Bill 3083,Some of its pro-privacy
measures appeared in a strongly pro-privacy House bill that passed the House Judiciary committee as
House Bill 5018,See SWIRE,supra note 123,
134
See In re United States,Cr-00-6091 (N.D,Cal,Nov,17,2000) (Trumbull,Mag,J.) (unpublished
opinion) (on file with author),
135
See id,at 4,
136
See id,(quoting 18 U.S.C.A,§ 3123(b)(1)(C)),
137
See id,at 5 (citing In re United States,885 F,Supp,197,200 (C.D,Cal,1995)),
138
See In re United States of America,Cr,No,99-2713M (C.D,Cal,Feb,4,2000) (McMahon,
Mag,J.) (unpublished opinion) (on file with author),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
636
Trumbull was the only magistrate judge in San Jose,California.
139
Note the
location,the San Jose division of the Northern District of California covers
Silicon Valley and includes the home of such powerhouse Internet service
providers as Yahoo! and Hotmail,Even if Judge Trumbull’s decision could
be appealed and overturned,the slow pace of litigation meant that it would
be many months,if not several years,before the government could use the
statute to authorize envelope surveillance at some of the country’s most
popular Internet service providers,Within the criminal division of the DOJ,
a sense emerged that the best approach was to keep quiet about Judge
Trumbull’s decision,which it did,as the DOJ has never shared Judge
Trumbull’s unpublished decision with the public.
140
Instead,DOJ remained
committed to pursuing a legislative fix when an opportunity arose that
would establish clearly that the pen register laws applied to the Internet,
D,The Patriot Act and the Expansion of the Pen Register Laws
In the wake of the terrorist attacks on New York and Washington on
September 11,2001,pressure built on the Bush Administration to propose
antiterrorism legislation.
141
Just days after the attacks,Attorney General
John Ashcroft contacted various divisions within DOJ and sought recom-
mendations for legislative changes that could help fight the war on terror-
ism,One area that surfaced as a promising arena was Internet surveillance
law,The DOJ had been clamoring for changes to the antiquated surveil-
lance laws for years,and the September 11th attacks provided an obvious
opportunity to update the laws,The link between the surveillance laws and
terrorism was not direct because the September 11th attacks did not directly
implicate the Internet,However,terrorists groups such as Al-Qaeda were
known to favor the latest Internet technologies to communicate with each
other,
142
which meant that updating the Internet surveillance laws could as-
sist law enforcement in terrorism-related cases,In any event,the obviously
antiquated surveillance laws provided one of the few areas in which new
laws were both clearly needed and could conceivably help the Justice
Department fight terrorism,Further,the events of September 11th changed
139
See ALMANAC OF THE FEDERAL JUDICIARY (2002),
140
The Justice Department has continued to maintain its silence about Judge Trumbull’s decision,
In one recent document,DOJ announced that,[a]lthough numerous courts across the country have ap-
plied the pen/trap statu[t]e to communications on computer networks,no federal district or appellate
court has explicitly ruled on its propriety.” COMPUTER CRIME AND INTELLECTUAL PROPERTY SECTION,
FIELD GUIDANCE ON NEW AUTHORITIES THAT RELATE TO COMPUTER CRIME AND ELECTRONIC
EVIDENCE ENACTED IN THE USA PATRIOT ACT OF 2001,at http://www.cybercrime.gov/PatriotAct.htm
(last visited Feb,4,2003),Note the Clintonian phrasing here,because neither of the Magistrate Judge
orders were appealed to a district court judge or the Ninth Circuit,the statement may be technically true,
However,it is certainly misleading,
141
See Jonathan Krim,Anti-Terror Push Stirs Fears for Liberties,Rights Groups Unite To Seek
Safeguards,WASH,POST,Sept,18,2001 at A17,
142
See,e.g.,Kevin Maney,Osama’s Messages Could Be Hiding in Plain Sight,USA TODAY,Dec,
19,2001,at B6 (noting Al-Qaeda’s use of advanced technologies such as encrypted Internet communi-
cations and steganography),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
637
partment fight terrorism,Further,the events of September 11th changed the
political climate considerably,softening the opposition that had success-
fully blocked DOJ efforts to amend the Internet surveillance statutes in the
previous Congress.
143
Fortunately for Ashcroft,the DOJ had already prepared a comprehen-
sive proposal for updating the Internet surveillance laws,For several years,
teams of lawyers within the Justice Department and elsewhere in the execu-
tive branch had worked on legislative proposals to update the electronic
surveillance laws.
144
Many bills had been introduced in Congress,includ-
ing ones that previously had the Clinton Administration’s support.
145
By
the time September 11th arrived,amendments that had been proposed and
debated within the Justice Department for several years were already
drafted and provided an obvious starting point for amendments to the elec-
tronic surveillance laws.
146
Eight days after September 11th,the proposals
formed the basis for the electronic surveillance portions of the Justice De-
partment’s proposed Anti-Terrorism bill,The DOJ bill in turn provided the
basis for the USA Patriot Act passed on October 26,
Updating the pen register statute so that it clearly applied to the Inter-
net provided one obvious priority,especially in light of the Clinton Admini-
stration’s failed efforts and Judge Trumbull’s order,The Justice
Department’s proposal aimed to do this in a minimalist way,Rather than
rewrite the entire statute,the DOJ proposed to amend the definition of,pen
register” and,trap and trace device” to make clear that it applied broadly to
network envelope information,encompassing both telephones and the
Internet,The DOJ proposed to describe envelope information as,dialing,
routing,addressing,or signaling information”
147
and to amend the defini-
tions of pen register and trap and trace device to incorporate this broader
definition.
148
Congress essentially adopted the DOJ’s approach in the Pa-
143
In the year 2000,the primary momentum among bills that changed Internet surveillance law be-
longed to pro-privacy bills such as House Bill 5018,See Cutting Edge Legislation Seeks To Tighten Pri-
vacy Laws,L.A TIMES,Sept,7,2000,at C8,
144
Within the Computer Crime and Intellectual Property Section of DOJ’s Criminal Division,for
example,an informal,High Tech Crime Bill” working group within the section tasked itself with writ-
ing proposed legislative amendments to the Internet surveillance laws,I was one of the attorneys who
participated in the Working Group,
145
See Schwartz,supra note 131,
146
For example,the High Tech Crime Bill working group had spent two years studying,writing,
and debating the need for dozens of changes to the surveillance laws,The group had drafted proposed
legislative text for the changes and had also written explanations of the sections that could form the ba-
sis for a future House or Senate Committee report on the amendments if the amendments ever became
law,The written explanations later emerged as a,Field Guide” to the Patriot Act,It is available at the
CCIPS website at http://www.cybercrime.gov/PatriotAct.htm,
147
See ANALYSIS OF PROVISIONS OF THE PROPOSED ANTI-TERRORISM ACT OF 2001,AFFECTING
THE PRIVACY OF COMMUNICATIONS AND PERSONAL INFORMATION,Sept,24,2001,at www.epic.org/
privacy/terrorism/ata_analysis.html (last visited Feb,4,2003),
148
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
638
triot Act,with the slight modification that the phrase,dialing,routing,ad-
dressing,or signaling information” was supplemented with a clarification
that,such information shall not include the contents of any communica-
tion.”
149
This clarification to the DOJ’s proposal was added at Senator
Leahy’s recommendation to ensure that the expanded pen register amend-
ment did not trump the Wiretap Act.
150
E,Why Criticisms of the Pen Register Amendments Are Misplaced
As demonstrated earlier,the Patriot Act’s modification of the pen reg-
ister statute to include all,dialing,routing,addressing,or signaling infor-
mation” proved to be one of the most controversial provisions in the Act,
The media widely interpreted this change as a sweeping and unjustified ex-
pansion of law enforcement authority,To be fair,some of these reactions
derived from the initial DOJ proposal,which lacked Senator Leahy’s clari-
fication that the changes to the scope of the pen register statute did not alter
the scope of the Wiretap Act (although as I will explain shortly,it is
unlikely that such a clarification was necessary),But even so,the criticisms
of the pen register amendment prove surprisingly weak,
First,the criticisms ignore the fact that the pen register statute is pri-
marily a privacy law,The law protects envelope information,making it a
federal crime to collect envelope information without a court order.
151
If
the pen register statute did not apply to the Internet,then email and packet
envelope surveillance would be totally unregulated by federal privacy law,
In such a world,the government would be allowed to conduct envelope
surveillance of the entire country’s emails and Internet communications
without a court order,or without even any prior authorization within the
Executive Branch,Even more broadly,any private party would be allowed
to do the same,
149
See 18 U.S.C.A,§ 3127(3)–(4) (West Supp,2002),Notably,the minimalist approach of the
USA Patriot Act retains the pen register statute’s awkward structure,The statute does not directly pro-
hibit prospective envelope surveillance without a court order,Instead,the statute achieves the same goal
in a roundabout way,it prohibits the use or installation of a pen register or trap and tract device without
a court order and then defines a pen register and trap and trace device as a,device or process” that con-
ducts prospective envelope surveillance,
150
See Statement of Senator Patrick Leahy on the Uniting and Strengthening of America Act (“USA
ACT”) (Oct,11,2001),at http://leahy.senate.gov/press/200110/101101a.html,According to Senator
Leahy,
The Administration and the Department of Justice flatly rejected my suggestion that these terms
[“dialing,routing,addressing,and signaling”] be defined to respond to concerns that the new
terms might encompass matter considered content,which may be captured only upon a showing of
probable cause,not the mere relevancy of the pen/trap statute,Instead,the Administration agreed
that the definition should expressly exclude the use of pen/trap devices to intercept,content,”
which is broadly defined in 18 U.S.C,Section 2510(8),
Id,
151
See 18 U.S.C.A,§ 3121(d) (“Whoever knowingly violates [the prohibition against installing or
using a pen register or trap and trace device without a court order] shall be fined under this title or im-
prisoned not more than one year,or both.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
639
The Patriot Act’s pen register amendments helped avert this situation
by clarifying that the government was required to obtain a court order to
conduct prospective envelope surveillance of Internet communications,In
other words,the Patriot Act requires a court order,where before it may not
have been necessary,From a civil libertarian standpoint,this is plainly a
step in the right direction,Ironically,the real problem with the Patriot Act
from a civil libertarian perspective is not that it goes too far,but that it does
not go far enough in protecting the privacy of envelope information,Mak-
ing it a crime to conduct envelope surveillance on the Internet without a
court order is an improvement,but should have been matched with a higher
threshold to obtain the court order that was required,combined with judicial
review of the government’s application.
152
I would personally support such
a change; I believe that a higher,specific and articulable facts”
153
threshold
would not add substantial burden for law enforcement,and at least on paper
it would add privacy protection.
154
However,the fact that this section of the
Patriot Act could have offered stronger protection should not obscure the
fact that as a whole the amendment helps add privacy protections,not re-
duce them,
The criticisms of the pen register amendments also missed the mark
because they failed to recognize that the changes codified a decade’s worth
of preexisting practice that had matched Internet privacy protections to tele-
phone privacy protections,The Justice Department had been obtaining pen
register orders to conduct envelope surveillance for years,and the new text
explicitly recognized and approved the practice,The legislative change did
not expand any authority,at most,the change merely overruled Magistrate
Judge Trumbull’s unpublished order.
155
Although styled a,change” in the
law by its critics,the pen register amendments merely reaffirm the status
quo,In itself this provides no reason to celebrate the amendments,as the
status quo may be inadequate,However,the fact that the change reaffirms
longstanding practice seems to undercut claims that the change dramatically
expanded law enforcement powers,
Further,applying the pen register laws to the Internet matched the
152
The ACLU has made this argument,See Calvin Galvin,Rights and Wrongs,Why New Law-
Enforcement Powers Worry Civil Libertarians,SEATTLE TIMES,Dec,6,2001,at A3,
153
18 U.S.C.A,§ 2703(d),
154
I add the caveat,on paper” because in my government experience I never knew or even heard of
any law enforcement agent or lawyer obtaining a pen register order when the agent did not also have
specific and articulable facts,which would satisfy the higher threshold,My experience is narrow,but it
suggests that the practical burden of obtaining the order combined with the certification to a federal
judge and potential for criminal liability effectively regulates government officers and deters them from
obtaining pen register orders in bad faith,On the other hand,there may be rogue officers out there,if
not now then in the future,and a higher threshold combined with judicial review could potentially pro-
vide an extra barrier to abuse,
155
See In re United States of America,Cr-00-6091 (N.D,Cal,Nov,17,2000) (Trumbull,Mag,J.)
(unpublished opinion) (on file with author),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
640
regulation of the Internet to the regulation of the telephone network and ex-
ceeded the protection that the law provides to similar surveillance of the
postal network,After the Patriot Act,envelope surveillance of the tele-
phone and the Internet requires a pen register order,whereas envelope sur-
veillance of postal mail still requires no court order whatsoever.
156
Although some believe that the standards for Internet envelope surveillance
should be more strict than their analogues in the telephone context
157
—a
question analyzed in the next Part—at the very least the Patriot Act imposes
same standard for analogous information in the case of the telephone,and
more privacy protection for analogous information in the case of the postal
network,
Criticisms of the pen register amendments also failed to note that the
negotiations over the various bills that led to the Patriot Act actually added
privacy protections to the pen register statute that prohibit the disclosure of
information obtained through envelope surveillance.
158
Prior to the Patriot
Act,government officials could publish or leak information obtained by use
of a pen register or trap and trace device.
159
During the congressional nego-
tiations,pro-privacy legislators managed to insert language that limits the
disclosure of information obtained through prospective envelope surveil-
lance of Internet and telephone communications to disclosures made,in the
proper performance of the official functions of the officer or governmental
entity making the disclosure.”
160
Any other disclosure is prohibited.
161
Al-
though the exact contours of this prohibition remain unclear,the new provi-
sion bolsters the privacy protections that the pen register statutes offer to
envelope information,
What explains the harsh criticisms of the pen register provisions in the
Patriot Act? It seems that some of the civil libertarian concern derived from
a strained reading of DOJ’s initial draft of the pen register amendments,As
156
Note that despite the public perceptions that we have no privacy in our use of new technologies,
in fact there is a general trend in privacy law that the more advanced the technology,the more privacy
protection the law extends,
157
See infra notes 137–54,
158
See 18 U.S.C.A,§ 2707(g) (West Supp,2002),
Any willful disclosure of a,record,” as that term is defined in section 552a(a) of title 5,United
States Code,obtained by an investigative or law enforcement officer,or a governmental entity,
pursuant to section 2703 of this title,or from a device installed pursuant to section 3123 or 3125 of
this title,that is not a disclosure made in the proper performance of the official functions of the of-
ficer or governmental entity making the disclosure,is a violation of this chapter,This provision
shall not apply to information previously lawfully disclosed (prior to the commencement of any
civil or administrative proceeding under this chapter) to the public by a federal,state,or local gov-
ernmental entity or by the plaintiff in a civil action under this chapter,
Id,
159
In contrast,evidence obtained pursuant to a Title III order cannot be disclosed except in limited
situations,see 18 U.S.C.A,§ 2517,and federal law places strict limits on information obtained pursuant
to a grand jury subpoena,see FED,R,CRIM,P,6(e),
160
See 18 U.S.C.A,§ 2707(g),
161
Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
641
noted earlier,
162
the initial DOJ proposals expanded the definition of pen
register and trap and trace devices to include devices or processes that collect
“dialing,routing,addressing,and signaling information.”
163
Given the fun-
damental distinction between envelope information and content information,
and even its constitutional moorings,it seems clear that this phrase was de-
signed to broadly include non-content addressing information,However,at
least some critics apparently viewed the phrase,dialing,routing,addressing,
and signaling information” as an ingenious government scheme to include
contents,as well,and to quietly overthrow the Wiretap Act,Thanks to a
long-redundant section of the Wiretap Act that exempts pen register and trap
and trace information from the scope of the Wiretap Act,
164
it was at least
theoretically possible that a broad reading of the pen register and trap and
trace device statutes could expand the statute into the traditional terrain of the
Wiretap Act,reducing privacy protections.
165
For example,if the contents of
one person’s email to another could be interpreted as in some sense a signal
from the sender to the receiver,then perhaps the contents of the email consti-
tuted,signaling information” under the pen register statute,and the govern-
ment could then intercept the email with a pen register order,rather than a
wiretap order,As best I can tell,it was this chain of logic that led to reports
that the pen register amendments would allow the government to obtain the
contents of communications without a Wiretap Order.
166
This objection to the pen register amendments suffers from two impor-
tant weaknesses,First,it is difficult to imagine that a court actually would
have construed the phrase,dialing,routing,addressing,and signaling in-
formation” to include contents,To reach this result,the court would have
had to ignore the fundamental distinction between contents and envelope
information,a distinction of constitutional magnitude in the telephone and
mail contexts and possibly in the Internet context as well.
167
It seems fanci-
ful to believe that a judge would read the ambiguous word,signaling” in
162
See supra notes 149–51 and accompanying text,
163
18 U.S.C.A,§ 3127(3)–(4),
164
See 18 U.S.C.A,§ 2511(2)(h) (“It shall not be unlawful under [the Wiretap Act,,, to use a pen
register or a trap and trace device.,,,”),
165
See United States v,Fregoso,60 F.3d 1314,1321 (8th Cir,1995) (“Title III makes it clear that
devices which satisfy the statutory definition of pen registers or trap and trace devices set forth in 18
U.S.C.A,§ 3127 are exempted from its requirements.”); Brown v,Waddell,50 F.3d 285,290 (4th Cir,
1995) (noting that,interceptions of electronic communications by two specific devices—‘pen registers’
and ‘trap and trace devices’—were,however,specifically exempted by the 1986 amendments from these
generally applicable authorization requirements”),
166
See,e.g.,Larry Lipman,Congress Close to Passage of Anti-Terrorism Bills,PALM BEACH POST,
Oct,4,2001,at 16A (noting that,Democrats accepted the idea [of applying the pen register statute to
the Internet] in principle but expressed concern that the [initial DOJ proposal] provision could also per-
mit access to the content of emails,opening the door to potential abuse”); Jonathan Ringel,Will New
Anti-Terror Tools Pass Muster?,LEGAL TIMES,Oct,8,2001,at 14 (noting concerns that expanding the
pen register statute,to email would also necessarily give government access to the content of emails”),
167
See supra notes 94–98 and accompanying text,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
642
the largely unknown pen register statute as silently overruling a major stat-
ute,the Wiretap Act,In fact,ambiguous language in the pen register statute
dating from 1986 could have been read exactly the same way,but in fifteen
years had never been so construed,the 1986 definition of,pen register”
covered,numbers,,, transmitted”
168
over a telephone line,but no one had
ever thought that the contents of communications that happen to include
numbers were somehow exempted from the Wiretap Act,To the contrary,a
year before the Patriot Act,the D.C,Circuit had suggested that numbers di-
aled after a call had been connected constituted Wiretap Act contents.
169
In
light of this history,the broad reading of the initial DOJ proposal seems dif-
ficult to square with the proposal itself,
Second,as I noted earlier,
170
the initial DOJ proposal was amended to
clarify that pen register and trap and trace information,shall not include the
contents of any communication.”
171
This amendment helpfully addressed
the concerns that amendments to the pen register statute might lessen the
scope of the Wiretap Act,confirming that they did not,From the standpoint
of critiquing the Patriot Act,however,it means that the harshest criticisms
of the pen register amendments derived from rather strained interpretations
of only an initial draft of the text,rather than the Patriot Act itself,
F,Does the Internet Deserve Higher Standards? The Weak Case
for Internet Particularity
So the Patriot Act applies the standard for the telephone network to the
Internet,But so what? According to the Patriot Act’s critics,Internet enve-
lope surveillance implicates far more serious privacy interests than does
telephone envelope surveillance.
172
Critics reason that email accounts re-
veal more private information about their users than telephone accounts,
and that Internet envelope surveillance encompasses private activities such
as websurfing that deserve higher privacy protection than a mere pen regis-
ter order.
173
As a result,they claim,the low threshold for obtaining a tele-
168
18 U.S.C,§ 3127(3) (1986),
169
See United States Telecom Ass’n v,FCC,227 F.3d 450,462 (D.C,Cir,2000) (“Post-cut-through
dialed digits can also represent call content,For example,subjects calling automated banking services
enter account numbers,When calling voicemail systems,they enter passwords,When calling pagers,
they dial digits that convey actual messages,And when calling pharmacies to renew prescriptions,they
enter prescription numbers.”),
170
See supra notes 149–51 and accompanying text,
171
18 U.S.C.A,§ 3127(3)–(4),
172
See,e.g.,Press Release,American Civil Liberties Union,ACLU Says Congress Should Treat
Administration Proposal Carefully; Says Many Provisions Go Far Beyond Anti-Terrorism Needs (Sept,
20,2001) (“The Administration’s bill would extend this low threshold of proof to Internet communica-
tions that are far more revealing than numbers dialed on a phone.”),available at http://www.aclu,
org/news/2001/n092001e.html,
173
See Kaplan,supra note 125 (quoting Professor Daniel Solove for the view that evidence of web-
surfing is,much more telling about an individual” than the numbers they dialed from a telephone),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
643
phone pen register order is too low,and should be replaced by a higher
threshold such as,specific and articulable fact” or probable cause,
These criticisms are also misplaced,Here my argument is quite nar-
row,I agree with civil libertarian critics who believe that the pen register
standard should be raised.
174
However,if the pen register standard needs
changing,it should be raised for both the Internet and the telephone; the ar-
gument for raising the Internet standards while maintaining the current
standards for the telephone turns out to be surprisingly weak,The claim
that prospective envelope surveillance of an Internet account provides more
private information than the same surveillance of a telephone account is not
accurate in most cases,Internet and telephone envelope surveillance usu-
ally provide equally sensitive information,and in some key ways,Internet
envelope surveillance provides much less sensitive information,
Consider the envelope information for a telephone call,In particular,
imagine that the police are investigating Bugsy and Mugsy,two alleged
mobsters,The police have placed a pen register on Bugsy’s telephone,and
it reveals that at 3:10 p.m,the telephone located at Bugsy’s home at 123
Main Street was used to place a twelve-minute call to Mugsy’s home at 62
Pine Street,This will be very important information for the police,Al-
though the police cannot be sure that the call was placed by Bugsy or re-
ceived by Mugsy,they do know that there was someone present at Bugsy’s
place at 123 Main Street between 3:10 p.m,and 3:22 p.m.,and that there
was also someone at 62 Pine Street at those times as well,The twelve-
minute call suggests that the two people on opposite ends of the line knew
each other,or at least had something substantial to discuss,The pen regis-
ter yields fairly private information,activity from within the suspects’
homes that tells the police where they were,at what time,and how long
they spoke,
If a telephone call were replaced with an email,however,the police
would know comparatively less,and the invasion of privacy would be less
severe,Imagine that the police place a pen register on Bugsy’s email ac-
count,bugsy@criminal.com,and that it records the fact that someone sent
at 3:10 p.m,to the account mugsy@gangster.com,Again,the police cannot
be sure that the communication was sent by Bugsy or received by Mugsy,
as the fact that someone used an account does not necessarily mean that any
particular person used it.
175
More importantly,however,the police will
know very little about the whereabouts of Bugsy and Mugsy,They will
know that someone (probably Bugsy) sent an email at 3:10 p.m,to Mugsy’s
account,However,they will not know where Bugsy was located at that
time,whether Mugsy ever received the email,or where Mugsy is located,
The above argument also assumes that Mugsy and Bugsy each have known
174
See supra notes 152–54 and accompanying text,
175
See CCIPS MANUAL,supra note 15,at 90–91 (noting that the fact that an account or address was
used does not establish conclusively the identity or location of a particular person who used it),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
644
email accounts in the first place,which is generally not true,as there is no
centralized email book that matches the phone book,which makes it harder
for the police to associate suspects with particular addresses.
176
In sum,if
the police try to find Bugsy and Mugsy,or try to pin down and identify
their whereabouts and conduct at particular times,the telephone envelope
surveillance will tend to yield more private and useful information than
email envelope information,
Further,comparing email surveillance to telephone surveillance itself
stacks the deck slightly in favor of finding greater privacy interests in the
case of Internet surveillance than phone surveillance,The reason is that
many pen register orders are implemented on packet headers,not email
headers,As mentioned in Part I,email surveillance has far greater privacy
interests at stake than mere packet-level surveillance of the Internet,When
the government obtains a pen register order to collect packet headers,the
information it yields involves a reduced privacy interest than in the case of
either email or telephone surveillance.
177
G,The Pen Register Statute and URL Search Terms
Critics of the Patriot Act’s pen register amendments have also argued
that the amendments grant the government too much power because they al-
low the government to collect Internet search terms and lists of websites vis-
ited with a mere pen register order.
178
According to these critics,the Patriot
Act lowers the threshold that the government must meet to obtain search
terms and monitor web surfing; the government can now obtain a pen register
order instead of a Title III warrant.
179
This criticism has it backwards,how-
ever,The pen register amendments could not have lowered the legal thresh-
olds for conducting websurfing surveillance,Depending on how past and
current ambiguities in the law are resolved,the amendments either retained
176
Further,this hypothetical assumes that Mugsy uses an email address with a username,Mugsy,”
and Bugsy has a username,Bugsy.” Criminals who are seeking to evade the detection of the police are
not so stupid,Mugsy and Bugsy will be much more likely to have less illuminating usernames such as
“Cathy27,”,akjs3242K,” or,62Power.” Further,they will likely register their email accounts using
fake names and stolen credit card numbers so the accounts cannot be easily identified with them,Of
course,in the telephone context,criminals will also take similar measures by using stolen,cloned” cel-
lular phones,
177
For example,the IP header will reveal only that at a particular time,a packet of information such
as part of a web page or an email was sent from one computer to another computer,Who was responsi-
ble for sending the packet,or where that person might be,or who was the intended recipient,will remain
entirely unknown,
178
See,e.g.,Jane Black,Uncle Sam Needs Watching,Too,BUS,WEEK ONLINE (Nov,29,2001)
(“The Patriot Act also expands the ‘pen register’ statute to include email and Internet surfing.”),at
http://www.businessweek.com/bwdaily/dnflash/nov2001/nf20011129_3806.htm; Kaplan,supra note
125,
179
See,e.g.,Elec,Frontier Found.,supra note 68 (“The government may now spy on web surfing of
innocent Americans,including terms entered into search engines,by merely telling a judge anywhere in the
U.S,that the spying could lead to information that is ‘relevant’ to an ongoing criminal investigation.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
645
the pre-Patriot Act treatment of websurfing surveillance,or else raised the le-
gal standard from no court order to a pen register order standard,How the
surveillance laws apply to search terms and websurfing remains quite unclear,
but the ambiguities turn out to have nothing to do with the Patriot Act.
180
The primary question raised by surveillance of websurfing and Internet
search terms is whether the government can monitor websurfing conduct,
such as search terms entered into search engines and URLs visited,without
collecting the,contents”
181
of communications,The government must ob-
tain a Title III super warrant to obtain,contents” of communications in
transit.
182
The Wiretap Act itself does not define,contents” clearly,but
merely states that it,includes any information concerning the substance,
purport,or meaning”
183
or a communication,As a matter of legal doctrine,
if Internet search terms and URLs constitute,contents,” the government
must obtain a super warrant to intercept them.
184
However,if they do not
fall within the scope of,contents,” then either the information counts as
“dialing,routing,addressing,or signaling information”
185
requiring a pen
register order,or else the government does not need any order to obtain the
information as it falls outside the scope of both statutes.
186
Whether URLs that include search terms and other websurfing addresses
can contain,contents” presents a surprisingly difficult question,The concep-
tual difficulty is that the legal categories of,contents” and,addressing infor-
180
Internet search terms raise interesting questions under current law because they appear in the
Internet address directed back to the user from the search engine,For example,entering a Google query
for,Patriot Act” returns the following URL,http://www.google.com/search?hl=en&ie=150-8859-
1&q=%2patriot+act%22,Copying this URL into a web browser will then retrieve the results of the
search,Whether the pen register laws allow the government to collect websurfing data beyond packet
headers is largely a theoretical question,The government apparently has never tried to obtain a pen reg-
ister order to monitor websurfing in this way,In an informal survey of experienced federal prosecutors,
I was unable to find anyone who had heard of such an application,Prospective surveillance of websurf-
ing turns out to be of fairly limited help to a criminal investigation,At the same time,such surveillance
is possible,for example,the FBI’s DCS-1000 surveillance tool has a setting that allows the tool to col-
lect websurfing information,Because the government has never sought such an order,no court has ever
assessed its permissibility,
181
18 U.S.C.A,§ 2510(8) (West Supp,2002) (providing that,‘contents,’ when used with respect to
any wire,oral,or electronic communication,includes any information concerning the substance,pur-
port,or meaning of that communication”),
182
Id,§ 2516,
183
Id,
184
See Brown v,Waddell,50 F.3d 285,294 n.11 (4th Cir,1995),One subtlety to this question is
that we must go beyond the abstract question of whether the pen register allows the government to
monitor websurfing to the more specific question of what kind of evidence of websurfing can be col-
lected under what authorities,
185
18 U.S.C.A,§ 3127,
186
This raises an interesting question not clearly answered by the Patriot Act,Is all non-content in-
formation,dialing,routing,addressing,and signaling” information,so that all prospective information
triggers the Pen Register statute and/or Title III? Or is there a third category outside of,contents” and
“dialing,routing,addressing,and signaling” information?
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
646
mation” are straightforward in the case of human-to-human communications,
but can be quite murky when considering human-to-computer communications,
In the case of human-to-human communications,“contents” include any mes-
sage or communication that the human sender intends to communicate to the
human recipient.
187
This covers the subject line and the body of emails,
188
as
well as the substance of a telephone call,In these cases,the,contents” are the
messages that the sender wants to send to the recipient,
How does this apply when the message is destined for a computer instead
of a person? This asks a profoundly important question that neither Congress
nor the courts have fully answered,When an Internet user surfs the web,he
sends commands to his computer directing it to send commands to the host
computer,asking the host to send back packets of data that will be assembled
by his computer into a web page.
189
We can look at the user’s command in two
ways,either the command is the,content” of the communication between the
user and his computer or it is merely,addressing information” that the user en-
tered into his computer to tell the computer where it should go and what it
should do,much like the pen register information in Smith v,Maryland.
190
The same problem arises in determining which legal order is required
to monitor a computer hacker’s commands sent to a remote server,Are
these commands,contents” of the communications between the hacker and
the computer,“addressing” information that tells the computer what to do,
or something else? No court has yet considered such questions squarely,
191
187
See supra note 181,Notably,the definition of,wire communication” and,aural” that Congress
enacted in the original 1968 Act together require that the communication contain,the human voice.” 18
U.S.C.A,§ 2510(1),(18),
188
See CCIPS MANUAL,supra note 15,at 102,
189
See GRALLA,supra note 24,at 139–40,
190
Smith v,Maryland,442 U.S,735,741–42 (1979),This is a difficulty latent in Smith that has not
yet fully been appreciated,In Smith,the Court analogized dialing a phone number to contacting an op-
erator and asking the operator to connect the call,Id,at 744–45,Because disclosing the number to an
operator would eliminate the speaker’s reasonable expectation of privacy in the information,so did dis-
closing the information to the phone company’s computer,So far,so good,The difficulty is that if a
speaker calls the operator and places that request,then that request constitutes the contents of the com-
munication between the speaker and the operator,The contents of the conversation between the speaker
and the operator becomes the addressing information for the ensuing conversation between the speaker
and the person he wishes to call,As a result,it is difficult in the abstract to say whether that initial
communication should be considered addressing information or contents,
191
See United States Telecom Ass’n v,FCC,227 F.3d 450,462 (D.C,Cir,2000) (noting that,[n]o
court has yet considered” whether digital signals entered by a user to a computer over a telephone line
are contents and stating that,it may be that a Title III warrant is required”),The D.C,Circuit did sug-
gest that human-to-computer communications can,in fact,be,contents” according to Title III,at least in
the context of the telephone network,Id,at 462,In discussing whether the government can intercept
dialed digits entered after a call has been completed (known as,post-cut-though dialed digits”),the
court offered the following analysis:,Post-cut-through dialed digits can also represent call content,For
example,subjects calling automated banking services enter account numbers,When calling voicemail
systems,they enter passwords,When calling pagers,they dial digits that convey actual messages,And
when calling pharmacies to renew prescriptions,they enter prescription numbers.” Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
647
which means that the legal distinction between,contents” and,addressing
information” remains murky for human-to-computer communications,
Congress has not yet carefully addressed how electronic surveillance
statutes apply to human-to-computer communications,and the Patriot Act
reflects a missed opportunity,The current statutory text leaves the Justice
Department,commentators,and the courts with relatively little guidance.
192
But claims that the Patriot Act lowers the threshold that the government
must satisfy to monitor websurfing simply miss the mark,The statutory
definition of,contents” has remained unchanged since 1986,before the
World Wide Web was even invented,
193
and was not changed in any way by
the Patriot Act.
194
As a result,the Patriot Act could not have changed
whether the government needs a Wiretap Order to monitor websurfing,
Perhaps it does,perhaps it does not; but the Patriot Act did not change the
answer,At most,the Patriot Act might have changed whether the govern-
ment must obtain a pen register order to obtain the information,If websurf-
ing information does not constitute,contents,” a court might conclude that
such information falls within the scope of the pen register’s,dialing,rout-
ing,addressing,and signaling” information,but that it would not have
fallen within the scope of the pre-Patriot Act pen register statute.
195
But
192
In a statement issued on October 11,2001,Senator Leahy blamed the Bush Administration and
the Justice Department for refusing to define the terms,dialing,routing,addressing,and signaling” in-
formation,According to Leahy,“[t]he Administration and the Department of Justice flatly rejected my
suggestion that these terms be defined” with the unfortunate result that Congress was,leaving the courts
with little or no guidance of what is covered by ‘addressing’ or ‘routing.’” Statement,Senator Patrick
Leahy,On the Uniting and Strengthening of America Act of 2001 (USA Act) (Oct,11,2001),at
http://leahy.senate.gov/press/200110/101101a.html,
193
See DAVE RAGGETT ET AL.,RAGGETT ON HTML 4,18 (1997) (crediting the invention of the
Web to Tim Berners-Lee in 1989),
194
In its original form in 1968,Congress defined contents by stating that it,includes any informa-
tion concerning the identity of the parties to such communication or the existence,substance,purport,or
meaning of that communication.” 18 U.S.C,§ 2510(8) (1968),At the time Congress noted that the
definition,include[s] all aspects of the communication itself,No aspect,including the identity of the
parties,the substance of the communication between them,or the fact of the communication itself,is
excluded,The privacy of the communication to be protected is intended to be comprehensive.” Omni-
bus Crime Control and Safe Streets Act of 1968,Title III,Pub,L,No,90-351,1968 U.S.C.C.A.N,2179,
In 1986,however,Congress enacted the pen register statute and amended the definition of,con-
tents” to exclude the identity of the parties to such communication,See S,REP,NO,99-541,at 13
(1986),reprinted in 1986 U.S.C.C.A.N,3555,3567,According to the Senate Report,this change was
made to,distinguish[] between the substance,purport or meaning of the communication and the exis-
tence of the communication or transactional records about it.” Id,The Wiretap Act covered the former,
the pen register statute covered the latter,See id,
195
Notably,several members of the House and Senate and their staff were quite aware of the ambi-
guities over the scope of the new pen register laws,and in particular how they applied to websurfing,
For example,the House Report contains a statement that post-Patriot Act pen register orders could not
be obtained,to collect information other than ‘dialing,routing,addressing,and signaling’ information,
such as the portion of a URL (Uniform Resource Locator) specifying Web search terms or the name of a
requested file or article.” H.R,REP,NO,107-236,at 53 (2001),The proper weight to be afforded to this
statement is unclear,The phrase,dialing,routing,addressing,and signaling” information derived from
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
648
ironically,this means that the Patriot Act might have actually raised the
standard for government surveillance of websurfing,rather than lowered it,
III,THE PATRIOT ACT AND THE FBI’S,CARNIVORE” SURVEILLANCE TOOL
A second major criticism levied at the Patriot Act is that it explicitly
sanctioned and even encouraged the use of Carnivore,the FBI’s controver-
sial Internet surveillance tool.
196
Although the Patriot Act does not explic-
itly mention Carnivore,the press frequently reported that the Patriot Act
provided for its expanded use.
197
According to the New York Times,the use
of Carnivore was,at the heart of the debate” over the Patriot Act.
198
This
was troubling,the Times reported,because Carnivore acts as a powerful
tool that poses significant dangers to civil liberties:,[It] give[s] govern-
ment more power than ever before to encroach on the privacy of citi-
zens.”
199
,When Carnivore sits down to eat,it tastes everything.”
