Tuesday, April 17, 2012

Pen Registers

Who Ya Gonna Call?

The numbers you call from your home phone or smartphone are nobody else's business, and if the government wants to know who you are calling they'll need a court order for a wiretap, right? Yes and no. 

Yes, most people would say that those calls are usually nobody else's business, and No, the government doesn't need a court order for a wiretap. Since you voluntarily hand that information to your telephone service provider (so that they can complete your calls), the called number information isn't private. With that justification, there's a lower bar to clear to get the information.

Let me back up a little bit. Three key types of information about telephone calls are

  1. Who you call
  2. Who calls you
  3. What gets said
If law enforcement wants to listen in on what's getting said on your calls, they need to get a wiretap. For that they need a court order and they usually need a good reason. The other two types of information, who you call and who calls you, involve a much lower standard.

Pen registers are used to record the numbers that you call, while trap devices record the numbers that call you. Law enforcement can get pen/trap orders merely by asking the courts, and without any kind of good reason other than their own belief that the information would assist in some investigation. And they need not report back on findings.

When targeting a cell phone, a Pen Register also allows collection of associated cell tower information (which potentially provides coarse location information), and if the tower at the end of the call is different than the one on which the call started, that information is captured, too (which potentially provides coarse movement information).

Since the enactment of the US Patriot Act, pen/trap orders also apply to Internet communications. A pen/trap served to an ISP allows law enforcement to collect information such as IP addresses and the protocols used along with time stamps. It provides access to email header information other than the subject line (and not the email content), so it allows collection of data on who you send email to and receive email from, the dates and times, and how large the messages are.

What's your expectation about the privacy of numbers that you call, and those that call you? What's your expectation about the privacy of the email you send and receive? 

If Pen Register data is too easy to get, there's a risk of law enforcement casting too wide a net and involving everyone who ever communicated with anyone who ever communicated with a person of interest. If it's too hard to get, law enforcement can't efficiently do their legitimate job. What's the right balance? Should getting a pen/trap order be held to the same high standard as getting a wiretap order, or is it appropriate that it is substantially easier?

Leave a comment and let us know what you think.

(Disclaimer: I'm not a lawyer and I don't play one on TV. I won't claim to be an expert on this subject, but I find it interesting, and maybe you will, too. If I get the facts wrong, perhaps my lawyer friends may set me straight.)


Thanks for reading! A blog works best with active participation. If you enjoy this blog, please give it a +1 and leave a comment. Share it on Twitter, Google+, or Facebook. More readers will drive more discussion.

No comments:

Post a Comment