200
By
expanding the use of Carnivore,the Patriot Act supposedly created a sig-
nificant danger to civil liberties,
In this Part,I will argue that this criticism of the Patriot Act is exactly
backwards,The only provisions of the Patriot Act that directly address
Carnivore are pro-privacy provisions that actually restrict the use of Carni-
vore,Further,Carnivore itself differs from other tools that ISPs use for
monitoring every day only in the sense that the FBI specifically designed it
to protect privacy and to preserve government accountability more than
other tools,Oddly enough,the public debate over Carnivore has the issue
the original DOJ proposal and was shared by both the House and Senate versions of the bill,Because
the House proved more resistant to the DOJ’s proposal than the Senate,this statement may reflect an
effort by the authors of the House Report to,spin” later judicial interpretations of DOJ’s language,Cf,
ANTONIN SCALIA,A MATTER OF INTERPRETATION,FEDERAL COURTS AND THE LAW 34 (1997) (noting
that Committee Reports are often written with the,primary purpose” of affecting later judicial construc-
tions of the statutory text),Further,the critical question is less the scope of,dialing,routing,address-
ing,and signaling” information than the meaning of,contents,” which the Patriot Act did not change,
196
See,e.g.,Sonia Arrison,New Anti-Terrorism Law Goes Too Far,S.D,UNION TRIB.,Oct,31,
2001,at B9 (“The law also expands Internet surveillance by making Carnivore,the controversial email
wiretapping system official even though there is a real danger that it over-collects information.”); Mi-
chael Connor,Brave New Web,BOSTON PHOENIX,Mar,11,2002 (“Another controversial provision of
the USA PATRIOT Act allows increased use of Carnivore,a wire-tapping program for the Internet.”),
available at www.bostonphoenix.com/boston/news_features/other_stories/documents/02105031.htm;
Guernsey,supra note 80 (stating that an earlier bill,implies the wider use of Carnivore”); Anne Kandra,
The New Anti-Terrorism Law Steps Up Electronic Surveillance of the Internet,PC WORLD,Jan,2002,at
37 (“The new law opens the door for increased use of Carnivore.”); John Schwartz,Privacy Debate Fo-
cuses on F.B.I,Use of an Internet Wiretap,N.Y,TIMES,Oct,13,2001,at A14; Stefanie Olson,Patriot
Act Draws Privacy Concerns (Oct,26,2001) (“Part of the new legislation includes the expansion of
Internet eavesdropping technology once known as Carnivore.”),at http://news.com.com/2100-1023-
275026.html,
197
Schwartz,supra note 196,at A14,
198
See id,
199
Id,
200
Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
649
somewhat backwards,While the press has pounced on Carnivore as Public
Enemy #1,the tool in fact implements a pro-privacy technology that both
law enforcement and civil libertarians should appreciate,
This Part begins by explaining how prospective Internet surveillance
works,and how the FBI’s Carnivore tool was designed to be a privacy-
protecting means of conducting it,The analysis argues that Carnivore is a
perplexing target for criticism by the civil liberties community,The Part
then turns to the impact of the USA Patriot Act on the use of Carnivore and
shows how the Patriot Act actually adds restrictions to the use of Carnivore,
rather than takes them away,
A,Understanding the Technology of Prospective Internet
Surveillance,Packet Sniffers
As explained in Part I,the Internet is a packet-switched network,All
Internet communications are broken down into discrete packets and sent
over the network,and then reassembled into the original communications
when they reach their final destination.
201
As a result,a great deal of pro-
spective Internet surveillance is packet surveillance.
202
To conduct prospec-
tive surveillance,a tool must,tap” a particular line of Internet traffic at a
particular physical location to look for the communication sought,Tapping
the line allows that person to view the packet traffic flowing through that
particular point in the network,Any device or software programmed to do
this on the Internet is generally known as a,packet sniffer,”
203
as it,sniffs”
Internet packets flowing through the particular point in the network,
One implication of this technology is that Internet packet surveillance
must always involve examining all of the packet traffic streaming by a par-
ticular point on the network,The tool must look at all of the traffic to see if
it is the communication sought,much like a police officer walking through
a public place looking for a known criminal suspect must look at every per-
son just to see whether they are in fact the suspect.
204
For example,if the
FBI obtains a court order allowing it to collect envelope information at the
201
See GRALLA,supra note 24,at 13,
202
The remainder is nonpacket surveillance that occurs immediately before the information has
been packetized,or else immediately after it has arrived and been depacketized,
203
See ANALYSER SALES LTD.,SNIFFER BASIC,WHAT IS A PACKET SNIFFER?,at http://www.pac
ket-sniffer.co.uk/packetsniffer/packetsniffer.htm (last visited Feb,4,2003),
204
The problem is the same in that the searcher must first view the item,even just cursorily,in or-
der to determine whether it is the item he wishes to find,See Andresen v,Maryland,427 U.S,463,482
n.11 (1976),
In searches for papers,it is certain that some innocuous documents will be examined,at least cur-
sorily,in order to determine whether they are,in fact,among those papers authorized to be seized,
Similar dangers,of course,are present in executing a warrant for the,seizure” of telephone con-
versations,In both kinds of searches,responsible officials,including judicial officials,must take
care to assure that they are conducted in a manner that minimizes unwarranted intrusions upon
privacy,
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
650
packet level,such as IP headers for traffic originating from a specific IP ad-
dress,it must scan all of the traffic flowing over the network to locate,iso-
late,and collect the IP headers,
It helps to understand how an Internet sniffer usually works,While the
Internet uses packets to send and receive information,the packets are really
just digital ones and zeroes that computers use to communicate with each
other,The ones and zeroes can be reassembled into text to be read by a
human,but computers do not need to do this and generally will not.
205
A
computer surveillance tool programmed to look for all emails to the Internet
account,bob@aol.com” does not actually look for the text
“bob@aol.com.” To simplify a bit,the tool instead begins by looking for
emails,
206
and when it finds an email,it scans the right place in the email for
the digital equivalent of,bob@aol.com,” which is 01100010011011110
1100010010000000110000101101111011011000010111001100011011011
1101101101.
207
If this exact sequence of ones and zeros appears in the right
place,the surveillance tool knows that it has found an email to
bob@aol.com and will copy and record the block of ones and zeros that
represent the email so that someone can later come back,convert the ones
and zeros into text,and read the email,If the tool has an advanced filter
and is configured properly,the billions of ones and zeros that do not relate
to emails or to the exact sequence of 0s and 1s that represent the target ac-
count will pass through the device and be forgotten.
208
The tool cannot
think,cannot snoop around,and cannot understand what passes before it,it
can only look for the exact sequence of ones and zeros that a human pro-
grammed it to identify,
These technical details have profound implications for how Internet
surveillance can best respect privacy interests,Most remarkably,the Inter-
net reverses the common associations about the relationship between tech-
nology and privacy,In the physical world,advanced technology provides a
powerful way to invade privacy.
209
A single police officer can search a sin-
gle room on a house,but cannot search an entire neighborhood,or a large
city,To search an entire city,advanced technology would be required,At
205
See Softel v,Dragon Medical,1992 WL 168190,at *2 (S.D.N.Y,1992) (“Computers operate by
executing instructions composed of binary digits of ‘zeros’ and ‘ones.’”),
206
Emails are identifiable because a section of the packet header contains an identifying number
that lets the server know that the packet should be sent to the mail server,To be technical,emails are
carried on port 25,which means that the sniffer can just look for communications sent to port 25,See
MATTHEW DANDA,PROTECTING YOURSELF ONLINE 282 (2001),
207
I am using the standard ASCII format,ASCII is short for,American Standard Code for Infor-
mation Interchange.”
208
Once data is pushed out of the random access memory,it cannot be recovered,SHERRY
KINKOPH ET AL.,COMPUTERS,A VISUAL ENCYCLOPEDIA 286–87 (1994),
209
See Olmstead v,United States,277 U.S,438,474 (1928) (Brandeis,J.,dissenting) (“Subtler and
more far-reaching means of invading privacy have become available to the Government,Discovery and
invention have made it possible for the Government,by means far more effective than stretching upon
the rack,to obtain disclosure in court of what is whispered in the closet.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
651
an intuitive level,a bigger and more invasive search requires a more power-
ful tool.
210
In the case of Internet surveillance,by contrast,the way that the tech-
nology works mandates that the default will be the most invasive search
possible,and that advanced technology is needed to minimize the invasion
of privacy,The technology prompts the need for a filter to reduce the inva-
sion of privacy,For example,a system administrator (or a twelve-year old
computer hacker) can easily monitor all information flowing through a par-
ticular point in a network by writing a simple program,The program sim-
ply instructs the computer to record all of the traffic flowing through that
computer,it creates a packet sniffer and sets it to sniff all of the traffic,
The system administrator (or hacker) can later convert the recorded digits
into text and look through the entire world of traffic that flowed over the
network,The real technological challenge is devising a tool that acts as an
effective filter,and isolates and records only the exact packets that a court
order allows,rather than a tool that collects everything and requires subse-
quent review by a human being,In contrast to the physical world,total sur-
veillance of traffic through a point on the Internet is simple,but narrow and
limited surveillance requires advanced filtering,
B,The FBI and the Introduction of,Carnivore”
In the mid- to late-1990s,the FBI recognized these difficulties and began
designing surveillance tools that could filter and analyze Internet communica-
tions more effectively,The core difficulty lay in the private sector’s inability
to develop such a tool absent market demand,System administrators rou-
tinely used Internet surveillance tools to monitor Internet traffic going
through their networks,and many commercially available programs existed
to facilitate the task,However,given the fairly broad provider rights to inter-
cept communications inside their network,
211
none of the commercially avail-
able tools incorporated the privacy protections that the FBI desired.
212
The
FBI needed a surveillance tool that protected the privacy of Internet users
more than the surveillance tools routinely used by system administrators,
210
Upon hearing that the government has spent substantial resources to develop a new surveillance
tool,most people are likely to assume that the FBI was working on a tool to invade privacy,not to pro-
tect it,
211
See 18 U.S.C.A,§ 2511(2)(a)(i) (West Supp,2002) (creating provider rights for the acquisition
of contents); id,§ 3121(b)(1) (creating provider rights for the acquisition of addressing information),
212
See Carnivore Diagnostic Tool,Hearings Before the Senate Judiciary Comm.,106th Cong,(2000)
[hereinafter Hearings] (testimony of Donald M,Kerr),available at http://www.fbi.gov/congress/congress
00/kerr090600.htm,
Carnivore—far better than any commercially-available sniffer—is configurable so as to filter with
precision certain electronic computer traffic (i.e.,the binary computer code,the fast-flowing
streams of 0’s and 1’s),,,, [T]o our knowledge,there are few,if any,electronic surveillance
tools that perform like Carnivore,in terms of its being able to be tailored to comply with different
court orders,owing to its ability to filter with precision computer code traffic,
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
652
In particular,commercially available programs generally did not allow
the user to run a very narrow search that a court order might require,and
none included auditing features that would be useful in court if a defendant
challenged the fruits of surveillance,These deficiencies are apparent in the
most popular off-the-shelf packet analyzer program for system administra-
tors,a product known as,EtherPeek” that sells for about $1,000.
213
The
versions of EtherPeek available in the late 1990s did not allow system ad-
ministrators to limit searches by ordering the sniffer to exclude results that
contained specific key words.
214
The tool could search for emails to
bob@aol.com,for example,but could not filter out emails to bob@aol.com
that also included the word,personal.” Instead,the tool required the collec-
tion of all emails to bob@aol.com,even if personal emails were beyond the
scope of a court order,While this extra invasion of privacy might not mat-
ter to a business,it makes a difference to a law enforcement agency,as it
raises the prospect that the tool might illegally collect information beyond
the scope of a court order,To ensure that the FBI would have a tool that
complied exactly with the terms of a court order,the FBI decided it needed
to develop its own surveillance tools tailored specifically to the limits of the
surveillance laws.
215
The FBI developed such a tool relatively late because law enforcement
agencies like the FBI rarely use their own surveillance tools when imple-
menting court orders,In most cases,the FBI simply hands the court order
to the ISP,which implements the order itself using its own tools.
216
Al-
though the ISP’s surveillance tools might collect more information than re-
quired by the court order,the ISP can manually filter the results and
exclude sensitive information before handing over the data to the FBI.
217
From a law enforcement perspective,this scheme of indirect surveil-
lance is vastly preferable to direct surveillance,although it cannot be relied
upon exclusively,The advantage of indirect surveillance is primarily eco-
nomic; it costs less and requires fewer technical resources for the govern-
ment to outsource surveillance duties to ISPs than for the government to
213
EtherPeek is a WildPackets,Inc,software program,See WildPackets,Inc.,EtherPeek,at
http://www.wildpackets.com/products/etherpeek (last visited Feb,4,2003),According to WildPackets,
Inc.’s promotional material,EtherPeek,is an award-winning Ethernet network traffic and protocol ana-
lyzer designed to make the complex tasks of troubleshooting and debugging mixed-platform,multi-
protocol networks easy.” Id.; see also Karen J,Bannan,Sniff Out Trouble,PC MAG.,May 22,2001,at
154 (offering a product review of EtherPeek),
214
More advanced filters were not incorporated in EtherPeek until more recently,Robert J,Kohl-
hepp,AG Group’s EtherPeek 4 Gives Network Analysis a New Look,NETWORK COMPUTING,Jan,24,
2000 (noting introduction of advanced filtering capabilities on EtherPeek),at http://www.network
computing.com/1101/1101sp4.html,
215
Hearings,supra note 212,
216
See Concerning the,Carnivore” Controversy,Electronic Surveillance and Privacy in the Digi-
tal Age,Hearing Before the Senate Judiciary Comm.,106th Cong,(2000) (statement of Kevin V,Di-
Gregory,Deputy Assistant Att’y Gen.),at http://www.cybercrime.gov/kvd_0906b.htm,
217
Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
653
conduct the surveillance itself.
218
At times,however,ISPs lack the exper-
tise or the willingness to implement court orders on law enforcement’s be-
half,Trust of the ISP is also an issue,Indirect surveillance requires the
government to trust that the ISP can implement the court order effectively
and will turn over all of the evidence obtained to government investigators,
While this may be true with regards to major ISPs like AOL and Earthlink,
smaller ISPs may be uninterested in helping the Feds,may have other more
pressing problems,or may even be in cahoots with the criminal suspects,
This means that the government cannot rely exclusively on indirect surveil-
lance to implement its court orders,If all else fails,it must have a surveil-
lance tool that allows it to implement court orders directly.
219
The FBI dubbed the product of its efforts,Carnivore.”
220
Ironically,
the menacing name was originally intended to reflect how privacy protect-
ing the tool was designed to be.
221
The first-generation tool the FBI devel-
oped before Carnivore employed a fairly primitive filter that at times could
collect more information than a court order allowed.
222
As a result,it could
collect snippets of other communications beyond the scope of the court or-
der.
223
This tool,ate” more than it was supposed to,and so the FBI dubbed
it,Omnivore.”
224
In contrast to Omnivore,the second-generation tool had
an advanced filter that could precisely locate and record the exact informa-
tion sought,The FBI called the second-generation tool,Carnivore,” the
device only devoured the,meat” that the tool was programmed to record.
225
The FBI therefore designed Carnivore—and its progeny,such as the
third-generation tool given the more innocuous label,DCS-1000”
226
—to
218
Although no official figures are available on this point,common sense suggests that an ISP that
is familiar with its network and already has a system admininistrator employed to oversee it can more
easily and cheaply implement a court order to conduct surveillance of its network than the FBI,For the
FBI to implement the order,it must learn about the network from the ISP,and send technical specialists
out to the site in order to implement the surveillance tool,
219
In a sense,this capability is the Internet equivalent of what the telephone system guarantees by
way of the Communications Assistance for Law Enforcement Act,See 47 U.S.C,§ 1001 (2000),
220
See John Schwartz,Computer Security Experts Question Internet Wiretaps,N.Y,TIMES,Dec,5,
2000,at A16 (describing continued opposition to Carnivore); LAB,DIV.,FBI,CARNIVORE DIAGNOSTIC
TOOL,at http://www.fbi.gov/hq/lab/carnivore/carnivore2.htm (last visited Feb,4,2003),
221
See John Schwartz,Tapping into Gray Areas,New Internet Surveillance Technology Raises as
Many Questions as It Answers,HOUSTON CHRON.,Feb,16,2001,at 1 (noting that Carnivore,was de-
rived from an earlier system,called Omnivore,that captured most of the Internet traffic coursing
through a network,‘As the tool developed and became more discerning’—able to get at the meat of an
investigation—‘it was named Carnivore,’ an official said”),
222
See id.; see also IIT RESEARCH INST.,INDEPENDENT TECHNICAL REVIEW OF THE CARNIVORE
SYSTEM,FINAL REPORT 4-2 (2000) [hereinafter IITRI FINAL REPORT] (noting that Carnivore does not
over-collect,in contrast to generically available sniffer software),available at
http://www.epic.org/privacy/carnivore/carniv_final.pdf,
223
See IITRI FINAL REPORT,supra note 222,at 4-2,
224
See id,
225
See Schwartz,supra note 221,
226
See McCarthy,supra note 64,at 828 n.5,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
654
ensure compliance with court orders while minimizing the invasion of pri-
vacy,In fact,the tool’s user interface was designed with the law specifi-
cally in mind,the Carnivore software,which runs on a home PC or a
laptop,
227
prompts the user to enter in the exact type of traffic that the court
order specifies—e.g.,pen/trap vs,full content,email envelope vs,packet
envelope.
228
The program then executes the court order as instructed,Of
course,legitimate concerns exist that the program may malfunction,and as
with any tool,human error can cause the program to be configured incor-
rectly.
229
Assuming the tool performs as it is designed to perform,however,
it should be a privacy-protecting Internet surveillance tool as compared to
the commercially available alternatives,In fact,Carnivore is essentially an
everyday Internet tool with a few extra features designed to ensure compli-
ance with court orders,As Peter Swire has pointed out,it could have been
called the,Internet court order compliance tool.”
230
Unfortunately,both commentators and the press have portrayed Carni-
vore as a frightening and mysterious beast that invades privacy willy-nilly.
231
The menacing name itself probably accounts for much of this criticism,and a
misunderstanding of how the Internet inverts the traditional relationship be-
tween privacy and technology accounts for much of the rest,The physical
reality of the tool’s installation at ISPs in the form of a sealed black box has
not helped the FBI,either.
232
While Carnivore’s critics point to this as proof
of the tool’s dangers,
233
it instead reflects privacy and legal constraints,In-
stalling the tool at the ISP minimizes the amount of Internet traffic that needs
to be scanned,
234
minimizing the invasion of privacy,Sealing the computer
preserves the chain of custody for evidentiary purposes.
235
227
See IITRI FINAL REPORT,supra note 222,at 2–3,
228
See id,at ch,4,
229
See supra notes 191–95 and accompanying text,
230
See Peter Swire,Panel Presentation at AALS Conference Panel on Internet Privacy,New Or-
leans (Jan,6,2002),
231
See,e.g.,Schwartz,supra note 196,at A14 (“When Carnivore sits down to eat,it tastes every-
thing.”),For an amusing example of this hysteria,see Future Solutions,Stop Carnivore NOW!,at
www.stopcarnivore.org (last visited Feb,4,2003),
232
Press Release,American Civil Liberties Union,In Unique Tactic,ACLU Seeks FBI Computer
Code on,Carnivore” and Other Cybersnoop Programs (July 14,2000) [hereinafter ACLU Press Re-
lease],at http://www.aclu.org/news/2000/n071400a.html.,‘Right now,the FBI is running this software
out of a black box,’ said Barry Steinhardt,Associate Director of the ACLU.,,, ‘The FBI is saying,
‘trust us,we’re not violating anybody’s privacy.’ With all due respect,we’d like to determine that for
ourselves.’” Id,
233
See,e.g.,id,
234
This is true for any kind of prospective Internet surveillance,Because tapping the line requires
scanning the traffic passing through the line to identify the particular items sought in the court order,the
best way to minimize the invasion of privacy is to install the tap where the amount of traffic unrelated to
the court order is at an absolute minimum,When monitoring an Internet account,this will generally
mean the ISP that hosts the account,Installing the monitoring device elsewhere would increase the
amount of unrelated traffic scanned,
235
Imagine that you are a prosecutor attempting to persuade a jury that records collected by a
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
655
C,The Effect of the USA Patriot Act on Carnivore
Opponents of the Patriot Act allege that the Act encourages the use of
Carnivore,As the analysis above indicates,this is an odd point of criticism
since Carnivore is generally more privacy enhancing than other less sophis-
ticated packet sniffers in everyday use at ISPs,But even on its face,the
criticism rings hollow,
The view that the Patriot Act furthers the use of Carnivore is based
largely on a faulty logical premise,The premise is that because Carnivore
provides a means of conducting Internet surveillance,a law that appears to
further the government’s ability to conduct the use of Internet surveillance
must also further the use of Carnivore,The problem is that Carnivore is
merely one particular tool among many that could be used to conduct elec-
tronic surveillance,and there is no reason to think that the Patriot Act en-
courages the use of Carnivore as compared to any other tool (in fact,as we
shall see shortly the opposite is true),
As a result,the statement that the Patriot Act encourages the use of
Carnivore is akin to saying that a new highway bill furthers the use of Vol-
vos,Yes,some cars on the road are Volvos,Yes,a new law that helps the
highway system may eventually encourage more driving,some of which
presumably will be done behind the wheel of Volvos,But the connection
between the highway bill and a particular make or model of car is tenuous,
as there are hundreds of different cars that can be driven,and there is no
reason to think that a highway bill would encourage the use of Volvos more
than any other car,Tying the Patriot Act to the increased use of Carnivore
rests on similarly weak logic,
In part,the problem is that the Carnivore debate has been focused on
the wrong question,The critical question is not what particular tool is used
to conduct surveillance,but instead what the law authorizes the government
to do,and whether the government stays within the scope of that authority,
Again,a comparison to an automobile proves helpful,It is crime to drive a
car above the speed limit,
236
or to drive a car while drunk,
237
or to possess a
stolen car.
238
However,whether the car happens to be a Ford or a Chevrolet
packet sniffer installed by the FBI link the defendant to a crime,If the employees of the ISP had access
to the sniffer,your job could become quite difficult,Any good defense attorney will try to raise reason-
able doubt based on the untrustworthiness of records that were created by the FBI’s sniffer but open to
falsification by anyone present at the ISP,If employees could access the sniffer,they could modify the
sniffer,reconfigure the settings,falsify data,and tamper with the evidence,Cf,United States v,
Whitaker,127 F.3d 595,602 (7th Cir,1997) (noting that defendant’s argument that computer records
were unreliable because,with a few keystrokes” they could be modified or deleted was a question for
the jury),In contrast,if the device is sealed and cannot be accessed by the ISP,this minimizes one
source of possible tampering,
236
See,e.g.,VA,CODE ANN,§ 46.2-878.2 (Michie 2002),
237
See,e.g.,id,§ 18.2-266 (“It shall be unlawful for any person to drive or operate any motor vehi-
cle,,, while such person is under the influence of alcohol,,,,”),
238
See,e.g.,id,§ 18.2-109,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
656
is entirely irrelevant,What matters is not the model of the car,but what the
driver does with the car and whether that is legal or illegal,
Whether the government uses Carnivore or some other tool to conduct
prospective surveillance,the legal questions remain the same,Unless an
exception to the statute applies,the government must obtain a pen register
order to obtain,dialing,routing,addressing,and signaling information,”
and must obtain a Wiretap Order to obtain,contents.” This was true before
the Patriot Act (although the first part was uncertain),and it is true after the
Patriot Act,If the government does not obtain the right court orders,it vio-
lates the statute regardless of whether it has used Carnivore or Fluffy
Bunny.
239
D,The Patriot Act and New Rules for Direct Versus Indirect
Surveillance of Packet Switched Networks
Notably,the Patriot Act does include one amendment that is designed
to address Carnivore,However,this amendment is actually a pro-privacy
law,designed to monitor Carnivore by imposing a reporting requirement on
direct prospective surveillance of the Internet by law enforcement.
240
The
reporting requirement has been codified at 18 U.S.C,§ 3123(a)(3) and re-
quires a law enforcement agency to file a detailed report whenever it installs
its own surveillance device on an ISP available to the public pursuant to a
pen register order.
241
The report must identify,any officer or officers who
installed the device and any officer or officers who accessed the device to
obtain information from the network,”
242
,the date and time the device was
installed,the date and time the device was uninstalled,and the date,time,
and duration of each time the device is accessed to obtain information,”
243
“the configuration of the device at the time of its installation and any subse-
quent modification thereof,”
244
and,any information which has been col-
lected by the device.”
245
The provision was added to the Patriot Act at the
239
Currently,there is no Internet surveillance tool called Fluffy Bunny,However,the FBI may
want to try using the name,
240
See 18 U.S.C.A,§ 3123(a)(3) (West Supp,2002),
241
The reporting requirement is triggered when a,law enforcement agency implementing an ex
parte order under [the Pen Register Statute] seeks to do so by installing and using its own pen register or
trap and trace device on a packet-switched data network of a provider of electronic communication ser-
vice to the public.” 18 U.S.C.A,§ 3123(a)(3)(A),Although this statutory text does not mention Carni-
vore or DCS-1000 by name,Congress clearly intended to regulate the program,since the primary law
enforcement tool for conduct direct prospective surveillance is Carnivore and the third-generation DCS-
1000,and the,packet-switched data network” is a network connected to the Internet,The requirement
that the service be available,to the public” is explained in Andersen Consulting v,UOP,991 F,Supp,
1041,1042–43 (N.D,Ill,1998),
242
18 U.S.C.A,§ 3123(a)(3)(A)(i),
243
Id,§ 3123(a)(3)(A)(ii),
244
Id,§ 3123(a)(3)(A)(iii),
245
Id,§ 3123(a)(3)(A)(iv),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
657
insistence of House Majority Leader Dick Armey in an effort to increase the
judicial review of the use of Carnivore as a way of implementing pen regis-
ter orders.
246
Contrary to reports that the Patriot Act unleashed Carnivore,
the Patriot Act actually introduced measures that specifically monitor and
restrict its use.
247
Although the Patriot Act’s reporting requirement is a modest regulation
on the whole,its suspicion of direct surveillance reflects a significant shift
from the traditional approach found in United States surveillance and search
and seizure law,Federal privacy laws have traditionally preferred that law
enforcement implement court orders itself,and have signaled significant
skepticism at the prospect of allowing private parties to implement court
orders on the government’s behalf,For most of the last century,the norm
has been police implementation of their own court orders,and the exception
has been giving the responsibility over to the private provider,For exam-
ple,federal law governing the execution of search warrants actually prohib-
its private parties from executing search warrants on behalf of law
enforcement.
248
Similarly,when the Wiretap Act first allowed the FBI to
conduct prospective surveillance of the telephone network in 1968,it effec-
tively required the FBI to conduct direct surveillance,While the telephone
company could volunteer to help the government,providers could not be
compelled to execute the court order on the government’s behalf.
249
Con-
gress later amended the statute in 1970 to allow the courts to compel pro-
viders to help the government,but offered the government the choice,it
could either implement the order itself,or it could order the provider to im-
plement the order on its own and to send the results to law enforcement.
250
246
Editorial,Proceed with Caution,DENVER POST,Oct,26,2001,at B6 (“There are some safe-
guards,such as,,, a requirement,added at the last minute by House Majority Leader Dick Armey,R-
Texas,that a judge monitor the FBI’s use of the controversial Carnivore email surveillance system.”),
247
An even greater irony is that technological advances in commercial packet sniffers may have
significantly decreased the need for the FBI’s own surveillance tool,In the last two years,for example,
new versions of the commercial EtherPeek software have been introduced that significantly enhanced
the tool’s filtering capability,See,e.g.,WildPackets,Inc.,WildPackets Releases EtherPeek? v4.2,
New Version of Industry’s Leading Packet Analyzer Provides Multiple Filtering and Decoding Up-
grades (Aug,2,2001) (noting the introduction of advanced filtering capabilities in version 4.2 of Ether-
Peek,including,‘Accept Matching’ and ‘Reject Matching’ Filter Modes”),at http://www.wild
packets.com/corporate/news/01-08-02,If EtherPeek allows system administrators to implement surveil-
lance orders quickly and effectively,Carnivore and its progeny will be needed less and less often,
248
See 18 U.S.C.A,§ 3105 (“A search warrant may in all cases be served by any of the officers
mentioned in its direction or by an officer authorized by law to serve such warrant,but by no other per-
son,except in aid of the officer on his requiring it,he being present and acting in its execution.”),
249
In re Application of the United States,427 F.2d 639,644 (9th Cir,1970) (“If the Government
must have the right to compel regulated communications carriers or others to provide such assistance,it
should address its plea to Congress.”),
250
See 18 U.S.C.A,§ 2518(4) (“An order authorizing the interception,,, shall,upon request of the
applicant,direct that a provider of wire or electronic communication service,,, shall furnish the appli-
cant forthwith all information,facilities,and technical assistance necessary to accomplish the intercep-
tion,,,,” (emphasis added)),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
658
This is the standard that Congress has consistently enacted in surveillance
laws since 1970,Congress has offered law enforcement the choice of how
it wants to implement surveillance orders,without placing a thumb on the
scale in favor of either direct or indirect surveillance.
251
IV,THE COMPUTER TRESPASSER EXCEPTION TO THE WIRETAP ACT
A third major criticism of the USA Patriot Act centers on a new excep-
tion to the Wiretap Act,the computer trespasser exception.
252
The com-
puter trespasser exception concerns prospective content surveillance and
allows law enforcement to intercept the contents of Internet communica-
tions sent by a,computer trespasser” without a warrant from the computer
of a consenting victim of the trespasser.
253
The computer trespasser excep-
tion proved so controversial that Congress enacted it only pursuant to a sun-
set provision,the exception will cease to exist on December 31,2005,
unless Congress chooses to reauthorize it.
254
According to its critics,the
sunset provision was necessary because the computer trespasser exception
poses significant dangers to privacy.
255
This Part explains why the computer trespasser exception is an impor-
tant and appropriate addition to the Wiretap Act that should make sense to
law enforcement and civil libertarians alike,In the interests of full disclo-
sure,I should make clear that I am not a neutral player in this debate,I first
proposed adding a computer trespasser exception to the Wiretap Act to sev-
eral colleagues at the Justice Department in the summer of 1999 and pushed
it within DOJ until I left in the summer of 2001,My understanding is that
these efforts helped persuade other DOJ officials to support a computer
trespasser exception,and that such an exception eventually became a part of
the package that DOJ picked up as its Anti-Terrorism proposal,The DOJ
proposal then led in modified form to the Patriot Act,While I had no in-
volvement in the DOJ proposal after September 11,I think I was in some
sense,present at the creation” of the computer trespasser exception,
This Part begins by showing how the structure of the Wiretap Act re-
flects its origins as a means of protecting telephone privacy,and how apply-
ing the same legal framework to the Internet triggers the need for a
computer trespasser exception,It then explains how the computer tres-
251
Notably,however,the postal service regulation governing mail covers is an indirect regulation,
it allows the Postal Service to implement a mail cover,but no others,39 C.F.R,§ 233.3 (2002),Of
course,this is easier to do in the case of the postal mail given that the government Postal Service enjoys
a monopoly over postal mail,
252
See,e.g.,Rosen,supra note 81,at 12,
253
See 18 U.S.C.A,§ 2511(2)(i),
254
See Pub,L,107-56,§ 224 (“[T]his title and the amendments made by this title,,, shall cease to
have effect on December 31,2005.”),
255
See Rosen,supra note 81,at 12 (suggesting that the broad language of the original proposed text
of the exception would allow the government to monitor all of an Internet user’s communications when-
ever the user violated minor rules,like her ISP’s terms of service),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
659
passer exception fills this need,and carves out a middle course that will
preserve privacy protections and more closely translate Fourth Amendment
protections to the Internet,The Part argues that the computer trespasser ex-
ception better matches the Wiretap Act’s protections to the Fourth Amend-
ment,and in the end should increase the privacy protection of the Wiretap
Act by imposing limits on the scope of other exceptions to the Wiretap Act
and implicitly broadening the scope of what constitutes,contents.” At the
same time,the Part concludes that civil libertarian critics of the trespasser
exception have valid concerns about the current language and that the text
needs slight redrafting to clarify its scope and purpose,
A,The Structure of the Wiretap Act and the Assumptions of
the Telephone System
To understand why the Wiretap Act needs a computer trespasser ex-
ception,it is necessary to explore how the Wiretap Act applies to the com-
munications network for which it was designed,the telephone network,As
enacted in 1968,the Wiretap Act imposes a strikingly broad privacy regime
that protected essentially all telephone communications within the United
States.
256
The Act presumes that all telephone communications would oc-
cur between two human,parties”
257
to the call,It prohibits both the gov-
ernment and private parties from breaking into the communication with a
surveillance tool to tap the,contents”
258
of the communication without a
special court order.
259
The prohibited act of surveillance can be represented
with the following figure,
FIGURE 2,PROHIBITED ACT OF SURVEILLANCE
256
See CCIPS MANUAL,supra note 15,at 150–51,
257
18 U.S.C.A,§ 2511(2)(c) (West Supp,2002),
258
Id,§ 2510(8),
259
Id,§ 2518,
PARTY A
D evice
PARTY B
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
660
This scheme is easy to understand in the case of a telephone call,imagine
A and B conversing on a dedicated line and a surveillance device being used
to tap the line and intercept their conversation,The Wiretap Act makes it a
crime for anyone to use a device to tap the line between A and B without a
“super warrant” court order,subject to a few exceptions.
260
Although the Wiretap Act has many exceptions,only two are particu-
larly important,The first is the consent exception.
261
The exception allows
any,party to the communication”
262
to consent to surveillance,In the case
of the telephone call between A and B,the parties to the communication
prove easy to identify,they are A and B.
263
This exception allows tele-
phone call participants to record the calls,or to consent to having someone
else do so.
264
So long as one participant consents to the monitoring,the
surveillance does not violate the Wiretap Act,The courts have construed
consent fairly broadly in this context,as notice that monitoring will occur
can generate consent.
265
If a person uses the telephone after receiving no-
tice that he will be monitored,the theory goes,he has given,implied con-
sent” to monitoring.
266
However,if the telephone user has not either
expressly consented to or received notice of the monitoring,consent will
not be,cavalierly implied.”
267
The second important exception allows providers to intercept com-
munications through their network when it is a,necessary incident,,,
to the protection of the rights or property of the provider of that ser-
vice.”
268
In the parlance of Part I of this Article,this is a provider
power,not a government power,and is often known as the provider ex-
ception.
269
In the telephone context,the provider exception permits the
phone company to wiretap phones when it is necessary to combat unau-
260
Id,§ 2511(1),
261
Id,§ 2511(2)(c)–(d),
262
Id,
263
See United States v,Campagnuolo,592 F.2d 852,863 (5th Cir,1979) (noting that a,party” to a
telephone call means,the person actually participating in the communication” (quoting S,REP,NO,
1097,90th Cong,(1968),reprinted in 1968 U.S.C.C.A.N,2112,2182)),
264
18 U.S.C.A,§ 2511(2)(c)–(d),If the party is not acting under color of law,he must not have the
purpose to commit,any criminal or tortious act.” Id,§ 2511(2)(d),
265
United States v,Amen,831 F.2d 373,378 (2d Cir,1987),Implied consent exists when circum-
stances indicate that a party to a communication was,in fact aware” of monitoring,and nevertheless
proceeded to use the monitored system,United States v,Workman,80 F.3d 688,693 (2d Cir,1996); see
also Griggs-Ryan v,Smith,904 F.2d 112,116–17 (1st Cir,1990) (“[I]mplied consent is consent in fact
which is inferred from surrounding circumstances indicating that the [party] knowingly agreed to the
surveillance.” (internal quotations omitted)),Proof of notice to the party generally supports the conclu-
sion that the party knew of the monitoring,See Workman,80 F.3d,at 693,
266
See Berry v,Funk,146 F.3d 1003,1011 (D.C,Cir,1998),
267
Watkins v,L.M,Berry & Co.,704 F.2d 577,581 (11th Cir,1983),
268
18 U.S.C.A,§ 2511(2)(a)(i),
269
See CCIPS MANUAL,supra note 15,at 161–66,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
661
thorized use of the phone network.
270
The exception arose out of a series
of,blue box” cases in the 1960s,in which individuals used illegal blue
box devices that allowed them to trick the telephone system into letting
them make unlimited long-distance calls for free.
271
Importantly,how-
ever,the courts have stressed that this is a narrow exception,it only al-
lows the phone company to conduct limited surveillance for business-
related reasons,
272
and does not allow them to monitor even unauthorized
use to help law enforcement.
273
The structure of the Wiretap Act allows it to produce counterintui-
tive results,Many lawyers and citizens assume that wiretapping powers
track ownership in the network,if a company owns the network and
provides the phones,the assumption is that it must have intrinsic author-
ity to monitor the network.
274
Not so,In fact,ownership of the network
bestows no special monitoring privileges under the Wiretap Act;
275
nor
does unauthorized use trigger any traditional exception.
276
Under the
Wiretap Act,an employee successfully sued her employer for listening
to the employee’s personal calls at work on the employer’s phone during
work hours.
277
More remarkably,a kidnapper once successfully sued the
police for wiretapping his illegally cloned cellular phone calls in the
course of locating the kidnapper and freeing his victim.
278
Because the
monitoring in these two cases fell outside of the Act’s exceptions,the
monitoring violated the Wiretap Act,
270
United States v,Auler,539 F.2d 642,645–46 (7th Cir,1976),
271
See,e.g.,Bubis v,United States,384 F.2d 643,648 (9th Cir,1967),
272
See id,
273
See McClelland v,McGrath,31 F,Supp,2d 616,619 (N.D,Ill,1998),
274
The New York Times has often repeated this as fact,See,e.g.,Carl S,Kaplan,Big Brother as a
Workplace Robot,N.Y,TIMES,July 24,1997,at http://www.nytimes.com/library/cyber/law/072497
law.htm,
275
A possible exception is the so-called,extension telephone” exception,See 18 U.S.C.A,§
2510(5)(a) (West Supp,2002),This exception makes clear that when a phone company furnishes an
employer with an extension telephone for a legitimate work-related purpose,the employer’s monitoring
of employees using the extension phone for legitimate work-related purposes does not violate Title III,
See Watkins v,L.M,Berry & Co.,704 F.2d 577,582 (11th Cir,1983) (applying exception to permit
monitoring of sales representatives); Briggs v,Am,Air Filter Co.,630 F.2d 414,418 (5th Cir,1980)
(reviewing legislative history of Title III); James v,Newspaper Agency Corp.,591 F.2d 579,581 (10th
Cir,1979) (applying exception to permit monitoring of newspaper employees’ conversations with
customers),
276
Or at least it did not until the computer trespasser exception,
277
Deal v,Spears,980 F.2d 1153,1157–58 (8th Cir,1992) (holding employer liable for listening in
on employee’s phone calls at work,on the ground that employer merely told employee that employer
“might” listen in on employee’s calls,which was insufficient to generate consent),
278
McClelland,31 F,Supp,2d at 619 (denying officers’ motion for summary judgment on the
ground that the officers had encouraged the cellular service provider to engage in the monitoring,and
therefore that it fell outside the provider exception),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
662
B,Applying the Wiretap Act to the Internet,How Do the Exceptions Apply
and Who Is a Party to the Communication?
So much for the telephone,How about the Internet? In 1986,Con-
gress enacted the Electronic Communications Privacy Act (ECPA).
279
ECPA created the basic statutory framework for Internet surveillance that
exists today,Among the important changes brought about by ECPA was
that the law applied the privacy protections of the telephone Wiretap Act to
computer networks,The 1986 Act added,electronic communications” to
the telephone,wire communications” that the Wiretap Act protected,bring-
ing the entire Internet within the broad protection of the wiretap laws,
Adding Internet email to the category of communications protected by
the Wiretap Act made obvious sense,However,it also created a series of
difficult analytical problems that its drafters apparently failed to foresee,
The difficulty begins with the fact that there is a great deal to the Internet
beyond email,as demonstrated in Part I,Internet communications can con-
sist of emails,but they also take the form of web pages in transit,computer
commands sent to remote servers,music or pornography files,network traf-
fic,and other communications.
280
The Internet does not just provide a
means of letting people connect with other people,it also creates a com-
munications network that supports a range of hardware and software that
together foster a virtual world of cyberspace.
281
The Internet’s multifunctionality creates a series of puzzling problems
that complicates attempts to apply the Wiretap Act to it,Part II confronted
the problem of what are the,contents” of a communication in the case of a
human-to-computer communication,such as a computer command to re-
trieve a web page.
282
This problem is matched with an even more puzzling
question that helps explains the need for the computer trespasser exception,
How does the consent exception apply to the Internet? More specifically,
who is a,party to the communication” who can consent to monitoring in
the case of a human-to-computer or computer-to-computer communication?
The scope of privacy protection that the Wiretap Act provides hinges on the
answer to this question,
The question’s critical importance can be demonstrated by considering
a hypothetical law enforcement investigation into computer hacking,drawn
from several cases that I worked on at the Justice Department,When the
government investigates a computer hacking incident,investigators gener-
ally start at the victim that has reported the crime and trace back the attack
to its origin,To avoid detection,hackers will not mount their attacks di-
rectly from their ISPs,Rather,they will route communications through a
279
Electronic Communications Privacy Act of 1986,Pub,L,No,99-508,100 Stat,1848,1986
U.S.C.C.A.N,3555,
280
See GRALLA,supra note 24,at 2,
281
See generally LAWRENCE LESSIG,CODE AND OTHER LAWS OF CYBERSPACE (1999),
282
See supra notes 181–95 and accompanying text,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
663
few victim computers along the way to throw the government off the
trail.
283
This can effectively disguise their location because computers only
reveal the immediate source from which a user sent a communication,If a
user routes a command from A to B to C to D,the computer at D will only
know that the command came from C,and will not know that the command
actually originated from A,To identify the intruder,the government must
trace the communication step by step from D to C to B to A,
The rules that govern this tracing process depend heavily on whether
the computers that the hacker has victimized count as parties to the com-
munication under the Wiretap Act,Consider an example,Imagine that a
computer hacker in New York plans to attack sensitive Defense Department
computers in California,and starts off by accessing the Internet through his
ISP in New Jersey,Rather than hack directly into the Defense Department
computers in California,the hacker first breaks into a computer at a small
company in Nebraska,and from that site in Nebraska he hacks into another
computer belonging to a high school in Arizona,Finally,from the com-
puter in Arizona he launches a computer attack against Defense Department
computers in California that contain potentially sensitive information relat-
ing to national security,Defense Department criminal investigators then
begin an investigation into the attacks,
We can appreciate the importance of identifying who is a party to the
communication by imagining how the investigation will likely proceed,
From the perspective of the victims at the Defense Department,they will only
know that they are under attack from a computer at a high school in Ari-
zona.
284
Agents will call up the school and let them know that either a stu-
dent at the school is attacking them,or that they have a hacker inside their
network,The agents would prefer that the high school monitor the hacker’s
source and either identify him (if he is local),or else identify the next step
back in the chain (if he is not),It is possible that the high school will eagerly
and capably help the law enforcement agents; they will monitor the hacker it-
self and disclose to the agents that the next link back in the chain was the
company in Nebraska,However,watching the attack occur is itself an inter-
ception of electronic communications under the Wiretap Act,and must be
justified by an exception to the Act,If the school volunteers this information,
the provider exception would clearly allow the school to conduct the monitor-
ing and disclose it to the agents.
285
The agents can then turn to the company
in Nebraska and repeat the process,hoping it leads them to the ISP in New
Jersey,which can identify the hacker as its customer,
283
This is a common tactic among hackers,See CCIPS MANUAL,supra note 15,at 160 (“When a
hacker launches an attack against a computer network,.,, he may route the attack through a handful of
compromised computer systems before directing the attack at a final victim.”),
284
This is true because they can read only the packets that are directed to them,and those packets
will only have the IP addresses of the computers that are the next hop back in the chain,
285
18 U.S.C.A,§ 2511(2)(a)(i) (West Supp,2002),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
664
However,the legal picture shifts considerably if the school will permit
the agents to monitor its network,but lacks the expertise or resources to
monitor users itself,The provider exception does not itself allow law en-
forcement to step in and conduct monitoring on a provider’s behalf,even
with the provider’s consent.
286
As a result,whether the police can conduct
the monitoring with the school’s consent depends on whether the school is a
“party” to the hacker’s communication,If the school is a party,the school
can consent to law enforcement monitoring; if it is not a party,the school
cannot consent to the monitoring without violating the Wiretap Act,
Whether the school constitutes a party under the Wiretap Act then
hinges upon how the hacker’s attack is modeled,On one hand,if the
hacker sent a communication to the school with instructions for the school’s
computer to launch attacks against the California victims,then the school
itself is a party to the communication and can consent to the government’s
monitoring,This approach reflects a broad theory of the,party to the
communication” exception,On the other hand,if we say that the hacker
himself sent the communication to the California victim but merely routed
the communication through the school,then the school is not a party and
cannot consent.
287
This approach applies a narrow conception of the,party
to the communication” exception,
What complicates this picture is that labeling the school a party to the
communication may sound logical here because the school is a victim of
crime,but ultimately would eviscerate the privacy protections of the Wire-
tap Act,Internet communications almost never travel directly from their
point of origin to their destination,most travel from hop to hop as they
286
See McClelland v,McGrath,31 F,Supp,2d 616,619 (N.D,Ill,1998),
287
One way for law enforcement to get around this problem is to have the ISP install a,banner,”
which is a notice that tells users that their use may be monitored,CCIPS MANUAL,supra note 15,at
app,A,at 197 (“Network banners are electronic messages that provide notice of legal rights to users of
computer networks.”),If a user sees the banner but proceeds to use the network,then cases indicate that
he has,consented” to monitoring and therefore subsequent monitoring will not violate Title III,See,
e.g.,United States v,Amen,831 F.2d 373,379 (2d Cir,1987) (applying such reasoning in the context of
telephone monitoring),There are two difficulties with this approach,First,it is disturbing from a pri-
vacy standpoint,it requires all users who see the banner to relinquish their rights against monitoring
solely to allow law enforcement to monitor unauthorized hackers,It may be possible to banner the net-
work narrowly,but when it is not the use of a banner requires a broad waiver of privacy protection from
entirely innocent network users,Second,if the hacker comes up with a clever way to enter the network
that allows him to bypass the banner,the cases suggest that the government still cannot monitor the
hacker unless it shows,convincingly” that the hacker actually knew of the monitoring,See,e.g.,United
States v,Lanoue,71 F.3d 966,981 (1st Cir,1995) (“The surrounding circumstances must convincingly
show that the party knew about and consented to the interception in spite of the lack of formal notice or
deficient formal notice.”),This is extremely difficult to do in the electronic context,The result is an
unsatisfying (if not downright silly) cat-and-mouse game between the hackers and law enforcement,in
which the cops try to place the banners in front of the hackers to try to establish their consent,and the
hackers try to evade them,When I was at the Justice Department,this cat-and-mouse game was a sig-
nificant dynamic in many computer intrusion investigations,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
665
traverse the network.
288
If each hop is a party to the communication,as the
broader approach to the exception would dictate,then any provider can
monitor any communication within its network or can consent to monitor-
ing by others,
Take the example of email,If a friend sends me an email from his account
at eck@panix.com to my law school account at okerr@main.nlc.gwu.edu,he is
actually sending the message to his ISP,panix.com,with instructions to
send it to the George Washington University server,main.nlc.gwu.edu,with
instructions for the GW server to send the message into the,okerr” ac-
count.
289
If every hop is a party to communications it handles,that means
that both Panix and GW are parties to the email between my friend and I
and that both can consent to law enforcement monitoring of every email
sent to or from their networks,This would be quite remarkable,It would
mean that AOL would be able to watch all of the emails sent or received by
its users because AOL was itself a,party” to those emails,In fact,the
owner of every computer would have a right to consent to total surveillance
of any communication directed to it,
When taken from the telephone context and applied to the Internet,the
consent exception creates an unstable fulcrum upon which to rest Internet
surveillance practice,The consent exception can either apply very broadly
or very narrowly,and both extremes produce disturbing results,The broad
reading of the consent exception eviscerates the Wiretap Act’s privacy pro-
tections and the narrow reading broadens the protections to the point that
they do not even allow investigators to watch criminal attacks occur,While
the Wiretap Act makes perfect sense as applied to the telephone network,
translating its protections to the Internet results in either too little privacy or
too much,
C,The Computer Trespass Exception,An Attempted Middle Ground
The idea of a computer trespasser exception to the Wiretap Act first
surfaced within the Justice Department in the summer of 1999,The goal
was to fashion a new exception to the Wiretap Act that could take the pres-
sure off the consent exception and more closely and accurately match the
Wiretap Act to the Fourth Amendment,
To some extent,the push for a new exception reflected the adage that
“necessity be the mother of invention.”
290
Within the Justice Department,
there was a strong institutional preference for cautious approaches to apply-
ing the Wiretap Act to the Internet,If one reading of the Wiretap Act al-
lowed surveillance but another reading forbade it,the DOJ would generally
adopt the more cautious approach and refuse to sanction the surveillance,
288
See CCIPS MANUAL,supra note 15,at 102,
289
See GRALLA,supra note 24,at 88–89,93,
290
GEORGE FARQUHAR,The Twin Rivals,in THE RECRUITING OFFICER AND OTHER PLAYS 79,93
(1672) (William Myers ed.,1995),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
666
Under these restrictions,most of the government’s investigations into com-
puter hacking proved unsuccessful because the government normally could
not monitor the hacker’s communications,which made it difficult to iden-
tify the hacker or understand the scope of the hacker’s activity,Even
though hacking victims were often willing to consent to law enforcement
surveillance of the hacker within their network,the DOJ understood the law
to forbid such a move.
291
In most cases,the hacker’s trail went cold and the
case remained unsolved,
The purpose of the computer trespasser exception was to carve out a
narrow exception that would allow monitoring of hacker communications in
some instances without disrupting an otherwise narrow reading of the con-
sent exception,The proposed exception acted as a cross between the exist-
ing provider exception and consent exception,it would allow the
government to intercept the communications of computer hackers who did
not have authorization to use the network when the owner of the network
consented to the surveillance,Conceptually,this aligned the Wiretap Act
more closely to the Fourth Amendment,If we understand a hacker’s com-
munications as the virtual equivalent of a burglar inside the victimized net-
work,
292
then a hacker has no reasonable expectation of privacy in his attack
and the Fourth Amendment would not afford him any privacy rights against
monitoring.
293
From the perspective of victims’ rights,this also matched
victims’ options online and off,A victim of a burglary in his home can
consent to monitoring of a burglar there,Similarly,a victim of hacking
should be able to consent to monitoring of a hacker within its network.
294
The proposed computer trespass exception went through various drafts
from the summer of 1999 until the fall of 2001,when the DOJ introduced it
as part of the Justice Department’s proposed Anti-Terrorism Act,The lan-
guage went through various changes during the legislative process until it
emerged in its final form,In its final form,the exception states,
291
Cf,Orin S,Kerr,Are We Overprotecting Code? Thoughts on First-Generation Internet Law,57
WASH,& LEE,L,REV,1287,1298 (2000),
292
See Compuserve,Inc,v,Cyber Promotions,Inc.,962 F,Supp,1015,1021 (S.D,Ohio 1997)
(noting cases analogizing computer hacking to trespassing),
293
See Kerr,supra note 291,at 1298,
294
This rationale matches the one offered by the Justice Department in the,field guide” it released
to the public to help explain the Patriot Act,Prior law,the field guide noted,arguably
prevented law enforcement from assisting victims to take the natural and reasonable steps in their
own defense that would be entirely legal in the physical world,In the physical world,burglary
victims may invite the police into their homes to help them catch burglars in the act of committing
their crimes,The wiretap statute should not block investigators from responding to similar re-
quests in the computer context simply because the means of committing the burglary happen to
fall within the definition of a,wire or electronic communication” according to the wiretap statute,
U.S,DEP’T OF JUSTICE,FIELD GUIDANCE ON NEW AUTHORITIES ENACTED IN THE 2001 ANTI-
TERRORISM LEGISLATION 10,at http://www.epic.org/privacy/terrorism/DOJ_guidance.pdf (last visited
Feb,4,2003),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
667
It shall not be unlawful under this chapter for a person acting under color of
law to intercept the wire or electronic communications of a computer tres-
passer transmitted to,through,or from the protected computer,if—
(I) the owner or operator of the protected computer authorizes the interception
of the computer trespasser’s communications on the protected computer;
(II) the person acting under color of law is lawfully engaged in an investiga-
tion;
(III) the person acting under color of law has reasonable grounds to believe
that the contents of the computer trespasser’s communications will be relevant
to the investigation; and
(IV) such interception does not acquire communications other than those
transmitted to or from the computer trespasser.
295
The law also defines,computer trespasser” as follows,
(A) means a person who accesses a protected computer without authorization
and thus has no reasonable expectation of privacy in any communication
transmitted to,through,or from the protected computer; and
(B) does not include a person known by the owner or operator of the protected
computer to have an existing contractual relationship with the owner or opera-
tor of the protected computer for access to all or part of the protected com-
puter.
296
This approach largely captures the essence of the original proposed com-
puter trespasser exception,It allows the government to intercept the com-
munications of a,computer trespasser” with the consent of the owner or
operator of the trespasser’s victim,In particular,the language of the excep-
tion clearly contemplates a situation like the one in my earlier hypothetical,
in which government agents investigating a hacking incident need a vic-
tim’s consent to trace the communication the next hop back in the chain,In
these circumstances,“person[s] acting under color of law”
297
will be,law-
fully engaged in an investigation”
298
and will then approach the owner or
operator of the system to have them,authorize the interception.”
299
The
agents will then intercept the communications of the computer trespasser
that they have,reasonable grounds to believe”
300
will let them trace back or
identify the hacker,
Unfortunately,the current text of the exception contains a few quirks
that Congress will likely have to revisit and revise,For example,one con-
dition of the exception states that it applies only when,such interception
does not acquire communications other than those transmitted to or from
295
18 U.S.C.A,§ 2511(2)(i)(I)–(IV) (West Supp,2002),
296
Id,§ 2510(21),
297
Id,§ 2511(2)(i),
298
Id,§ 2511(2)(i)(II),
299
Id,§ 2511(2)(i)(I),
300
Id,§ 2511(2)(i)(III),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
668
the computer trespasser.”
301
This can be read in two ways,Is,such inter-
ception” the interception of the precise communications that the govern-
ment seeks to justify using the trespasser exception or does it refer to an act
of interception more broadly? Under the latter reading,the exception per-
mits the government to rely on the exception only when all of the commu-
nications that the government intercepts relate to the computer trespasser,
If the monitoring picks up any communications unrelated to the hacking,
then the government cannot rely on the exception,Under the former read-
ing,the condition merely clarifies that the exception can only justify the in-
terception of a trespasser’s communication and that the interception of other
communications must still be justified using other exceptions to the Wiretap
Act,such as consent,
The DOJ field guide indicates that DOJ intended the latter interpreta-
tion,
302
and this is the far more sensible rule.
303
However,the text of the ex-
ception seems to point the other way,the exception only extends to the
interception of,communications of a computer trespasser,” which pre-
sumably means communications,transmitted to or from the computer tres-
passer.” Under the former reading,the extra language of 18 U.S.C,§
2511(2)(i)(IV) appears entirely redundant,
A similar problem afflicts the definition of,computer trespasser”
found in 18 U.S.C,§ 2510(21),This provision defines a computer tres-
passer as one,who accesses a protected computer without authorization and
thus has no reasonable expectation of privacy in any communication trans-
mitted to,through,or from the protected computer.”
304
The phrasing here is
quite strange,The term,reasonable expectation of privacy” is a constitu-
tional standard from Fourth Amendment law.
305
Whether a user who ac-
cesses a computer without authorization has any Fourth Amendment
protections in communications to,through,or from the victim computer is a
question for the courts,not Congress,
Furthermore,the current language appears to nullify most of this defi-
nition,labeling a computer trespasser as one,who accesses a protected
computer without authorization and thus has no reasonable expectation of
privacy in any communication transmitted to,through,or from the pro-
301
See id,§ 2511(2)(i)(IV),
302
The field guide explains that this language ensures that the exception,would only apply where
the configuration of the computer system allows the interception of communications to and from the
trespasser,and not the interception of non-consenting users authorized to use the computer.” U.S,
DEP’T OF JUSTICE,supra note 294,at 10 (emphasis added),
303
My understanding is that DOJ intended the computer trespasser exception to work in conjunc-
tion with a banner that would generate a user’s consent,All legitimate users would have seen the ban-
ner,justifying any inadvertent interception of their communications under the consent exception,The
computer trespasser exception could then justify the interception of the communications belonging to
hackers who managed to enter through a backdoor and did not see the banner,
304
18 U.S.C.A,§ 2510(21)(a),
305
See Katz v,United States,389 U.S,347,361 (1967) (Harlan,J.,concurring),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
669
tected computer” is no different from defining a computer trespasser as one
“who accesses a protected computer without authorization.” The added
congressional articulation of how it thinks the courts should apply the
Fourth Amendment has no place in the statute,The better approach would
have been for the statute to define a computer trespasser as one who ac-
cesses a computer without authorization and has no reasonable expectation
of privacy,which would properly leave the constitutional question for the
courts.
306
D,The Benefits of the Computer Trespasser Exception
Despite these shortcomings,both law enforcement and civil libertari-
ans should recognize the substantial benefits to having a computer tres-
passer exception to the Wiretap Act,From a law enforcement perspective,
the exception guarantees that the Wiretap Act will not unnecessarily impede
computer hacking investigations by giving hackers privacy rights in their
attacks,This effect isn’t surprising,the DOJ pushed the exception,so we
might expect it to serve DOJ’s interests,
What is surprising is that the exception should appeal to civil libertari-
ans as well,In fact,the trespasser exception may become a powerful
weapon that civil libertarians can use in the struggle against expansive gov-
ernment wiretapping practices,The reason is subtle,and relates not to what
the trespasser exception does expressly,but rather to what it indicates im-
plicitly about how the Wiretap Act applies to the Internet,By adopting the
Justice Department’s proposal on the trespasser exception,Congress in ef-
fect adopted DOJ’s highly cautious assumptions about how the Wiretap Act
applied to the Internet,The trespasser exception explicitly grants the gov-
ernment a limited power that the government quite possibly had before the
Patriot Act,To avoid reducing the trespasser exception to a nullity,courts
can now plausibly reason that Congress meant to construe the remaining
provisions of the Wiretap Act quite narrowly,expanding the scope of the
Wiretap Act’s privacy protections in important ways,
Consider the effect of the trespasser exception on the definition of
“contents.”
307
As I discussed earlier,the scope of,contents” is an ex-
tremely important open question in Internet surveillance law.
308
The tres-
passer exception implicitly reflects a congressional recognition of a
relatively broad definition of contents; a definition broad enough to encom-
pass the bulk of a computer hacker’s communications,such as commands
306
This is the approach that Congress took when defining,oral communication,” the interception of
which is protected by Title III to prevent eavesdropping and bugging,The definition follows:,‘[O]ral
communication’ means any oral communication uttered by a person exhibiting an expectation that such
communication is not subject to interception under circumstances justifying such expectation,but such
term does not include any electronic communication,,,,” 18 U.S.C.A,§ 2510(2),
307
Id,§ 2510(8),
308
See supra notes 176–91 and accompanying text,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
670
sent to remote servers,Before the Patriot Act,DOJ could have plausibly
argued that computer commands were not,contents” under the Wiretap
Act,such that the Wiretap Act did not prohibit monitoring of hackers and
the computer commands of other users without a court order,This view
makes little sense after the Patriot Act,however,if Congress saw a need to
create a new exception to the Wiretap Act to allow the monitoring of com-
puter hackers,it implicitly must have concluded that the bulk of a hacker’s
commands and other communications are,contents” regulated by the Wire-
tap Act,Thus,the trespasser exception arguably signals an expansion of
the scope of the Wiretap Act’s privacy protections,rather than a restriction
of the Act’s scope,
The trespass exception also sends important signals about the scope of
the all-important consent exception,Before the Patriot Act,it was unclear
whether a pass-through intermediary computer could consent to monitoring,
but at least two courts of appeals had suggested that they might.
309
Such a
reading would eviscerate the privacy protection offered by the Wiretap Act,
The trespasser exception is the best argument against such a reading,the ex-
ception only makes sense if mere pass-through computers are not parties to
communications,Otherwise,the trespasser exception would merely cover
ground already covered by the consent exception,The existence of the tres-
passer exception sends a strong signal to the courts,to give effect to the tres-
passer exception,courts should construe the consent exception narrowly.
310
Ironically,the trespasser exception that has been condemned for ex-
panding the scope of wiretapping in open-ended ways
311
may have actually
narrowed the scope of government wiretapping,By implicitly rejecting the
broad reading of the consent exception and a narrow reading of contents,
309
See United States v,Mullins,992 F.2d 1472,1478 (9th Cir,1993) (stating as an alternate hold-
ing that the consent exception of § 2511(2)(d) authorizes monitoring of computer system misuse because
the owner of the computer system is a party to the communication); United States v,Seidlitz,589 F.2d
152,158 (4th Cir,1978) (concluding in dicta that a company that leased and maintained a compromised
computer system was,for all intents and purposes a party to the communications” when company em-
ployees intercepted intrusions into the system from an unauthorized user using a supervisor’s hijacked
account),
310
See Kungys v,United States,485 U.S,759,778 (1988) (noting,the cardinal rule of statutory in-
terpretation that no provision [of a statute] should be construed to be entirely redundant”),An interest-
ing question will arise if Congress decides not to renew the trespasser exception after it sunsets in 2005,
Should courts then read the remaining language in light of these cautious assumptions? Or will not re-
newing the trespasser exception be seen as a rejection of these cautious assumptions?
311
For example,Peter Swire argues that the trespasser exception
is a significant change to current law,because it creates conditions under which law enforcement
officials can station themselves in communications companies to watch phone calls,email,and
web surfing as it occurs,Some non-government experts are beginning to point out how open-
ended the computer trespasser exception may turn out to be in practice,
SWIRE,supra note 123,However,if is true with regards to the trespasser exception,it is much more true
in the case of the consent exception,which the trespasser exception implicitly narrows,And if a
hacker’s communications are not contents,then law enforcement could do this anyway without a Wire-
tap order,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
671
the trespasser exception may thwart readings of the Wiretap Act that would
radically minimize the protections of the Wiretap Act,No matter how
broadly the trespasser exception may be viewed,its impact on other provi-
sions of the Wiretap Act likely dwarfs the impact of the exception itself,
And that impact will expand privacy protections,not reduce them,
Finally,the trespasser exception more closely aligns the Wiretap Act
with the Fourth Amendment,In the physical world,the Fourth Amendment
“reasonable expectation of privacy” test protects those who are legitimately
on the premises,but not trespassers.
312
The trespasser exception does the
same for the Wiretap Act,Such an exception was unnecessary in the tele-
phone era,when all communications were person-to-person communica-
tions that seemed intrinsically private.
313
The Internet has introduced
something new,human-to-computer and computer-to-computer communi-
cations that may or may not deserve privacy,depending on the circum-
stances,The new network now encompasses the full diversity of life in
cyberspace,creating a new need for the Wiretap Act to make the same nu-
anced distinction between authorized and unauthorized communications
made by the Fourth Amendment in the physical world.
314
CONCLUSION
On the afternoon of September 11,2001,Electronic Frontier Founda-
tion cofounder and Harvard Law School fellow John Perry Barlow posted a
message to a thousand-member email list that set the tone for the civil liber-
ties debate surrounding the Patriot Act.
315
Just hours after the World Trade
Center towers had fallen,Barlow urged his readers to prepare for,the Com-
ing Police State.”
316
Barlow warned,
[N]othing could serve those who believe that American,safety” is more im-
portant than American liberty better than something like this,Control freaks
will dine on this day for the rest of our lives,
Within a few hours,we will see beginning the most vigorous efforts to end
what remains of freedom in America,,,, I beg you to begin NOW to do
whatever you can,,, to prevent the spasm of control mania from destroying
the dreams that far more have died for over the last two hundred twenty five
years than died this morning,
312
Rakas v,Illinois,439 U.S,128,143 n.12 (1978),
313
See Kerr,supra note 291,at 1299,
314
See id,at 1298–300,
315
Email from John Perry Barlow,Cofounder & Vice Chairman,Electronic Frontier Foundation,to
John Perry Barlow (Sept,11,2001,13:38:15) [hereinafter Barlow email],at http://www.activism,
net/pipermail/think/2001-September/000002.html,Barlow’s email has been posted widely on the Inter-
net and has been discussed by the press as well,See,e.g.,Kristen Philipkoski,Civil Liberty the Next
Casualty?,WIRED NEWS,Sept,13,2001,available at http://www.wired.com/news/politics/0,1283,
46784,00.html,
316
Barlow email,supra note 315,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
672
Don’t let the terrorists or (their natural allies) the fascists win,Remember
that the goal of terrorism is to create increasingly paralytic totalitarianism in
the government it attacks,Don’t give them the satisfaction.
317
News reports in the mainstream media soon echoed Barlow’s theme,
Within a few days after September 11,most major United States newspa-
pers ran stories on the prospect that the attacks would lead to extreme anti-
terror measures that could threaten civil liberties.
318
Several articles noted
that wartime threats led to loss of civil liberties in the past,ranging from
President Lincoln’s suspension of habeas corpus in the Civil War
319
to the
Japanese internment camps during World War II.
320
Experts predicted that
law enforcement demands for greater surveillance power would prove im-
possible to resist.
321
Although the Bush Administration had not actually
proposed any new laws yet,the articles warned that a major shift in the bal-
ance between privacy and security might be on the way.
322
Given these fears and expectations,perhaps it was inevitable that the
press would readily portray the Administration’s antiterrorism proposals as
extraordinary and,panicky.”
323
The complexity of Internet surveillance stat-
utes added to the confusion,and textual ambiguities in the initial DOJ pro-
posals provided at least some basis for civil libertarian fears that the Patriot
Act would do far more than its drafters intended,The Justice Department’s
defense of its proposals helped fuel fears,as well,Although Attorney Gen-
eral Ashcroft emphasized that the DOJ proposals were,modest,”
324
he also
claimed that the government would use the new laws to launch a,law en-
317
Id,
318
See,e.g.,Ken Armstrong,Many Fear Loss of Freedoms,CHI,TRIB.,Sept,16,2001,at 8; Harriet
Chiang,ACLU Fears Intrusive Policies,Racial Profiling,S.F,CHRON.,Sept,13,2001,at A15; Karen E,
Crummy,Attack on America,Civil Liberties May Be Next Victim of Deadly Attacks,BOSTON HERALD,
Sept,14,2001,at 4; Maura Dolan & Henry Weinstein,Activist Groups on Lookout for Erosion of Civil Lib-
erties,L.A,TIMES,Sept,14,2001,at A14; Eric Pianin & Thomas B,Edsall,Civil Liberties Debates Re-
vived Amidst Efforts To Fight Terrorism,WASH,POST,Sept,14,2001,at A11; Robin Toner,Some Foresee
a Sea Change in Attitudes on Freedoms,N.Y,TIMES,Sept,15,2001,at A16; Rebecca Walsh,Rights Advo-
cates Concerned About Attacks’ Aftermath,SALT LAKE TRIB.,Sept,15,2001,at A1; Nick Wingfield et al.,
Some Fear Fight Against Terror Will Imperil Privacy,WALL,ST,J.,Sept,13,2001,at B4,
319
See Chiang,supra note 318 (noting Lincoln’s suspension of prisoners’ constitutional rights dur-
ing the Civil War),
320
See Walsh,supra note 318 (discussing the use of internment camps in World War II),
321
See,e.g.,Chiang,supra note 318 (quoting University of Michigan law professor Yale Kamisar
as saying,“The pressure to let the police do what they want to do is just going to be enormous.,,, I
shudder to think what’s going to happen”); Wingfield,supra note 318 (quoting Columbia University
historian Alan Brinkley as saying,“In coming months,anything claiming to be in the name of security
will be hard to oppose”),
322
See,e.g.,Chiang,supra note 318; Wingfield,supra note 318,
323
See Editorial,A Panicky Bill,WASH,POST,Oct,26,2001,at A34,
324
See John Ashcroft,Expanding Terrorism Investigation,Prosecution,Hearing Before the Senate
Judiciary Comm.,107th Cong,(Sept,25,2001) (testimony of Atty,Gen,John Ashcroft) (describing the
DOJ proposals as,careful,balanced,and long overdue improvements,” and as a,modest set of essen-
tials” rather than a DOJ,wish list”),available at 2001 WL 26186648,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
673
forcement offensive”
325
immediately,implying that the surveillance amend-
ments in fact constituted significant changes to existing law,
Fortunately,a more sober assessment suggests that the Internet surveil-
lance provisions of the Patriot Act updated the surveillance laws without
substantially shifting the balance between privacy and security,Many of
the Patriot Act’s provisions had been proposed by the Clinton Administra-
tion long before September 11,and had been debated and discussed for
years both within law enforcement and civil libertarian circles,All of the
changes worked within the basic legal structure that Congress had created
in 1986 when it enacted ECPA,Civil libertarian objections to ambiguities
in the initial DOJ proposals led to clarifications on the scope of the pen reg-
ister act and trespasser exception,and the objections of privacy advocates
led to new regulations on the use of Carnivore and the fruits of pen register
orders,Ironically,while the media braced for extreme measures following
the terrorist attacks on New York and Washington,the Internet surveillance
provisions enacted into law by the Patriot Act broke little new ground,Of
course,different commentators may disagree about specific provisions,and
the fact that the Patriot Act did not disrupt the preexisting balance between
privacy and security does not mean that the preexisting balance was the right
one,But a focus on the details of the legislation suggests that the Act that has
been portrayed as the road to Big Brother does not actually head there,
The Patriot Act does not and should not represent the final word on
electronic surveillance law,The rapid pace of technological change will
likely require the Internet surveillance laws to remain a work in progress,
and the sunset of many of the Patriot Act’s provisions on December 31,
2005 will prove only one of many opportunities to revisit and revise these
laws in the future,Many open questions remain,and Congress will have to
keep a watchful eye on law enforcement practice and technology to main-
tain the crucial balance between privacy and security,But the remarkable
circumstances of the Patriot Act’s passage should not obscure the reality
that the Act advanced a much-needed debate on how surveillance laws
should regulate the Internet,and enacted many relatively balanced rules that
in less anxious times might have been applauded rather than vilified,
325
See Josh Meyer,Terror Bill’s Effects To Be Immediate,L.A,TIMES,Oct,26,2001,at A1
(“When President Bush signs into law today new anti-terror legislation,the Justice Department and the
FBI will immediately launch a law enforcement offensive as all-consuming as the one Robert F,Ken-
nedy waged against organized crime 40 years ago,Atty,Gen,John Ashcroft said Thursday.”),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
674
LAW SCHOOL
P UBLIC L AW AND L EGAL T HEORY WORKING P APER N O,043
THE BIG BROTHER THAT ISN’T
Orin S,Kerr
This paper can be downloaded without charge from the
Social Science Research Network Electronic Paper Collection:
http://ssrn.com/abstract=317501
INTERNET SURVEILLANCE LAW AFTER THE USA PATRIOT ACT:
Copyright 2003 by Northwestern University School of Law Printed in U.S.A,
Northwestern University Law Review Vol,97,No,2
607
INTERNET SURVEILLANCE LAW AFTER THE USA
PATRIOT ACT,THE BIG BROTHER THAT ISN’T
Orin S,Kerr
INTRODUCTION
Following the September 11 terrorist attacks on New York and Wash-
ington,Congress rushed into action and quickly passed antiterrorism legis-
lation known as the USA Patriot Act.
1
The Patriot Act has been widely
understood as a,sweeping”
2
antiterrorism law that gave the government
“vast new powers”
3
to conduct electronic surveillance over the Internet,
The Act’s surveillance provisions proved so controversial that Congress
added a sunset provision that will nullify several of its key provisions after
four years,on December 31,2005.
4
To many legislators,the vast law en-
Associate Professor,George Washington University Law School,From the fall of 1998 until the
summer of 2001,I was a lawyer in the Computer Crime and Intellectual Property Section of DOJ’s
Criminal Division,My experience at DOJ included working with the Internet surveillance laws that ex-
isted before the Patriot Act,I also commented on and helped draft the legislative proposals to amend
those laws,including some proposals that influenced portions of what later became the Patriot Act,I
hope that my familiarity with these laws from my time in government will shed light that outshines the
occasionally myopic effect of personal experience,All of the views expressed in this Article are solely
my own and do not reflect the positions of the Department of Justice,Thanks to Peter Swire,Steve
Saltzburg,Beryl Howell,Jeffrey Rosen,Dan Solove,Lee Tien,Peter Raven-Hansen,Cynthia Lee,Jon
Molot,and Mark Eckenwiler for commenting on earlier drafts,All errors remain my own,
1
See Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (USA Patriot Act) of 2001,Pub,L,No,107-56,115 Stat,272,The formal title
is the,Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA Patriot Act) Act of 2001.” Id,The awkward name of the USA Patriot Act
derives from its legislative history,the Act combines elements of two antiterrorism bills,the Senate’s
USA Act,Senate Bill 1510,and the House of Representative’s Patriot Act,House Bill 2975,The Senate
approved the,Uniting and Strengthening America Act” (or,USA” Act) by a vote of 96 to 1 on October
11,2001,The House approved the,Provide Appropriate Tools Required to Intercept and Obstruct Ter-
rorism Act” (or,Patriot” Act),by a vote of 337 to 79 on October 12,2001,The final bill started with
the basic framework of the Senate bill and then added many of the components of the House bill to cre-
ate a compromise bill that combined both titles to create the USA Patriot bill,The USA Patriot bill was
approved by the House on October 24th by a vote of 356 to 66,passed the Senate on October 25th,a
vote of 98 to 1,and was signed by President Bush on October 26th,For simplicity’s sake,I will refer to
the final enacted law as the,USA Patriot Act,”,the Patriot Act,” or simply,the Act.”
2
Jesse J,Holland,New Powers To Fight New Threat; Bush Vows Stiff Enforcement of Anti-
Terrorism Laws,SEATTLE TIMES,Oct,26,2001,at A1,
3
Id,
4
See Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept
and Obstruct Terrorism (USA Patriot Act) Act of 2001,Pub,L,No,107-56,§ 224,115 Stat,272,295
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
608
forcement authorities unleashed by the Patriot Act seemed too dangerous to
extend indefinitely.
5
The Patriot Act triggered tremendous anxiety in part because few under-
stood exactly what it did,At the time of its passage,even many key legisla-
tors seemed to have little idea of the laws governing electronic surveillance,
both before the Patriot Act and following it.
6
Did the Act go too far? How
much privacy did Internet users have,and how much were they giving away?
No one seemed to know,and because the legislation rushed through Congress
with remarkable speed,
7
little in the way of Committee reports or other legis-
lative history existed to help explain it.
8
Most commentators simply assumed
the worst,they sensed that Internet users probably had very little privacy on-
line before the Patriot Act,and that the Patriot Act bargained away whatever
precious drops of privacy they had left.
9
This Article argues that the common wisdom on the USA Patriot Act is
incorrect,The Patriot Act did not expand law enforcement powers dramati-
cally,as its critics have alleged,In fact,the Patriot Act made mostly minor
amendments to the electronic surveillance laws,Many of the amendments
merely codified preexisting law,Some of the changes expanded law en-
forcement powers,but others protected privacy and civil liberties,Several
of the most controversial amendments may actually increase privacy pro-
tections,rather than decrease them,Most importantly,none of the changes
altered the basic statutory structure of electronic surveillance law created by
the Electronic Communications Privacy Act of 1986.
10
While critics of the
Patriot Act have rightly insisted that the government should have no more
surveillance power than it needs,they have failed to see that the Patriot Act
generally offers a balanced approach that in some ways protects civil liber-
ties more than the laws it replaced,The Patriot Act is hardly perfect,but it
is not the Big Brother law that many have portrayed it to be,
(“[T]his title and the amendments made by this title,,, shall cease to have effect on December 31,
2005.”),This so-called sunset provision does not apply to all of the Patriot Act’s amendments involving
electronic surveillance,it applies to about half of the provisions,See id,(explaining the sections to
which the sunset provision does not apply),
5
See Adam Clymer & Robin Toner,A Nation Challenged,The House,Vote Approves New Pow-
ers for Antiterror Investigators,N.Y,TIMES,Oct,18,2001,at B9,
6
See Editorial,Stampeded in the House,WASH,POST,Oct,16,2001,at A22 (noting that when the
House voted on House Bill 2975 on October 12,2001,“all manner of members of both parties com-
plained they had no idea what they were voting on,were fearful that aspects of the,,, bill went too
far—yet voted for it anyway”),
7
The Bush Administration introduced its proposed Anti-Terrorism Act on September 19,2001,just
eight days after the attacks,President Bush signed the Patriot Act on October 26,2001,See Martha
Mendoza,New Anti-Terror Law Brings Consternation; Security,Officials and Lawyers Try To Deci-
pher Complex Provisions,Federal Guidance Is in Short Supply,L.A,TIMES,Dec,16,2001,at A4,
8
The only existing Committee Report is the House Judiciary Committee’s Report on House Bill
2975,See H.R,REP,NO,107-236 (2001),available at ftp://ftp.loc.gov /pub/thomas/cp107/hr236p1.txt,
9
See infra notes 68–79,
10
Pub,L,No,99-508,§§ 101–11,100 Stat,1848,1848–59,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
609
This Article will explain how and why the conventional wisdom about
the Patriot Act misses the mark,It begins by explaining what Internet sur-
veillance is and how it works,which provides some guidance for under-
standing how Congress has decided to regulate it,It then applies this
framework to study three of the major criticisms of the Patriot Act,This
approach unfortunately sacrifices breadth for depth,but it allows us to see
how misconceptions about both the law and technology of the Internet has
led to significant misunderstandings about Internet surveillance law and the
effect of the USA Patriot Act,
The argument proceeds in four Parts,Part I explains the basic frame-
work of network surveillance law that governs any communications net-
work,It classifies the types of laws employed to govern the surveillance of
communications networks such as the postal system,the telephone,and the
Internet using a series of dichotomies,Once a framework has been devel-
oped,it is then possible to articulate an entire set of surveillance laws for
each network and make comparisons across different technologies,This
Part also explains how Internet surveillance includes both email and packet-
level surveillance,and how laws that govern Internet surveillance must
grapple with both levels of surveillance,
Part II considers the highly controversial pen register amendments to
the Patriot Act,These amendments apply a privacy law originally designed
for the telephone to the Internet,The amendments have been widely criti-
cized on the ground that they granted the government sweeping powers to
investigate crime involving the Internet,After explaining why Internet sur-
veillance is primarily governed by statutory law,rather than the constitu-
tional protections of the Fourth Amendment,Part II argues that the
criticisms of the pen register amendments are unfounded,The pen register
amendments merely reaffirmed preexisting practice,and if anything proba-
bly increased privacy protections afforded to Internet communications,
rather than decreased them,
Part III studies the Patriot Act’s impact on the FBI Internet surveillance
tool popularly known as,Carnivore.” The Patriot Act has received broad
criticism for expanding the use of Carnivore,which itself has been por-
trayed as a dangerous tool that enables the FBI to invade privacy online,
This Part argues that the public understanding of Carnivore has it largely
backwards,The analysis explains how surveillance tools such as Carnivore
work,and how Carnivore was itself designed to protect privacy and to en-
sure compliance with court orders,not invade privacy in an effort to cir-
cumvent judicial review,The Part explains that the Patriot Act did not
expand the use of Carnivore,but rather added new regulations on its use,
Part IV analyzes the new,computer trespasser” exception to the Wire-
tap Act,The trespasser exception has drawn criticism for weakening the
Wiretap Act’s privacy protections in cyberspace,The analysis explains
how the Wiretap Act applies to the Internet,and how the application of this
law designed for the telephone to the Internet creates the need for a tres-
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
610
passer exception,The Part also explains how the trespasser exception
probably expands Internet privacy protections,rather than reduces them,by
implicitly minimizing the scope of other exceptions to the Wiretap Act that
otherwise could have been read to eviscerate privacy protections online,
I,A GENERAL FRAMEWORK OF NETWORK SURVEILLANCE LAW
Communications networks are a defining feature of modern life.
11
Hundreds of millions of Americans use the postal system,the telephone
network,and the Internet to communicate with each other.
12
Although
these technologies differ from each other in important ways,they share a
common function,they are all global communications networks that allow
users to send,receive,and store information,
Unfortunately,communications networks also provide a stage for the
commission of criminal acts.
13
Networks can be used by criminals to con-
tact co-conspirators,deliver threats,further frauds,or engage in countless
other criminal activities.
14
When communications networks are used to fur-
ther crimes,the network itself becomes a crime scene.
15
Telephone records,
stored emails,and undelivered packages can contain important clues for law
enforcement,Much like a physical neighborhood,the networks themselves
become surveillance zones,complete with criminals seeking to evade detec-
tion and police trying to catch them,
The goal of this Part is to offer a taxonomy of network surveillance
law,A basic framework is necessary to understand the legal rules that ap-
ply to the surveillance of communications networks such as the Internet,the
postal network,or the telephone network,The framework allows us to ap-
preciate the relationship between the different types of surveillance that can
occur in a network,as well as to compare how the rules differ across differ-
11
See generally MANUEL CASTELLS,THE RISE OF THE NETWORK SOCIETY (2000); FRANCES
CAIRNCROSS,THE DEATH OF DISTANCE,HOW THE COMMUNICATIONS REVOLUTION WILL CHANGE
OUR LIVES (1997),
12
See CASTELLS,supra note 11,at 6–10,
13
See Michael Edmund O’Neill,Old Crimes in New Bottles,Sanctioning Cybercrime,9 GEO,
MASON L,REV,237,242–52 (2000) (reviewing different types of Internet crimes),For more specific
examples of how computer networks can be used to commit crimes,see Gretchen Morgenson,S.E.C,
Says Teenager Had After-School Hobby,Online Stock Fraud,N.Y,TIMES,Sept,21,2000,at A1 (using
computer networks to commit securities fraud); CYBERSTALKING,A NEW CHALLENGE FOR LAW
ENFORCEMENT AND INDUSTRY (1999) (use of computer networks to engage in stalking),available at
http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm (last modified Oct,18,1999); see also,
e.g.,United States v,Cohen,260 F.3d 68 (2d Cir,2001) (use of the Internet to gamble on sporting
events); PHILIP JENKINS,BEYOND TOLERANCE,CHILD PORNOGRAPHY ON THE INTERNET (2001) (use of
the Internet to collect child pornography),
14
See generally Scott Charney & Kent Alexander,Computer Crime,45 EMORY L.J,931 (1996),
15
See U.S,DEP’T OF JUSTICE,SEARCHING AND SEIZING COMPUTERS AND OBTAINING EVIDENCE IN
CRIMINAL INVESTIGATIONS,at vii (2001) [hereinafter CCIPS MANUAL] (“The dramatic increase in
computer-related crime requires prosecutors and law enforcement agents to understand how to obtain
electronic evidence stored in computers.”),available at www.cybercrime.gov/searchmanual.wpd,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
611
ent networks,As the framework illustrates,the basic contours of surveil-
lance law for any communications network involves only a small number of
questions,which correspond to the,what,”,who,”,when,” and,how” of
collecting evidence from the network,What kind of information exists in
the network? Who collects it,how,and under what circumstances?
By illustrating these principles in the context of three network tech-
nologies—the Internet,the telephone system,and the postal system—this
Part demonstrates that similar surveillance issues arise in each network in-
dependently of the technology involved,Different technologies may merit
different answers to these questions,of course,but the basic questions re-
main the same.
16
The analysis starts with the,what,” moves next to the
“who,” turns to the,when,” and then concludes with the,how.”
A,Envelope Information Versus Content Information (“What”)
The fundamental purpose of a communications network is to send and
receive communications,As a result,every communications network fea-
tures two types of information,the contents of communications,and the
addressing and routing information that the networks use to deliver the con-
tents of communications,The former is,content information,” and the lat-
ter is,envelope information.”
The essential distinction between content and envelope information
remains constant across different technologies,from postal mail to email,
With postal mail,the content information is the letter itself,stored safely in-
side its envelope,The envelope information is the information derived
from the outside of the envelope,including the mailing and return ad-
dresses,the stamp and postmark,and the size and weight of the envelope
when sealed.
17
Similar distinctions exist for telephone conversations,The content in-
formation for a telephone call is the actual conversation between partici-
pants that can be captured by an audio recording of the call.
18
The envelope
information includes the number the caller dials,the number from which
the caller dials,the time of the call,and its duration,This calling informa-
tion is not visible in the same way that the envelope of a letter is,but it
equates roughly with the information derived from the envelope of a letter,
In both cases,the envelope information contains to-and-from addressing,
data about the time the communication was sent,and information about the
16
See Joseph H,Sommer,Against Cyberlaw,15 BERKELEY TECH,L.J,1145,1147 (2000),
17
See 39 C.F.R,§ 233.3(c)(1) (2002) (articulating an administrative procedure for obtaining a,mail
cover,” which is defined as,the process by which a nonconsensual record is made of any data appearing
on the outside cover of any sealed or unsealed class of mail matter,or by which a record is made of the
contents of any unsealed class of mail matter as allowed by law”),
18
See 18 U.S.C.A,§ 2510(8) (West Supp,2002) (defining the,contents” of a,wire communica-
tion” as,any information concerning the substance,purport,or meaning of that communication”),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
612
communication’s size and length.
19
These principles translate to the Internet quite readily in the case of
email,The content information for an email is the message in the body of
the email itself,much like the phone conversation or the letter in the enve-
lope,The email also carries addressing information in a,mail header.”
Mail headers are digital postmarks that accompany every email and carry
information about the delivery of the mail.
20
Many email programs show
users only some of this information by default,but can be configured to re-
veal the full mail header.
21
A full mail header looks something like this,
FIGURE 1,FULL MAIL HEADER
Received,from SpoolDir by NLCMAIN (Mercury 1.48); 25 Oct 01 20:56:41
EST/EDT
Return-path,<eck@panix.com>
Received,from mail2.panix.com (166.84.0.213) by main.nlc.gwu.edu (Mer-
cury 1.48) with ESMTP;
25 Oct 01 20:56:40 EST/EDT
Received,from panix3.panix.com (panix3.panix.com [166.84.1.3])
by mail2.panix.com (Postfix) with ESMTP id 272278F14
for <okerr@main.nlc.gwu.edu>; Thu,25 Oct 2001 20:56:01 -0400 (EDT)
Received,(from eck@localhost)
by panix3.panix.com (8.11.3nb1/8.8.8/PanixN1.0) id f9Q0u1d15137
for okerr@main.nlc.gwu.edu; Thu,25 Oct 2001 20:56:01 -0400 (EDT)
From,<eck@panix.com>
Message-Id,<200110260056.f9Q0u1d15137@panix3.panix.com>
Subject,
To,okerr@main.nlc.gwu.edu (Kerr,Orin)
Date,Thu,25 Oct 2001 20:51:01 -0400 (EDT)
In-Reply-To,<20011026005212.5D2F1487A8@mail1.panix.com> from
“Kerr,Orin” at Oct 25,2001 08:47:28 PM
X-Mailer,ELM [version 2.5 PL6]
MIME-Version,1.0
Content-Type,text/plain; charset=us-ascii
Content-Transfer-Encoding,7bit
X-PMFLAGS,35127424 0 1 Y08B38.CNM
19
This information is generally known as,pen register” and,trap and trace” information,See infra
notes 99–104,
20
See ADAM GAFFIN,THE BIG DUMMY’S GUIDE TO THE INTERNET ch,6 (“Just as the postal service
puts its marks on every piece of mail it handles,so do Net postal systems,Only it’s called a ‘header’
instead of a postmark.”),at http://www.cs.indiana.edu/docproject/bdgtti/bdgtti_6.html (last visited Feb,
4,2003),
21
See id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
613
This gobbledygook is a mail header that was generated from an email sent to
my George Washington University email account on October 25,2001 from
the email address,eck@panix.com.” Each of the lines in the mail header has
specific meaning,and when read together,tells a story about the message,
how it was processed,and how and when the network directed it from its ori-
gin to its destination.
22
Notice that the mail header above does not contain a
subject line,although subject lines appear in the mail header,they are gener-
ally recognized as content.
23
Viewed as a whole,the email header (minus the
subject line) provides information about the email that is roughly analogous
to the routing information in other communication networks,
However,there is much more to Internet surveillance than email,In
fact,only a small fraction of the Internet’s traffic involves human-to-human
communications such as email messages,Most Internet communications are
communications between humans and computers,such as World-Wide-Web
pages in transit,commands sent to remote servers,and file transfers.
24
Many
others are computer-to-computer communications,such as network adminis-
trative traffic that keeps the Internet running smoothly.
25
These communica-
tions can provide evidence of crime in the same manner as email,For
example,the government may wish to monitor a computer hacker by watch-
ing and recording the commands he sends to the computers he has hacked,
These commands do not involve email,but instead consist of commands sent
directly to the victim computer.
26
A complete understanding of Internet sur-
veillance must go beyond email surveillance to encompass the surveillance of
human-to-computer and computer-to-computer communications,
To understand how the envelope-content distinction applies to human-
to-computer and computer-to-computer communications,it helps to under-
stand a few details about how the Internet works,The Internet is a,packet
switched” network,which means that every communication sent over the
Internet is broken down into individual packets.
27
These packets are the cy-
ber equivalent of letters between two computers,each containing about one
page of information and are sent across the Internet to their destination.
28
Computers communicate with each other by sending and receiving packets
of information across the Internet.
29
22
For example,the email was sent at 8:51 p.m,and was received at 8:56 p.m,For more on how to
read email headers,see,for example,Reading Email Headers,at http://www.stopspam.org/email/
headers/headers.html (last visited Feb,4,2003),
23
See CCIPS MANUAL,supra note 15,at 148,
24
See PRESTON GRALLA,HOW THE INTERNET WORKS (Greg Wiegand et al,eds.,1999),
25
See id,at 13,
26
See,e.g.,United States v,Seidlitz,589 F.2d 152,154–55 (4th Cir,1978) (explaining how a recording
device can be used to monitor commands entered by a computer hacker unauthorized to use a network),
27
See GRALLA,supra note 24,at 13,
28
See id,
29
See id,at 14–15 (explaining the packet-based nature of Internet communications),Consider web
surfing,When an Internet user types in a website address into a browser,the computer sends out pack-
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
614
Surveilling the Internet at the packet level provides a second way of
conducting Internet surveillance that can be considered distinct from email
surveillance,Like other forms of surveillance,packet surveillance divides
into envelope information and content information,When a computer
sends information across the Internet,it breaks the communication into
packets and creates a,packet header”
30
to direct the packet to its destina-
tion,The packet header contains addressing information,such as the to and
from Internet addresses of the two computers,often referred to as the Inter-
net Protocol addresses,or simply IP addresses,
31
as well as information
about what kind of packet it is (e.g.,part of a web page,part of a picture
file).
32
When the packet arrives at its destination,the receiving computer
discards the packet header and keeps the original message,At the packet
level,this message is the content information in the packet,generally re-
ferred to as the packet’s,payload.”
33
Some communications,such as web
pages in transit,typically are,packetized” only once,the host computer
creates the packets,and the destination computer discards the packet head-
ers and reassembles the original file when the packets arrive,Other com-
munications can be packetized several times over in the course of delivery,
For example,an email may be broken down into packets and reassembled
into the original email a few times on its trip from sender to receiver,
While I don’t wish to lose technophobic readers,it helps to understand
the basic relationship between email surveillance and packet surveillance,
Email surveillance is a subset of packet surveillance,in that while an email
travels across the Internet,both the envelope and content information of
emails travel across the Internet as payloads of individual packets,Obtaining
content information at the packet level for a packet that happens to carry an
email message may yield either envelope information for the email (the email
header),or content information (the email itself),or both (in the case of a
short email that can fit the entire header and message on one packet),Con-
sider a medium-length email that is divided into three packets,The first
ets to the remote computer that hosts the website,These packets contain requests for the remote com-
puter to send back the contents of the website,See id,at 140–45 (explaining how web pages work),
The remote computer then sends back several packets that together contain the contents of the web page,
and the user’s computer reassembles them and presents him with the web page requested,Although it
appears to the user as though he is,visiting” the website,the computers achieve this appearance through
a complex exchange of packets across the Internet,
30
See id,at 34–38,
31
See BRENDAN P,KEHOE,ZEN AND THE ART OF THE INTERNET 5 (4th ed,1996) (explaining IP ad-
dresses),IP addresses consist of a set of four numbers,each from 0 to 255,linked with a period,So,for
example,an IP address might be 123.9.232.87,See id,
32
See VINCENZO MEDILLO ET AL.,A GUIDE TO TCP/IP NETWORKING (1996) (“IP’s job is simply to
find a route for the datagram and get it to the other end,In order to allow routers or other intermediate
systems to forward the datagram,it adds its own header,The main things in this header are the source
and destination IP address,the protocol number,and another checksum.”),available at
http://www.ictp.trieste.it/~radionet/nuc1996/ref/tcpip/ (last visited Feb,4,2003),
33
See id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
615
packet will start with the packet header,which is needed to deliver the packet
to the recipient’s server,and then will contain a payload that consists of both
the mail header and then the beginning of the email’s contents,The second
packet then starts with its own packet header,followed by a payload that con-
sists of the next portion of the email’s contents,The third packet comes last,
and consists of a packet header and then the last portion of the email.
34
When
the email arrives at its destination,the server will shed the packet headers and
reassemble the email into the mail header and the contents of the email,
The following table summarizes the envelope and content information
for the four types of communications network surveillance,
TABLE 1,ENVELOPE AND CONTENT INFORMATION FOR POSTAL MAIL,
TELEPHONE CALLS,EMAILS,AND INTERNET PACKETS
34
Notably,each packet includes its own number,so that the different packets can arrive at different
times to their destination and the computer at the destination will be able to reassemble them into the
original communication,See GRALLA,supra note 24,at 13,
SURVEILLANCE
TYPE
ENVELOPE
INFORMATION
CONTENT
INFORMATION
Postal Mail
1) To,from mailing
address of a letter
2) Postmark,stamp
3) Color,size,weight
of package
The contents of the letter
Telephone 1) To,from telephone
numbers for a call
The contents of the
telephone
1) To,from email
address for an
2) Mail header info
(length of email,
digital postmarks)
minus the subject line
The contents of the
email,including the
subject line
Internet Packets 1) To,from IP
addresses
2) Remaining packet
header information
(length of packet,
type of traffic)
Payload of the packet
(the contents of any
communication between
two computers)
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
616
Notably,all four categories mirror the distinction between envelope and
content information,The envelope provides addressing information,and
the content provides the actual communication that the network will deliver
to its destination,
B,Prospective Versus Retrospective Surveillance
The next distinction considers the timing of the surveillance,Is the
surveillance designed to capture future communications that have not yet
been sent over the network (“prospective” surveillance),or is it designed to
look for stored records and past communications that may be retained in the
network (“retrospective” surveillance)? Wiretapping a telephone provides
the classic example of prospective surveillance,When the FBI wiretaps a
telephone line,it seeks to listen to the contents of future conversations,In
the case of retrospective surveillance,in contrast,the government seeks to
access stored records of past communications,The use of O.J,Simpson’s
telephone records in his murder trial furnishes a well-known example.
35
The Los Angeles Police Department obtained Simpson’s phone records to
show that Simpson had made several suspicious calls the night of his wife’s
murder.
36
This example illustrates retrospective surveillance of envelope
information; the police used the phone company’s stored business records
relating to past communications to try to prove Simpson’s guilt.
37
The law often distinguishes between prospective and retrospective sur-
veillance because they raise somewhat different privacy concerns,As Jus-
tice Douglas noted in his concurrence in Berger v,New York,
38
prospective
surveillance can at worst constitute,a dragnet,sweeping in all conversation
within its scope.”
39
The surveilling party taps into the network at a given
location and picks up traffic passing through,but cannot know in advance
exactly what the traffic will be,Some of the traffic may prove relevant,but
usually much of the traffic will not be.
40
Further,it can be technically diffi-
cult (if not impossible) to filter the communications down to the relevant
evidence before the government observes it,Accordingly,prospective sur-
veillance tends to raise difficult questions of how the communications
should be filtered down to the evidence the government seeks.
41
In con-
trast,the scope of retrospective surveillance is generally more limited,The
35
See Michael Miller,Time of Phone Call a Key to O.J,Case,S.F,EXAMINER,Aug,13,1994,at
A1,
36
See id,
37
See id,
38
388 U.S,41,64–68 (1967) (Douglas,J.,concurring),
39
Id,at 65,
40
See Scott v,United States,436 U.S,128,145 (1978) (Brennan,J.,dissenting) (“Because it is dif-
ficult to know with any degree of certainty whether a given communication is subject to interception
prior to its interception,there necessarily must be a margin of error permitted.”),
41
See id,at 140–43 (discussing difficulties of filtering the fruits of a wiretap),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
617
primary difference is that in most cases a substantial portion of the evidence
will no longer exist.
42
Because retrospective surveillance involves access-
ing records that have been retained in a network,the scope of surveillance
ordinarily will be limited to whatever information or records may have been
retained in the ordinary course of business.
43
Some records may be kept,
but others may not,
Retrospective surveillance also presents less formidable filtering chal-
lenges than prospective surveillance because the process of storing records
may itself help filter them,For example,retrospective surveillance of a
computer network generally means accessing stored files; an individual will
log on to a computer and look through logs and files that the system may
have retained in a particular folder or storage location,In the case of
emails,emails arriving at an Internet service provider will ordinarily be
screened and deposited by the ISP’s computer into individual accounts.
44
If
law enforcement obtains an order compelling the ISP to divulge all stored
emails in a particular email account,the ISP will be able to locate emails in
the account without screening through other emails.
45
In contrast,prospec-
tive surveillance means intercepting Internet packets as they cross the Inter-
net,or installing a monitoring device that collects the information
immediately before it is packetized and sent across the Internet or immedi-
ately after it arrives at its destination and is depacketized,The latter will
tend to pick up more information than the former.
46
The difference is merely one of degree,however,Filtering out unre-
lated files for materials targeted by a court order presents a constant chal-
lenge.
47
For example,in the case of retrospective surveillance of an email
account,the government can obtain a search warrant to obtain evidence of
crime in the form of stored emails,Someone must go through the stored
emails in the account and separate the pertinent from the non-pertinent
42
See CCIPS MANUAL,supra note 15,at 137 (“In general,no law regulates how long network ser-
vice providers must retain account records in the United States,Some providers retain records for
months others for hours,others not at all.”),
43
See id,
44
See id,at 82,
45
See,e.g.,United States v,Lamb,945 F,Supp,441,458–59 (N.D.N.Y,1996) (search warrant or-
dering AOL to divulge,all stored files” in specific Internet accounts),
46
See GRALLA,supra note 24,at 15,This may depend on the particular circumstances,however,
For example,a network may or may not have a,firewall” in place that records packet header informa-
tion entering or exiting the network protected by the firewall,Absent a firewall,no record of these
packets would ordinarily be kept,
47
See Andresen v,Maryland,427 U.S,463,482 n.11 (1976),The court noted,
In searches for papers,it is certain that some innocuous documents will be examined,at least cur-
sorily,in order to determine whether they are,in fact,among those papers authorized to be seized,
Similar dangers,of course,are present in executing a warrant for the,seizure” of telephone con-
versations,In both kinds of searches,responsible officials,including judicial officials,must take
care to assure that they are conducted in a manner that minimizes unwarranted intrusions upon
privacy,
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
618
files.
48
Nonetheless,retrospective surveillance usually presents a less se-
vere filtering challenge than prospective surveillance.
49
C,Powers of the Government Versus Powers of the Provider (“Who”)
Having explored the types of information that the government may wish
to monitor on a communications network,we can now look to the different
types of legal rules that may regulate the surveillance,Legal rules governing
surveillance of communications networks generally divide into two types,
rules concerning government surveillance of the network for law enforcement
purposes,and rules governing network providers who may conduct surveil-
lance of their own and wish to disclose the information to the government.
50
Of these two types of rules,the latter is less understood,but no less impor-
tant,In any communications network,a service provider will administer each
48
See,e.g.,Lamb,945 F,Supp,at 458–59 (rejecting a Fourth Amendment challenge to a search
warrant for stored email in which the warrant required AOL to divulge,all stored files” in specific
Internet accounts to the government,rather than only the evidence of crime),Justice White stated this
point quite aptly in his Berger dissent,
Petitioner suggests that the search is inherently overbroad because the eavesdropper [conducting
prospective surveillance] will overhear conversations which do not relate to criminal activ-
ity.,,, [However,] the same is true of almost all searches of private property which the Fourth
Amendment permits,In searching for seizable matters,the police must necessarily see or hear,
and comprehend,items which do not relate to the purpose of the search,That this occurs,how-
ever,does not render the search invalid,so long as it is authorized by a suitable search warrant and
so long as the police,in executing that warrant,limit themselves to searching for items which may
constitutionally be seized,
Berger,388 U.S,at 108 (White,J.,dissenting),
49
Notably,the technology of the Internet can blur the line between prospective and retrospective
surveillance because communications in transit from their origin to their destination can be temporarily
stored at intermediary points,either for a few milliseconds,or for a longer period,Because the law
draws a distinction between prospective Internet surveillance (governed by the Wiretap Act and the Pen
Register Statute,18 U.S.C.A,§§ 2510–2522,3121–3127 (West Supp,2002)) and retrospective surveil-
lance (governed by the Electronic Communications Privacy Act (ECPA),id,§§ 2701–2711),this creates
a series of questions as to where to draw the line between these two legal regimes,Compare Steve Jack-
son Games,Inc,v,United States Secret Serv.,36 F.3d 457,460–63 (5th Cir,1994) (holding that a tem-
porarily stored email file is governed by ECPA,not the Wiretap Act),with Konop v,Hawaiian Airlines,
236 F.3d 1035,1048 (9th Cir.) (holding that a temporarily stored email file is governed by the Wiretap
Act in addition to ECPA),withdrawn,262 F.3d 972 (9th Cir,2001),rev’d,302 F.3d 868 (9th Cir,2002),
The Patriot Act helped clarify this line by removing the statutory language that past courts had used to
find that the prospective Wiretap Act governed temporarily stored contents,See 18 U.S.C.A,§ 2510(1)
(defining,wire communication”); United States v,Smith,155 F.3d 1051,1058–59 (9th Cir,1998) (rely-
ing on the pre-Patriot Act definition of,wire communication” to hold that the Wiretap Act applies to
stored voicemail),The courts have not yet had the opportunity to draw the line post-Patriot Act,How-
ever,presumably the courts will draw some kind of functional equivalence test,in which the functional
equivalent of prospective surveillance is government by the Wiretap Act and Pen Register Statute,while
access to a stored file in a way that is not the functional equivalent of prospective surveillance is gov-
erned by ECPA,
50
Another possible category exists,rules concerning provider surveillance of the network at the re-
quest of (or pursuant to a court order obtained by) law enforcement,However,I will consider these
rules as a subset of the rules concerning government surveillance of the network,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
619
segment of the network with responsibility for that portion of the network.
51
A
network can have a single provider like the United States Postal Service,The
Postal Service enjoys a statutory monopoly over the United States postal mail
system.
52
Most networks are decentralized,however,The Internet provides a
clear example of a highly decentralized network,No one owns the Internet as a
whole,Instead,thousands of independent Internet service providers (ISPs)
each administer small corners of the network.
53
Rules governing provider surveillance are quite important because provid-
ers often need to surveil their corner of the network for a variety of business-
related reasons,For example,the phone company may need to keep records of
calls for long-distance billing (envelope surveillance)
54
or may need to listen to
calls on occasion to combat telephone fraud or assess the quality of the line
(content surveillance).
55
Similarly,ISPs may need to maintain email logs,or
intercept communications in transit to determine the source of a network prob-
lem or ferret out an unauthorized intruder.
56
Providers may discover evidence
of a crime on their own and wish to report it to law enforcement,
1,Government Powers.—In categorizing the rules,two features stand
out as the most important,The first considers the legal threshold that the gov-
ernment must satisfy before it can collect a particular type of information,The
second considers the different rules that may apply depending on whether the
government conducts the surveillance of the network itself,or the government
obtains an order requiring the provider to monitor on the government’s behalf.
57
a,Thresholds (“When”).—The first question asks,What type
of threshold showing must the government make before it can acquire a cer-
tain type of information? For example,should the FBI be allowed to open
postal mail without a court order,or must the FBI first obtain a search war-
rant? Can the local police require the phone company to provide a cus-
tomer’s long-distance records without a court order,or is some court order
required,and if so,what kind of order?
51
See CASTELLS,supra note 11,
52
See Air Courier Conference of Am,v,Am,Postal Workers Union,498 U.S,517,519 (1991)
(“Since its establishment,the United States Postal Service has exercised a monopoly over the carriage of
letters in and from the United States.”).,The postal monopoly is codified,,, [at] 18 U.S.C,§§ 1693–
1699 and 39 U.S.C,§§ 601–606.” Id,
53
See GRALLA,supra note 24,at 5,
54
See,e.g.,Smith v,Maryland,442 U.S,735,742 (1979) (“In fact,pen registers and similar devices
are routinely used by telephone companies for the purposes of checking billing operations,detecting
fraud and preventing violations of law.” (internal quotations omitted)),
55
See,e.g.,Bubis v,United States,384 F.2d 643 (9th Cir,1967),
56
See,e.g.,CLIFF STOLL,THE CUCKOO’S EGG (1989) (recounting how a system administrator con-
ducted electronic surveillance of his network to trace a computer hacker),
57
Other questions include the role of judicial review in obtaining the order and later challenging it,
as well as the remedy when the law has been violated,From a practical standpoint,these factors can be
important determinants of how closely and consistently the laws are followed,For the sake of simplic-
ity,however,I will skip these questions in the course of the analysis,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
620
The different thresholds can be placed along a continuum,ranging
from the lowest threshold to the highest,A continuum based on thresholds
commonly found in current surveillance law might look something like this,
TABLE 2,LEGAL THRESHOLDS FOR GOVERNMENT SURVEILLANCE
NO LEGAL PROCESS
The government can acquire the informa-
tion without process or order,
SUBPOENA
The government must obtain a subpoena,
such as a grand jury subpoena duces
tecum
58
or an administrative subpoena,be-
fore acquiring the information.
59
The sub-
poena compels the provider to disclose the
information to the government,
RELEVANCE COURT ORDER
The government must obtain a court order
before acquiring the information but can
obtain the order merely by certifying to the
court that the information likely to be ob-
tained is relevant to a law enforcement in-
vestigation.
60
ARTICULABLE FACTS
COURT ORDER
The government must obtain a court order
before acquiring the information,and to ob-
tain the order must offer specific and ar-
ticulable facts establishing reasonable
grounds to believe the information to be
obtained is both relevant and material to an
ongoing criminal investigation.
61
58
See,e.g.,FED,R,CRIM,P,6 (granting subpoena power to federal grand jury),
59
See,e.g.,5 U.S.C,app,(2000) (authorizing administrative subpoenas pursuant to § 6(a)(4) of the
Inspector General Act),
60
See,e.g.,18 U.S.C.A,§ 3123 (West Supp,2002) (describing process for obtaining a pen register
or trap and trace order),
61
See,e.g.,id,§ 2703(d) (requiring government to obtain a court order before ordering an Internet service
provider to divulge records,and stating that the order must state,specific and articulable facts showing that
there are reasonable grounds to believe that the contents of a wire or electronic communication,or the records
or other information sought,are relevant and material to an ongoing criminal investigation”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
621
PROBABLE CAUSE
SEARCH WARRANT
The government must obtain a search war-
rant before acquiring the information,The
search warrant requires,probable cause,”
which in the criminal context means that
the government must offer facts establish-
ing a likelihood that a crime has occurred
and that evidence of the crime exists in the
location to be searched.
62
“SUPER” SEARCH WARRANT
The government must obtain a special
search warrant before acquiring the infor-
mation that adds threshold requirements
beyond those of ordinary search warrants
(e.g.,requiring the government to exhaust
all other means of obtaining the informa-
tion,requiring special authorization).
63
THE GOVERNMENT MAY NOT
ACQUIRE THE INFORMATION BY
ANY LEGAL PROCESS
The law may forbid the government from
acquiring the information regardless of the
legal process,
This list is illustrative rather than exhaustive,It reflects the continuum
of court orders and legal processes that Congress currently uses to govern
law enforcement surveillance of communications networks,For the most
part,the greater the privacy interest at stake,the higher the threshold Con-
gress uses,Exactly what thresholds apply is up to Congress when it enacts
statutory privacy laws and the courts when they interpret the Fourth
Amendment,
b,Direct Versus Indirect Surveillance (“How”).—The second
issue raised by government surveillance is the difference between what I
will call,direct” and,indirect” government surveillance,Direct govern-
ment surveillance rules authorize the government to conduct surveillance of
the network on its own,In contrast,indirect government surveillance rules
authorize the government to compel providers to conduct surveillance on
the government’s behalf,The difference between direct and indirect sur-
62
See FED,R,CRIM,P,41 (authorizing the issuance of search warrants based on probable cause);
18 U.S.C.A,§ 2703(a) (requiring a search warrant to compel an ISP to disclose the contents of certain
types of stored communications held by the ISP),
63
See 18 U.S.C.A,§ 2516 (describing procedure for obtaining a Wiretap order),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
622
veillance lies in the implementation of court orders,does the government
install its own monitoring device and tap into the network directly,or does
it serve the order on the provider and require the provider to conduct the
monitoring and provide the results to law enforcement? The former is di-
rect surveillance,the latter indirect surveillance,
The law may distinguish between direct and indirect surveillance be-
cause the two can raise somewhat different privacy concerns,Indirect sur-
veillance imposes a third-party screen between the network and the
government,and the government sees only what the provider shows them,
If the prospect of government overreaching concerns us more than that of
provider overreaching,a law that imposes more serious legal constraints on
direct surveillance would be a more favorable option,At the same time,if
there is reason to believe that a provider will be unwilling or unable to
comply fully with a surveillance order,it may be preferable to allow the
government to engage in direct surveillance,Each type of surveillance re-
quires trust in someone; the difference comes in who receives the grant of
trust,Direct surveillance asks us to trust the government,and indirect sur-
veillance asks us to trust the provider,
These competing concerns occupied center stage in the recent debate
over Carnivore,the FBI’s tool for conducting direct surveillance of the
Internet.
64
Carnivore (later incarnations of which have been known as
DCS-1000) is a,packet sniffer,” an Internet wiretap that reads traffic while
it is in transit in packet form.
65
Carnivore is discussed in depth in Section
III,but for now it is important to note that the Carnivore debate revolves in
part around the issue of whether Internet surveillance should proceed by
way of direct surveillance or indirect surveillance,Should providers be
trusted to use their own surveillance devices to implement surveillance or-
ders,or can the FBI be trusted to conduct the surveillance with Carnivore?
Either way,an accountable party must conduct the surveillance pursuant to
a court order and turn over the results to law enforcement,
2,Provider Powers.—Providers themselves often conduct surveil-
lance of their network,As a result,surveillance rules must also consider
when and how providers can collect information about the communications
within their network,and also when they can disclose that information to
law enforcement,The rules regulating provider surveillance focus gener-
ally not on legal process,but rather on the factual circumstances in which
64
See,e.g.,Thomas R,McCarthy,Don’t Fear Carnivore,It Won’t Devour Individual Privacy,66
MO,L,REV,827 (2001); Christian David Hammel Schultz,Note,Unrestricted Federal Agent:,Carni-
vore” and the Need To Revise the Pen Register Statute,76 NOTRE DAME L,REV,1215 (2001); Manton
M,Grier,Jr.,Comment,The Software Formerly Known as,Carnivore”,When Does Email Surveil-
lance Encroach Upon a Reasonable Expectation of Privacy?,52 S.C,L,REV,875 (2001); Aaron Ken-
dal,Comment,Carnivore,Does the Sweeping Sniff Violate the Fourth Amendment?,18 T.M,COOLEY
L,REV,183 (2001),
65
See infra Part III,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
623
the law prohibits provider surveillance and disclosure,Consider the follow-
ing example,Imagine that a band of computer hackers breaks into a pro-
vider’s computer network,and that the hackers set up illegal servers from
within the network to distribute counterfeit software to other hackers,The
provider would likely notice the illegal entry when the unauthorized traffic
slowed down the rest of the network,To locate the problem and block the
unauthorized traffic,a network administrator would likely conduct various
forms of surveillance,He might look through the network for the illegal
server (conducting retrospective surveillance),set up a sniffer to watch the
unauthorized traffic in an effort to trace it (prospective surveillance),and,if
that is successful,may wish to disclose the records to the police to help
them crack the case (disclosure),The rules governing the providers regu-
late when the provider can conduct specific types of surveillance and when
the provider can disclose that information to law enforcement.
66
II,THE PATRIOT ACT AND APPLYING THE PEN REGISTER
STATUTE TO THE INTERNET
The passage of the USA Patriot Act on October 26,2001 has been
widely portrayed as a dark moment for the civil liberties of Internet users,
The ACLU declared that the Act gave law enforcement,extraordinary new
66
The different categories can be summarized using a fairly simple matrix,A blank matrix might
look like this,
TABLE 3
TYPE OF INFORMATION
CONDITIONS WHEN
GOVERNMENT
SURVEILLANCE
ALLOWED
CONDITIONS WHEN
PROVIDER SURVEILLANCE
AND DISCLOSURE TO
GOVERNMENT ALLOWED
Envelope Information,
Prospective
Direct,
Indirect,
Envelope Information,
Retrospective
Direct,
Indirect,
Content Information,
Prospective
Direct,
Indirect,
Content Information,
Retrospective
Direct,
Indirect,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
624
powers.”
67
Another civil liberties group,the Electronic Frontier Founda-
tion,announced that,the civil liberties of ordinary Americans have taken a
tremendous blow with this law.”
68
The website of the Electronic Privacy
Information Center featured a drawing of a tombstone that stated,The
Fourth Amendment,1789–2001.”
69
Major media outlets agreed,The New
York Times viewed the Act as an overreaction to September 11th,and con-
cluded that the law gave the government unjustified,broad new powers.”
70
The Washington Post also opposed the Act,its editorial board described
the Patriot Act as,panicky legislation” that,reduce[d] the healthy oversight
of the courts.”
71
The unanimous verdict was that the Patriot Act created a
sweeping and probably unjustifiable expansion of law enforcement author-
ity in cyberspace.
72
Is this verdict justified? To answer this,it is crucial to recognize that
the Patriot Act is not a single coherent law,The Act collected hundreds of
minor amendments to federal law,grouped into ten subparts or,Titles,” on
topics ranging from immigration to money laundering.
73
With many of
these amendments,the devil is in the details,especially in the electronic
surveillance context,the complex relationship among sections of statutory
text means that the changes often defy easy soundbites,Further,the lan-
guage that passed on October 26th differed in significant ways from the
language the Justice Department first proposed just a few days after Sep-
tember 11th,The congressional negotiations that ensured the quick passage
of the Patriot Act led to many compromises,and even considerable victo-
ries for the Act’s opponents,Altogether,these features make broad charac-
terizations of the Patriot Act difficult to maintain,
When we focus on the Internet surveillance provisions that passed into
law,however,it becomes clear that the popular understanding of the Patriot
Act is substantially wrong,The Patriot Act did not tilt the balance between
67
ACLU Legislative Analysis,USA Patriot Act Boosts Government Powers While Cutting Back on
Traditional Checks and Balances,at www.aclu.org/congress/110101a.html (last visited Feb,4,2003),
68
Elec,Frontier Found.,EFF Analysis of the Provisions of the USA Patriot Act That Relate to
Online Activities (Oct,31,2001),at www.eff.org/Privacy/Surveillance/Terrorism_militias/2001
1031_eff_usa_patriot_analysis.html,
69
See Patricia Cohen,9/11 Law Means More Snooping? Or Maybe Less?,N.Y,TIMES,Sept,7,
2002,at B9,
70
Robin Toner & Neil A,Lewis,House Passes Terrorism Bill Much Like Senate’s,But with 5-Year
Limit,N.Y,TIMES,Oct,13,2001,at B6,
71
See Editorial,A Panicky Bill,WASH,POST,Oct,26,2001,at A34,
72
As a student author recently concluded:,Although it is unlikely that the USA PATRIOT Act’s
far-reaching extensions of surveillance law would have enabled the government to prevent the tragedy
we witnessed on September 11th,2001,it is patently apparent how we will all pay the price of a false
sense of security at the cost of cherished freedoms.” Sharon H,Rackow,Comment,How the USA
PATRIOT Act Will Permit Governmental Infringement upon the Privacy of Americans in the Name of
“Intelligence” Investigations,150 U,PA,L,REV,1651,1696 (2002),
73
See Pub,L,No,107-56,115 Stat,272,The Act consists of ten subparts,Title I through Title X,
Only one of these subparts,Title II,directly relates to Internet surveillance laws,See id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
625
Internet privacy and security strongly in favor of security,Most of the Pa-
triot Act’s key changes reflected reasonable compromises that updated anti-
quated laws,Some of these changes advance law enforcement interests,but
others advance privacy interests,and several do both at the same time,
None challenged the basic legal framework that Congress created in 1986 to
protect Internet privacy,Studying the Internet surveillance provisions of
the Act suggests that the media portrayal of the Patriot Act as,extraordi-
nary” and,panicky legislation” has little in common with the law Congress
actually enacted,
The remainder of this Article explores how the common understanding
of the Patriot Act misses the mark by focusing on three particularly contro-
versial aspects of the Patriot Act,Admittedly,this approach sacrifices
breadth for depth,as it ignores dozens of Patriot Act amendments that
equally deserve careful study.
74
However,the approach also lets us exam-
ine a few specific controversies with care and to use them as examples that
generally apply to the Patriot Act as a whole.
75
In particular,this Part of the Article will explore one of the most contro-
versial provisions of the Patriot Act,the amendments making the pen regis
74
For example,the Patriot Act made many minor changes to the rules governing retrospective sur-
veillance,which affected the privacy protections governing both voicemails and Internet records,These
changes appear in the newly revamped 18 U.S.C.A,§ 2703,However,the three examples I study in this
Article all involve prospective surveillance,The limited scope of my approach also means that I focus
on fairly specific changes to the surveillance laws,while ignoring others that may be related,For exam-
ple,the pen register amendments clarified that the laws applied to the Internet (which I discuss in this
Part) and also allowed the government to obtain nationwide orders (which I do not discuss),
75
Of course,some provisions of the Patriot Act may prove to have serious negative consequences
for privacy and civil liberties,The Patriot Act’s amendments relating to the Foreign Intelligence Sur-
veillance Act,50 U.S.C.A,§§ 1801–1811 (West Supp,2002),are particularly notable in this regard,as
is the broader restructuring of the relationship between law enforcement and the intelligence community
in surveillance investigations,
At the same time,several provisions in the Patriot Act other than the ones I discuss in this Article
were controversial in large part because they were misrepresented in the press,The attention paid to
“roving wiretaps” provides a good example,Congress first enacted a law allowing the government to
obtain roving wiretaps in criminal cases in 1986,and the debate over their use goes back to that period,
See,e.g.,Clifford S,Fishman,Interception of Communications in Exigent Circumstances,The Fourth
Amendment,Federal Legislation,and the United States Department of Justice,22 GA,L,REV,1 (1987),
These laws were challenged and upheld by the courts,See,e.g.,United States v,Petti,973 F.2d 1441,
1443 (9th Cir,1992) (Browning,J.),Section 206 of the Patriot Act expanded this authority to FISA
cases,so that it could be used in terrorism investigations,in addition to criminal investigations,The
press and commentators sometimes ignored this preexisting authority,however,and instead discussed
the Patriot Act as if it were the first law to introduce roving wiretaps,See,e.g.,Editorial,Constitutional
Concerns,DAILY OKLAHOMAN,Sept,29,2001,at 6A; Erwin Chemerinsky,Giving Up Our Rights for
Little Gain,L.A,TIMES,Sept,27,2001,at B17,As a result,to a large extent the public debate over the
roving wiretap provisions of the Patriot Act concerned whether the events of September 11th justified a
law that Congress had already enacted fifteen years earlier,Of course,the fact that Congress enacted a
law in 1986 does not in itself justify its existence today,but it does seem relevant to whether the
amendment broke new ground,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
626
ter law applicable to the Internet.
76
The pen register law has governed pro-
spective envelope surveillance of the telephone since Congress enacted it in
1986,
77
and the Patriot Act makes clear that this law also applies to the Inter-
net,The press uniformly presented this change as a significant expansion of
law enforcement authority.
78
The Washington Post stated that this change
“makes it easier for the government to engage in wiretapping by,in effect,low-
ering the standard of judicial review.”
79
The New York Times described this
change as a grant of,broad authority to inspect logs of Internet use and the ad-
dress fields of email messages.”
80
Both the political left and the political right
agreed that this was a significant and potentially dangerous change,On the left,
the New Republic thundered that this change gave the government,essentially
unlimited authority to install recording devices”
81
to monitor the Internet,On
the right,a group of lawyers affiliated with the Federalist Society approved of
the Patriot Act as a whole,but singled out the pen register amendments as the
only troubling change to the electronic surveillance laws.
82
This Part will explain why these criticisms of the Patriot Act are un-
founded,The pen register amendments to the Patriot Act do not signal an
unwarranted expansion of law enforcement authority,To the contrary,the
changes reaffirm existing law that aligns Internet surveillance law with postal
and telephone surveillance,More importantly,to the extent that the amend-
ments actually changed the law at all,on the whole they probably added to
the privacy of Internet communications,rather than subtracted from it,Ironi-
cally,the pen register amendments that have been portrayed as unwarranted
expansions of law enforcement authority are neither unwarranted,nor even
expansions of authority,This does not mean that Congress could not increase
the privacy protections of the pen register law in the future; it could,and I
think it probably should,However,it turns out that the Patriot Act is not the
source of the problem,but rather the first step toward a better solution,
To understand how the common wisdom has misjudged the Patriot
Act’s pen register amendments,it is necessary to step back and understand
why statutory protections matter in this area,as well as how the law treats
76
The pen register law is codified at 18 U.S.C,§§ 3121–3127,
77
The pen registers laws were passed as part of the Electronic Communications Privacy Act of
1986,Pub,L,No,99-508,100 Stat,1848,
78
See,e.g.,Declan McCullagh,USA Act Stampedes Through,WIRED NEWS,Oct,25,2001 (“The
U.S,Senate is set to end a month-long debate over balancing freedom and security on Thursday by
granting police more surveillance power and sharply curtailing Americans’ privacy.”),available at
www.wired.com/news/conflict/0,2100,47858,00.html (last visited Feb,4,2003),
79
See Editorial,supra note 6,
80
Lisa Guernsey,Living Under An Electronic Eye,N.Y,TIMES,Sept,27,2001,at G1,
81
Jeffrey Rosen,Tapped Out,NEW REPUBLIC,Oct,15,2001,at 12,
82
See TOM GEDE ET AL.,FEDERALIST SOCIETY FOR LAW AND PUBLIC POLICY STUDIES,WHITE
PAPER ON ANTI-TERRORISM LEGISLATION,SURVEILLANCE & WIRETAP LAWS,DEVELOPING
NECESSARY AND CONSTITUTIONAL TOOLS FOR LAW ENFORCEMENT 21–22 (calling the pen register
amendments,the single most difficult issues presented by the new law”),at http://www.fed-soc.org/
Publications/Terrorism/Anti-TerrorismLegislation.pdf (last visited Feb,4,2003),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
627
the prospective surveillance of envelope information in other contexts,such
as the postal network and the telephone,This facilitates a comparison be-
tween the law applied to Internet envelope surveillance before the Patriot
Act and the law after the Patriot Act,
A,Internet Privacy Is Statutory Privacy
Most discussions of the rules that govern government surveillance fo-
cus on the Fourth Amendment and the,reasonable expectation of pri-
vacy”
83
test,In the case of Internet privacy law,however,the real action
tends to be in the legislature,not the courts,The explanation for this lies in
the narrow way that the courts have interpreted the reasonable expectation
of privacy test in communications networks,While many questions remain,
the existing cases appear to have left Congress with relative liberty to create
the set of rules it thinks best,To a surprising extent,Internet privacy is
statutory privacy,Under current law,Congress creates the primary rules
that regulate law enforcement surveillance of the Internet,rather than the
courts.
84
The cases most responsible for the fairly narrow Fourth Amend-
ment protections in communications networks hold that an individual has
no reasonable expectation of privacy in information revealed to third par-
ties.
85
I will call this mechanism the disclosure principle,information dis-
closed to a third party does not receive Fourth Amendment protection,If I
tell you a secret,the government cannot violate my reasonable expectation
of privacy by persuading you to disclose my secret to the police.
86
While
such an expectation of privacy might seem reasonable in a practical sense—
a reasonable person might expect you not to disclose the secret—the courts
have concluded that it is not,reasonable” in a constitutional sense.
87
83
Katz v,United States,389 U.S,347,361 (1967) (Harlan,J.,concurring),
84
Of course,this statement is based on current law,The courts may start finding constitutional pro-
tections in Internet communications that may be difficult to see based on existing precedents,Cf,Kyllo
v,United States,533 U.S,27,34 (2001) (suggesting that as technology advances,the courts should in-
terpret the Fourth Amendment to,assure preservation of that degree of privacy against government that
existed when the Fourth Amendment was adopted”),
85
The cases include Smith v,Maryland,442 U.S,740,743–44 (1979),United States v,Miller,425
U.S,435,443 (1976),Couch v,United States,409 U.S,322,335 (1973),and Hoffa v,United States,385
U.S,293,302 (1966),
86
See Hoffa,385 U.S,at 302–03 (holding that Jimmy Hoffa’s Fourth Amendment rights were not
violated when his friend to whom he disclosed secrets became a government informant),
87
As the Supreme Court stated in Miller,
[T]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party
and conveyed by him to Government authorities,even if the information is revealed on the as-
sumption that it will be used only for a limited purpose and the confidence placed in the third
party will not be betrayed,
425 U.S,at 443 (citations omitted and emphasis added),See generally Orin S,Kerr,The Fourth
Amendment in Cyberspace,Can Encryption Create a,Reasonable Expectation of Privacy?”,33
CONN,L,REV,503,507–12 (2001) (explaining how the Supreme Court’s,reasonable expectation of
privacy” diverges from the expectation of privacy of a reasonable person),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
628
The disclosure principle carries tremendous significance when consid-
ering how the Fourth Amendment applies to communications networks,
Communications networks require partial (and sometimes total) disclosure
to the network provider to send communications,Envelope information
provides a clear example,Envelope information is simply the,to” and
“from” information offered to the network provider to help the provider de-
liver the contents,For example,the postal service must read the,to” ad-
dress on a letter to deliver it properly,Similarly,a caller necessarily
discloses the phone number he is dialing to the phone company when he
communicates it to the phone company so the company can complete the
call,
Under the disclosure principle,the courts have unanimously rejected
claims of Fourth Amendment protection in envelope information,In the
case of postal mail,the courts have held that postal customers have no rea-
sonable expectation of privacy in the outside of their envelopes and pack-
ages because they must be viewed by Postal Service employees in the
course of delivery.
88
As a result,the government can examine the outside
of an envelope and copy the envelope information without a court order or a
search warrant.
89
The Supreme Court applied the same rationale to the tele-
phone network in Smith v,Maryland,
90
concluding that dialing a telephone
number to connect a call eliminates Fourth Amendment protection in the
numbers dialed because it discloses the numbers dialed to the telephone
company.
91
The courts have more recently applied the same rationale to the
Internet,holding that an Internet user cannot enjoy a reasonable expectation
of privacy in non-content information sent to an ISP because the user has
disclosed the information to the ISP.
92
The disclosure principle also has important implications for Fourth
Amendment protections in the case of content information,Here,we have
to be quite careful,the courts have struggled to apply the Fourth Amend-
ment to contents sent over communications networks,The law is quite
murky and may change,In general,however,the courts have held that a
user has a reasonable expectation of privacy in content information that is
sealed away from the network provider,but does not retain such protection
in information disclosed or openly visible to the provider,In the postal
88
See United States v,Huie,593 F.2d 14,15 (5th Cir,1979) (“There is no reasonable expectation of
privacy in information placed on the exterior of mailed items and open to view and specifically intended
to be viewed by others.”),
89
See United States v,Hinton,222 F.3d 664,675 (9th Cir,2000) (citing United States v,Van
Leeuwen,397 U.S,249,250–52 (1970)),
90
442 U.S,at 745–46,
91
See id,at 743–44,
92
See Guest v,Leis,255 F.3d 325,335–36 (6th Cir,2001) (finding no expectation of privacy in
non-content information disclosed to ISP); United States v,Hambrick,55 F,Supp,2d 504,508–09
(W.D,Va,1999),aff’d,225 F.2d 656 (4th Cir,Aug,3,2000); United States v,Kennedy,81 F,Supp,2d
1103,1110 (D,Kan,2000),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
629
context,for example,a person normally enjoys Fourth Amendment protec-
tion in the contents of their sealed letters,
93
but not in their unsealed post-
cards or opened packages.
94
In the context of the telephone network,a
caller normally enjoys Fourth Amendment protection in the contents of
their calls,
95
but not when they use cordless phones that operate via radio
waves disclosed to the public.
96
The courts have not yet determined how
this rationale applies to Internet communications.
97
However,because the
contents of Internet communications are mixed together with envelope in-
formation and disclosed to the ISP,it is at least possible that courts will find
that Internet users cannot have a reasonable expectation of privacy in Inter-
net content information,much like postcards or cordless phone calls,
Under these precedents,Internet surveillance law has become pre-
dominantly statutory law.
98
The rules that actually govern electronic sur-
veillance tend to be statutory rules,inspired by constitutional values,but not
necessarily governed by constitutional commands.
99
Further,because the
93
See Ex parte Jackson,96 U.S,727,733 (1877) (concluding that the Fourth Amendment protects
sealed postal letters); United States v,Phillips,478 F.2d 743,748 (5th Cir,1973) (“[T]he privacy of a
sealed item bearing the proper amount of postage for a first class item is protected from warrantless
opening,not because it is given the appellation ’first class’ but because the Constitution commands that
result.”),
94
See United States v,Jacobsen,466 U.S,109,119 (1984) (holding that,Respondents could have
no privacy interest in the contents of the package,since it remained unsealed”); United States v,
Vasquez,858 F.2d 1387,1391 (9th Cir,1988) (concluding that because envelope was found unsealed,
police officer’s search of its contents did not violate the defendant’s Fourth Amendment rights),Re-
markably,no cases exist directly dealing with Fourth Amendment protections in postcards,However,
there are many cases dealing with Fourth Amendment rights in unsealed packages and information on
the exterior of packages and envelopes,all of which hold that a person has no Fourth Amendment pro-
tection in such information,
95
See Berger v,New York,388 U.S,41,44–45 (1967) (finding Fourth Amendment protection in
the contents of telephone conversations),
96
See,e.g.,Tyler v,Berodt,877 F.2d 705,706 (8th Cir,1989); McKamey v,Roach,55 F.3d 1236,
1239–40 (6th Cir,1995); United States v,McNulty,47 F.3d 100,104–06 (4th Cir,1995); United States
v,Smith,978 F.2d 171,177–81 (5th Cir,1992),Of course,Congress can protect such calls when the
Fourth Amendment does not,In the case of cordless telephone calls,Congress added statutory protec-
tion against their interception in 1994,See McKamey,55 F.3d at 1238 n.1,
97
See United States v,Bach,310 F.3d 1063,1066 (8th Cir,2002) (assuming,but not deciding,that
the Fourth Amendment protects stored emails and noting that,[w]hile it is clear to this court that Con-
gress intended to create a statutory expectation of privacy in e-mail files,it is less clear that an analo-
gous expectation of privacy derives from the Constitution”),
98
Of course,this case law has not stopped most commentators on Internet surveillance law from
making the case for strong privacy protections in constitutional terms,The most common approach is to
recite a brief history of Fourth Amendment law ending in 1967 with Katz v,United States,389 U.S,347
(1967),and then to announce that Katz guarantees strong privacy protections in new technologies,See,
e.g.,Rackow,supra note 72,at 1656 (following this path and concluding that,[p]rivacy as protected by
the Fourth Amendment denotes a right to be free from unwanted governmental surveillance”),This ap-
proach surely reflects honorable aspirations,but it strangely ignores the fact that in the thirty-five years
since Katz,the courts have mostly rejected such an expansive view of its holding,
99
In fact,the courts have often deferred to Congress’s judgment when confronted with a Fourth
Amendment challenge to electronic surveillance,See,e.g.,McNulty,47 F.3d at 105–06 (rejecting a claim
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
630
courts have demonstrated a marked reluctance to incorporate legislative
standards of privacy protection in new technologies into constitutional
Fourth Amendment rules,
100
statutory laws often provide the only rules that
protect Internet privacy,Absent some legislative rules,few privacy protec-
tions exist,
Congress has responded to this constitutional vacuum with a series of
laws that offer relatively strong (although hardly perfect) legislative privacy
protections,Congress first made it a crime to wiretap telephone lines in
1934,
101
even though wiretapping did not violate the Fourth Amendment at
that time.
102
Congress has since revisited the surveillance statutes every
few years to take into account advancing technology and changing social
norms,The two most important dates are 1968 and 1986,In 1968,Con-
gress created the modern Wiretap Act that regulates prospective content
surveillance of telephone lines today,
103
and in 1986,Congress expanded
that law to the Internet and added regulations of retrospective surveillance
as well when it enacted the Electronic Communications Privacy Act.
104
B,Prospective Envelope Surveillance of the Postal
Network and the Telephone
Although Congress has enacted statutory privacy protections that gov-
ern network surveillance,Congress historically has shown little interest in
protecting mere envelope information,Congress has regulated prospective
content information very strictly,with a warrant requirement in the case of
the postal system,
105
and a super-warrant requirement for telephones and the
of constitutional protection in calls to a cordless phone user,in part on the ground that holding to the con-
trary would force the court,to rule the statutory exceptions of Title III unconstitutional,” an,untoward re-
sult” given the,heavy presumption of constitutionality [that] attaches to the carefully considered decisions
of a coequal and representative branch of our Government” (internal quotations and brackets omitted)); see
also Adams v,City of Battle Creek,250 F.3d 980,986 (6th Cir,2001) (“The Electronic Communications
Privacy Act is part of detailed legislative scheme under Title III of the Omnibus Crime and Control Act of
1986,The legislation seeks to balance privacy rights and law enforcement needs,keeping in mind the pro-
tections of the Fourth Amendment against unreasonable search and seizure,Congress made the Act the
primary vehicle by which to address violations of privacy interests in the communication field.”),
100
See,e.g,McNulty,47 F.3d at 106 (rejecting argument that subsequent legislative protection of
privacy rights in cordless phone calls should influence court to recognize constitutional protections in
the same); United States v,Hambrick,225 F.2d 656 (4th Cir,Aug,3,2000) (rejecting argument that
statutory protection of Internet subscriber information under the Electronic Communications Privacy
Act created a constitutional reasonable expectation of privacy in the information),
101
See 47 U.S.C,§ 605 (1934); Nardone v,United States,302 U.S,379,381–82 (1937),
102
See Nardone,302 U.S,at 381 (citing Olmstead v,United States,277 U.S,438 (1928)),
103
See 18 U.S.C.A,§§ 2510–2522 (West Supp,2002),
104
See Electronic Communications Privacy Act of 1986,Pub,L,No,99-508,§§ 101–11,100 Stat,
1848,1848–59,
105
See Ex parte Jackson,96 U.S,727,733 (1877),Of course,this limitation is constitutional,not statu-
tory,Congress has protected the content of sealed letters and packages sent through the mail through a criminal
prohibition,See 18 U.S.C.A,§ 1703 (“Whoever,being a Postal Service officer or employee,unlawfully,,,
opens any letter,,, shall be fined under this title or imprisoned not more than five years,or both.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
631
Internet.
106
However,mere envelope information has traditionally received
little if any protection in communications networks such as the postal sys-
tem and the telephone,
In the postal system,no statutory protection exists,Surveillance of en-
velope information is governed solely by a postal regulation enacted in
1975.
107
The regulation prohibits envelope surveillance of postal mail
unless it is conducted pursuant to a request to initiate a,mail cover.”
108
The
regulation defines a mail cover as a,nonconsensual record,,, of any data
appearing on the outside cover of any sealed or unsealed class of mail.”
109
A mail cover can be instituted whenever a law enforcement agent files a
written request with the Postal Inspector that,specifies,,, reasonable
grounds to demonstrate the mail cover is necessary to,,, [o]btain informa-
tion regarding the commission or attempted commission of a crime.”
110
When that request is received,the postal inspectors will initiate the mail
cover and conduct envelope surveillance for thirty days.
111
As a matter of
privacy law,the mail cover regulation offers only meager privacy protec-
tion,Law enforcement agents do not need to obtain a court order,and no
judge need ever learn of the surveillance,If agents violate the statute,there
is no remedy—criminal,civil,or suppression.
112
The law offers somewhat higher protection for prospective envelope
surveillance of the telephone network,The privacy law that applies is
known as the pen register law because in the 1960s the phone company
could create a record of numbers dialed from a telephone by installing a de-
vice known as a pen register.
113
Congress first enacted the pen register law
106
See 18 U.S.C.A,§ 2518 (discussing the requirements that the government must meet to obtain a
Wiretap Order),
107
See 39 C.F.R,§ 233 (2002),This regulation was first enacted on March 12,1975,See 40 Fed,
Reg,11,579 (1975),
108
39 C.F.R,§ 233.3(b),
109
See id,§ 233.3(c)(1) (defining the phrase,mail cover”),The reference to,contents” of,un-
sealed” matter presumably refers to postcards,This includes,the name of the addressee,the postmark,
the name and address of the sender (if it appears),and the class of mail,” United States v,Huie,593 F.2d
14,14 (5th Cir,1979),but may simply consist of a photograph of the exterior of the envelope,see 39
C.F.R,§ 233.3(c)(2) (defining a,record” as,a transcription,photograph,photocopy or any other fac-
simile of the image of the outside cover,envelope,wrapper,or contents of any class of mail”),
110
See 39 C.F.R,§ 233.3(e)(2)(iii),The mail cover can be authorized on other grounds,see id.,but
these are the most common ones,
111
See id,§ 233.3(g)(5),
112
See United States v,Hinton,222 F.3d 664,674 (9th Cir,2000) (“Although it is undisputed that
the officers did not follow the proper procedures for obtaining a mail cover,suppression is not the ap-
propriate remedy,,,,”),
113
A pen register was described by one early court as follows,
The pen register is a mechanical device attached on occasion to a given telephone line,usually at
central telephone offices,A pulsation of the dial on a line to which the pen register is attached re-
cords on a paper tape dashes equal to the number dialed,The paper tape then becomes a perma-
nent and complete record of outgoing calls as well as the numbers called on the particular line,
Immediately after the number is dialed and before the line called has had an opportunity to answer
(actually the pen register has no way of determining or recording whether or not the calls are an-
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
632
in 1986
114
and created a statutory criminal prohibition on the prospective
surveillance of envelope information for the telephone network,subject to a
few exceptions.
115
The pen register law allows the government to obtain a
court order authorizing the collection of envelope information for renew-
able periods of sixty days.
116
Although the application must be made by an
attorney and approved by a federal judge,the threshold for obtaining the
order is low,the attorney must only certify to the court that,the informa-
tion likely to be obtained,,, is relevant to an ongoing criminal investiga-
tion.”
117
Violations of the pen register statute do not result in suppression
of the evidence; instead,the remedy is a criminal prosecution,
118
and in the
case of a lawyer,possible ethical charges.
119
C,Prospective Envelope Surveillance of the Internet,
The Uncertain Privacy Protections Before the USA Patriot Act
What about the Internet? More specifically,in the period leading up to
the Patriot Act,what privacy laws regulated the prospective surveillance of
envelope information in the case of email surveillance and packet surveil-
lance? The answer is surprisingly unclear,The only law that could con-
ceivably have applied was the pen register statute,but it provided an odd mix
of telephone-specific language and more general text,The statute divided the
category of envelope information into two subcategories,the,to” addressing
swered) the pen register mechanically and automatically is disconnected,There is neither re-
cording nor monitoring of the conversation,
United States v,Guglielmo,245 F,Supp,534,535 (N.D,Ill,1965),
114
See Electronic Communications Privacy Act of 1986,Pub,L,No,99-508,§ 301(a),100 Stat,
1848,1868,
115
See 18 U.S.C.A,§ 3121(a) (West Supp,2002),Violations of the pen register statute are misde-
meanors,See id,§ 3121(d),One exception allows providers to collect envelope information in the or-
dinary course of business,See id,§ 3121(b),
116
See id,§§ 3122–3123,
117
Id,§ 3123(a); see also United States Telecom Ass’n v,FCC,227 F.3d 450,454 (D.C,Cir,2000)
(“Rather than the strict probable cause showing necessary for wiretaps,pen register orders require only
certification from a law enforcement officer that ‘the information likely to be obtained is relevant to an
ongoing criminal investigation.’”),So long as the application contains these elements,the court will au-
thorize the installation of the pen/trap device,The court will not conduct an,independent judicial in-
quiry into the veracity of the attested facts.” In re United States,846 F,Supp,1555,1559 (M.D,Fla,
1994); see also United States v,Fregoso,60 F.3d 1314,1320 (8th Cir,1995) (“The judicial role in ap-
proving use of trap and trace devices is ministerial in nature,,,,”),
118
As one court has explained,
The salient purpose of requiring the application to the court for an order is to affix personal re-
sponsibility for the veracity of the application (i.e.,to ensure that the attesting United States Attor-
ney is readily identifiable and legally qualified) and to confirm that the United States Attorney has
sworn that the required investigation is in progress.,,, As a form of deterrence and as a guarantee
of compliance,the statute provides,,, for a term of imprisonment and a fine as punishment for a
violation [of the statute],
In re United States,846 F,Supp,at 1559,
119
A knowingly false certification would constitute not only a violation of the statute but also a ma-
terially false statement to the court in the course of an attorney’s official duties,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
633
information,which historically would be obtained by installing a pen register,
and the,from” addressing information,which historically would be obtained
by running a,trap and trace.”
120
Rather than refer to the information to be
gathered,the structure of the pen register law prohibited the installation or
use of a pen register or trap and trace device without a court order,
Before the Patriot Act,however,the definitions of the terms,pen reg-
ister” and,trap and trace device” did not make clear whether they applied
only to the telephone,or whether they could also apply to the Internet,The
definition of,trap and trace device” was quite broad,it referred to,a de-
vice which captures the incoming electronic or other impulses which iden-
tify the originating number of an instrument or device from which a wire or
electronic communication was transmitted.”
121
Given that most Internet
communications are,electronic communication[s],”
122
this definition ap-
peared to apply to the Internet as well as to the phone system,In contrast,
the definition of,pen register” appeared strikingly telephone-specific,the
law defined a pen register as,a device which records or decodes electronic
or other impulses which identify the numbers dialed or otherwise transmit-
ted on the telephone line to which such device is attached.”
123
So did the pen register laws apply to the Internet? The Justice Depart-
ment believed they did and that the pen register laws regulated both Internet
email and packet-level envelope surveillance just as they did telephone enve-
lope surveillance.
124
In fact,Justice Department practice had embraced the
120
,Trap and trace” information is so called because collecting the information originally required
the telephone company to trace the phone line using a tool known as a,terminating trap.” In re United
States,610 F.2d 1148,1151 (3d,Cir,1979),
121
18 U.S.C.A,§ 3127(4) (West Supp,2002),
122
See CCIPS MANUAL,supra note 15,at 106 (“[A]lmost all Internet communications (including
email) qualify as electronic communications.”),The phrase,electronic communication” means
any transfer of signs,signals,writing,images,sounds,data,or intelligence of any nature transmit-
ted in whole or in part by a wire,radio,electromagnetic,photoelectronic or photooptical system
that affects interstate or foreign commerce,but does not include—
(A) any wire or oral communication;
(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device (as defined in section 3117 of this title); or
(D) electronic funds transfer information stored by a financial institution in a communications sys-
tem used for the electronic storage and transfer of funds;
18 U.S.C.A,§ 2510(12),
123
18 U.S.C.A,§ 3127(3); see also PETER P,SWIRE,ADMINISTRATION WIRETAP PROPOSAL HITS THE
RIGHT ISSUES BUT GOES TOO FAR (Brookings Institute Analysis Paper No,3,2001) (“ECPA has not aged
gracefully,Much of its language reflects the telephone technology of the 1980s rather than the Internet realities
of today.”),available at http://www.brook.edu/dybdocroot/views/articles/fellows/2001_swire.htm,
124
See CCIPS MANUAL,supra note 15,at 102,As the DOJ described in their January 2001 Manual,“The
Pen/Trap statute permits law enforcement to obtain the addressing information of Internet communications
much as it would addressing information for traditional phone calls.,,, The Pen/Trap statute [also] permits
law enforcement to obtain the addressing information of Internet emails (minus the subject line,which can con-
tain contents).” Id,The Manual cites Brown v,Waddell for an example of law enforcement,using a court or-
der,just like it permits law enforcement to obtain addressing information for phone calls and individual Internet
‘packets’ using a court order.” Id,(citing Brown v,Waddell,50 F.3d 285,292 (4th Cir,1995)),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
634
pen register statute for several years as the means of conducting Internet en-
velope surveillance,Federal judges had at least implicitly agreed,judges had
signed pen register orders authorizing Internet email and packet surveillance
hundreds,if not thousands,of times in the years leading up to the Patriot
Act.
125
While some magistrate judges had asked prosecutors whether the
statute applied to the Internet,the judges always satisfied themselves that it
did and signed the order.
126
One magistrate judge in Los Angeles had also
written an unpublished order agreeing that the statute applied to the Internet,
“Although apparently not contemplated by the drafters of the original stat-
ute,” Judge James McMahon wrote,“the use of a pen register order in the
present situation is compatible with the terms of the statute.”
127
The text re-
mained uncertain,but as a matter of law enforcement practice,it was gener-
ally understood that the pen register laws applied to the Internet.
128
Notably,the government’s conclusion that the pen register statute ap-
plied to the Internet created a double-edged sword,Without the pen register
statute,the government could conduct envelope surveillance without a court
order,The government or anybody else could wiretap the Internet and col-
lect any noncontent information it wished without restriction.
129
Applying
the pen register laws to the Internet denied the government the power to
conduct envelope surveillance without a court order,which limited gov-
ernment power and blocked private entities from conducting prospective
envelope surveillance,thus protecting privacy,At the same time,applying
the pen register statute to the Internet benefited law enforcement by giving
the government a relatively easy way of obtaining orders compelling ISPs
to conduct prospective envelope surveillance on the government’s behalf,
Absent that authority,the government would need to install monitoring de-
vices itself,rely on the voluntary cooperation of ISPs,or try to use other
laws requiring a higher factual showing than the pen register laws to obtain
court orders compelling ISPs to conduct envelope surveillance.
130
125
See Carl S,Kaplan,Concern over Proposed Changes in Internet Surveillance,N.Y,TIMES,Sept,
21,2001,at E1 (quoting Marc Zwillinger,former Trial Attorney of the Computer Crime and Intellectual
Property Section of DOJ,that during his time at the Justice Department,he used the pen register statute
to obtain envelope information,hundreds of times”),
126
When I was at the Justice Department,I would occasionally hear of magistrate judges raising such
questions with Assistant U.S,Attorneys who applied for pen register orders to conduct Internet surveillance,
127
See In re United States of America,Cr,No,99-2713M (C.D,Cal,Feb,4,2000) (McMahon,
Mag,J.) (unpublished opinion) (on file with author),
128
See CCIPS MANUAL,supra note 15,at 102,
129
So long as the device did not pick up any,content,” 18 U.S.C.A,§ 2510(8) (West Supp,2002),
it did not violate the Wiretap Act,
130
See United States v,New York Telephone,434 U.S,159,168–70 (1977) (holding that in the ab-
sence of an explicit law,the government can obtain a search warrant to order the installation of a pen
register),A plausible claim could be made that the government could have also used the retrospective
authority of 18 U.S.C.A,§ 2703 in combination with the All Writs Act,28 U.S.C,§ 1651 (2000),in or-
der to obtain a court order to perform such surveillance with a specific and articulable facts threshold
rather than probable cause otherwise required by the New York Telephone case,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
635
Despite the fact that federal judges appeared willing to agree with the
DOJ’s conclusion that the pen register statute applied to the Internet before
the Patriot Act,two events helped precipitate the Patriot Act’s pen register
amendments,First,on July 17,2000,President Clinton’s Chief of Staff
John Podesta announced the Clinton Administration’s support for amend-
ments to the pen register statute,making clear that the statute applied to the
Internet.
131
Podesta argued that it was,time to update and harmonize our
existing laws to give all forms of technology the same legislative protec-
tions as our telephone conversations.”
132
Although the Clinton Administra-
tion’s proposal did not go far in Congress,it set a precedent for clarifying
the scope of the pen register laws.
133
The second event that helped precipitate the pen register amendments
occurred on November 17,2000,when Magistrate Judge Patricia Trumbull
of the Northern District of California in San Jose denied an ex parte gov-
ernment application for an Internet pen register order,and rendered an un-
published written decision holding that the pen register laws did not apply
to the Internet.
134
Judge Trumbull reasoned that the language of the pen
register statute was sufficiently telephone-specific that it could not be read
to apply to the Internet.
135
In particular,she noted that the pen register stat-
ute required the court to specify in its order,the number and,if known,the
physical location of the telephone line to which the,,, device is to be at-
tached.”
136
Because Internet pen register orders did not specify a telephone
line,Judge Trumbull reasoned that,the proposed technology does not fall
within the scope of the statute.”
137
Judge Trumbull’s decision added special urgency to the call for a legis-
lative clarification of the scope of the pen register statute,On one hand,the
decision was an unpublished and unpublicized order by a sole magistrate
judge,in conflict with general practice and the prior written opinion of an-
other magistrate judge in the same circuit.
138
On the other hand,Judge
131
See John Schwartz,U.S,Hopes To Extend Online Wiretapping,WASH,POST,July 18,2000,at
E1,The amendment was only one of several relating to Internet surveillance that the Clinton admini-
stration endorsed at that time,See id,
132
Remarks by John Podesta,White House Chief of Staff,on Electronic Privacy,at 2000 WL
21168908 (transcript by U.S,Newswire),The Clinton Administration proposals were the product of a
15-agency White House working group chaired by Peter Swire,the Clinton Administration’s Privacy
“czar.” See SWIRE,supra note 123,
133
The Administration’s proposal was introduced as Senate Bill 3083,Some of its pro-privacy
measures appeared in a strongly pro-privacy House bill that passed the House Judiciary committee as
House Bill 5018,See SWIRE,supra note 123,
134
See In re United States,Cr-00-6091 (N.D,Cal,Nov,17,2000) (Trumbull,Mag,J.) (unpublished
opinion) (on file with author),
135
See id,at 4,
136
See id,(quoting 18 U.S.C.A,§ 3123(b)(1)(C)),
137
See id,at 5 (citing In re United States,885 F,Supp,197,200 (C.D,Cal,1995)),
138
See In re United States of America,Cr,No,99-2713M (C.D,Cal,Feb,4,2000) (McMahon,
Mag,J.) (unpublished opinion) (on file with author),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
636
Trumbull was the only magistrate judge in San Jose,California.
139
Note the
location,the San Jose division of the Northern District of California covers
Silicon Valley and includes the home of such powerhouse Internet service
providers as Yahoo! and Hotmail,Even if Judge Trumbull’s decision could
be appealed and overturned,the slow pace of litigation meant that it would
be many months,if not several years,before the government could use the
statute to authorize envelope surveillance at some of the country’s most
popular Internet service providers,Within the criminal division of the DOJ,
a sense emerged that the best approach was to keep quiet about Judge
Trumbull’s decision,which it did,as the DOJ has never shared Judge
Trumbull’s unpublished decision with the public.
140
Instead,DOJ remained
committed to pursuing a legislative fix when an opportunity arose that
would establish clearly that the pen register laws applied to the Internet,
D,The Patriot Act and the Expansion of the Pen Register Laws
In the wake of the terrorist attacks on New York and Washington on
September 11,2001,pressure built on the Bush Administration to propose
antiterrorism legislation.
141
Just days after the attacks,Attorney General
John Ashcroft contacted various divisions within DOJ and sought recom-
mendations for legislative changes that could help fight the war on terror-
ism,One area that surfaced as a promising arena was Internet surveillance
law,The DOJ had been clamoring for changes to the antiquated surveil-
lance laws for years,and the September 11th attacks provided an obvious
opportunity to update the laws,The link between the surveillance laws and
terrorism was not direct because the September 11th attacks did not directly
implicate the Internet,However,terrorists groups such as Al-Qaeda were
known to favor the latest Internet technologies to communicate with each
other,
142
which meant that updating the Internet surveillance laws could as-
sist law enforcement in terrorism-related cases,In any event,the obviously
antiquated surveillance laws provided one of the few areas in which new
laws were both clearly needed and could conceivably help the Justice
Department fight terrorism,Further,the events of September 11th changed
139
See ALMANAC OF THE FEDERAL JUDICIARY (2002),
140
The Justice Department has continued to maintain its silence about Judge Trumbull’s decision,
In one recent document,DOJ announced that,[a]lthough numerous courts across the country have ap-
plied the pen/trap statu[t]e to communications on computer networks,no federal district or appellate
court has explicitly ruled on its propriety.” COMPUTER CRIME AND INTELLECTUAL PROPERTY SECTION,
FIELD GUIDANCE ON NEW AUTHORITIES THAT RELATE TO COMPUTER CRIME AND ELECTRONIC
EVIDENCE ENACTED IN THE USA PATRIOT ACT OF 2001,at http://www.cybercrime.gov/PatriotAct.htm
(last visited Feb,4,2003),Note the Clintonian phrasing here,because neither of the Magistrate Judge
orders were appealed to a district court judge or the Ninth Circuit,the statement may be technically true,
However,it is certainly misleading,
141
See Jonathan Krim,Anti-Terror Push Stirs Fears for Liberties,Rights Groups Unite To Seek
Safeguards,WASH,POST,Sept,18,2001 at A17,
142
See,e.g.,Kevin Maney,Osama’s Messages Could Be Hiding in Plain Sight,USA TODAY,Dec,
19,2001,at B6 (noting Al-Qaeda’s use of advanced technologies such as encrypted Internet communi-
cations and steganography),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
637
partment fight terrorism,Further,the events of September 11th changed the
political climate considerably,softening the opposition that had success-
fully blocked DOJ efforts to amend the Internet surveillance statutes in the
previous Congress.
143
Fortunately for Ashcroft,the DOJ had already prepared a comprehen-
sive proposal for updating the Internet surveillance laws,For several years,
teams of lawyers within the Justice Department and elsewhere in the execu-
tive branch had worked on legislative proposals to update the electronic
surveillance laws.
144
Many bills had been introduced in Congress,includ-
ing ones that previously had the Clinton Administration’s support.
145
By
the time September 11th arrived,amendments that had been proposed and
debated within the Justice Department for several years were already
drafted and provided an obvious starting point for amendments to the elec-
tronic surveillance laws.
146
Eight days after September 11th,the proposals
formed the basis for the electronic surveillance portions of the Justice De-
partment’s proposed Anti-Terrorism bill,The DOJ bill in turn provided the
basis for the USA Patriot Act passed on October 26,
Updating the pen register statute so that it clearly applied to the Inter-
net provided one obvious priority,especially in light of the Clinton Admini-
stration’s failed efforts and Judge Trumbull’s order,The Justice
Department’s proposal aimed to do this in a minimalist way,Rather than
rewrite the entire statute,the DOJ proposed to amend the definition of,pen
register” and,trap and trace device” to make clear that it applied broadly to
network envelope information,encompassing both telephones and the
Internet,The DOJ proposed to describe envelope information as,dialing,
routing,addressing,or signaling information”
147
and to amend the defini-
tions of pen register and trap and trace device to incorporate this broader
definition.
148
Congress essentially adopted the DOJ’s approach in the Pa-
143
In the year 2000,the primary momentum among bills that changed Internet surveillance law be-
longed to pro-privacy bills such as House Bill 5018,See Cutting Edge Legislation Seeks To Tighten Pri-
vacy Laws,L.A TIMES,Sept,7,2000,at C8,
144
Within the Computer Crime and Intellectual Property Section of DOJ’s Criminal Division,for
example,an informal,High Tech Crime Bill” working group within the section tasked itself with writ-
ing proposed legislative amendments to the Internet surveillance laws,I was one of the attorneys who
participated in the Working Group,
145
See Schwartz,supra note 131,
146
For example,the High Tech Crime Bill working group had spent two years studying,writing,
and debating the need for dozens of changes to the surveillance laws,The group had drafted proposed
legislative text for the changes and had also written explanations of the sections that could form the ba-
sis for a future House or Senate Committee report on the amendments if the amendments ever became
law,The written explanations later emerged as a,Field Guide” to the Patriot Act,It is available at the
CCIPS website at http://www.cybercrime.gov/PatriotAct.htm,
147
See ANALYSIS OF PROVISIONS OF THE PROPOSED ANTI-TERRORISM ACT OF 2001,AFFECTING
THE PRIVACY OF COMMUNICATIONS AND PERSONAL INFORMATION,Sept,24,2001,at www.epic.org/
privacy/terrorism/ata_analysis.html (last visited Feb,4,2003),
148
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
638
triot Act,with the slight modification that the phrase,dialing,routing,ad-
dressing,or signaling information” was supplemented with a clarification
that,such information shall not include the contents of any communica-
tion.”
149
This clarification to the DOJ’s proposal was added at Senator
Leahy’s recommendation to ensure that the expanded pen register amend-
ment did not trump the Wiretap Act.
150
E,Why Criticisms of the Pen Register Amendments Are Misplaced
As demonstrated earlier,the Patriot Act’s modification of the pen reg-
ister statute to include all,dialing,routing,addressing,or signaling infor-
mation” proved to be one of the most controversial provisions in the Act,
The media widely interpreted this change as a sweeping and unjustified ex-
pansion of law enforcement authority,To be fair,some of these reactions
derived from the initial DOJ proposal,which lacked Senator Leahy’s clari-
fication that the changes to the scope of the pen register statute did not alter
the scope of the Wiretap Act (although as I will explain shortly,it is
unlikely that such a clarification was necessary),But even so,the criticisms
of the pen register amendment prove surprisingly weak,
First,the criticisms ignore the fact that the pen register statute is pri-
marily a privacy law,The law protects envelope information,making it a
federal crime to collect envelope information without a court order.
151
If
the pen register statute did not apply to the Internet,then email and packet
envelope surveillance would be totally unregulated by federal privacy law,
In such a world,the government would be allowed to conduct envelope
surveillance of the entire country’s emails and Internet communications
without a court order,or without even any prior authorization within the
Executive Branch,Even more broadly,any private party would be allowed
to do the same,
149
See 18 U.S.C.A,§ 3127(3)–(4) (West Supp,2002),Notably,the minimalist approach of the
USA Patriot Act retains the pen register statute’s awkward structure,The statute does not directly pro-
hibit prospective envelope surveillance without a court order,Instead,the statute achieves the same goal
in a roundabout way,it prohibits the use or installation of a pen register or trap and tract device without
a court order and then defines a pen register and trap and trace device as a,device or process” that con-
ducts prospective envelope surveillance,
150
See Statement of Senator Patrick Leahy on the Uniting and Strengthening of America Act (“USA
ACT”) (Oct,11,2001),at http://leahy.senate.gov/press/200110/101101a.html,According to Senator
Leahy,
The Administration and the Department of Justice flatly rejected my suggestion that these terms
[“dialing,routing,addressing,and signaling”] be defined to respond to concerns that the new
terms might encompass matter considered content,which may be captured only upon a showing of
probable cause,not the mere relevancy of the pen/trap statute,Instead,the Administration agreed
that the definition should expressly exclude the use of pen/trap devices to intercept,content,”
which is broadly defined in 18 U.S.C,Section 2510(8),
Id,
151
See 18 U.S.C.A,§ 3121(d) (“Whoever knowingly violates [the prohibition against installing or
using a pen register or trap and trace device without a court order] shall be fined under this title or im-
prisoned not more than one year,or both.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
639
The Patriot Act’s pen register amendments helped avert this situation
by clarifying that the government was required to obtain a court order to
conduct prospective envelope surveillance of Internet communications,In
other words,the Patriot Act requires a court order,where before it may not
have been necessary,From a civil libertarian standpoint,this is plainly a
step in the right direction,Ironically,the real problem with the Patriot Act
from a civil libertarian perspective is not that it goes too far,but that it does
not go far enough in protecting the privacy of envelope information,Mak-
ing it a crime to conduct envelope surveillance on the Internet without a
court order is an improvement,but should have been matched with a higher
threshold to obtain the court order that was required,combined with judicial
review of the government’s application.
152
I would personally support such
a change; I believe that a higher,specific and articulable facts”
153
threshold
would not add substantial burden for law enforcement,and at least on paper
it would add privacy protection.
154
However,the fact that this section of the
Patriot Act could have offered stronger protection should not obscure the
fact that as a whole the amendment helps add privacy protections,not re-
duce them,
The criticisms of the pen register amendments also missed the mark
because they failed to recognize that the changes codified a decade’s worth
of preexisting practice that had matched Internet privacy protections to tele-
phone privacy protections,The Justice Department had been obtaining pen
register orders to conduct envelope surveillance for years,and the new text
explicitly recognized and approved the practice,The legislative change did
not expand any authority,at most,the change merely overruled Magistrate
Judge Trumbull’s unpublished order.
155
Although styled a,change” in the
law by its critics,the pen register amendments merely reaffirm the status
quo,In itself this provides no reason to celebrate the amendments,as the
status quo may be inadequate,However,the fact that the change reaffirms
longstanding practice seems to undercut claims that the change dramatically
expanded law enforcement powers,
Further,applying the pen register laws to the Internet matched the
152
The ACLU has made this argument,See Calvin Galvin,Rights and Wrongs,Why New Law-
Enforcement Powers Worry Civil Libertarians,SEATTLE TIMES,Dec,6,2001,at A3,
153
18 U.S.C.A,§ 2703(d),
154
I add the caveat,on paper” because in my government experience I never knew or even heard of
any law enforcement agent or lawyer obtaining a pen register order when the agent did not also have
specific and articulable facts,which would satisfy the higher threshold,My experience is narrow,but it
suggests that the practical burden of obtaining the order combined with the certification to a federal
judge and potential for criminal liability effectively regulates government officers and deters them from
obtaining pen register orders in bad faith,On the other hand,there may be rogue officers out there,if
not now then in the future,and a higher threshold combined with judicial review could potentially pro-
vide an extra barrier to abuse,
155
See In re United States of America,Cr-00-6091 (N.D,Cal,Nov,17,2000) (Trumbull,Mag,J.)
(unpublished opinion) (on file with author),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
640
regulation of the Internet to the regulation of the telephone network and ex-
ceeded the protection that the law provides to similar surveillance of the
postal network,After the Patriot Act,envelope surveillance of the tele-
phone and the Internet requires a pen register order,whereas envelope sur-
veillance of postal mail still requires no court order whatsoever.
156
Although some believe that the standards for Internet envelope surveillance
should be more strict than their analogues in the telephone context
157
—a
question analyzed in the next Part—at the very least the Patriot Act imposes
same standard for analogous information in the case of the telephone,and
more privacy protection for analogous information in the case of the postal
network,
Criticisms of the pen register amendments also failed to note that the
negotiations over the various bills that led to the Patriot Act actually added
privacy protections to the pen register statute that prohibit the disclosure of
information obtained through envelope surveillance.
158
Prior to the Patriot
Act,government officials could publish or leak information obtained by use
of a pen register or trap and trace device.
159
During the congressional nego-
tiations,pro-privacy legislators managed to insert language that limits the
disclosure of information obtained through prospective envelope surveil-
lance of Internet and telephone communications to disclosures made,in the
proper performance of the official functions of the officer or governmental
entity making the disclosure.”
160
Any other disclosure is prohibited.
161
Al-
though the exact contours of this prohibition remain unclear,the new provi-
sion bolsters the privacy protections that the pen register statutes offer to
envelope information,
What explains the harsh criticisms of the pen register provisions in the
Patriot Act? It seems that some of the civil libertarian concern derived from
a strained reading of DOJ’s initial draft of the pen register amendments,As
156
Note that despite the public perceptions that we have no privacy in our use of new technologies,
in fact there is a general trend in privacy law that the more advanced the technology,the more privacy
protection the law extends,
157
See infra notes 137–54,
158
See 18 U.S.C.A,§ 2707(g) (West Supp,2002),
Any willful disclosure of a,record,” as that term is defined in section 552a(a) of title 5,United
States Code,obtained by an investigative or law enforcement officer,or a governmental entity,
pursuant to section 2703 of this title,or from a device installed pursuant to section 3123 or 3125 of
this title,that is not a disclosure made in the proper performance of the official functions of the of-
ficer or governmental entity making the disclosure,is a violation of this chapter,This provision
shall not apply to information previously lawfully disclosed (prior to the commencement of any
civil or administrative proceeding under this chapter) to the public by a federal,state,or local gov-
ernmental entity or by the plaintiff in a civil action under this chapter,
Id,
159
In contrast,evidence obtained pursuant to a Title III order cannot be disclosed except in limited
situations,see 18 U.S.C.A,§ 2517,and federal law places strict limits on information obtained pursuant
to a grand jury subpoena,see FED,R,CRIM,P,6(e),
160
See 18 U.S.C.A,§ 2707(g),
161
Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
641
noted earlier,
162
the initial DOJ proposals expanded the definition of pen
register and trap and trace devices to include devices or processes that collect
“dialing,routing,addressing,and signaling information.”
163
Given the fun-
damental distinction between envelope information and content information,
and even its constitutional moorings,it seems clear that this phrase was de-
signed to broadly include non-content addressing information,However,at
least some critics apparently viewed the phrase,dialing,routing,addressing,
and signaling information” as an ingenious government scheme to include
contents,as well,and to quietly overthrow the Wiretap Act,Thanks to a
long-redundant section of the Wiretap Act that exempts pen register and trap
and trace information from the scope of the Wiretap Act,
164
it was at least
theoretically possible that a broad reading of the pen register and trap and
trace device statutes could expand the statute into the traditional terrain of the
Wiretap Act,reducing privacy protections.
165
For example,if the contents of
one person’s email to another could be interpreted as in some sense a signal
from the sender to the receiver,then perhaps the contents of the email consti-
tuted,signaling information” under the pen register statute,and the govern-
ment could then intercept the email with a pen register order,rather than a
wiretap order,As best I can tell,it was this chain of logic that led to reports
that the pen register amendments would allow the government to obtain the
contents of communications without a Wiretap Order.
166
This objection to the pen register amendments suffers from two impor-
tant weaknesses,First,it is difficult to imagine that a court actually would
have construed the phrase,dialing,routing,addressing,and signaling in-
formation” to include contents,To reach this result,the court would have
had to ignore the fundamental distinction between contents and envelope
information,a distinction of constitutional magnitude in the telephone and
mail contexts and possibly in the Internet context as well.
167
It seems fanci-
ful to believe that a judge would read the ambiguous word,signaling” in
162
See supra notes 149–51 and accompanying text,
163
18 U.S.C.A,§ 3127(3)–(4),
164
See 18 U.S.C.A,§ 2511(2)(h) (“It shall not be unlawful under [the Wiretap Act,,, to use a pen
register or a trap and trace device.,,,”),
165
See United States v,Fregoso,60 F.3d 1314,1321 (8th Cir,1995) (“Title III makes it clear that
devices which satisfy the statutory definition of pen registers or trap and trace devices set forth in 18
U.S.C.A,§ 3127 are exempted from its requirements.”); Brown v,Waddell,50 F.3d 285,290 (4th Cir,
1995) (noting that,interceptions of electronic communications by two specific devices—‘pen registers’
and ‘trap and trace devices’—were,however,specifically exempted by the 1986 amendments from these
generally applicable authorization requirements”),
166
See,e.g.,Larry Lipman,Congress Close to Passage of Anti-Terrorism Bills,PALM BEACH POST,
Oct,4,2001,at 16A (noting that,Democrats accepted the idea [of applying the pen register statute to
the Internet] in principle but expressed concern that the [initial DOJ proposal] provision could also per-
mit access to the content of emails,opening the door to potential abuse”); Jonathan Ringel,Will New
Anti-Terror Tools Pass Muster?,LEGAL TIMES,Oct,8,2001,at 14 (noting concerns that expanding the
pen register statute,to email would also necessarily give government access to the content of emails”),
167
See supra notes 94–98 and accompanying text,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
642
the largely unknown pen register statute as silently overruling a major stat-
ute,the Wiretap Act,In fact,ambiguous language in the pen register statute
dating from 1986 could have been read exactly the same way,but in fifteen
years had never been so construed,the 1986 definition of,pen register”
covered,numbers,,, transmitted”
168
over a telephone line,but no one had
ever thought that the contents of communications that happen to include
numbers were somehow exempted from the Wiretap Act,To the contrary,a
year before the Patriot Act,the D.C,Circuit had suggested that numbers di-
aled after a call had been connected constituted Wiretap Act contents.
169
In
light of this history,the broad reading of the initial DOJ proposal seems dif-
ficult to square with the proposal itself,
Second,as I noted earlier,
170
the initial DOJ proposal was amended to
clarify that pen register and trap and trace information,shall not include the
contents of any communication.”
171
This amendment helpfully addressed
the concerns that amendments to the pen register statute might lessen the
scope of the Wiretap Act,confirming that they did not,From the standpoint
of critiquing the Patriot Act,however,it means that the harshest criticisms
of the pen register amendments derived from rather strained interpretations
of only an initial draft of the text,rather than the Patriot Act itself,
F,Does the Internet Deserve Higher Standards? The Weak Case
for Internet Particularity
So the Patriot Act applies the standard for the telephone network to the
Internet,But so what? According to the Patriot Act’s critics,Internet enve-
lope surveillance implicates far more serious privacy interests than does
telephone envelope surveillance.
172
Critics reason that email accounts re-
veal more private information about their users than telephone accounts,
and that Internet envelope surveillance encompasses private activities such
as websurfing that deserve higher privacy protection than a mere pen regis-
ter order.
173
As a result,they claim,the low threshold for obtaining a tele-
168
18 U.S.C,§ 3127(3) (1986),
169
See United States Telecom Ass’n v,FCC,227 F.3d 450,462 (D.C,Cir,2000) (“Post-cut-through
dialed digits can also represent call content,For example,subjects calling automated banking services
enter account numbers,When calling voicemail systems,they enter passwords,When calling pagers,
they dial digits that convey actual messages,And when calling pharmacies to renew prescriptions,they
enter prescription numbers.”),
170
See supra notes 149–51 and accompanying text,
171
18 U.S.C.A,§ 3127(3)–(4),
172
See,e.g.,Press Release,American Civil Liberties Union,ACLU Says Congress Should Treat
Administration Proposal Carefully; Says Many Provisions Go Far Beyond Anti-Terrorism Needs (Sept,
20,2001) (“The Administration’s bill would extend this low threshold of proof to Internet communica-
tions that are far more revealing than numbers dialed on a phone.”),available at http://www.aclu,
org/news/2001/n092001e.html,
173
See Kaplan,supra note 125 (quoting Professor Daniel Solove for the view that evidence of web-
surfing is,much more telling about an individual” than the numbers they dialed from a telephone),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
643
phone pen register order is too low,and should be replaced by a higher
threshold such as,specific and articulable fact” or probable cause,
These criticisms are also misplaced,Here my argument is quite nar-
row,I agree with civil libertarian critics who believe that the pen register
standard should be raised.
174
However,if the pen register standard needs
changing,it should be raised for both the Internet and the telephone; the ar-
gument for raising the Internet standards while maintaining the current
standards for the telephone turns out to be surprisingly weak,The claim
that prospective envelope surveillance of an Internet account provides more
private information than the same surveillance of a telephone account is not
accurate in most cases,Internet and telephone envelope surveillance usu-
ally provide equally sensitive information,and in some key ways,Internet
envelope surveillance provides much less sensitive information,
Consider the envelope information for a telephone call,In particular,
imagine that the police are investigating Bugsy and Mugsy,two alleged
mobsters,The police have placed a pen register on Bugsy’s telephone,and
it reveals that at 3:10 p.m,the telephone located at Bugsy’s home at 123
Main Street was used to place a twelve-minute call to Mugsy’s home at 62
Pine Street,This will be very important information for the police,Al-
though the police cannot be sure that the call was placed by Bugsy or re-
ceived by Mugsy,they do know that there was someone present at Bugsy’s
place at 123 Main Street between 3:10 p.m,and 3:22 p.m.,and that there
was also someone at 62 Pine Street at those times as well,The twelve-
minute call suggests that the two people on opposite ends of the line knew
each other,or at least had something substantial to discuss,The pen regis-
ter yields fairly private information,activity from within the suspects’
homes that tells the police where they were,at what time,and how long
they spoke,
If a telephone call were replaced with an email,however,the police
would know comparatively less,and the invasion of privacy would be less
severe,Imagine that the police place a pen register on Bugsy’s email ac-
count,bugsy@criminal.com,and that it records the fact that someone sent
at 3:10 p.m,to the account mugsy@gangster.com,Again,the police cannot
be sure that the communication was sent by Bugsy or received by Mugsy,
as the fact that someone used an account does not necessarily mean that any
particular person used it.
175
More importantly,however,the police will
know very little about the whereabouts of Bugsy and Mugsy,They will
know that someone (probably Bugsy) sent an email at 3:10 p.m,to Mugsy’s
account,However,they will not know where Bugsy was located at that
time,whether Mugsy ever received the email,or where Mugsy is located,
The above argument also assumes that Mugsy and Bugsy each have known
174
See supra notes 152–54 and accompanying text,
175
See CCIPS MANUAL,supra note 15,at 90–91 (noting that the fact that an account or address was
used does not establish conclusively the identity or location of a particular person who used it),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
644
email accounts in the first place,which is generally not true,as there is no
centralized email book that matches the phone book,which makes it harder
for the police to associate suspects with particular addresses.
176
In sum,if
the police try to find Bugsy and Mugsy,or try to pin down and identify
their whereabouts and conduct at particular times,the telephone envelope
surveillance will tend to yield more private and useful information than
email envelope information,
Further,comparing email surveillance to telephone surveillance itself
stacks the deck slightly in favor of finding greater privacy interests in the
case of Internet surveillance than phone surveillance,The reason is that
many pen register orders are implemented on packet headers,not email
headers,As mentioned in Part I,email surveillance has far greater privacy
interests at stake than mere packet-level surveillance of the Internet,When
the government obtains a pen register order to collect packet headers,the
information it yields involves a reduced privacy interest than in the case of
either email or telephone surveillance.
177
G,The Pen Register Statute and URL Search Terms
Critics of the Patriot Act’s pen register amendments have also argued
that the amendments grant the government too much power because they al-
low the government to collect Internet search terms and lists of websites vis-
ited with a mere pen register order.
178
According to these critics,the Patriot
Act lowers the threshold that the government must meet to obtain search
terms and monitor web surfing; the government can now obtain a pen register
order instead of a Title III warrant.
179
This criticism has it backwards,how-
ever,The pen register amendments could not have lowered the legal thresh-
olds for conducting websurfing surveillance,Depending on how past and
current ambiguities in the law are resolved,the amendments either retained
176
Further,this hypothetical assumes that Mugsy uses an email address with a username,Mugsy,”
and Bugsy has a username,Bugsy.” Criminals who are seeking to evade the detection of the police are
not so stupid,Mugsy and Bugsy will be much more likely to have less illuminating usernames such as
“Cathy27,”,akjs3242K,” or,62Power.” Further,they will likely register their email accounts using
fake names and stolen credit card numbers so the accounts cannot be easily identified with them,Of
course,in the telephone context,criminals will also take similar measures by using stolen,cloned” cel-
lular phones,
177
For example,the IP header will reveal only that at a particular time,a packet of information such
as part of a web page or an email was sent from one computer to another computer,Who was responsi-
ble for sending the packet,or where that person might be,or who was the intended recipient,will remain
entirely unknown,
178
See,e.g.,Jane Black,Uncle Sam Needs Watching,Too,BUS,WEEK ONLINE (Nov,29,2001)
(“The Patriot Act also expands the ‘pen register’ statute to include email and Internet surfing.”),at
http://www.businessweek.com/bwdaily/dnflash/nov2001/nf20011129_3806.htm; Kaplan,supra note
125,
179
See,e.g.,Elec,Frontier Found.,supra note 68 (“The government may now spy on web surfing of
innocent Americans,including terms entered into search engines,by merely telling a judge anywhere in the
U.S,that the spying could lead to information that is ‘relevant’ to an ongoing criminal investigation.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
645
the pre-Patriot Act treatment of websurfing surveillance,or else raised the le-
gal standard from no court order to a pen register order standard,How the
surveillance laws apply to search terms and websurfing remains quite unclear,
but the ambiguities turn out to have nothing to do with the Patriot Act.
180
The primary question raised by surveillance of websurfing and Internet
search terms is whether the government can monitor websurfing conduct,
such as search terms entered into search engines and URLs visited,without
collecting the,contents”
181
of communications,The government must ob-
tain a Title III super warrant to obtain,contents” of communications in
transit.
182
The Wiretap Act itself does not define,contents” clearly,but
merely states that it,includes any information concerning the substance,
purport,or meaning”
183
or a communication,As a matter of legal doctrine,
if Internet search terms and URLs constitute,contents,” the government
must obtain a super warrant to intercept them.
184
However,if they do not
fall within the scope of,contents,” then either the information counts as
“dialing,routing,addressing,or signaling information”
185
requiring a pen
register order,or else the government does not need any order to obtain the
information as it falls outside the scope of both statutes.
186
Whether URLs that include search terms and other websurfing addresses
can contain,contents” presents a surprisingly difficult question,The concep-
tual difficulty is that the legal categories of,contents” and,addressing infor-
180
Internet search terms raise interesting questions under current law because they appear in the
Internet address directed back to the user from the search engine,For example,entering a Google query
for,Patriot Act” returns the following URL,http://www.google.com/search?hl=en&ie=150-8859-
1&q=%2patriot+act%22,Copying this URL into a web browser will then retrieve the results of the
search,Whether the pen register laws allow the government to collect websurfing data beyond packet
headers is largely a theoretical question,The government apparently has never tried to obtain a pen reg-
ister order to monitor websurfing in this way,In an informal survey of experienced federal prosecutors,
I was unable to find anyone who had heard of such an application,Prospective surveillance of websurf-
ing turns out to be of fairly limited help to a criminal investigation,At the same time,such surveillance
is possible,for example,the FBI’s DCS-1000 surveillance tool has a setting that allows the tool to col-
lect websurfing information,Because the government has never sought such an order,no court has ever
assessed its permissibility,
181
18 U.S.C.A,§ 2510(8) (West Supp,2002) (providing that,‘contents,’ when used with respect to
any wire,oral,or electronic communication,includes any information concerning the substance,pur-
port,or meaning of that communication”),
182
Id,§ 2516,
183
Id,
184
See Brown v,Waddell,50 F.3d 285,294 n.11 (4th Cir,1995),One subtlety to this question is
that we must go beyond the abstract question of whether the pen register allows the government to
monitor websurfing to the more specific question of what kind of evidence of websurfing can be col-
lected under what authorities,
185
18 U.S.C.A,§ 3127,
186
This raises an interesting question not clearly answered by the Patriot Act,Is all non-content in-
formation,dialing,routing,addressing,and signaling” information,so that all prospective information
triggers the Pen Register statute and/or Title III? Or is there a third category outside of,contents” and
“dialing,routing,addressing,and signaling” information?
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
646
mation” are straightforward in the case of human-to-human communications,
but can be quite murky when considering human-to-computer communications,
In the case of human-to-human communications,“contents” include any mes-
sage or communication that the human sender intends to communicate to the
human recipient.
187
This covers the subject line and the body of emails,
188
as
well as the substance of a telephone call,In these cases,the,contents” are the
messages that the sender wants to send to the recipient,
How does this apply when the message is destined for a computer instead
of a person? This asks a profoundly important question that neither Congress
nor the courts have fully answered,When an Internet user surfs the web,he
sends commands to his computer directing it to send commands to the host
computer,asking the host to send back packets of data that will be assembled
by his computer into a web page.
189
We can look at the user’s command in two
ways,either the command is the,content” of the communication between the
user and his computer or it is merely,addressing information” that the user en-
tered into his computer to tell the computer where it should go and what it
should do,much like the pen register information in Smith v,Maryland.
190
The same problem arises in determining which legal order is required
to monitor a computer hacker’s commands sent to a remote server,Are
these commands,contents” of the communications between the hacker and
the computer,“addressing” information that tells the computer what to do,
or something else? No court has yet considered such questions squarely,
191
187
See supra note 181,Notably,the definition of,wire communication” and,aural” that Congress
enacted in the original 1968 Act together require that the communication contain,the human voice.” 18
U.S.C.A,§ 2510(1),(18),
188
See CCIPS MANUAL,supra note 15,at 102,
189
See GRALLA,supra note 24,at 139–40,
190
Smith v,Maryland,442 U.S,735,741–42 (1979),This is a difficulty latent in Smith that has not
yet fully been appreciated,In Smith,the Court analogized dialing a phone number to contacting an op-
erator and asking the operator to connect the call,Id,at 744–45,Because disclosing the number to an
operator would eliminate the speaker’s reasonable expectation of privacy in the information,so did dis-
closing the information to the phone company’s computer,So far,so good,The difficulty is that if a
speaker calls the operator and places that request,then that request constitutes the contents of the com-
munication between the speaker and the operator,The contents of the conversation between the speaker
and the operator becomes the addressing information for the ensuing conversation between the speaker
and the person he wishes to call,As a result,it is difficult in the abstract to say whether that initial
communication should be considered addressing information or contents,
191
See United States Telecom Ass’n v,FCC,227 F.3d 450,462 (D.C,Cir,2000) (noting that,[n]o
court has yet considered” whether digital signals entered by a user to a computer over a telephone line
are contents and stating that,it may be that a Title III warrant is required”),The D.C,Circuit did sug-
gest that human-to-computer communications can,in fact,be,contents” according to Title III,at least in
the context of the telephone network,Id,at 462,In discussing whether the government can intercept
dialed digits entered after a call has been completed (known as,post-cut-though dialed digits”),the
court offered the following analysis:,Post-cut-through dialed digits can also represent call content,For
example,subjects calling automated banking services enter account numbers,When calling voicemail
systems,they enter passwords,When calling pagers,they dial digits that convey actual messages,And
when calling pharmacies to renew prescriptions,they enter prescription numbers.” Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
647
which means that the legal distinction between,contents” and,addressing
information” remains murky for human-to-computer communications,
Congress has not yet carefully addressed how electronic surveillance
statutes apply to human-to-computer communications,and the Patriot Act
reflects a missed opportunity,The current statutory text leaves the Justice
Department,commentators,and the courts with relatively little guidance.
192
But claims that the Patriot Act lowers the threshold that the government
must satisfy to monitor websurfing simply miss the mark,The statutory
definition of,contents” has remained unchanged since 1986,before the
World Wide Web was even invented,
193
and was not changed in any way by
the Patriot Act.
194
As a result,the Patriot Act could not have changed
whether the government needs a Wiretap Order to monitor websurfing,
Perhaps it does,perhaps it does not; but the Patriot Act did not change the
answer,At most,the Patriot Act might have changed whether the govern-
ment must obtain a pen register order to obtain the information,If websurf-
ing information does not constitute,contents,” a court might conclude that
such information falls within the scope of the pen register’s,dialing,rout-
ing,addressing,and signaling” information,but that it would not have
fallen within the scope of the pre-Patriot Act pen register statute.
195
But
192
In a statement issued on October 11,2001,Senator Leahy blamed the Bush Administration and
the Justice Department for refusing to define the terms,dialing,routing,addressing,and signaling” in-
formation,According to Leahy,“[t]he Administration and the Department of Justice flatly rejected my
suggestion that these terms be defined” with the unfortunate result that Congress was,leaving the courts
with little or no guidance of what is covered by ‘addressing’ or ‘routing.’” Statement,Senator Patrick
Leahy,On the Uniting and Strengthening of America Act of 2001 (USA Act) (Oct,11,2001),at
http://leahy.senate.gov/press/200110/101101a.html,
193
See DAVE RAGGETT ET AL.,RAGGETT ON HTML 4,18 (1997) (crediting the invention of the
Web to Tim Berners-Lee in 1989),
194
In its original form in 1968,Congress defined contents by stating that it,includes any informa-
tion concerning the identity of the parties to such communication or the existence,substance,purport,or
meaning of that communication.” 18 U.S.C,§ 2510(8) (1968),At the time Congress noted that the
definition,include[s] all aspects of the communication itself,No aspect,including the identity of the
parties,the substance of the communication between them,or the fact of the communication itself,is
excluded,The privacy of the communication to be protected is intended to be comprehensive.” Omni-
bus Crime Control and Safe Streets Act of 1968,Title III,Pub,L,No,90-351,1968 U.S.C.C.A.N,2179,
In 1986,however,Congress enacted the pen register statute and amended the definition of,con-
tents” to exclude the identity of the parties to such communication,See S,REP,NO,99-541,at 13
(1986),reprinted in 1986 U.S.C.C.A.N,3555,3567,According to the Senate Report,this change was
made to,distinguish[] between the substance,purport or meaning of the communication and the exis-
tence of the communication or transactional records about it.” Id,The Wiretap Act covered the former,
the pen register statute covered the latter,See id,
195
Notably,several members of the House and Senate and their staff were quite aware of the ambi-
guities over the scope of the new pen register laws,and in particular how they applied to websurfing,
For example,the House Report contains a statement that post-Patriot Act pen register orders could not
be obtained,to collect information other than ‘dialing,routing,addressing,and signaling’ information,
such as the portion of a URL (Uniform Resource Locator) specifying Web search terms or the name of a
requested file or article.” H.R,REP,NO,107-236,at 53 (2001),The proper weight to be afforded to this
statement is unclear,The phrase,dialing,routing,addressing,and signaling” information derived from
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
648
ironically,this means that the Patriot Act might have actually raised the
standard for government surveillance of websurfing,rather than lowered it,
III,THE PATRIOT ACT AND THE FBI’S,CARNIVORE” SURVEILLANCE TOOL
A second major criticism levied at the Patriot Act is that it explicitly
sanctioned and even encouraged the use of Carnivore,the FBI’s controver-
sial Internet surveillance tool.
196
Although the Patriot Act does not explic-
itly mention Carnivore,the press frequently reported that the Patriot Act
provided for its expanded use.
197
According to the New York Times,the use
of Carnivore was,at the heart of the debate” over the Patriot Act.
198
This
was troubling,the Times reported,because Carnivore acts as a powerful
tool that poses significant dangers to civil liberties:,[It] give[s] govern-
ment more power than ever before to encroach on the privacy of citi-
zens.”
199
,When Carnivore sits down to eat,it tastes everything.”
200
By
expanding the use of Carnivore,the Patriot Act supposedly created a sig-
nificant danger to civil liberties,
In this Part,I will argue that this criticism of the Patriot Act is exactly
backwards,The only provisions of the Patriot Act that directly address
Carnivore are pro-privacy provisions that actually restrict the use of Carni-
vore,Further,Carnivore itself differs from other tools that ISPs use for
monitoring every day only in the sense that the FBI specifically designed it
to protect privacy and to preserve government accountability more than
other tools,Oddly enough,the public debate over Carnivore has the issue
the original DOJ proposal and was shared by both the House and Senate versions of the bill,Because
the House proved more resistant to the DOJ’s proposal than the Senate,this statement may reflect an
effort by the authors of the House Report to,spin” later judicial interpretations of DOJ’s language,Cf,
ANTONIN SCALIA,A MATTER OF INTERPRETATION,FEDERAL COURTS AND THE LAW 34 (1997) (noting
that Committee Reports are often written with the,primary purpose” of affecting later judicial construc-
tions of the statutory text),Further,the critical question is less the scope of,dialing,routing,address-
ing,and signaling” information than the meaning of,contents,” which the Patriot Act did not change,
196
See,e.g.,Sonia Arrison,New Anti-Terrorism Law Goes Too Far,S.D,UNION TRIB.,Oct,31,
2001,at B9 (“The law also expands Internet surveillance by making Carnivore,the controversial email
wiretapping system official even though there is a real danger that it over-collects information.”); Mi-
chael Connor,Brave New Web,BOSTON PHOENIX,Mar,11,2002 (“Another controversial provision of
the USA PATRIOT Act allows increased use of Carnivore,a wire-tapping program for the Internet.”),
available at www.bostonphoenix.com/boston/news_features/other_stories/documents/02105031.htm;
Guernsey,supra note 80 (stating that an earlier bill,implies the wider use of Carnivore”); Anne Kandra,
The New Anti-Terrorism Law Steps Up Electronic Surveillance of the Internet,PC WORLD,Jan,2002,at
37 (“The new law opens the door for increased use of Carnivore.”); John Schwartz,Privacy Debate Fo-
cuses on F.B.I,Use of an Internet Wiretap,N.Y,TIMES,Oct,13,2001,at A14; Stefanie Olson,Patriot
Act Draws Privacy Concerns (Oct,26,2001) (“Part of the new legislation includes the expansion of
Internet eavesdropping technology once known as Carnivore.”),at http://news.com.com/2100-1023-
275026.html,
197
Schwartz,supra note 196,at A14,
198
See id,
199
Id,
200
Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
649
somewhat backwards,While the press has pounced on Carnivore as Public
Enemy #1,the tool in fact implements a pro-privacy technology that both
law enforcement and civil libertarians should appreciate,
This Part begins by explaining how prospective Internet surveillance
works,and how the FBI’s Carnivore tool was designed to be a privacy-
protecting means of conducting it,The analysis argues that Carnivore is a
perplexing target for criticism by the civil liberties community,The Part
then turns to the impact of the USA Patriot Act on the use of Carnivore and
shows how the Patriot Act actually adds restrictions to the use of Carnivore,
rather than takes them away,
A,Understanding the Technology of Prospective Internet
Surveillance,Packet Sniffers
As explained in Part I,the Internet is a packet-switched network,All
Internet communications are broken down into discrete packets and sent
over the network,and then reassembled into the original communications
when they reach their final destination.
201
As a result,a great deal of pro-
spective Internet surveillance is packet surveillance.
202
To conduct prospec-
tive surveillance,a tool must,tap” a particular line of Internet traffic at a
particular physical location to look for the communication sought,Tapping
the line allows that person to view the packet traffic flowing through that
particular point in the network,Any device or software programmed to do
this on the Internet is generally known as a,packet sniffer,”
203
as it,sniffs”
Internet packets flowing through the particular point in the network,
One implication of this technology is that Internet packet surveillance
must always involve examining all of the packet traffic streaming by a par-
ticular point on the network,The tool must look at all of the traffic to see if
it is the communication sought,much like a police officer walking through
a public place looking for a known criminal suspect must look at every per-
son just to see whether they are in fact the suspect.
204
For example,if the
FBI obtains a court order allowing it to collect envelope information at the
201
See GRALLA,supra note 24,at 13,
202
The remainder is nonpacket surveillance that occurs immediately before the information has
been packetized,or else immediately after it has arrived and been depacketized,
203
See ANALYSER SALES LTD.,SNIFFER BASIC,WHAT IS A PACKET SNIFFER?,at http://www.pac
ket-sniffer.co.uk/packetsniffer/packetsniffer.htm (last visited Feb,4,2003),
204
The problem is the same in that the searcher must first view the item,even just cursorily,in or-
der to determine whether it is the item he wishes to find,See Andresen v,Maryland,427 U.S,463,482
n.11 (1976),
In searches for papers,it is certain that some innocuous documents will be examined,at least cur-
sorily,in order to determine whether they are,in fact,among those papers authorized to be seized,
Similar dangers,of course,are present in executing a warrant for the,seizure” of telephone con-
versations,In both kinds of searches,responsible officials,including judicial officials,must take
care to assure that they are conducted in a manner that minimizes unwarranted intrusions upon
privacy,
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
650
packet level,such as IP headers for traffic originating from a specific IP ad-
dress,it must scan all of the traffic flowing over the network to locate,iso-
late,and collect the IP headers,
It helps to understand how an Internet sniffer usually works,While the
Internet uses packets to send and receive information,the packets are really
just digital ones and zeroes that computers use to communicate with each
other,The ones and zeroes can be reassembled into text to be read by a
human,but computers do not need to do this and generally will not.
205
A
computer surveillance tool programmed to look for all emails to the Internet
account,bob@aol.com” does not actually look for the text
“bob@aol.com.” To simplify a bit,the tool instead begins by looking for
emails,
206
and when it finds an email,it scans the right place in the email for
the digital equivalent of,bob@aol.com,” which is 01100010011011110
1100010010000000110000101101111011011000010111001100011011011
1101101101.
207
If this exact sequence of ones and zeros appears in the right
place,the surveillance tool knows that it has found an email to
bob@aol.com and will copy and record the block of ones and zeros that
represent the email so that someone can later come back,convert the ones
and zeros into text,and read the email,If the tool has an advanced filter
and is configured properly,the billions of ones and zeros that do not relate
to emails or to the exact sequence of 0s and 1s that represent the target ac-
count will pass through the device and be forgotten.
208
The tool cannot
think,cannot snoop around,and cannot understand what passes before it,it
can only look for the exact sequence of ones and zeros that a human pro-
grammed it to identify,
These technical details have profound implications for how Internet
surveillance can best respect privacy interests,Most remarkably,the Inter-
net reverses the common associations about the relationship between tech-
nology and privacy,In the physical world,advanced technology provides a
powerful way to invade privacy.
209
A single police officer can search a sin-
gle room on a house,but cannot search an entire neighborhood,or a large
city,To search an entire city,advanced technology would be required,At
205
See Softel v,Dragon Medical,1992 WL 168190,at *2 (S.D.N.Y,1992) (“Computers operate by
executing instructions composed of binary digits of ‘zeros’ and ‘ones.’”),
206
Emails are identifiable because a section of the packet header contains an identifying number
that lets the server know that the packet should be sent to the mail server,To be technical,emails are
carried on port 25,which means that the sniffer can just look for communications sent to port 25,See
MATTHEW DANDA,PROTECTING YOURSELF ONLINE 282 (2001),
207
I am using the standard ASCII format,ASCII is short for,American Standard Code for Infor-
mation Interchange.”
208
Once data is pushed out of the random access memory,it cannot be recovered,SHERRY
KINKOPH ET AL.,COMPUTERS,A VISUAL ENCYCLOPEDIA 286–87 (1994),
209
See Olmstead v,United States,277 U.S,438,474 (1928) (Brandeis,J.,dissenting) (“Subtler and
more far-reaching means of invading privacy have become available to the Government,Discovery and
invention have made it possible for the Government,by means far more effective than stretching upon
the rack,to obtain disclosure in court of what is whispered in the closet.”),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
651
an intuitive level,a bigger and more invasive search requires a more power-
ful tool.
210
In the case of Internet surveillance,by contrast,the way that the tech-
nology works mandates that the default will be the most invasive search
possible,and that advanced technology is needed to minimize the invasion
of privacy,The technology prompts the need for a filter to reduce the inva-
sion of privacy,For example,a system administrator (or a twelve-year old
computer hacker) can easily monitor all information flowing through a par-
ticular point in a network by writing a simple program,The program sim-
ply instructs the computer to record all of the traffic flowing through that
computer,it creates a packet sniffer and sets it to sniff all of the traffic,
The system administrator (or hacker) can later convert the recorded digits
into text and look through the entire world of traffic that flowed over the
network,The real technological challenge is devising a tool that acts as an
effective filter,and isolates and records only the exact packets that a court
order allows,rather than a tool that collects everything and requires subse-
quent review by a human being,In contrast to the physical world,total sur-
veillance of traffic through a point on the Internet is simple,but narrow and
limited surveillance requires advanced filtering,
B,The FBI and the Introduction of,Carnivore”
In the mid- to late-1990s,the FBI recognized these difficulties and began
designing surveillance tools that could filter and analyze Internet communica-
tions more effectively,The core difficulty lay in the private sector’s inability
to develop such a tool absent market demand,System administrators rou-
tinely used Internet surveillance tools to monitor Internet traffic going
through their networks,and many commercially available programs existed
to facilitate the task,However,given the fairly broad provider rights to inter-
cept communications inside their network,
211
none of the commercially avail-
able tools incorporated the privacy protections that the FBI desired.
212
The
FBI needed a surveillance tool that protected the privacy of Internet users
more than the surveillance tools routinely used by system administrators,
210
Upon hearing that the government has spent substantial resources to develop a new surveillance
tool,most people are likely to assume that the FBI was working on a tool to invade privacy,not to pro-
tect it,
211
See 18 U.S.C.A,§ 2511(2)(a)(i) (West Supp,2002) (creating provider rights for the acquisition
of contents); id,§ 3121(b)(1) (creating provider rights for the acquisition of addressing information),
212
See Carnivore Diagnostic Tool,Hearings Before the Senate Judiciary Comm.,106th Cong,(2000)
[hereinafter Hearings] (testimony of Donald M,Kerr),available at http://www.fbi.gov/congress/congress
00/kerr090600.htm,
Carnivore—far better than any commercially-available sniffer—is configurable so as to filter with
precision certain electronic computer traffic (i.e.,the binary computer code,the fast-flowing
streams of 0’s and 1’s),,,, [T]o our knowledge,there are few,if any,electronic surveillance
tools that perform like Carnivore,in terms of its being able to be tailored to comply with different
court orders,owing to its ability to filter with precision computer code traffic,
Id,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
652
In particular,commercially available programs generally did not allow
the user to run a very narrow search that a court order might require,and
none included auditing features that would be useful in court if a defendant
challenged the fruits of surveillance,These deficiencies are apparent in the
most popular off-the-shelf packet analyzer program for system administra-
tors,a product known as,EtherPeek” that sells for about $1,000.
213
The
versions of EtherPeek available in the late 1990s did not allow system ad-
ministrators to limit searches by ordering the sniffer to exclude results that
contained specific key words.
214
The tool could search for emails to
bob@aol.com,for example,but could not filter out emails to bob@aol.com
that also included the word,personal.” Instead,the tool required the collec-
tion of all emails to bob@aol.com,even if personal emails were beyond the
scope of a court order,While this extra invasion of privacy might not mat-
ter to a business,it makes a difference to a law enforcement agency,as it
raises the prospect that the tool might illegally collect information beyond
the scope of a court order,To ensure that the FBI would have a tool that
complied exactly with the terms of a court order,the FBI decided it needed
to develop its own surveillance tools tailored specifically to the limits of the
surveillance laws.
215
The FBI developed such a tool relatively late because law enforcement
agencies like the FBI rarely use their own surveillance tools when imple-
menting court orders,In most cases,the FBI simply hands the court order
to the ISP,which implements the order itself using its own tools.
216
Al-
though the ISP’s surveillance tools might collect more information than re-
quired by the court order,the ISP can manually filter the results and
exclude sensitive information before handing over the data to the FBI.
217
From a law enforcement perspective,this scheme of indirect surveil-
lance is vastly preferable to direct surveillance,although it cannot be relied
upon exclusively,The advantage of indirect surveillance is primarily eco-
nomic; it costs less and requires fewer technical resources for the govern-
ment to outsource surveillance duties to ISPs than for the government to
213
EtherPeek is a WildPackets,Inc,software program,See WildPackets,Inc.,EtherPeek,at
http://www.wildpackets.com/products/etherpeek (last visited Feb,4,2003),According to WildPackets,
Inc.’s promotional material,EtherPeek,is an award-winning Ethernet network traffic and protocol ana-
lyzer designed to make the complex tasks of troubleshooting and debugging mixed-platform,multi-
protocol networks easy.” Id.; see also Karen J,Bannan,Sniff Out Trouble,PC MAG.,May 22,2001,at
154 (offering a product review of EtherPeek),
214
More advanced filters were not incorporated in EtherPeek until more recently,Robert J,Kohl-
hepp,AG Group’s EtherPeek 4 Gives Network Analysis a New Look,NETWORK COMPUTING,Jan,24,
2000 (noting introduction of advanced filtering capabilities on EtherPeek),at http://www.network
computing.com/1101/1101sp4.html,
215
Hearings,supra note 212,
216
See Concerning the,Carnivore” Controversy,Electronic Surveillance and Privacy in the Digi-
tal Age,Hearing Before the Senate Judiciary Comm.,106th Cong,(2000) (statement of Kevin V,Di-
Gregory,Deputy Assistant Att’y Gen.),at http://www.cybercrime.gov/kvd_0906b.htm,
217
Id,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
653
conduct the surveillance itself.
218
At times,however,ISPs lack the exper-
tise or the willingness to implement court orders on law enforcement’s be-
half,Trust of the ISP is also an issue,Indirect surveillance requires the
government to trust that the ISP can implement the court order effectively
and will turn over all of the evidence obtained to government investigators,
While this may be true with regards to major ISPs like AOL and Earthlink,
smaller ISPs may be uninterested in helping the Feds,may have other more
pressing problems,or may even be in cahoots with the criminal suspects,
This means that the government cannot rely exclusively on indirect surveil-
lance to implement its court orders,If all else fails,it must have a surveil-
lance tool that allows it to implement court orders directly.
219
The FBI dubbed the product of its efforts,Carnivore.”
220
Ironically,
the menacing name was originally intended to reflect how privacy protect-
ing the tool was designed to be.
221
The first-generation tool the FBI devel-
oped before Carnivore employed a fairly primitive filter that at times could
collect more information than a court order allowed.
222
As a result,it could
collect snippets of other communications beyond the scope of the court or-
der.
223
This tool,ate” more than it was supposed to,and so the FBI dubbed
it,Omnivore.”
224
In contrast to Omnivore,the second-generation tool had
an advanced filter that could precisely locate and record the exact informa-
tion sought,The FBI called the second-generation tool,Carnivore,” the
device only devoured the,meat” that the tool was programmed to record.
225
The FBI therefore designed Carnivore—and its progeny,such as the
third-generation tool given the more innocuous label,DCS-1000”
226
—to
218
Although no official figures are available on this point,common sense suggests that an ISP that
is familiar with its network and already has a system admininistrator employed to oversee it can more
easily and cheaply implement a court order to conduct surveillance of its network than the FBI,For the
FBI to implement the order,it must learn about the network from the ISP,and send technical specialists
out to the site in order to implement the surveillance tool,
219
In a sense,this capability is the Internet equivalent of what the telephone system guarantees by
way of the Communications Assistance for Law Enforcement Act,See 47 U.S.C,§ 1001 (2000),
220
See John Schwartz,Computer Security Experts Question Internet Wiretaps,N.Y,TIMES,Dec,5,
2000,at A16 (describing continued opposition to Carnivore); LAB,DIV.,FBI,CARNIVORE DIAGNOSTIC
TOOL,at http://www.fbi.gov/hq/lab/carnivore/carnivore2.htm (last visited Feb,4,2003),
221
See John Schwartz,Tapping into Gray Areas,New Internet Surveillance Technology Raises as
Many Questions as It Answers,HOUSTON CHRON.,Feb,16,2001,at 1 (noting that Carnivore,was de-
rived from an earlier system,called Omnivore,that captured most of the Internet traffic coursing
through a network,‘As the tool developed and became more discerning’—able to get at the meat of an
investigation—‘it was named Carnivore,’ an official said”),
222
See id.; see also IIT RESEARCH INST.,INDEPENDENT TECHNICAL REVIEW OF THE CARNIVORE
SYSTEM,FINAL REPORT 4-2 (2000) [hereinafter IITRI FINAL REPORT] (noting that Carnivore does not
over-collect,in contrast to generically available sniffer software),available at
http://www.epic.org/privacy/carnivore/carniv_final.pdf,
223
See IITRI FINAL REPORT,supra note 222,at 4-2,
224
See id,
225
See Schwartz,supra note 221,
226
See McCarthy,supra note 64,at 828 n.5,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
654
ensure compliance with court orders while minimizing the invasion of pri-
vacy,In fact,the tool’s user interface was designed with the law specifi-
cally in mind,the Carnivore software,which runs on a home PC or a
laptop,
227
prompts the user to enter in the exact type of traffic that the court
order specifies—e.g.,pen/trap vs,full content,email envelope vs,packet
envelope.
228
The program then executes the court order as instructed,Of
course,legitimate concerns exist that the program may malfunction,and as
with any tool,human error can cause the program to be configured incor-
rectly.
229
Assuming the tool performs as it is designed to perform,however,
it should be a privacy-protecting Internet surveillance tool as compared to
the commercially available alternatives,In fact,Carnivore is essentially an
everyday Internet tool with a few extra features designed to ensure compli-
ance with court orders,As Peter Swire has pointed out,it could have been
called the,Internet court order compliance tool.”
230
Unfortunately,both commentators and the press have portrayed Carni-
vore as a frightening and mysterious beast that invades privacy willy-nilly.
231
The menacing name itself probably accounts for much of this criticism,and a
misunderstanding of how the Internet inverts the traditional relationship be-
tween privacy and technology accounts for much of the rest,The physical
reality of the tool’s installation at ISPs in the form of a sealed black box has
not helped the FBI,either.
232
While Carnivore’s critics point to this as proof
of the tool’s dangers,
233
it instead reflects privacy and legal constraints,In-
stalling the tool at the ISP minimizes the amount of Internet traffic that needs
to be scanned,
234
minimizing the invasion of privacy,Sealing the computer
preserves the chain of custody for evidentiary purposes.
235
227
See IITRI FINAL REPORT,supra note 222,at 2–3,
228
See id,at ch,4,
229
See supra notes 191–95 and accompanying text,
230
See Peter Swire,Panel Presentation at AALS Conference Panel on Internet Privacy,New Or-
leans (Jan,6,2002),
231
See,e.g.,Schwartz,supra note 196,at A14 (“When Carnivore sits down to eat,it tastes every-
thing.”),For an amusing example of this hysteria,see Future Solutions,Stop Carnivore NOW!,at
www.stopcarnivore.org (last visited Feb,4,2003),
232
Press Release,American Civil Liberties Union,In Unique Tactic,ACLU Seeks FBI Computer
Code on,Carnivore” and Other Cybersnoop Programs (July 14,2000) [hereinafter ACLU Press Re-
lease],at http://www.aclu.org/news/2000/n071400a.html.,‘Right now,the FBI is running this software
out of a black box,’ said Barry Steinhardt,Associate Director of the ACLU.,,, ‘The FBI is saying,
‘trust us,we’re not violating anybody’s privacy.’ With all due respect,we’d like to determine that for
ourselves.’” Id,
233
See,e.g.,id,
234
This is true for any kind of prospective Internet surveillance,Because tapping the line requires
scanning the traffic passing through the line to identify the particular items sought in the court order,the
best way to minimize the invasion of privacy is to install the tap where the amount of traffic unrelated to
the court order is at an absolute minimum,When monitoring an Internet account,this will generally
mean the ISP that hosts the account,Installing the monitoring device elsewhere would increase the
amount of unrelated traffic scanned,
235
Imagine that you are a prosecutor attempting to persuade a jury that records collected by a
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
655
C,The Effect of the USA Patriot Act on Carnivore
Opponents of the Patriot Act allege that the Act encourages the use of
Carnivore,As the analysis above indicates,this is an odd point of criticism
since Carnivore is generally more privacy enhancing than other less sophis-
ticated packet sniffers in everyday use at ISPs,But even on its face,the
criticism rings hollow,
The view that the Patriot Act furthers the use of Carnivore is based
largely on a faulty logical premise,The premise is that because Carnivore
provides a means of conducting Internet surveillance,a law that appears to
further the government’s ability to conduct the use of Internet surveillance
must also further the use of Carnivore,The problem is that Carnivore is
merely one particular tool among many that could be used to conduct elec-
tronic surveillance,and there is no reason to think that the Patriot Act en-
courages the use of Carnivore as compared to any other tool (in fact,as we
shall see shortly the opposite is true),
As a result,the statement that the Patriot Act encourages the use of
Carnivore is akin to saying that a new highway bill furthers the use of Vol-
vos,Yes,some cars on the road are Volvos,Yes,a new law that helps the
highway system may eventually encourage more driving,some of which
presumably will be done behind the wheel of Volvos,But the connection
between the highway bill and a particular make or model of car is tenuous,
as there are hundreds of different cars that can be driven,and there is no
reason to think that a highway bill would encourage the use of Volvos more
than any other car,Tying the Patriot Act to the increased use of Carnivore
rests on similarly weak logic,
In part,the problem is that the Carnivore debate has been focused on
the wrong question,The critical question is not what particular tool is used
to conduct surveillance,but instead what the law authorizes the government
to do,and whether the government stays within the scope of that authority,
Again,a comparison to an automobile proves helpful,It is crime to drive a
car above the speed limit,
236
or to drive a car while drunk,
237
or to possess a
stolen car.
238
However,whether the car happens to be a Ford or a Chevrolet
packet sniffer installed by the FBI link the defendant to a crime,If the employees of the ISP had access
to the sniffer,your job could become quite difficult,Any good defense attorney will try to raise reason-
able doubt based on the untrustworthiness of records that were created by the FBI’s sniffer but open to
falsification by anyone present at the ISP,If employees could access the sniffer,they could modify the
sniffer,reconfigure the settings,falsify data,and tamper with the evidence,Cf,United States v,
Whitaker,127 F.3d 595,602 (7th Cir,1997) (noting that defendant’s argument that computer records
were unreliable because,with a few keystrokes” they could be modified or deleted was a question for
the jury),In contrast,if the device is sealed and cannot be accessed by the ISP,this minimizes one
source of possible tampering,
236
See,e.g.,VA,CODE ANN,§ 46.2-878.2 (Michie 2002),
237
See,e.g.,id,§ 18.2-266 (“It shall be unlawful for any person to drive or operate any motor vehi-
cle,,, while such person is under the influence of alcohol,,,,”),
238
See,e.g.,id,§ 18.2-109,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
656
is entirely irrelevant,What matters is not the model of the car,but what the
driver does with the car and whether that is legal or illegal,
Whether the government uses Carnivore or some other tool to conduct
prospective surveillance,the legal questions remain the same,Unless an
exception to the statute applies,the government must obtain a pen register
order to obtain,dialing,routing,addressing,and signaling information,”
and must obtain a Wiretap Order to obtain,contents.” This was true before
the Patriot Act (although the first part was uncertain),and it is true after the
Patriot Act,If the government does not obtain the right court orders,it vio-
lates the statute regardless of whether it has used Carnivore or Fluffy
Bunny.
239
D,The Patriot Act and New Rules for Direct Versus Indirect
Surveillance of Packet Switched Networks
Notably,the Patriot Act does include one amendment that is designed
to address Carnivore,However,this amendment is actually a pro-privacy
law,designed to monitor Carnivore by imposing a reporting requirement on
direct prospective surveillance of the Internet by law enforcement.
240
The
reporting requirement has been codified at 18 U.S.C,§ 3123(a)(3) and re-
quires a law enforcement agency to file a detailed report whenever it installs
its own surveillance device on an ISP available to the public pursuant to a
pen register order.
241
The report must identify,any officer or officers who
installed the device and any officer or officers who accessed the device to
obtain information from the network,”
242
,the date and time the device was
installed,the date and time the device was uninstalled,and the date,time,
and duration of each time the device is accessed to obtain information,”
243
“the configuration of the device at the time of its installation and any subse-
quent modification thereof,”
244
and,any information which has been col-
lected by the device.”
245
The provision was added to the Patriot Act at the
239
Currently,there is no Internet surveillance tool called Fluffy Bunny,However,the FBI may
want to try using the name,
240
See 18 U.S.C.A,§ 3123(a)(3) (West Supp,2002),
241
The reporting requirement is triggered when a,law enforcement agency implementing an ex
parte order under [the Pen Register Statute] seeks to do so by installing and using its own pen register or
trap and trace device on a packet-switched data network of a provider of electronic communication ser-
vice to the public.” 18 U.S.C.A,§ 3123(a)(3)(A),Although this statutory text does not mention Carni-
vore or DCS-1000 by name,Congress clearly intended to regulate the program,since the primary law
enforcement tool for conduct direct prospective surveillance is Carnivore and the third-generation DCS-
1000,and the,packet-switched data network” is a network connected to the Internet,The requirement
that the service be available,to the public” is explained in Andersen Consulting v,UOP,991 F,Supp,
1041,1042–43 (N.D,Ill,1998),
242
18 U.S.C.A,§ 3123(a)(3)(A)(i),
243
Id,§ 3123(a)(3)(A)(ii),
244
Id,§ 3123(a)(3)(A)(iii),
245
Id,§ 3123(a)(3)(A)(iv),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
657
insistence of House Majority Leader Dick Armey in an effort to increase the
judicial review of the use of Carnivore as a way of implementing pen regis-
ter orders.
246
Contrary to reports that the Patriot Act unleashed Carnivore,
the Patriot Act actually introduced measures that specifically monitor and
restrict its use.
247
Although the Patriot Act’s reporting requirement is a modest regulation
on the whole,its suspicion of direct surveillance reflects a significant shift
from the traditional approach found in United States surveillance and search
and seizure law,Federal privacy laws have traditionally preferred that law
enforcement implement court orders itself,and have signaled significant
skepticism at the prospect of allowing private parties to implement court
orders on the government’s behalf,For most of the last century,the norm
has been police implementation of their own court orders,and the exception
has been giving the responsibility over to the private provider,For exam-
ple,federal law governing the execution of search warrants actually prohib-
its private parties from executing search warrants on behalf of law
enforcement.
248
Similarly,when the Wiretap Act first allowed the FBI to
conduct prospective surveillance of the telephone network in 1968,it effec-
tively required the FBI to conduct direct surveillance,While the telephone
company could volunteer to help the government,providers could not be
compelled to execute the court order on the government’s behalf.
249
Con-
gress later amended the statute in 1970 to allow the courts to compel pro-
viders to help the government,but offered the government the choice,it
could either implement the order itself,or it could order the provider to im-
plement the order on its own and to send the results to law enforcement.
250
246
Editorial,Proceed with Caution,DENVER POST,Oct,26,2001,at B6 (“There are some safe-
guards,such as,,, a requirement,added at the last minute by House Majority Leader Dick Armey,R-
Texas,that a judge monitor the FBI’s use of the controversial Carnivore email surveillance system.”),
247
An even greater irony is that technological advances in commercial packet sniffers may have
significantly decreased the need for the FBI’s own surveillance tool,In the last two years,for example,
new versions of the commercial EtherPeek software have been introduced that significantly enhanced
the tool’s filtering capability,See,e.g.,WildPackets,Inc.,WildPackets Releases EtherPeek? v4.2,
New Version of Industry’s Leading Packet Analyzer Provides Multiple Filtering and Decoding Up-
grades (Aug,2,2001) (noting the introduction of advanced filtering capabilities in version 4.2 of Ether-
Peek,including,‘Accept Matching’ and ‘Reject Matching’ Filter Modes”),at http://www.wild
packets.com/corporate/news/01-08-02,If EtherPeek allows system administrators to implement surveil-
lance orders quickly and effectively,Carnivore and its progeny will be needed less and less often,
248
See 18 U.S.C.A,§ 3105 (“A search warrant may in all cases be served by any of the officers
mentioned in its direction or by an officer authorized by law to serve such warrant,but by no other per-
son,except in aid of the officer on his requiring it,he being present and acting in its execution.”),
249
In re Application of the United States,427 F.2d 639,644 (9th Cir,1970) (“If the Government
must have the right to compel regulated communications carriers or others to provide such assistance,it
should address its plea to Congress.”),
250
See 18 U.S.C.A,§ 2518(4) (“An order authorizing the interception,,, shall,upon request of the
applicant,direct that a provider of wire or electronic communication service,,, shall furnish the appli-
cant forthwith all information,facilities,and technical assistance necessary to accomplish the intercep-
tion,,,,” (emphasis added)),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
658
This is the standard that Congress has consistently enacted in surveillance
laws since 1970,Congress has offered law enforcement the choice of how
it wants to implement surveillance orders,without placing a thumb on the
scale in favor of either direct or indirect surveillance.
251
IV,THE COMPUTER TRESPASSER EXCEPTION TO THE WIRETAP ACT
A third major criticism of the USA Patriot Act centers on a new excep-
tion to the Wiretap Act,the computer trespasser exception.
252
The com-
puter trespasser exception concerns prospective content surveillance and
allows law enforcement to intercept the contents of Internet communica-
tions sent by a,computer trespasser” without a warrant from the computer
of a consenting victim of the trespasser.
253
The computer trespasser excep-
tion proved so controversial that Congress enacted it only pursuant to a sun-
set provision,the exception will cease to exist on December 31,2005,
unless Congress chooses to reauthorize it.
254
According to its critics,the
sunset provision was necessary because the computer trespasser exception
poses significant dangers to privacy.
255
This Part explains why the computer trespasser exception is an impor-
tant and appropriate addition to the Wiretap Act that should make sense to
law enforcement and civil libertarians alike,In the interests of full disclo-
sure,I should make clear that I am not a neutral player in this debate,I first
proposed adding a computer trespasser exception to the Wiretap Act to sev-
eral colleagues at the Justice Department in the summer of 1999 and pushed
it within DOJ until I left in the summer of 2001,My understanding is that
these efforts helped persuade other DOJ officials to support a computer
trespasser exception,and that such an exception eventually became a part of
the package that DOJ picked up as its Anti-Terrorism proposal,The DOJ
proposal then led in modified form to the Patriot Act,While I had no in-
volvement in the DOJ proposal after September 11,I think I was in some
sense,present at the creation” of the computer trespasser exception,
This Part begins by showing how the structure of the Wiretap Act re-
flects its origins as a means of protecting telephone privacy,and how apply-
ing the same legal framework to the Internet triggers the need for a
computer trespasser exception,It then explains how the computer tres-
251
Notably,however,the postal service regulation governing mail covers is an indirect regulation,
it allows the Postal Service to implement a mail cover,but no others,39 C.F.R,§ 233.3 (2002),Of
course,this is easier to do in the case of the postal mail given that the government Postal Service enjoys
a monopoly over postal mail,
252
See,e.g.,Rosen,supra note 81,at 12,
253
See 18 U.S.C.A,§ 2511(2)(i),
254
See Pub,L,107-56,§ 224 (“[T]his title and the amendments made by this title,,, shall cease to
have effect on December 31,2005.”),
255
See Rosen,supra note 81,at 12 (suggesting that the broad language of the original proposed text
of the exception would allow the government to monitor all of an Internet user’s communications when-
ever the user violated minor rules,like her ISP’s terms of service),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
659
passer exception fills this need,and carves out a middle course that will
preserve privacy protections and more closely translate Fourth Amendment
protections to the Internet,The Part argues that the computer trespasser ex-
ception better matches the Wiretap Act’s protections to the Fourth Amend-
ment,and in the end should increase the privacy protection of the Wiretap
Act by imposing limits on the scope of other exceptions to the Wiretap Act
and implicitly broadening the scope of what constitutes,contents.” At the
same time,the Part concludes that civil libertarian critics of the trespasser
exception have valid concerns about the current language and that the text
needs slight redrafting to clarify its scope and purpose,
A,The Structure of the Wiretap Act and the Assumptions of
the Telephone System
To understand why the Wiretap Act needs a computer trespasser ex-
ception,it is necessary to explore how the Wiretap Act applies to the com-
munications network for which it was designed,the telephone network,As
enacted in 1968,the Wiretap Act imposes a strikingly broad privacy regime
that protected essentially all telephone communications within the United
States.
256
The Act presumes that all telephone communications would oc-
cur between two human,parties”
257
to the call,It prohibits both the gov-
ernment and private parties from breaking into the communication with a
surveillance tool to tap the,contents”
258
of the communication without a
special court order.
259
The prohibited act of surveillance can be represented
with the following figure,
FIGURE 2,PROHIBITED ACT OF SURVEILLANCE
256
See CCIPS MANUAL,supra note 15,at 150–51,
257
18 U.S.C.A,§ 2511(2)(c) (West Supp,2002),
258
Id,§ 2510(8),
259
Id,§ 2518,
PARTY A
D evice
PARTY B
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
660
This scheme is easy to understand in the case of a telephone call,imagine
A and B conversing on a dedicated line and a surveillance device being used
to tap the line and intercept their conversation,The Wiretap Act makes it a
crime for anyone to use a device to tap the line between A and B without a
“super warrant” court order,subject to a few exceptions.
260
Although the Wiretap Act has many exceptions,only two are particu-
larly important,The first is the consent exception.
261
The exception allows
any,party to the communication”
262
to consent to surveillance,In the case
of the telephone call between A and B,the parties to the communication
prove easy to identify,they are A and B.
263
This exception allows tele-
phone call participants to record the calls,or to consent to having someone
else do so.
264
So long as one participant consents to the monitoring,the
surveillance does not violate the Wiretap Act,The courts have construed
consent fairly broadly in this context,as notice that monitoring will occur
can generate consent.
265
If a person uses the telephone after receiving no-
tice that he will be monitored,the theory goes,he has given,implied con-
sent” to monitoring.
266
However,if the telephone user has not either
expressly consented to or received notice of the monitoring,consent will
not be,cavalierly implied.”
267
The second important exception allows providers to intercept com-
munications through their network when it is a,necessary incident,,,
to the protection of the rights or property of the provider of that ser-
vice.”
268
In the parlance of Part I of this Article,this is a provider
power,not a government power,and is often known as the provider ex-
ception.
269
In the telephone context,the provider exception permits the
phone company to wiretap phones when it is necessary to combat unau-
260
Id,§ 2511(1),
261
Id,§ 2511(2)(c)–(d),
262
Id,
263
See United States v,Campagnuolo,592 F.2d 852,863 (5th Cir,1979) (noting that a,party” to a
telephone call means,the person actually participating in the communication” (quoting S,REP,NO,
1097,90th Cong,(1968),reprinted in 1968 U.S.C.C.A.N,2112,2182)),
264
18 U.S.C.A,§ 2511(2)(c)–(d),If the party is not acting under color of law,he must not have the
purpose to commit,any criminal or tortious act.” Id,§ 2511(2)(d),
265
United States v,Amen,831 F.2d 373,378 (2d Cir,1987),Implied consent exists when circum-
stances indicate that a party to a communication was,in fact aware” of monitoring,and nevertheless
proceeded to use the monitored system,United States v,Workman,80 F.3d 688,693 (2d Cir,1996); see
also Griggs-Ryan v,Smith,904 F.2d 112,116–17 (1st Cir,1990) (“[I]mplied consent is consent in fact
which is inferred from surrounding circumstances indicating that the [party] knowingly agreed to the
surveillance.” (internal quotations omitted)),Proof of notice to the party generally supports the conclu-
sion that the party knew of the monitoring,See Workman,80 F.3d,at 693,
266
See Berry v,Funk,146 F.3d 1003,1011 (D.C,Cir,1998),
267
Watkins v,L.M,Berry & Co.,704 F.2d 577,581 (11th Cir,1983),
268
18 U.S.C.A,§ 2511(2)(a)(i),
269
See CCIPS MANUAL,supra note 15,at 161–66,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
661
thorized use of the phone network.
270
The exception arose out of a series
of,blue box” cases in the 1960s,in which individuals used illegal blue
box devices that allowed them to trick the telephone system into letting
them make unlimited long-distance calls for free.
271
Importantly,how-
ever,the courts have stressed that this is a narrow exception,it only al-
lows the phone company to conduct limited surveillance for business-
related reasons,
272
and does not allow them to monitor even unauthorized
use to help law enforcement.
273
The structure of the Wiretap Act allows it to produce counterintui-
tive results,Many lawyers and citizens assume that wiretapping powers
track ownership in the network,if a company owns the network and
provides the phones,the assumption is that it must have intrinsic author-
ity to monitor the network.
274
Not so,In fact,ownership of the network
bestows no special monitoring privileges under the Wiretap Act;
275
nor
does unauthorized use trigger any traditional exception.
276
Under the
Wiretap Act,an employee successfully sued her employer for listening
to the employee’s personal calls at work on the employer’s phone during
work hours.
277
More remarkably,a kidnapper once successfully sued the
police for wiretapping his illegally cloned cellular phone calls in the
course of locating the kidnapper and freeing his victim.
278
Because the
monitoring in these two cases fell outside of the Act’s exceptions,the
monitoring violated the Wiretap Act,
270
United States v,Auler,539 F.2d 642,645–46 (7th Cir,1976),
271
See,e.g.,Bubis v,United States,384 F.2d 643,648 (9th Cir,1967),
272
See id,
273
See McClelland v,McGrath,31 F,Supp,2d 616,619 (N.D,Ill,1998),
274
The New York Times has often repeated this as fact,See,e.g.,Carl S,Kaplan,Big Brother as a
Workplace Robot,N.Y,TIMES,July 24,1997,at http://www.nytimes.com/library/cyber/law/072497
law.htm,
275
A possible exception is the so-called,extension telephone” exception,See 18 U.S.C.A,§
2510(5)(a) (West Supp,2002),This exception makes clear that when a phone company furnishes an
employer with an extension telephone for a legitimate work-related purpose,the employer’s monitoring
of employees using the extension phone for legitimate work-related purposes does not violate Title III,
See Watkins v,L.M,Berry & Co.,704 F.2d 577,582 (11th Cir,1983) (applying exception to permit
monitoring of sales representatives); Briggs v,Am,Air Filter Co.,630 F.2d 414,418 (5th Cir,1980)
(reviewing legislative history of Title III); James v,Newspaper Agency Corp.,591 F.2d 579,581 (10th
Cir,1979) (applying exception to permit monitoring of newspaper employees’ conversations with
customers),
276
Or at least it did not until the computer trespasser exception,
277
Deal v,Spears,980 F.2d 1153,1157–58 (8th Cir,1992) (holding employer liable for listening in
on employee’s phone calls at work,on the ground that employer merely told employee that employer
“might” listen in on employee’s calls,which was insufficient to generate consent),
278
McClelland,31 F,Supp,2d at 619 (denying officers’ motion for summary judgment on the
ground that the officers had encouraged the cellular service provider to engage in the monitoring,and
therefore that it fell outside the provider exception),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
662
B,Applying the Wiretap Act to the Internet,How Do the Exceptions Apply
and Who Is a Party to the Communication?
So much for the telephone,How about the Internet? In 1986,Con-
gress enacted the Electronic Communications Privacy Act (ECPA).
279
ECPA created the basic statutory framework for Internet surveillance that
exists today,Among the important changes brought about by ECPA was
that the law applied the privacy protections of the telephone Wiretap Act to
computer networks,The 1986 Act added,electronic communications” to
the telephone,wire communications” that the Wiretap Act protected,bring-
ing the entire Internet within the broad protection of the wiretap laws,
Adding Internet email to the category of communications protected by
the Wiretap Act made obvious sense,However,it also created a series of
difficult analytical problems that its drafters apparently failed to foresee,
The difficulty begins with the fact that there is a great deal to the Internet
beyond email,as demonstrated in Part I,Internet communications can con-
sist of emails,but they also take the form of web pages in transit,computer
commands sent to remote servers,music or pornography files,network traf-
fic,and other communications.
280
The Internet does not just provide a
means of letting people connect with other people,it also creates a com-
munications network that supports a range of hardware and software that
together foster a virtual world of cyberspace.
281
The Internet’s multifunctionality creates a series of puzzling problems
that complicates attempts to apply the Wiretap Act to it,Part II confronted
the problem of what are the,contents” of a communication in the case of a
human-to-computer communication,such as a computer command to re-
trieve a web page.
282
This problem is matched with an even more puzzling
question that helps explains the need for the computer trespasser exception,
How does the consent exception apply to the Internet? More specifically,
who is a,party to the communication” who can consent to monitoring in
the case of a human-to-computer or computer-to-computer communication?
The scope of privacy protection that the Wiretap Act provides hinges on the
answer to this question,
The question’s critical importance can be demonstrated by considering
a hypothetical law enforcement investigation into computer hacking,drawn
from several cases that I worked on at the Justice Department,When the
government investigates a computer hacking incident,investigators gener-
ally start at the victim that has reported the crime and trace back the attack
to its origin,To avoid detection,hackers will not mount their attacks di-
rectly from their ISPs,Rather,they will route communications through a
279
Electronic Communications Privacy Act of 1986,Pub,L,No,99-508,100 Stat,1848,1986
U.S.C.C.A.N,3555,
280
See GRALLA,supra note 24,at 2,
281
See generally LAWRENCE LESSIG,CODE AND OTHER LAWS OF CYBERSPACE (1999),
282
See supra notes 181–95 and accompanying text,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
663
few victim computers along the way to throw the government off the
trail.
283
This can effectively disguise their location because computers only
reveal the immediate source from which a user sent a communication,If a
user routes a command from A to B to C to D,the computer at D will only
know that the command came from C,and will not know that the command
actually originated from A,To identify the intruder,the government must
trace the communication step by step from D to C to B to A,
The rules that govern this tracing process depend heavily on whether
the computers that the hacker has victimized count as parties to the com-
munication under the Wiretap Act,Consider an example,Imagine that a
computer hacker in New York plans to attack sensitive Defense Department
computers in California,and starts off by accessing the Internet through his
ISP in New Jersey,Rather than hack directly into the Defense Department
computers in California,the hacker first breaks into a computer at a small
company in Nebraska,and from that site in Nebraska he hacks into another
computer belonging to a high school in Arizona,Finally,from the com-
puter in Arizona he launches a computer attack against Defense Department
computers in California that contain potentially sensitive information relat-
ing to national security,Defense Department criminal investigators then
begin an investigation into the attacks,
We can appreciate the importance of identifying who is a party to the
communication by imagining how the investigation will likely proceed,
From the perspective of the victims at the Defense Department,they will only
know that they are under attack from a computer at a high school in Ari-
zona.
284
Agents will call up the school and let them know that either a stu-
dent at the school is attacking them,or that they have a hacker inside their
network,The agents would prefer that the high school monitor the hacker’s
source and either identify him (if he is local),or else identify the next step
back in the chain (if he is not),It is possible that the high school will eagerly
and capably help the law enforcement agents; they will monitor the hacker it-
self and disclose to the agents that the next link back in the chain was the
company in Nebraska,However,watching the attack occur is itself an inter-
ception of electronic communications under the Wiretap Act,and must be
justified by an exception to the Act,If the school volunteers this information,
the provider exception would clearly allow the school to conduct the monitor-
ing and disclose it to the agents.
285
The agents can then turn to the company
in Nebraska and repeat the process,hoping it leads them to the ISP in New
Jersey,which can identify the hacker as its customer,
283
This is a common tactic among hackers,See CCIPS MANUAL,supra note 15,at 160 (“When a
hacker launches an attack against a computer network,.,, he may route the attack through a handful of
compromised computer systems before directing the attack at a final victim.”),
284
This is true because they can read only the packets that are directed to them,and those packets
will only have the IP addresses of the computers that are the next hop back in the chain,
285
18 U.S.C.A,§ 2511(2)(a)(i) (West Supp,2002),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
664
However,the legal picture shifts considerably if the school will permit
the agents to monitor its network,but lacks the expertise or resources to
monitor users itself,The provider exception does not itself allow law en-
forcement to step in and conduct monitoring on a provider’s behalf,even
with the provider’s consent.
286
As a result,whether the police can conduct
the monitoring with the school’s consent depends on whether the school is a
“party” to the hacker’s communication,If the school is a party,the school
can consent to law enforcement monitoring; if it is not a party,the school
cannot consent to the monitoring without violating the Wiretap Act,
Whether the school constitutes a party under the Wiretap Act then
hinges upon how the hacker’s attack is modeled,On one hand,if the
hacker sent a communication to the school with instructions for the school’s
computer to launch attacks against the California victims,then the school
itself is a party to the communication and can consent to the government’s
monitoring,This approach reflects a broad theory of the,party to the
communication” exception,On the other hand,if we say that the hacker
himself sent the communication to the California victim but merely routed
the communication through the school,then the school is not a party and
cannot consent.
287
This approach applies a narrow conception of the,party
to the communication” exception,
What complicates this picture is that labeling the school a party to the
communication may sound logical here because the school is a victim of
crime,but ultimately would eviscerate the privacy protections of the Wire-
tap Act,Internet communications almost never travel directly from their
point of origin to their destination,most travel from hop to hop as they
286
See McClelland v,McGrath,31 F,Supp,2d 616,619 (N.D,Ill,1998),
287
One way for law enforcement to get around this problem is to have the ISP install a,banner,”
which is a notice that tells users that their use may be monitored,CCIPS MANUAL,supra note 15,at
app,A,at 197 (“Network banners are electronic messages that provide notice of legal rights to users of
computer networks.”),If a user sees the banner but proceeds to use the network,then cases indicate that
he has,consented” to monitoring and therefore subsequent monitoring will not violate Title III,See,
e.g.,United States v,Amen,831 F.2d 373,379 (2d Cir,1987) (applying such reasoning in the context of
telephone monitoring),There are two difficulties with this approach,First,it is disturbing from a pri-
vacy standpoint,it requires all users who see the banner to relinquish their rights against monitoring
solely to allow law enforcement to monitor unauthorized hackers,It may be possible to banner the net-
work narrowly,but when it is not the use of a banner requires a broad waiver of privacy protection from
entirely innocent network users,Second,if the hacker comes up with a clever way to enter the network
that allows him to bypass the banner,the cases suggest that the government still cannot monitor the
hacker unless it shows,convincingly” that the hacker actually knew of the monitoring,See,e.g.,United
States v,Lanoue,71 F.3d 966,981 (1st Cir,1995) (“The surrounding circumstances must convincingly
show that the party knew about and consented to the interception in spite of the lack of formal notice or
deficient formal notice.”),This is extremely difficult to do in the electronic context,The result is an
unsatisfying (if not downright silly) cat-and-mouse game between the hackers and law enforcement,in
which the cops try to place the banners in front of the hackers to try to establish their consent,and the
hackers try to evade them,When I was at the Justice Department,this cat-and-mouse game was a sig-
nificant dynamic in many computer intrusion investigations,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
665
traverse the network.
288
If each hop is a party to the communication,as the
broader approach to the exception would dictate,then any provider can
monitor any communication within its network or can consent to monitor-
ing by others,
Take the example of email,If a friend sends me an email from his account
at eck@panix.com to my law school account at okerr@main.nlc.gwu.edu,he is
actually sending the message to his ISP,panix.com,with instructions to
send it to the George Washington University server,main.nlc.gwu.edu,with
instructions for the GW server to send the message into the,okerr” ac-
count.
289
If every hop is a party to communications it handles,that means
that both Panix and GW are parties to the email between my friend and I
and that both can consent to law enforcement monitoring of every email
sent to or from their networks,This would be quite remarkable,It would
mean that AOL would be able to watch all of the emails sent or received by
its users because AOL was itself a,party” to those emails,In fact,the
owner of every computer would have a right to consent to total surveillance
of any communication directed to it,
When taken from the telephone context and applied to the Internet,the
consent exception creates an unstable fulcrum upon which to rest Internet
surveillance practice,The consent exception can either apply very broadly
or very narrowly,and both extremes produce disturbing results,The broad
reading of the consent exception eviscerates the Wiretap Act’s privacy pro-
tections and the narrow reading broadens the protections to the point that
they do not even allow investigators to watch criminal attacks occur,While
the Wiretap Act makes perfect sense as applied to the telephone network,
translating its protections to the Internet results in either too little privacy or
too much,
C,The Computer Trespass Exception,An Attempted Middle Ground
The idea of a computer trespasser exception to the Wiretap Act first
surfaced within the Justice Department in the summer of 1999,The goal
was to fashion a new exception to the Wiretap Act that could take the pres-
sure off the consent exception and more closely and accurately match the
Wiretap Act to the Fourth Amendment,
To some extent,the push for a new exception reflected the adage that
“necessity be the mother of invention.”
290
Within the Justice Department,
there was a strong institutional preference for cautious approaches to apply-
ing the Wiretap Act to the Internet,If one reading of the Wiretap Act al-
lowed surveillance but another reading forbade it,the DOJ would generally
adopt the more cautious approach and refuse to sanction the surveillance,
288
See CCIPS MANUAL,supra note 15,at 102,
289
See GRALLA,supra note 24,at 88–89,93,
290
GEORGE FARQUHAR,The Twin Rivals,in THE RECRUITING OFFICER AND OTHER PLAYS 79,93
(1672) (William Myers ed.,1995),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
666
Under these restrictions,most of the government’s investigations into com-
puter hacking proved unsuccessful because the government normally could
not monitor the hacker’s communications,which made it difficult to iden-
tify the hacker or understand the scope of the hacker’s activity,Even
though hacking victims were often willing to consent to law enforcement
surveillance of the hacker within their network,the DOJ understood the law
to forbid such a move.
291
In most cases,the hacker’s trail went cold and the
case remained unsolved,
The purpose of the computer trespasser exception was to carve out a
narrow exception that would allow monitoring of hacker communications in
some instances without disrupting an otherwise narrow reading of the con-
sent exception,The proposed exception acted as a cross between the exist-
ing provider exception and consent exception,it would allow the
government to intercept the communications of computer hackers who did
not have authorization to use the network when the owner of the network
consented to the surveillance,Conceptually,this aligned the Wiretap Act
more closely to the Fourth Amendment,If we understand a hacker’s com-
munications as the virtual equivalent of a burglar inside the victimized net-
work,
292
then a hacker has no reasonable expectation of privacy in his attack
and the Fourth Amendment would not afford him any privacy rights against
monitoring.
293
From the perspective of victims’ rights,this also matched
victims’ options online and off,A victim of a burglary in his home can
consent to monitoring of a burglar there,Similarly,a victim of hacking
should be able to consent to monitoring of a hacker within its network.
294
The proposed computer trespass exception went through various drafts
from the summer of 1999 until the fall of 2001,when the DOJ introduced it
as part of the Justice Department’s proposed Anti-Terrorism Act,The lan-
guage went through various changes during the legislative process until it
emerged in its final form,In its final form,the exception states,
291
Cf,Orin S,Kerr,Are We Overprotecting Code? Thoughts on First-Generation Internet Law,57
WASH,& LEE,L,REV,1287,1298 (2000),
292
See Compuserve,Inc,v,Cyber Promotions,Inc.,962 F,Supp,1015,1021 (S.D,Ohio 1997)
(noting cases analogizing computer hacking to trespassing),
293
See Kerr,supra note 291,at 1298,
294
This rationale matches the one offered by the Justice Department in the,field guide” it released
to the public to help explain the Patriot Act,Prior law,the field guide noted,arguably
prevented law enforcement from assisting victims to take the natural and reasonable steps in their
own defense that would be entirely legal in the physical world,In the physical world,burglary
victims may invite the police into their homes to help them catch burglars in the act of committing
their crimes,The wiretap statute should not block investigators from responding to similar re-
quests in the computer context simply because the means of committing the burglary happen to
fall within the definition of a,wire or electronic communication” according to the wiretap statute,
U.S,DEP’T OF JUSTICE,FIELD GUIDANCE ON NEW AUTHORITIES ENACTED IN THE 2001 ANTI-
TERRORISM LEGISLATION 10,at http://www.epic.org/privacy/terrorism/DOJ_guidance.pdf (last visited
Feb,4,2003),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
667
It shall not be unlawful under this chapter for a person acting under color of
law to intercept the wire or electronic communications of a computer tres-
passer transmitted to,through,or from the protected computer,if—
(I) the owner or operator of the protected computer authorizes the interception
of the computer trespasser’s communications on the protected computer;
(II) the person acting under color of law is lawfully engaged in an investiga-
tion;
(III) the person acting under color of law has reasonable grounds to believe
that the contents of the computer trespasser’s communications will be relevant
to the investigation; and
(IV) such interception does not acquire communications other than those
transmitted to or from the computer trespasser.
295
The law also defines,computer trespasser” as follows,
(A) means a person who accesses a protected computer without authorization
and thus has no reasonable expectation of privacy in any communication
transmitted to,through,or from the protected computer; and
(B) does not include a person known by the owner or operator of the protected
computer to have an existing contractual relationship with the owner or opera-
tor of the protected computer for access to all or part of the protected com-
puter.
296
This approach largely captures the essence of the original proposed com-
puter trespasser exception,It allows the government to intercept the com-
munications of a,computer trespasser” with the consent of the owner or
operator of the trespasser’s victim,In particular,the language of the excep-
tion clearly contemplates a situation like the one in my earlier hypothetical,
in which government agents investigating a hacking incident need a vic-
tim’s consent to trace the communication the next hop back in the chain,In
these circumstances,“person[s] acting under color of law”
297
will be,law-
fully engaged in an investigation”
298
and will then approach the owner or
operator of the system to have them,authorize the interception.”
299
The
agents will then intercept the communications of the computer trespasser
that they have,reasonable grounds to believe”
300
will let them trace back or
identify the hacker,
Unfortunately,the current text of the exception contains a few quirks
that Congress will likely have to revisit and revise,For example,one con-
dition of the exception states that it applies only when,such interception
does not acquire communications other than those transmitted to or from
295
18 U.S.C.A,§ 2511(2)(i)(I)–(IV) (West Supp,2002),
296
Id,§ 2510(21),
297
Id,§ 2511(2)(i),
298
Id,§ 2511(2)(i)(II),
299
Id,§ 2511(2)(i)(I),
300
Id,§ 2511(2)(i)(III),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
668
the computer trespasser.”
301
This can be read in two ways,Is,such inter-
ception” the interception of the precise communications that the govern-
ment seeks to justify using the trespasser exception or does it refer to an act
of interception more broadly? Under the latter reading,the exception per-
mits the government to rely on the exception only when all of the commu-
nications that the government intercepts relate to the computer trespasser,
If the monitoring picks up any communications unrelated to the hacking,
then the government cannot rely on the exception,Under the former read-
ing,the condition merely clarifies that the exception can only justify the in-
terception of a trespasser’s communication and that the interception of other
communications must still be justified using other exceptions to the Wiretap
Act,such as consent,
The DOJ field guide indicates that DOJ intended the latter interpreta-
tion,
302
and this is the far more sensible rule.
303
However,the text of the ex-
ception seems to point the other way,the exception only extends to the
interception of,communications of a computer trespasser,” which pre-
sumably means communications,transmitted to or from the computer tres-
passer.” Under the former reading,the extra language of 18 U.S.C,§
2511(2)(i)(IV) appears entirely redundant,
A similar problem afflicts the definition of,computer trespasser”
found in 18 U.S.C,§ 2510(21),This provision defines a computer tres-
passer as one,who accesses a protected computer without authorization and
thus has no reasonable expectation of privacy in any communication trans-
mitted to,through,or from the protected computer.”
304
The phrasing here is
quite strange,The term,reasonable expectation of privacy” is a constitu-
tional standard from Fourth Amendment law.
305
Whether a user who ac-
cesses a computer without authorization has any Fourth Amendment
protections in communications to,through,or from the victim computer is a
question for the courts,not Congress,
Furthermore,the current language appears to nullify most of this defi-
nition,labeling a computer trespasser as one,who accesses a protected
computer without authorization and thus has no reasonable expectation of
privacy in any communication transmitted to,through,or from the pro-
301
See id,§ 2511(2)(i)(IV),
302
The field guide explains that this language ensures that the exception,would only apply where
the configuration of the computer system allows the interception of communications to and from the
trespasser,and not the interception of non-consenting users authorized to use the computer.” U.S,
DEP’T OF JUSTICE,supra note 294,at 10 (emphasis added),
303
My understanding is that DOJ intended the computer trespasser exception to work in conjunc-
tion with a banner that would generate a user’s consent,All legitimate users would have seen the ban-
ner,justifying any inadvertent interception of their communications under the consent exception,The
computer trespasser exception could then justify the interception of the communications belonging to
hackers who managed to enter through a backdoor and did not see the banner,
304
18 U.S.C.A,§ 2510(21)(a),
305
See Katz v,United States,389 U.S,347,361 (1967) (Harlan,J.,concurring),
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
669
tected computer” is no different from defining a computer trespasser as one
“who accesses a protected computer without authorization.” The added
congressional articulation of how it thinks the courts should apply the
Fourth Amendment has no place in the statute,The better approach would
have been for the statute to define a computer trespasser as one who ac-
cesses a computer without authorization and has no reasonable expectation
of privacy,which would properly leave the constitutional question for the
courts.
306
D,The Benefits of the Computer Trespasser Exception
Despite these shortcomings,both law enforcement and civil libertari-
ans should recognize the substantial benefits to having a computer tres-
passer exception to the Wiretap Act,From a law enforcement perspective,
the exception guarantees that the Wiretap Act will not unnecessarily impede
computer hacking investigations by giving hackers privacy rights in their
attacks,This effect isn’t surprising,the DOJ pushed the exception,so we
might expect it to serve DOJ’s interests,
What is surprising is that the exception should appeal to civil libertari-
ans as well,In fact,the trespasser exception may become a powerful
weapon that civil libertarians can use in the struggle against expansive gov-
ernment wiretapping practices,The reason is subtle,and relates not to what
the trespasser exception does expressly,but rather to what it indicates im-
plicitly about how the Wiretap Act applies to the Internet,By adopting the
Justice Department’s proposal on the trespasser exception,Congress in ef-
fect adopted DOJ’s highly cautious assumptions about how the Wiretap Act
applied to the Internet,The trespasser exception explicitly grants the gov-
ernment a limited power that the government quite possibly had before the
Patriot Act,To avoid reducing the trespasser exception to a nullity,courts
can now plausibly reason that Congress meant to construe the remaining
provisions of the Wiretap Act quite narrowly,expanding the scope of the
Wiretap Act’s privacy protections in important ways,
Consider the effect of the trespasser exception on the definition of
“contents.”
307
As I discussed earlier,the scope of,contents” is an ex-
tremely important open question in Internet surveillance law.
308
The tres-
passer exception implicitly reflects a congressional recognition of a
relatively broad definition of contents; a definition broad enough to encom-
pass the bulk of a computer hacker’s communications,such as commands
306
This is the approach that Congress took when defining,oral communication,” the interception of
which is protected by Title III to prevent eavesdropping and bugging,The definition follows:,‘[O]ral
communication’ means any oral communication uttered by a person exhibiting an expectation that such
communication is not subject to interception under circumstances justifying such expectation,but such
term does not include any electronic communication,,,,” 18 U.S.C.A,§ 2510(2),
307
Id,§ 2510(8),
308
See supra notes 176–91 and accompanying text,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
670
sent to remote servers,Before the Patriot Act,DOJ could have plausibly
argued that computer commands were not,contents” under the Wiretap
Act,such that the Wiretap Act did not prohibit monitoring of hackers and
the computer commands of other users without a court order,This view
makes little sense after the Patriot Act,however,if Congress saw a need to
create a new exception to the Wiretap Act to allow the monitoring of com-
puter hackers,it implicitly must have concluded that the bulk of a hacker’s
commands and other communications are,contents” regulated by the Wire-
tap Act,Thus,the trespasser exception arguably signals an expansion of
the scope of the Wiretap Act’s privacy protections,rather than a restriction
of the Act’s scope,
The trespass exception also sends important signals about the scope of
the all-important consent exception,Before the Patriot Act,it was unclear
whether a pass-through intermediary computer could consent to monitoring,
but at least two courts of appeals had suggested that they might.
309
Such a
reading would eviscerate the privacy protection offered by the Wiretap Act,
The trespasser exception is the best argument against such a reading,the ex-
ception only makes sense if mere pass-through computers are not parties to
communications,Otherwise,the trespasser exception would merely cover
ground already covered by the consent exception,The existence of the tres-
passer exception sends a strong signal to the courts,to give effect to the tres-
passer exception,courts should construe the consent exception narrowly.
310
Ironically,the trespasser exception that has been condemned for ex-
panding the scope of wiretapping in open-ended ways
311
may have actually
narrowed the scope of government wiretapping,By implicitly rejecting the
broad reading of the consent exception and a narrow reading of contents,
309
See United States v,Mullins,992 F.2d 1472,1478 (9th Cir,1993) (stating as an alternate hold-
ing that the consent exception of § 2511(2)(d) authorizes monitoring of computer system misuse because
the owner of the computer system is a party to the communication); United States v,Seidlitz,589 F.2d
152,158 (4th Cir,1978) (concluding in dicta that a company that leased and maintained a compromised
computer system was,for all intents and purposes a party to the communications” when company em-
ployees intercepted intrusions into the system from an unauthorized user using a supervisor’s hijacked
account),
310
See Kungys v,United States,485 U.S,759,778 (1988) (noting,the cardinal rule of statutory in-
terpretation that no provision [of a statute] should be construed to be entirely redundant”),An interest-
ing question will arise if Congress decides not to renew the trespasser exception after it sunsets in 2005,
Should courts then read the remaining language in light of these cautious assumptions? Or will not re-
newing the trespasser exception be seen as a rejection of these cautious assumptions?
311
For example,Peter Swire argues that the trespasser exception
is a significant change to current law,because it creates conditions under which law enforcement
officials can station themselves in communications companies to watch phone calls,email,and
web surfing as it occurs,Some non-government experts are beginning to point out how open-
ended the computer trespasser exception may turn out to be in practice,
SWIRE,supra note 123,However,if is true with regards to the trespasser exception,it is much more true
in the case of the consent exception,which the trespasser exception implicitly narrows,And if a
hacker’s communications are not contents,then law enforcement could do this anyway without a Wire-
tap order,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
671
the trespasser exception may thwart readings of the Wiretap Act that would
radically minimize the protections of the Wiretap Act,No matter how
broadly the trespasser exception may be viewed,its impact on other provi-
sions of the Wiretap Act likely dwarfs the impact of the exception itself,
And that impact will expand privacy protections,not reduce them,
Finally,the trespasser exception more closely aligns the Wiretap Act
with the Fourth Amendment,In the physical world,the Fourth Amendment
“reasonable expectation of privacy” test protects those who are legitimately
on the premises,but not trespassers.
312
The trespasser exception does the
same for the Wiretap Act,Such an exception was unnecessary in the tele-
phone era,when all communications were person-to-person communica-
tions that seemed intrinsically private.
313
The Internet has introduced
something new,human-to-computer and computer-to-computer communi-
cations that may or may not deserve privacy,depending on the circum-
stances,The new network now encompasses the full diversity of life in
cyberspace,creating a new need for the Wiretap Act to make the same nu-
anced distinction between authorized and unauthorized communications
made by the Fourth Amendment in the physical world.
314
CONCLUSION
On the afternoon of September 11,2001,Electronic Frontier Founda-
tion cofounder and Harvard Law School fellow John Perry Barlow posted a
message to a thousand-member email list that set the tone for the civil liber-
ties debate surrounding the Patriot Act.
315
Just hours after the World Trade
Center towers had fallen,Barlow urged his readers to prepare for,the Com-
ing Police State.”
316
Barlow warned,
[N]othing could serve those who believe that American,safety” is more im-
portant than American liberty better than something like this,Control freaks
will dine on this day for the rest of our lives,
Within a few hours,we will see beginning the most vigorous efforts to end
what remains of freedom in America,,,, I beg you to begin NOW to do
whatever you can,,, to prevent the spasm of control mania from destroying
the dreams that far more have died for over the last two hundred twenty five
years than died this morning,
312
Rakas v,Illinois,439 U.S,128,143 n.12 (1978),
313
See Kerr,supra note 291,at 1299,
314
See id,at 1298–300,
315
Email from John Perry Barlow,Cofounder & Vice Chairman,Electronic Frontier Foundation,to
John Perry Barlow (Sept,11,2001,13:38:15) [hereinafter Barlow email],at http://www.activism,
net/pipermail/think/2001-September/000002.html,Barlow’s email has been posted widely on the Inter-
net and has been discussed by the press as well,See,e.g.,Kristen Philipkoski,Civil Liberty the Next
Casualty?,WIRED NEWS,Sept,13,2001,available at http://www.wired.com/news/politics/0,1283,
46784,00.html,
316
Barlow email,supra note 315,
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
672
Don’t let the terrorists or (their natural allies) the fascists win,Remember
that the goal of terrorism is to create increasingly paralytic totalitarianism in
the government it attacks,Don’t give them the satisfaction.
317
News reports in the mainstream media soon echoed Barlow’s theme,
Within a few days after September 11,most major United States newspa-
pers ran stories on the prospect that the attacks would lead to extreme anti-
terror measures that could threaten civil liberties.
318
Several articles noted
that wartime threats led to loss of civil liberties in the past,ranging from
President Lincoln’s suspension of habeas corpus in the Civil War
319
to the
Japanese internment camps during World War II.
320
Experts predicted that
law enforcement demands for greater surveillance power would prove im-
possible to resist.
321
Although the Bush Administration had not actually
proposed any new laws yet,the articles warned that a major shift in the bal-
ance between privacy and security might be on the way.
322
Given these fears and expectations,perhaps it was inevitable that the
press would readily portray the Administration’s antiterrorism proposals as
extraordinary and,panicky.”
323
The complexity of Internet surveillance stat-
utes added to the confusion,and textual ambiguities in the initial DOJ pro-
posals provided at least some basis for civil libertarian fears that the Patriot
Act would do far more than its drafters intended,The Justice Department’s
defense of its proposals helped fuel fears,as well,Although Attorney Gen-
eral Ashcroft emphasized that the DOJ proposals were,modest,”
324
he also
claimed that the government would use the new laws to launch a,law en-
317
Id,
318
See,e.g.,Ken Armstrong,Many Fear Loss of Freedoms,CHI,TRIB.,Sept,16,2001,at 8; Harriet
Chiang,ACLU Fears Intrusive Policies,Racial Profiling,S.F,CHRON.,Sept,13,2001,at A15; Karen E,
Crummy,Attack on America,Civil Liberties May Be Next Victim of Deadly Attacks,BOSTON HERALD,
Sept,14,2001,at 4; Maura Dolan & Henry Weinstein,Activist Groups on Lookout for Erosion of Civil Lib-
erties,L.A,TIMES,Sept,14,2001,at A14; Eric Pianin & Thomas B,Edsall,Civil Liberties Debates Re-
vived Amidst Efforts To Fight Terrorism,WASH,POST,Sept,14,2001,at A11; Robin Toner,Some Foresee
a Sea Change in Attitudes on Freedoms,N.Y,TIMES,Sept,15,2001,at A16; Rebecca Walsh,Rights Advo-
cates Concerned About Attacks’ Aftermath,SALT LAKE TRIB.,Sept,15,2001,at A1; Nick Wingfield et al.,
Some Fear Fight Against Terror Will Imperil Privacy,WALL,ST,J.,Sept,13,2001,at B4,
319
See Chiang,supra note 318 (noting Lincoln’s suspension of prisoners’ constitutional rights dur-
ing the Civil War),
320
See Walsh,supra note 318 (discussing the use of internment camps in World War II),
321
See,e.g.,Chiang,supra note 318 (quoting University of Michigan law professor Yale Kamisar
as saying,“The pressure to let the police do what they want to do is just going to be enormous.,,, I
shudder to think what’s going to happen”); Wingfield,supra note 318 (quoting Columbia University
historian Alan Brinkley as saying,“In coming months,anything claiming to be in the name of security
will be hard to oppose”),
322
See,e.g.,Chiang,supra note 318; Wingfield,supra note 318,
323
See Editorial,A Panicky Bill,WASH,POST,Oct,26,2001,at A34,
324
See John Ashcroft,Expanding Terrorism Investigation,Prosecution,Hearing Before the Senate
Judiciary Comm.,107th Cong,(Sept,25,2001) (testimony of Atty,Gen,John Ashcroft) (describing the
DOJ proposals as,careful,balanced,and long overdue improvements,” and as a,modest set of essen-
tials” rather than a DOJ,wish list”),available at 2001 WL 26186648,
97:607 (2003) Internet Surveillance Law After the USA Patriot Act
673
forcement offensive”
325
immediately,implying that the surveillance amend-
ments in fact constituted significant changes to existing law,
Fortunately,a more sober assessment suggests that the Internet surveil-
lance provisions of the Patriot Act updated the surveillance laws without
substantially shifting the balance between privacy and security,Many of
the Patriot Act’s provisions had been proposed by the Clinton Administra-
tion long before September 11,and had been debated and discussed for
years both within law enforcement and civil libertarian circles,All of the
changes worked within the basic legal structure that Congress had created
in 1986 when it enacted ECPA,Civil libertarian objections to ambiguities
in the initial DOJ proposals led to clarifications on the scope of the pen reg-
ister act and trespasser exception,and the objections of privacy advocates
led to new regulations on the use of Carnivore and the fruits of pen register
orders,Ironically,while the media braced for extreme measures following
the terrorist attacks on New York and Washington,the Internet surveillance
provisions enacted into law by the Patriot Act broke little new ground,Of
course,different commentators may disagree about specific provisions,and
the fact that the Patriot Act did not disrupt the preexisting balance between
privacy and security does not mean that the preexisting balance was the right
one,But a focus on the details of the legislation suggests that the Act that has
been portrayed as the road to Big Brother does not actually head there,
The Patriot Act does not and should not represent the final word on
electronic surveillance law,The rapid pace of technological change will
likely require the Internet surveillance laws to remain a work in progress,
and the sunset of many of the Patriot Act’s provisions on December 31,
2005 will prove only one of many opportunities to revisit and revise these
laws in the future,Many open questions remain,and Congress will have to
keep a watchful eye on law enforcement practice and technology to main-
tain the crucial balance between privacy and security,But the remarkable
circumstances of the Patriot Act’s passage should not obscure the reality
that the Act advanced a much-needed debate on how surveillance laws
should regulate the Internet,and enacted many relatively balanced rules that
in less anxious times might have been applauded rather than vilified,
325
See Josh Meyer,Terror Bill’s Effects To Be Immediate,L.A,TIMES,Oct,26,2001,at A1
(“When President Bush signs into law today new anti-terror legislation,the Justice Department and the
FBI will immediately launch a law enforcement offensive as all-consuming as the one Robert F,Ken-
nedy waged against organized crime 40 years ago,Atty,Gen,John Ashcroft said Thursday.”),
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W
674